Secure Workflow. Was: "Dry" and "Wet" signatures - A definition

Aleksej,

I find your comments regarding the to date mostly unsolved (and unaddressed) workflow issues extremely valid.

A further complexity is that few organizations, including the US federal agencies, have yet begun to look at how secure messaging is to be accomplished on a wider scale except by using e-mail.

However, e-mail has huge limitations for sophisticated (automated and interactive) workflow compared to web-based systems, where the "transaction" and the "view" are typically not using a common representation.  The latter of course has a major impact on how signatures can be utilized.

I have personally "toyed" with a number of use cases in order to clear the picture for myself (to begin with...).  One simple but still pretty universal such use case is the e-purchasing process, where one or more employees are running an internal workflow system in which a purchase request is, after proper authorization, converted into a purchase order and sent to a supplier.

My own take on the aforementioned e-purchasing process and using the web is as follows:

1. The user is (when he considers himself ready) presented with a completed requisition proposal in, for example, HTML or PDF, which he is requested to sign and submit.  In the background the actual data is usually held by the web server session in a "computer-friendly" format.

2. After signature validation etc. by the workflow system, the requisition is archived together with the user's signature for possible future reference.

3. Assuming the user is the final authorizer, a purchase order is now created in a B2B-network specific format (like UBL or EDI), based on the requisition data (kept in the web session).

4. The completed purchase order is then archived in a table linked to the signed requisition for possible future reference.

5. Finally, the purchase order is secured [*] and sent away for fulfillment in a B2B-network defined way.

Steps 2-5 are automatically performed by the workflow system (server).  Except for user signatures, the scheme above is the de facto standard way of performing B2B operations.

regards
Anders Rundgren
Working for a major US computer security company but here acting as an individual

[*] This part is unfortunately a major problem for many people working with PKI, as it is really the workflow system that creates, secures, and sends purchase orders to external suppliers.  Due to this, existing [and widely used] B2B schemes are almost exclusively non-secured or are using shared secrets, as such schemes (in spite of being completely inferior) seem to pass without major consideration, while "signing PKI-servers" immediately bring in the legal department ("a machine has no will or legal power") and the security experts ("this is violating end-to-end security"), and force most such efforts to a dead halt.  A perhaps vain hope is that these very interesting issues will be properly "aired" when/if a web signature standards process is launched.
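
The "dry" detached-signature flow of steps 1-5 above (and of the quoted "Dry" definition further down), as an added example that is not part of the original posts: the workflow server keeps the requisition in machine-readable form, renders the static view the user signs, re-renders it to verify the detached signature, and archives data, view digest and signature together. The Ed25519 user key, the text rendering and the sample requisition are assumptions made for this sketch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Requisition is the "computer-friendly" record the web session holds (constructed sample).
type Requisition struct {
	ID, Supplier, Item string
	Qty, Amount        int
}

// Archive is stored after validation (step 2): data, digest of the exact signed view, signature.
type Archive struct {
	Req      Requisition
	ViewHash [32]byte
	Sig      []byte
}

// NewUserKey stands in for the user's signing credential (assumed Ed25519).
func NewUserKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// RenderView is the read-only document shown to the user (step 1); it is derived
// deterministically from session data so the server can re-render it at validation.
func RenderView(r Requisition) []byte {
	return []byte(fmt.Sprintf("REQUISITION %s\nSupplier: %s\nItem: %s\nQty: %d\nAmount: %d\n",
		r.ID, r.Supplier, r.Item, r.Qty, r.Amount))
}

// Sign is the user side: a detached signature over the shown view only (the "dry" scheme).
func Sign(priv ed25519.PrivateKey, view []byte) []byte {
	d := sha256.Sum256(view)
	return ed25519.Sign(priv, d[:])
}

// Validate re-renders the view from session data and checks the detached signature
// against it, so a view or amount altered after signing is rejected rather than archived.
func Validate(pub ed25519.PublicKey, r Requisition, sig []byte) (Archive, error) {
	view := RenderView(r)
	d := sha256.Sum256(view)
	if !ed25519.Verify(pub, d[:], sig) {
		return Archive{}, fmt.Errorf("signature does not match requisition %s", r.ID)
	}
	return Archive{Req: r, ViewHash: d, Sig: sig}, nil
}
```

Because only the rendered bytes are signed, the archive must keep the digest of the exact view next to the session data; without that binding the later purchase order cannot be tied back to what the user actually saw.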

----- Original Message ----- 
From: "A. Jerman Blazic" <aljosa@e5.ijs.si>
To: <w3c-ietf-xmldsig@w3.org>
Sent: Thursday, August 25, 2005 11:28
Subject: RE: "Dry" and "Wet" signatures - A definition

Dear Anders

Web Signing is indeed an interesting proposition to consider for some standardization initiative. The major concern in this scope is not signing (validation, wet, dry or anything else) but the workflow of forms associated with a business/government process. Forms may come in a complex workflow, and the associated signatures should follow the workflow. This is where I see the major problem, as there were (AFAIK) only some awkward attempts by XAdES to introduce "counter signatures" (whatever that means). Workflow management is indeed a complex issue and no standardization so far has been achieved. Putting signatures on top of that is another (complex?) issue, which I would be interested to discuss.

Regards

Aleksej

> -----Original Message-----
> From: w3c-ietf-xmldsig-request@w3.org 
> [mailto:w3c-ietf-xmldsig-request@w3.org] On Behalf Of Anders Rundgren
> Sent: 25. avgust 2005 11:08
> To: w3c-ietf-xmldsig@w3.org
> Subject: "Dry" and "Wet" signatures - A definition
> 
> Dear list,
> In a previous posting where I referred to some discussions 
> concerning a possible Web Sign standards effort within OASIS, 
> "Dry" and "Wet" signatures were mentioned.  Several off-list 
> messages indicate that these terms need a proper explanation.
> 
> This comes as no big surprise as these terms have actually 
> been coined by myself in the absence of an established 
> terminology in this actually rather virgin field.
> 
> "Wet" web-signatures
> An editable document, be it an MS Word document or an HTML 
> form with edit fields, radio buttons etc. is filled-in and 
> signed by the user and then sent to the service provider.
> 
> "Dry" web-signatures
> The user is (after an arbitrary interactive process with a 
> service provider) presented with a static (read-only) document 
> and is requested to sign it in order to indicate 
> "acceptance".  Since the document actually comes from the 
> service provider, the result sent to the service provider is 
> typically only a detached signature of the shown document.
>  
> Further comments
> These schemes represent two different schools, one which 
> tries to mimic the existing paper form world, while the other 
> scheme is more aligned with how the web is currently used.
>  
> Implications
> Superficially these schemes may appear similar, but that is 
> indeed not the case; there is probably a 10-to-1 difference 
> in complexity unless you restrict "Wet" signatures to only 
> support a single document format.  The reason for this 
> increase in complexity is that each document format has its 
> own native signature format (or has no defined signature 
> format at all), as well as its own input data validation 
> scheme.  Using "Dry" detached signatures, you can achieve the 
> same thing as S/MIME does, namely document format 
> independence with respect to the signature process (except 
> for some trivial canonicalizations).  Possible input data 
> validation is assumed to have been carried out in earlier 
> phases of a web session, using standard web methodology.  
> There are numerous other implications as well concerning the 
> use of "Wet" and "Dry" signatures, but these are far outside 
> the range of an e-mail posting.
> 
>  
> Anders Rundgren
> Working for a major US computer security company but here 
> acting as an individual
> 
> 

Received on Saturday, 27 August 2005 10:29:36 UTC