OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop

I understand.

Regarding WASP and private keys, see attached FAQ, third question.

The main difference between WASP and the DRAFT (+ other communication)
seems to be that the AGSC essentially have decided to do a remake of secure e-mail
(but upgrading the crypto stuff by using XML security rather than S/MIME),
while WASP is an effort to support interactive transactions on the web.
The latter effectively disables the use of message encryption.

Anders Rundgren
RSA Security

----- Original Message ----- 
From: "Arshad Noor" <arshad.noor@strongauth.com>
To: "PKI TC" <pki-tc@lists.oasis-open.org>
Sent: Thursday, December 15, 2005 00:01
Subject: Re: [pki-tc] Re: Transaction PKI. Was:PKI-TC@PKI Workshop

The contractor's focus is not to develop software, Anders; it is
to research what is available in  browsers today from a technical
perspective, and to determine what needs to be created to meet the
requirements specified (a DRAFT of which I posted on this alias
some months ago).

Once the gap is identified, then comes the real work for the AG
subcommitee - how do we fill that gap?  What kinds of technologies
are needed?  What are browser vendors doing already and what are
they prepared to do to help support such customer requirements?
Is the open-source community working on projects that might address
this?  Are commercial browser vendors addressing this?  Once we've
reached consensus in the AGSC, then we need the TC to vote and
approve our recommendations before anything is promulgated by
OASIS as a standard.

I believe our goals are similar - the ability to sign/encrypt from
browser all the way back to the application.  However, from what I
understood of your solution, it did not meet one of the requirements
we're focused on: that the web-signing solution had to use a private-
key stored in the client application key-store - in this case, the

If your solution does use the private key of the client certificate
in the browser's key-store for the signing, then it will definitely
be evaluated in detail by the contractor along with other potential

I can't speak for the TC's position on this; only as the chair of
the AG subcommitee.

Arshad Noor
StrongAuth, Inc.

Anders Rundgren wrote:
> Dear Arshad,
> I am curious to know how this project is to be managed.  It seems that
> "we" are going to produce "something", but that this will not be following
> common OASIS procedures with issues, votings, deliverables etc.
> I do believe that we should have some kind of embryonic specification
> before somebody is contracted for dev. work.  I have for example
> mentioned the connection between the "view", "data" and the signature
> as an important and actually very difficult area.  If we cannot define
> this, I doubt that we will be able to follow much else of what the
> contractor is doing.  BTW, we are apparently looking for one of the
> top ten browser/PKI/security coder/designers in the world!
> Regarding my participation:
> I consider the 18-page PPT, the fairly ambitious FAQ, and a runnable
> test site as a rather tangible input to this project.  Although you (and
> the TC?) do not seem to agree with my clearly stated goals[1] and the
> FAQ,  there must be pretty much the same issues in T-PKI.
> regards
> Anders Rundgren
> 1] Universal, platform- and document-format independent "sign-off" utility
> designed for interactive web applications.  With the hope that it should
> eventually become a "standard" in web browsers.  I.e. the counterpart
> to the S/MIME signature support available in every e-mail client.
> ----- Original Message -----
> From: "Arshad Noor" <arshad.noor@strongauth.com>
> To: "PKI TC" <pki-tc@lists.oasis-open.org>
> Sent: Wednesday, December 14, 2005 21:12
> Subject: Re: [pki-tc] PKI-TC@PKI Workshop
> Indeed, the "Transaction-PKI" project is behind schedule.  Some of it
> is my fault as I have been busy trying to do those mundane things that
> keep body and soul together - earning money from paying customers to
> pay bills :-).
> However, some of it als due to the fact that the PKI Steering Commitee
> needed clarification of the mission of this project, as well as
> affirmations from at least 2 end-user customers on the goals of this
> effort.  Those affirmations were sent to the Steering Commitee this
> morning (customers also have jobs to do besides volunteering for these
> efforts, Anders; I can only express my appreciation for their having
> taken the time to review the requirements and comment on it).
> Hopefully, with the information available to the SC, funding will be
> approved to hire a contractor who will dedicate his/her time towards
> performing the detailed research necessary to move this TPKI project
> forward.
> Anders, perhaps you and I should talk offline about how you might be
> able to help us move this forward faster, if you have additional
> cycles available to you.  Perhaps, some of the work that was charted
> out for this contractor could be absorbed by you to speed it up even
> more?
> Arshad Noor
> StrongAuth, Inc.
> Anders Rundgren wrote:
>>It also appears that the "Transaction PKI" project is behind schedule as only very little information has been published in spite
> of
>>being talked about for a year or so.  Don't get me wrong, I just want the charter and reality to match, and I have no problems
> with
>>a charter revision.  That is, PKI surveys and promotion may indeed be this TC's main purpose.
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 

To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in OASIS
Title: WASP (Web Activated Signature Protocol) - FAQ


What is WASP?

