RE: [office] Digital signature proposal

["Uri Resnitzky" <Uri@arx.com>]

On Friday 16 February 2007 12:08, Michael Brauer wrote:
> A document signature *shall* be considered to be valid only if
> it valid itself, and if it is applied to all files of the package.

This requirement will prevent applications from implementing sectional
signing.
Sectional signing allows signing of only certain elements in a document
and is supported by xml-dsig.
For example in an approval process a document may be written by one
person and signed, then another person needs to approve it after
possibly adding some comments to a "comments" section of the document.
Another example is a collaboration of multiple people on the same
document, each responsible for his own section. Two requirements may
arise in this scenario: section A may need to be edited after section B
is already completed and signed, and person A may not want to appear to
have signed the text of section B for legal or other reasons.

To add to my previous suggestion for visible signatures:
I propose to add a new signature control.
This control can have some default appearance (something like
"x________").
It can have attributes such as the intended signer name/role.
It can be associated with an existing document element (section, table,
etc.) for sectional signing.
It must have a unique ID attribute.
When a user activates this control, the application will produce
document content to represent a new appearance for the signed control
(For example the application may prompt the user or may already have a
pre-configure signature image file for the user and the new appearance
will be built from that image + signer name + date / time).
The document content for the new appearance will not be stored in the
document itself so as not to break already existing signatures, but
instead will be written to a new file within the META-INF folder. The
content of the file will be an element that includes the originating
control's ID and the new appearance markup.
Next, the application will sign the whole document (or the element
specified in the control) and create the appropriate <Signature> element
in the documentsignatures.xml file. The file with the new signature
appearance must always be included in the signature calculation as well.
The application is expected to display signed controls using the content
from their respective appearance files rather than the default
appearance.
When a signed control is activated, the application can validate the
signature, display information about the signed area, about the signer
and certificate, etc.
To prevent users from thinking a document is properly signed when in
fact the signature validation fails (as Thomas suggested), applications
should display a validation mark on top of the appearance in any signed
signature control.
This validation mark will indicate if the signature has been validated
yet or not and if the validation failed or succeeded.

I'm new to ODF (but have a lot of experience in digital signatures and
signed documents of various formats) so I apologize in advance if I'm
not using the correct terminology.

- Uri

Uri Resnitzky
Chief Scientist
ARX
http://www.arx.com