pki-tc message



Subject: URLs Corrected. US Higher Education PKI targets digital signatures


The URLs were wrong in the other posting. Sorry.


Apparently the HEPKI-TAG is evaluating signature tools.

http://middleware.internet2.edu/hepki-tag/new/signing4.html


Since I have been working with such for a long time, I have concluded that there is room for two rather different approaches.

Off-line/Document-Centric Signatures

The first one is what I would call "traditional", where the signer (human or server) signs a document that can be distributed "as is" to relying parties. Currently it appears that the Adobe PDF format would be most suitable, since the reader is free and usually installed as well on most computers and operating systems. An important characteristic of document-oriented signature schemes is that the document itself contains the signatures. The major long-term application for document-centric signatures seems to be for distributing various kinds of "certificates" like diplomas, permits, etc. that can be shown to other parties as well as being printed. Signatures may be created off-line or on-line. Some EU governments intend to use organization(only)-signed PDFs as a means to distribute digitally signed data to their "customers".

 
On-line/Transaction Oriented Signatures

In the EU, where signing is already an established high-volume e-government activity (C2G), the concept of transaction-signatures is
prevailing.  In such scenarios, the user is connected to a web service, and signs a request issued by the service (=server) when a
certain process step is to be passed.   A major difference compared to document centric signatures, is that such signatures are
stored and validated by on-line systems only.  Since the EU has the same problem as HEPKI regarding the number of choices of on-line
signature products to use, I and a number of other people are trying to establish a standard for this kind of signatures.  If we
will be successful or not is yet to be seen...
Currently on-line signatures have almost exclusively been consumed by the requesting party only, but the goal with the EU projects
(there are more than one...) is to make these schemes usable also for organization-to-organization workflow.  In order to fulfill
this task, most if not all proposals are based on XML and XML Schemas since the ability to directly integrate PDF, HTML or Word in
an integrated workflow is rather limited  (they are only used as display formats).  I believe that these systems will exchange
messages in XML (using SOA), where the outer container typically will be organization(only)-signed and optionally embed signatures
of employees and/or citizens.  That is, each task-set will have its unique XML Schema.  Note that this has nothing to do with
sending documents over e-mail, this is rather integrated workflow, similar to what banks have had for decades, although e-government
tasks are considerably more complex than payment transactions.
An important characteristic of on-line signatures is that they can handle both multiple signatures and validation without requiring
the client software (or user) to deal with "foreign" PKIs, expired certificates etc.   This makes on-line signatures an ideal choice
for high-volume applications where you can afford to create a web service.

Anders Rundgren
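The container structure described in the post above (a service-issued request, signed by the citizen, wrapped in an organization-signed outer XML element, and validated only by the on-line service that holds the trusted keys) can be sketched in code. The following Go program is an added example written for this archive page; it is not code from Anders Rundgren, from HEPKI-TAG, or from any EU project he refers to. Everything in it is an assumption chosen for illustration: the `Request` and `Envelope` element names, ECDSA P-256 with SHA-256 as the signature scheme, carrying the signed request bytes base64-encoded inside the envelope (so no XML canonicalization is needed), string key identifiers, and an in-memory `Registry` of public keys standing in for the validation service's own PKI handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Request is the transaction the service asks the user to sign at a process step.
// Element names are constructed for this example; a real task-set has its own XML Schema.
type Request struct {
	XMLName xml.Name `xml:"Request"`
	TxID    string   `xml:"TxID"`
	Step    string   `xml:"Step"`
	Body    string   `xml:"Body"`
}

// Envelope is the organization-signed outer container (constructed schema). The request
// travels as the exact bytes that were signed, base64-encoded, so the verifier needs no
// XML canonicalization to recompute the hashes.
type Envelope struct {
	XMLName    xml.Name `xml:"Envelope"`
	OrgID      string   `xml:"OrgID"`
	Payload    string   `xml:"Payload"`    // base64(request bytes)
	CitizenID  string   `xml:"CitizenID"`
	CitizenSig string   `xml:"CitizenSig"` // base64(ECDSA over SHA-256(payload))
	OrgSig     string   `xml:"OrgSig"`     // base64(ECDSA over SHA-256(payload || citizenSig))
}

// Registry is the validation service's directory of trusted public keys by identifier.
// Keeping it server-side is what spares the client software from "foreign" PKIs.
type Registry map[string]*ecdsa.PublicKey

// concat returns a fresh slice so neither input's backing array is touched.
func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

func sign(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

func verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// BuildEnvelope has the citizen sign the request, then the organization sign the payload
// together with the embedded citizen signature, so the inner signature cannot be swapped
// without invalidating the outer one.
func BuildEnvelope(req Request, citizenID string, citizenKey *ecdsa.PrivateKey,
	orgID string, orgKey *ecdsa.PrivateKey) ([]byte, error) {
	payload, err := xml.Marshal(req)
	if err != nil {
		return nil, err
	}
	cSig, err := sign(citizenKey, payload)
	if err != nil {
		return nil, err
	}
	oSig, err := sign(orgKey, concat(payload, cSig))
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	return xml.Marshal(Envelope{OrgID: orgID, Payload: enc(payload), CitizenID: citizenID,
		CitizenSig: enc(cSig), OrgSig: enc(oSig)})
}

// ValidateEnvelope is the on-line validation step: outer organization signature first,
// then the embedded citizen signature, both checked against the server-side registry.
func ValidateEnvelope(raw []byte, reg Registry) (Request, error) {
	var env Envelope
	if err := xml.Unmarshal(raw, &env); err != nil {
		return Request{}, err
	}
	dec := base64.StdEncoding.DecodeString
	payload, err1 := dec(env.Payload)
	cSig, err2 := dec(env.CitizenSig)
	oSig, err3 := dec(env.OrgSig)
	if err1 != nil || err2 != nil || err3 != nil {
		return Request{}, errors.New("malformed envelope encoding")
	}
	if orgPub, ok := reg[env.OrgID]; !ok || !verify(orgPub, concat(payload, cSig), oSig) {
		return Request{}, errors.New("outer organization signature rejected")
	}
	if citPub, ok := reg[env.CitizenID]; !ok || !verify(citPub, payload, cSig) {
		return Request{}, errors.New("embedded citizen signature rejected")
	}
	var req Request
	if err := xml.Unmarshal(payload, &req); err != nil {
		return Request{}, err
	}
	return req, nil
}

// Demo runs the exchange with freshly generated (constructed) keys. It returns the TxID of
// the validated request and whether a tampered copy of the envelope was rejected.
func Demo() (string, bool, error) {
	citizenKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, err
	}
	orgKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, err
	}
	reg := Registry{"org:agency-x": &orgKey.PublicKey, "citizen:1234": &citizenKey.PublicKey}
	req := Request{TxID: "tx-0001", Step: "approve-permit", Body: "permit application 42"}
	raw, err := BuildEnvelope(req, "citizen:1234", citizenKey, "org:agency-x", orgKey)
	if err != nil {
		return "", false, err
	}
	got, err := ValidateEnvelope(raw, reg)
	if err != nil {
		return "", false, err
	}
	// Swap the carried request for a forged one: the outer signature must now fail.
	var env Envelope
	if err := xml.Unmarshal(raw, &env); err != nil {
		return "", false, err
	}
	env.Payload = base64.StdEncoding.EncodeToString([]byte(
		"<Request><TxID>tx-0001</TxID><Step>approve-permit</Step><Body>forged</Body></Request>"))
	tampered, _ := xml.Marshal(env)
	_, err = ValidateEnvelope(tampered, reg)
	return got.TxID, err != nil, nil
}

func main() {
	txid, rejected, err := Demo()
	fmt.Println("validated:", txid, "tamper rejected:", rejected, "err:", err)
}
```

The design point worth noticing is the order of signing and checking: the organization signs over the payload and the citizen's signature together, and the validator checks the outer signature before looking at the inner one, so a relying organization only ever has to trust the sending organization's key while the embedded citizen signature remains available for audit. Certificate chains, revocation and expiry, which the post says the client should not have to deal with, are exactly what the server-side `Registry` would be backed by in a real deployment.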
