RE: "Dry" and "Wet" signatures - A definition

Dear Anders

Web Signing is indeed an interesting proposition to consider for some
standardization initiative. The major concern in this scope is not signing
(validation, wet, dry or anything else) but the workflow of forms associated
with a business/government process. Forms may come in a complex workflow, and
the associated signatures should follow the workflow. This is where I see the
major problem, as there were (AFAIK) only some awkward attempts by XAdES to
introduce "counter signatures" (whatever that means). Workflow management is
indeed a complex issue and no standardization so far has been achieved.
Putting signatures on top of that is another (complex?) issue, which I would
be interested to discuss.

Regards

Aleksej

> -----Original Message-----
> From: w3c-ietf-xmldsig-request@w3.org 
> [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Anders Rundgren
> Sent: 25. avgust 2005 11:08
> To: w3c-ietf-xmldsig@w3.org
> Subject: "Dry" and "Wet" signatures - A definition
> 
> Dear list,
> In a previous posting where I referred to some discussions 
> concerning a possible Web Sign standards effort within OASIS, 
> "Dry" and "Wet" signatures were mentioned.  Several off-list 
> messages indicate that these terms need a proper explanation.
> 
> This comes as no big surprise as these terms have actually 
> been coined by myself in the absence of an established 
> terminology in this actually rather virgin field.
> 
> "Wet" web-signatures
> An editable document, be it an MS Word document or an HTML 
> form with edit fields, radio buttons etc. is filled in and 
> signed by the user and then sent to the service provider.
> 
> "Dry" web-signatures
> The user is (after an arbitrary interactive process with a 
> service provider) presented a static (read-only) document 
> and is requested to sign it in order to indicate 
> "acceptance".  Since the document actually comes from the 
> service provider, the result sent to the service provider is 
> typically only a detached signature of the shown document.
>  
> Further comments
> These schemes represent two different schools, one which 
> tries to mimic the existing paper form world, while the other 
> scheme is more aligned with how the web is currently used.
>  
> Implications
> Superficially these schemes may appear similar, but that is 
> indeed not the case; there is probably a 10-to-1 difference 
> in complexity unless you restrict "Wet" signatures to only 
> support a single document format.  The reason for this 
> increase in complexity is that each document format has its 
> own native signature format (or has no defined signature 
> format at all), as well as its own input data validation 
> scheme.  Using "Dry" detached signatures, you can achieve the 
> same thing as S/MIME does, namely document format 
> independence with respect to the signature process (except 
> for some trivial canonicalizations).  Possible input data 
> validation is assumed to have been carried out in earlier 
> phases of a web session, using standard web methodology.  
> There are numerous other implications as well concerning the 
> use of "Wet" and "Dry" signatures, but these are far outside 
> the range of an e-mail posting.
> 
>  
> Anders Rundgren
> Working for a major US computer security company but here 
> acting as an individual
> 
> 

Received on Thursday, 25 August 2005 09:26:01 UTC