W3C home > Mailing lists > Public > xml-encryption@w3.org > July 2001

RE: Decryption Transform

From: <eric.e.cohen@us.pwcglobal.com>
Date: Thu, 05 Jul 2001 13:34:25 -0400
To: mscherling@rsasecurity.com
Cc: xml-encryption@w3.org
Message-id: <OF16954BAB.18643279-ON85256A80.005D7362@us.pw.com>

You asked 'who signs the whole document'? Three quick answers: the
publishing company, which is making the assertions found in the file; a CPA
who would sign the external data and is also choosing to provide assurance
on the systems or underlying detail; a service bureau creating the file on
behalf of another company.

You hit on a very key issue (which bleeds over to the digital signature
area) - is the CPA's signature on a document really saying that the
"document is true"? That is an expectation issue, but there is a need to
have multiple types of signature - a signature may mean different things,
such as:

- This is the exact data file I was given by the company (just as a notary
does not read what is being signed, but is saying they have observed the
signer do their signing, this can be third party assurance that a data file
is actually that provided from an original source). Perhaps, the signature
shows it is the source document used for the CPA's own work and testing.

- The contents are the assertions of management, but they have used our
servicesd and systems to create this file and send it on to you (as will be
the case for many small companies uysing a service bureau to create a
file.)

- I have seen this, pass it on. Your turn.

- I have found a problem with this (not every accountant's report is clean)
Thought you might like to know.

- Check inside for more elaboration on what I think of this file and its
contents

Digital signature technology and agreement by the players can help provide
additional levels of guidance on what a signature really means.

Right now, on paper, the accountant's signature is stating something like
"the financial statements PRESENT fairly the (condition of the company) in
conformity with accounting principles generally accepted in the United
States of America." That is what today's assurance covers - not the truth
of the underlying document, but its fair presentation, and possibly really
the presentation of the paper document. When the financial statements are
then put on the Web, all of a sudden other issues come into play - such as
whether the CPA's signature also covers contents accessed off of
hyperlinks, or whether it is just saying "Check out the original paper
document. That is where it is really at."

What will a digital signature mean in the future? The means to have
financial information on the web offering assurance where there is no paper
(original presentation) around to fall back on. The profession is
(haltingly) working through those issues, and the abilities that XML
Encryption and XML Digital Signature give are certainly a catalyst. With
XML, the _presentation_ can be removed, leaving all of the content and
context. How does the CPA profession deal with content and context without
presentation?

New types of assurance may offer:

- This electronic document does exactly match the original paper version,
with the exception of the additional detail provided at
- All of the context you need to make a decision is here
- The correct tags have been applied
- The content has been put into the right classifications

XML Digital Signatures can really help highlight what is covered under a
CPA's assurance and more importantly WHAT IS NOT. There are a slew of
issues involved - such as who within the organization or at the CPA firm
can be authorized to be signers for different purposes (a repository of
authorized organizations and signers within those organizations comes to
mind, maintained by the SEC or equivalent organization.) How can you make
sure that the signature of a two year old financial statement shows as
valid if the signer is no longer authorized to sign, but was then? Can you
recall or obsolete a file so you have the equivalent of a recall?

I hit on some of these topics in a presentation
(http://raw.rutgers.edu/raw/XBRLandContinuousAuditing.ppt) given at a
continuous auditing symposium at Rutgers, including some animated graphics
of the selective unfolding of XML files.

<eccn />




On your second example, it's a bit more nebulous.  Since parts of the
document are public, parts are confidential and parts are sensitive, who
signs the whole document?  You could segment the signatories to each level
of security such that each part has been signed as a whole, i.e. public
component is signed by the CPA to indicate that the information is true and
an executive could sign the confidential parts, etc.

AS a CPA you may not want to sign an entire document that the document is
true if you cannot validate parts of the document.  I would not recommend
it
to anyone.


----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.
Received on Thursday, 5 July 2001 13:35:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:00 UTC