
legalxml-enotary message



Subject: Re: Iconic and visual representations of signatures and certificates


Gerard,

Thank you for your comments.  Before I respond, I would like to
ask you to consider joining OASIS and participating in this process
officially.  While I will welcome your e-mails at a personal level,
we, in the Technical Committee, cannot act on any of your comments
in the standards process, since you have not accepted the IPR rules
governing this TC's activities.  With your official participation,
not only will your suggestions be welcomed, but your contributions
will be acknowledged in the formal specification document.  I have
copied Scott McGrath of OASIS who can assist you in the membership
process, if you need any information.

That said, I will mention that my primary vocation for the last nine
years has been in the field of Security, and specifically in PKI at
that.  I am very familiar with the myriad ways in which data/documents
can be attacked and have been a proponent for improving data-security
at the data/document level for many years.  Most of my time is spent
in the OASIS Enterprise Key Management Infrastructure (EKMI) Technical
Committee focusing in this area.  (Your OASIS membership will allow
you to participate there too, at no additional cost, if you're
interested). :-)

I have already committed to the TC that I intend to prepare a non-
normative document that explains the security implications of
eNotarizations and what the industry - Notaries, Secretaries of State,
Relying Parties - need to be aware of with respect to eNotarized
documents.  I will submit this informative document to the TC when
the spec is ready for public-review.  While this security document
will point out potential vulnerabilities and how to mitigate those
risks, it will not help people who will shoot themselves in the
foot despite being warned.

A consequence of technological progress is that those affected by it
must make the effort to understand the technology lest it hurt them
more than it helps them (Caveat Emptor).

Arshad Noor
StrongAuth, Inc.

Gerard Ashton wrote:
> I've read your contribution at
> http://lists.oasis-open.org/archives/legalxml-enotary/200808/msg00015.html
> and I have been giving some thought to the visual representation
> of signed and notarized documents for some time. It seems to me
> that a single representation is suitable only for the simplest documents.
> More typical documents must be examined interactively, to determine who
> signed what.
> 
> One might imagine an interactive notarized document viewer which has
> a control panel, where the reader can specify that portions of the document
> signed by Alice AND Bob AND covered by a notary certificate from Neal OR
> Nancy have a light green background, portions not meeting the criteria have a
> white background, and any portion where the verification process failed for
> any reason with a light red background. The reader would probably have to
> change the settings several times to fully comprehend who signed which
> portions of a document.
> 
> The fact that business people like to rely on faxed documents whenever
> possible, and the fact that some states who accept notarized real estate
> documents post those documents to the public in an image form that cannot
> be processed through any PKI application by members of the public, suggests
> that if icons or visual representations are available, it won't be long
> before images that look like enotarized documents, but from which all
> PKI capabilities have been stripped away, will appear and will be used as
> proxies for the real documents. This could lead to naive members of the
> public being deceived, in much the same way that some people are deceived
> into thinking that diplomas from diploma mills (which offer academic degrees
> for little or no effort on the part of the "graduate") just because these
> degrees have been notarized and an apostille has been obtained. (Such scams
> are located all over the Internet).
> 
> Gerard Ashton
> 