WASP (Web Activated Signature Protocol) is a standards proposal for "Web Signing".  That is, signing forms and transactions on the web using an enhanced web browser.  WASP essentially provides an integrated web browser "Sign-off" process combining: and then binding these things together by the use of cryptography.

What is the WASP web site featuring?

A proof-of-concept WASP "emulator", and a few sample applications, enabling people ranging from lawyers to cryptographers to get some initial "feel" for Web Signing using WASP.

But don’t I need a private key and certificate to sign web transactions?

Absolutely!  However, the proof-of-concept emulator was deliberately created in such a way that nothing needs to be installed or downloaded (everything runs on the server, including cryptographic operations).

Which is the target audience for WASP?

Anybody interested in securing web transactions using PKI (Public Key Infrastructure).  Typical applications include:

Is WASP a new concept?

No, it is rather a "compilation" of similar schemes already in use by millions of people in the EU for on-line banking and e-Government services.

Why bother with a standard for Web Signing?

For reducing costs for creating secure services as well as supporting interoperability for inter-organizational workflow operations.  WASP is intended to be the web browser’s counterpart to the S/MIME signature mechanism, which is preinstalled in every e-mail client including Outlook and Thunderbird.

What are the primary WASP features?

But I would rather like to sign XML, is that possible?

Since plain-vanilla XML does not render itself in a user-interpretable way in a browser, you have a number of options.  A workable scheme is to provide transaction data in two flavors, HTML for the user, and XML as a hidden object.  An even better way is to exploit WASP’s ability to sign hashes provided by the requesting service, since it does not make sense downloading invisible data to the user.  Note that in both cases, the hashes of the HTML and XML documents are provided as distinct objects in the signed container.  Using an XSL style sheet linked to the XML document is another possibility.

Does WASP support end-to-end security?

Yes.  However, in many applications like in B2B purchasing, WASP signatures would typically not be transferred to external parties.  This is due to the fact that purchase orders and similar business messages in most cases, are authorized, created, and finally secured, at the purchasing system level, while the purchasers’ signatures are only saved locally for binding purchasers to their associated purchase orders.

Does WASP support signing of "live" form data?

No.  Supporting "live" form data would constrain format independence while also being redundant, since user input preferable is performed (and validated), before entering any kind of "sign-off" procedure.  This is also the de-facto standard way of handling such scenarios on the web

Does WASP support encryption?

Yes and no.  Explicit message encryption indicates that the web application neither is the actual recipient, nor is trusted.  However, then you are also very close to e-mail-like functionality, which a Web Sign standard-to-be should not need (or try) to duplicate.  Due to this, encryption beyond what is already available in the web environment (i.e. HTTPS), is not supported by WASP.

Does WASP support multiple signatures?

Yes and no.  WASP does not support putting a signature on top of an already signed document.  However, this limitation does in no way hamper the ability to support multiple signatures in the information system layer.  In fact, such a scheme is much more flexible than relying on cryptographic methods only, as it can cope with different semantics like co-signatures by peers, or a final authorization signature by a manager.  Also see next paragraph regarding signature validation.

Does WASP support signature validation?

Yes and no.  WASP does not support local signature validation.  This is due to fact that local signature validation adds nothing but hassles for users who may have to process certificate paths from unknown PKIs as well as dealing with expired certificates. This seems to be a job ideally tailored for the web server application, including returning signature data in a user-interpretable manner.  That is, the server preferably validates signatures when received, and then the result is simply mirrored to the user when needed.  This scheme makes it easy to avoid the situation where a user may believe something is wrong because a certificate has expired although it vas actually valid when used in a signature operation.

Does WASP support client API scripting?

No.  The reason for leaving out client scripting is that scripting would effectively disable a well-defined signature GUI and process, require additional server roundtrips, as well as impeding document format independence.

Which are the major WASP deliverables?

The core of the WASP standard proposal is defined by the following deliverables:

How can I get the WASP specification?

The specification will be published in due time.  A early draft is currently available for selected parties.

How will WASP be shipped?

The long-term goal is that WASP should be a part of a standard browser distribution.  Before this has happened (it may in fact never happen depending on the outcome of the standardization effort), code could be made available in many ways, possibly including Open Source.  More information will be posted at a later date.

Who is backing the WASP effort?

At the time of writing, WASP is essentially a private initiative by Anders Rundgren of RSA Security, Sweden.  However, talks are currently held with government representatives in several countries in order to verify the concept’s applicability, perform "adjustments", as well seeking their support.  Yes, the naked truth is that raising standards is equally much a political process, as it is a quest for good technical solutions...


* * *

V0.3, 10-Oct-2005

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]