
ubl-ndrsc message



Subject: RE: [ubl-ndrsc] Digital Signatures


On Wed, 4 Jun 2003, Chin Chee-Kai wrote:

> On Tue, 3 Jun 2003, Paul Thorpe wrote:
> 
> >>On Tue, 3 Jun 2003, Burcham, Bill wrote:
> >>
> >>...
> >>> My counterproposal, therefore, is to use XML Digital Signature... That is
> >>> _if_ we need to do digital signatures at all :-)
> >>
> >>If there is no authentication, who will trust the UBL documents outside of
> >>their own organization?  The point of UBL is business to business communication,
> >>right?
> >>
> >>Paul
> 
> I'd just like to add my 2 cents on this last part.
> 
> The point is certainly valid that B2B needs authentication.
> Yet the same could apply to security (i.e. encrypted content
> on top of authentication), logging (accountability), 
> error handling, error recovery, integrity checks (e.g.
> rudimentary CRC checks, checksums, or hash bytes for purpose
> of checksumming, etc), and many other very nice to haves.
> 
> On the other hand, we see that many businesses today are
> using the open Email protocol to send unencrypted quotations,
> sales orders, invoices, etc across.  Some EDI installations,
> I was told, use plain FTP, and the end-point business entities 
> are ok with that.  It may not be the best, but all other factors
> considered, such as complexity of implementation, cost of 
> implementation, maintenance, inconvenience to customers or 
> suppliers, confusion due to difference in technical levels, 
> etc, business entities might still want to make do with the
> most simplistic communication available.
> 
> I am guessing Bill Burcham's words about "_if_ we need to do
> digital signatures" to mean if we need to do that *within*
> UBL, instead of leveraging other standards work to apply on
> generic XML contents.  I wonder if having UBL incorporate
> and thereby endorsing use of certain mode or mechanism of
> digital signature will be for the better or not.
> 

I have no doubt the email (unencrypted) works fine quite often since there
is usually a human judging the authenticity (sometimes with a follow-up
phone call), but when doing machine to machine transactions (especially
when large orders -- or financially significant orders), authentication
becomes much more important.  Note that the proposal is to make the
signature field optional so that authentication is not required by UBL,
but can be used if desired.  Some businesses may choose not to accept
documents that are not authenticated.

Just look at various machine-based attempts to eliminate spam vs. human
recognition of what is or isn't spam.  If UBL documents are exchanged on
an open network, someone is going to attempt to forge UBL documents.

Paul


