- From: David Wall <dwall@Yozons.com>
- Date: Fri, 13 Dec 2002 20:39:50 -0800
- To: <w3c-ietf-xmldsig@w3.org>
How close is the XML Signature standard to being a great foundation for electronic signatures. As you specify in your article, a digital signature on data does not make an electronic signature, and it's not clear that the XML Signature using digital signatures really is appropriate as an electronic signature standard. After all, they are not the same (see Bruce Schneier's Cryptogram on this at http://www.counterpane.com/crypto-gram-0011.html#1) What I mean is that digitally signing something really means that it came from the party and has not been tampered with. Automated tools using XML Signatures enable the automatic validation of such data (in XML format, obviously), and this can be quite useful (ensuring the data integrity and fact it came from me, for example, could be very useful). But this is more like a checksum with identity than an electronic signature which implies that I am legally binding myself to what the data implies (such as for a contract, agreeing to abide by the terms therein). Aside from highly automated transactional systems (such as order entry), it seems that most XML Signatures won't really be electronic signatures as validating a signature on a contract clearly is insuffient (so automation may not really help) -- it's more important to know what is being agreed to than that it was agreed to, so the content is priority one, followed by the signature. For example, assuming that I had a Word, PDF or HTML file that I'd like to sign because that file contains a contract. What is the substantial value of having this signed using XML Signature? An automated system clearly could accept this XML data and validate the digital signature, but what was agreed to? Did I agree to to fulfill a consulting job for $200 an hour over the next 100 days, or was it $100 and hour over the next 200 days. Even this example results in the same "total cost" but changes the delivery time by a factor of 2x and means you won't have your results in the next quarter! I guess the gist of my question revolves around the fact that I see the true value of digital signatures. I see the true value of being able to automatically verify them, especially to ensure that orders (for example) are originals and come from a known entity (assuming I use my own copy of the sender's public key and not just the public key embedded inside the XML signature). But is this overkill or really necessary for electronic signatures which imply agreement over the terms expressed within, rather than just saying the data has not been tampered with and it's from me? When sending a message that reports on a terrorist attack, for example, or describes how to make a bomb, it's one thing for someone to know that I sent it and it's the original such as using PGP or S/MIME email, and quite another to say that I agree or otherwise want to be legally bound to the ideas expressed within. David Wall
Received on Friday, 13 December 2002 23:39:01 UTC