W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > October to December 2002

Re: Introductory article about XML Signatures and Best Practices

From: David Wall <dwall@Yozons.com>
Date: Sat, 14 Dec 2002 11:12:26 -0800
Message-ID: <008b01c2a3a4$bdb7d260$3201a8c0@expertrade.com>
To: <w3c-ietf-xmldsig@w3.org>

Thanks for the legal point of view, Mr. Messing.  I do appreciate the
updates and your comments.

> Proof of intent (the subject of this posting) is best determined from the
> social and human context rather than any automated means such as a
> certificate non-repudiation bit. To add to the ideas of the posting, how
> does one distinguish an autograph from a signature intending to bind a
> person to a document, either in the paper world or the electronic world?
The
> answer is look at the content. What was said? But that is not a signature
> function, it is a legal construction issue based upon the objective
> expression of human intent, indicating the posting is really off-topic for
> XML Signatures.

I completely agree with this sentiment, but this is what tweaked my
curiousity, since the one of the main benefits of XML Signatures is
automated signature verification.  My query was mostly about determining how
suitable automatic verification is when it comes to electronic signatures in
which the context is all important and cannot be easily automated.  Clearly,
from a digital signature perspective, it's wonderful assuming all of the
options for forming signatures within the standard can successfully be
implemented interoperably.

> With these points covered, XML digital signatures can be made a perfectly
> appropriate means for creating electronic signatures on XML data for any
and
> all legal purposes.

I agree and never really contested that it would not.  After all, most
electronic signature products are based on digital signatures, and I'd bet
several have an XML data structure underlying it all.  Again, I'm thinking
about if I wanted to send you a signed contract electronically, is there
really that much of a benefit using XML Signatures rather than other digital
signature-based solutions.

Sure, with XML Signatures you can automatically validate the digital
signature, but you still have to "render" the XML data underlying it in a
way that makes it obvious to a human what is being agreed to, etc., who
signed it and when, and that won't be part of the automated XML Signature
capability, implying that I'll still need some sort of specialized
application to render the contract terms in a way that I can determine if
the signature is on something that I'd also agree to (and perhaps
countersign or simply add my signature as part of the cause), who signed it,
when it was signed, etc.  Most business documents today are in World, Excel,
PDF or HTML, and these won't be helped all that much by wrapping them inside
XML tags.  If I need specialized applications to render the data in a
meaningful way, then is there really that much gained by not just having
that application also validate the digital signature?

Anyway, I do like the XML Signature standard.  I think it will be
particularly useful in the future when contracts are perhaps created in a
more transactional environment using automated systems with agreed upon XML
structures as LegalXML Oasis group is no doubt working on.  When I think of
fixed transactions like those done with EDI, ATMs/SWIFT, etc., I'm sure XML
Signatures will be even more powerful because the signature and the intent
can all be automated.

David Wall
Received on Saturday, 14 December 2002 14:11:28 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:16 GMT