OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: US Higher Education PKI targets digital signatures

Apparently the HEPKI-TAG is evaluating signature tools.
 
http://middleware.internet2.edu/hepki-tag/new/signing4.html 

Since I have been working with such for a long time, I have concluded that there is room for two rather different approaches.

Off-line/Document Centric Signatures

The first one is what I would call "traditional" where the signer (human or server) signs a document that can be distributed "as is" to relying parties.   Currently it appears that the Adobe PDF format would be most suitable since the reader is free and usually installed as well on most computers and operating systems.  An important characteristic of document-oriented signature schemes, is that the document itself contains the signatures.    The major long-term application for document-centric signatures seems to be for distributing various kinds of "certificates" like diplomas, permits, etc.  that can be shown to other parties as well as being printed.  Signatures may be created off-line or on-line.  Some EU governments intend to use organization(only)-signed PDFs as a means to distribute digitally signed data to their "customers".

On-line/Transaction Oriented Signatures

In the EU, where signing is already an established high-volume e-government activity (C2G), the concept of transaction-signatures is prevailing.  In such scenarios, the user is connected to a web service, and signs a request issued by the service (=server) when a certain process step is to be passed.   A major difference compared to document centric signatures, is that such signatures are stored and validated by on-line systems only.  Since the EU has the same problem as HEPKI regarding the number of choices of on-line signature products to use, I and a number of other people are trying to establish a standard for this kind of signatures.  If we will be successful or not is yet to be seen...

Currently on-line signatures have almost exclusively been consumed by the requesting party only, but the goal with the EU projects (there are more than one...) is to make these schemes usable also for organization-to-organization workflow.  In order to fulfill this task, most if not all proposals are based on XML and XML Schemas since the ability to directly integrate PDF, HTML or Word in an integrated workflow is rather limited  (they are only used as display formats).  I believe that these systems will exchange messages in XML (using SOA), where the outer container typically will be organization(only)-signed and optionally embed signatures of employees and/or citizens.  That is, each task-set will have its unique XML Schema.  Note that this has nothing to do with sending documents over e-mail, this is rather integrated workflow, similar to what banks have had for decades, although e-government tasks are considerably more complex than payment transactions.

An important characteristic of on-line signatures is that they can handle both multiple signatures and validation without requiring the client software (or user) to deal with "foreign" PKIs, expired certificates etc.   This makes on-line signatures an ideal choice for high-volume applications where you can afford to create a web service.

One of these EU standardization efforts: http://middleware.internet2.edu/pki06/proceedings/rundgren-websigning.ppt

Anders Rundgren

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]