RE: Signed-XML (revised) ("Electronic" Signature in RD)

Hi all,

Not to beat it to death, but I just thought an electronic signature should have a proper place in an XML file.  ...as a "signature" as opposed to "just another piece of data".  Then a program could handle this type of signature properly because it has an accepted identity as a signature.  

Perhaps the flag that sez what algorithm to use would indicate "not verifiable" as opposed to "RSA" or "DSS".  (and likely the data type will need some attention too.)

It seems I overstated my point about "all rights and benefits".  I meant something more like "all rights and benefits of an electronic signature."  I apologize.

That said, I trust you to come up with the right answer.  Because I'm new to XML and the W3C, I will defer to your judgment.

Thanks for listening,

Larry

PS:  And yes, I agree at some point we ought to define terms.

> ----------
> From: 	Winchel 'Todd' Vincent, III[SMTP:Winchel@mindspring.com]
> Reply To: 	Winchel 'Todd' Vincent, III
> Sent: 	Friday, June 25, 1999 2:42 PM
> To: 	Joseph M. Reagle Jr.
> Cc: 	IETF/W3C XML-DSig WG
> Subject: 	Re: Signed-XML  (revised) ("Electronic" Signature in RD)
> 
> 
> > At 05:46 PM 6/23/99 -0700, Bugbee, Larry wrote:
> >  ><new para>
> >  >And given that an electronic signature is still a signature, it should
> > enjoy all the rights
> >  >and benefits of other signatures.
> 
> I disagree in two respects: (1) all signatures should not enjoy all the
> rights and benefits of other signatures.  Although this notion is debatable,
> emerging law supports it (see below) (2) even if all signatures are equal,
> XML-Signatures, as a technical specification, is not where the "rights and
> benefitss" of any signature will be determined -- this is a legal
> question/determination that will be decided in legislaturures and courts.
> 
> > At 05:46 PM 6/23/99 -0700, Bugbee, Larry wrote:
> ...albeit it is not cryptographically
> > strong and verification
> >  >is difficult.
> 
> "Cryptographically strong" vs. "Not Cryptogrphically Strong" has an
> analogous distinction in the law which is reflected in three definitions:
> "electronic signature", "secure electronic signature" and "digital
> signature."  Accordingly, we need to define our terms.
> 
> An "electronic signature" can be just about any mark/symbol or method (an X,
> email headers, a click, a bitmap signature, credit card verification, etc.)
> provided there is a requisite "intent to sign" (i.e., mental state +
> action/mark).
> 
> http://e-ct-file.gsu.edu/ERSA/Definition-ElectronicSignature-Insecure_1.asp
> 
> I often call such symbols or methods "insecure" electronic signatures.  The
> following is an example of an electronic record with an "insecure"
> electronic signature marked up in XML:
> 
> <ElectronicDocument>
>     <Assertion>
> I agree to pay $1.00 in exchange for one peppercorn.
>     </Assertion>
>     <Signature>
>     Todd Vincent
>     </Signature>
> </ElectronicDocument>
> 
> This is obviously not what this workgroup is trying to accomplish.
> 
> A "secure electronic signature" is generally defined as:
> 
> "an electronic method executed or adopted by a party with the intent to be
> bound by or to authenticate a record, which is (1) unique to the person
> using it, (2) is capable of verification, (3) is under the sole control of
> the person using it, (3) and is linked to data in such a manner that if the
> data are changed the electronic signature is invalidated."
> 
> http://e-ct-file.gsu.edu/ERSA/Definition-ElectronicSignature-Secure_1.asp
> 
> A "digital signature" is a "secure electronic signature" that employs an
> asymmetric cryptosystem.
> 
> http://e-ct-file.gsu.edu/ERSA/Definition-DigitalSignature_26.asp
> 
> Clearly, this group is attempting to define standards for using XML with
> digital signatures.  My understanding is that it is important to accomodate
> symmetric (secret key) signatures as well.  John Boyer mentions biometric> 
> signatures that employ encryption.  Generally, the disctinction between what
> is "insecure" and "secure" hinges on a technology that uses a
> cryptographically strong technique to bind a unique thing (which is in the
> control of a person) to an electronic document.
> 
> It seems clear to me that this group is not concerned with Xs, typed
> signatures, email headers, bitmapped signatures or other such "insecure"
> technology.
> 
> It is clear that we are concerned with digital signatures.
> 
[ snip ]

> However, Larry's comment, above, seems to contemplate signatures that are
> not cryptographically strong.  I do not believe this group needs to concern
> itself with signatures that do not fit the definition of "secure" above
> (which, based on my knowledge, means a signature that uses cryptography).
> 
> > At 05:46 PM 6/23/99 -0700, Bugbee, Larry wrote:
> >  ></new para>
> >  >
> >  > Do you think the wording in sections 2.1, 2.2 and 2.3B sufficiently
> > captures that notion?
> >  >I'm not sure.
> 
> Accordingly, I think 2, 2.1, and 2.2 are stated very well.
> 
> [Joseph Reagle]
> >
> > I think this is the notion that has been raised in the past, for instance
> > see [1], and Boyer's response which I think is a fair assesment of
> people's
> > thoughts on it.
> 
> I agree.  However, again, it seems to me that John Boyer and Larry are
> saying two different things.
> 
> Todd Vincent
> 

Received on Friday, 25 June 1999 21:52:40 UTC