Re: SignatureProperties element from tgindin@us.ibm.com on 2000-05-23 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: <tgindin@us.ibm.com>
Date: Tue, 23 May 2000 19:14:52 -0400
To: "John Messing" <jmessing@law-on-line.com>
cc: CN= "\"IETF/O=W3C XML-DSig WG\"" <w3c-ietf-xmldsig@w3.org>
Message-ID: <852568E8.007FB51F.00@D51MTA04.pok.ibm.com>
     SignatureProperties was not included in the specification for the
primary purpose of technology neutrality.  I believe that it actually began
life as an analogue of PKCS #7's AuthenticatedAttributes.  This
specification deals with digital signatures, rather than general electronic
ones, in any case, and IMO a great deal of extension would be required to
permit any kind of signatures other than digital signatures in this format.
     The specification does support, quite explicitly, the use of shared
secret key authentication as a form of "signature", so there is no
restriction to asymmetric keys let alone to X.509-style certificates.  I
doubt that "a hash of the biometric or the document, or  both" will
constitute adequate proof of an electronic signature in any case, because a
document hash does not identify the originator and a biometric hash could
be pasted from any validly signed document to a new one.
     This does not mean that SignatureProperties should be eliminated (far
from it), nor that a greater degree of technology neutrality would be
undesirable in a later version of the specification.  The current version
might allow a signature to be recorded consisting of a message digest in
SignatureValue with a SignatureProperty containing a voice recording of the
signer saying something like "I, John Doe, am signing document X on Date Y
with digest (SignatureValue)" or it might not.  It would run against the
grain of the approach employed, where machine verification of signatures is
generally possible, and I have no idea what the SignatureMethod would be.

          Tom Gindin


"John Messing" <jmessing@law-on-line.com>@w3.org on 05/23/2000 09:34:14 AM

Sent by:  w3c-ietf-xmldsig-request@w3.org


To:   "\"IETF/W3C XML-DSig WG\"" <w3c-ietf-xmldsig@w3.org>
cc:
Subject:  SignatureProperties element




I sense that this element does not fit elegantly into the  overall work of
this group and if it had its own consciousness, would probably  feel a
little bit like the character in the children's story of  Cinderella.

I think the element is useful, and may turn out  to be critical in future
developments. One of the assumptions of the work  product of this group
appears to be that digital signatures of the type  supported by X-509
certificates will be the dominant if not exclusive signature  technology of
the next decades.

Legal developments are going in the opposite direction  from such an
assumption.

The Uniform Electronic  Transactions Act (UETA) was authored by the
National Conference of Commissioners  on Uniform State Laws, which took
almost four years on the project. Essential  points include a definition of
an electronic signature as ?an electronic sound,  symbol, or process
attached to or logically associated with a record and  executed or adopted
by a person with the intent to sign the record,? and a  legislative
determination that a signature or record may not be denied legal  effect or
enforceability solely because it is in electronic  form.

A  number of states have recently adopted the uniform law. These include
Arizona,  California, Idaho, Indiana, Minnesota, Nebraska, Pennsylvania,
South Dakota,  Utah and Virginia. A number of other states are in the
process of various stages  of adoption.

Both  the U.S. House of Representatives and the Senate have passed bills
providing for  national regulation in those states where the uniform law is
not yet adopted.  There are significant differences between the House and
Senate versions and a  compromise bill has been drafted. The compromise
bill provides that as an  alternative to adoption of the UETA, a state may
simply adopt legislation which  is not inconsistent with the federal law.
Like the UETA, the Congressional bills  include as an allowed electronic
signature ?an electronic sound, symbol, or  process".

The use of the word "sound" is deliberate. Under  the terms of these laws,
which will soon be in effect in one form or other in  all of the states of
the United States, it will be possible to sign  electronically using a
biometric as the authentication method. Preferably the  biometric signature
will include a hash of the biometric or the document, or  both, or a
digital signature, for the purposes of data integrity.

The European Union has a 1999 directive which  has a similar philosophy of
technology-neutrality as the American legislation.

We can expect a number of different signature  technologies to emerge. One,
which is laready recognized in many legal  jurisdictions, is the Chris
Smithies' signature dynamics, which uses a signature  tablet and a stylus
to create a digital file that includes signature  characteristics, or
properties.

Applications will need to know how the signing  application authenticated
the signer and how it dealt with data integrity. These  will be properly
handled as Signature Properties, to my way of thinking. It will  be an
error that will mar the usefulness of the work product of this group to
assume or insist upon digital signatures supported by x-509 certificates as
the  only, or even dominant technology. For these reasons, I think it is
indispensible to leave Signature Properties reserved for future
developments in  this area.
Received on Tuesday, 23 May 2000 19:15:15 UTC