[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [Fwd: Re: VS: The business case for signatures - is it really there?]
forwarding this to the list for archive. -------- Original Message --------
David Burdett (david.Burdett@commerceone.com) noted on 27 Feb 2003 as comments to UBL 0p70... <> Often the authenticity of a UBL document will need to be determined using cryptographic techniques. One way of doing this is to sign the document together with the envelope in which it is contained as, for example, ebXML Messaging provides [1]. However, this means that you HAVE to keep the message around in order to later prove authenticity when the message is being processed. This adds to complexity and only works if messaging protocols such as ebXML Messaging are being used.and Response from Eve Maler:and it came back i again from Crimson Logic in April 2005 as... <> Signature to prove integrity, and origin of the document data. An electronic signature is a requirement at document level, as defined by appropriate standards. This may be applied to the whole of the document data (with the exception of the signature element).Neither of these present the use case you describe (which is new to me). Dave was the Editor of the ebXML MS project and I trust him to understand the requirement beyond being an enveloping issue. His use case involves marketsites/gateways that must open documents to route them and then detach the signatures. So the applications don't see the signature. For audit and control it may be a requirement to prove a document's authenticity in the future and without a reference to the signature the document wont be able to say anything about it. We have spent many long hours discussing this and the TC did agree to provide such a solution. It has taken us 3 years to design one (which I think is quite elegant). So I suggest we put this into the 2.0 review package and see what comments we get. Mikkel Hippe Brun wrote: -----Oprindelig meddelelse----- Fra: Mikkel Hippe Brun Sendt: 13. december 2005 08:44 Til: 'ubl@lists.oasis-open.org' Emne: The business case for signatures - is it really there? Dear all, A signature class is now being proposed to be a part of all UBL documents. The following business case for this class has been explained to me: Prior to the exchange of a UBL document, authorized persons may have been required to digitally approve internal process steps. For an electronic order this could be the flow: 1. An employee in Big Inc. (Mrs. Imonitorstock) discovers that the stock of pencils is critically low and sends a request to the purchasing department. This request is digitally signed. 2. An employee (Mr. Underdog) in the purchasing department creates an Order and sends it to his boss Mr. Imakethedecision. The signature part of the Order contains metadata about the signature applied by Mrs. Imonitorstock. The order is off course signed by Mr. Underdog. 3. Mr. Imakethedecision verifies the signature applied by the order by Mr. Underdog, adds another ten pencils to the order. The signature metadata of Mr. Underdog is added to the order and the order is digitally signed by Mr. Imakethedecision and sent to the supplier. The above example demonstrates that the signature part proposed to all UBL messages contains information about previous signatures and approvals involved in the internal workflow of the organization sending a message. It is not an attempt to store metadata about the signature applied to the message on its way from sender to receiver. (This would off course also be impossible unless you only signed a subset of the document). The need for the Signature class has come up in the Transport group and probably for a good reason. I propose that we do not add the Signature class to documents where we have not seen a strong business case from a real domain. Academic arguments stating that it would be "nice to have" do not carry the same weight. Let's keep UBL on the 80/20 track. - mikkel Mikkel Hippe Brun Chief Consultant, M.Sc. Phone: +45 3337 9220 Cell: +45 2567 4252 E-mail: mhb@itst.dk National IT and Telecom Agency Office of IT Strategy Holsteinsgade 63 DK-2100 Copenhagen Ø Denmark Phone: +45 3545 0000 Fax: +45 3545 0010 www.itst.dk itst@itst.dk -- regards tim mcgrath phone: +618 93352228 postal: po box 1289 fremantle western australia 6160 DOCUMENT ENGINEERING: Analyzing and Designing Documents for Business Informatics and Web Services http://www.docengineering.com/ -- regards tim mcgrath phone: +618 93352228 postal: po box 1289 fremantle western australia 6160 DOCUMENT ENGINEERING: Analyzing and Designing Documents for Business Informatics and Web Services http://www.docengineering.com/ |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]