Re: Introductory article about XML Signatures and Best Practices from David Wall on 2002-12-14 (w3c-ietf-xmldsig@w3.org from October to December 2002)

From: David Wall <dwall@Yozons.com>
Date: Fri, 13 Dec 2002 20:39:50 -0800
To: <w3c-ietf-xmldsig@w3.org>
Message-ID: <002401c2a32a$d75c4ea0$3201a8c0@expertrade.com>

How close is the XML Signature standard to being a great foundation for
electronic signatures.  As you specify in your article, a digital signature
on data does not make an electronic signature, and it's not clear that the
XML Signature using digital signatures really is appropriate as an
electronic signature standard.  After all, they are not the same (see Bruce
Schneier's Cryptogram on this at
http://www.counterpane.com/crypto-gram-0011.html#1)

What I mean is that digitally signing something really means that it came
from the party and has not been tampered with.  Automated tools using XML
Signatures enable the automatic validation of such data (in XML format,
obviously), and this can be quite useful (ensuring the data integrity and
fact it came from me, for example, could be very useful).  But this is more
like a checksum with identity than an electronic signature which implies
that I am legally binding myself to what the data implies (such as for a
contract, agreeing to abide by the terms therein).

Aside from highly automated transactional systems (such as order entry), it
seems that most XML Signatures won't really be electronic signatures as
validating a signature on a contract clearly is insuffient (so automation
may not really help) -- it's more important to know what is being agreed to
than that it was agreed to, so the content is priority one, followed by the
signature.

For example, assuming that I had a Word, PDF or HTML file that I'd like to
sign because that file contains a contract.  What is the substantial value
of having this signed using XML Signature?  An automated system clearly
could accept this XML data and validate the digital signature, but what was
agreed to?  Did I agree to to fulfill a consulting job for $200 an hour over
the next 100 days, or was it $100 and hour over the next 200 days.  Even
this example results in the same "total cost" but changes the delivery time
by a factor of 2x and means you won't have your results in the next quarter!

I guess the gist of my question revolves around the fact that I see the true
value of digital signatures.  I see the true value of being able to
automatically verify them, especially to ensure that orders (for example)
are originals and come from a known entity (assuming I use my own copy of
the sender's public key and not just the public key embedded inside the XML
signature).  But is this overkill or really necessary for electronic
signatures which imply agreement over the terms expressed within, rather
than just saying the data has not been tampered with and it's from me?  When
sending a message that reports on a terrorist attack, for example, or
describes how to make a bomb, it's one thing for someone to know that I sent
it and it's the original such as using PGP or S/MIME email, and quite
another to say that I agree or otherwise want to be legally bound to the
ideas expressed within.

David Wall

Received on Friday, 13 December 2002 23:39:01 UTC