W3C home > Mailing lists > Public > w3c-xml-sig-ws@w3.org > April 1999

RE: what does a signature mean ? (standard vocabulary)

From: Martin Lee <m.lee@andtech.co.uk>
Date: Tue, 20 Apr 1999 14:43:24 +0100
Message-ID: <01BE8B3C.25430380@MARTINS.andtech.co.uk>
To: "'Alan Kotok'" <kotok@w3.org>, "'Richard D. Brown'" <rdbrown@GlobeSet.com>
Cc: "'XML-sig group'" <w3c-xml-sig-ws@w3.org>
My own view point on this is coming from wanting an application
to sign automatically generated metadata. I want the data that
is being signed to be uncluttered by any information relating to
the signature. The signature is an additional piece of reassurance
to any applications that choose to support it, that the metadata 
has been generated by a trusted application and has not been
tampered with.

Yes, it could be possible to point to a separate block of data
defining my intentions in signing, but this could generate lots
of additional blocks if everyone who generates metadata does this.

Being explicit in my intentions is necessary to protect myself from
litigation if my metadata generated by my application is found to be
fooled into being wildly incorrect by certain documents or wordings.
I don't want to attach a carefully worded document explaining the
meaning of the signature to every signed document, I just want
a one-line phrase 'I believe it's like this, but I'm not certain; if it isn't
as I say then I'm sorry, please don't sue me' to my signature.
I think most people automatically generating metadata would
require something like this.


Martin Lee
AND Data Ltd

From:  Richard D. Brown [SMTP:rdbrown@GlobeSet.com]
Sent:  19 April 1999 23:33
To:  'Alan Kotok'; 'Martin Lee'
Cc:  'XML-sig group'
Subject:  RE: what does a signature mean ? (standard vocabulary)

Alan, Martin,

I do not think that the XML DSIG proposal shall mandate a RDF statement in
the signature block. Though RDF could provide a formal approach to this
problem, there are many frameworks that may suffice without being explicit.

An application usually comprises processes and rules, which are disclosed to
and agreed upon by the participants. As long as the meaning of signing a
given document is well-defined and properly documented, and all the parties
have made clear their intent to be bound to the rules and aware of potential
liability, there is no need to further specify the meaning of the signature
in the signature block. Sometimes, an application may want to distinguish
between several signatures (i.e. E-Check) but it can do so without making
use of an RDF statement.

I do not think that being implicit or explicit in the signature block will
make a difference from a signature validity standpoint. Adequate
documentation and fair regulations are far more important. Being
explicit or implicit will not change the signer's liability if the process is
ruled deceptive. Being explicit or implicit will not change signature
validity if you cannot prove the intent of the signer because there is no
adequate documentation regarding the process. Being explicit and formal only
helps external agents (agents external to a given process) "interpret" the
meaning of a signature. This does not change anything from a given process


Richard D. Brown
Software Architect, R&D
GlobeSet, Inc. Austin, TX - U.S.

> -----Original Message-----
> From: w3c-xml-sig-ws-request@w3.org
> [mailto:w3c-xml-sig-ws-request@w3.org]On Behalf Of Alan Kotok
> Sent: Monday, April 19, 1999 1:58 PM
> To: Martin Lee
> Cc: 'XML-sig group'
> Subject: Re: what does a signature mean ? (standard vocabulary)
> Martin,
> I am personally convinced of the need for adding explicit semantics to
> signatures.  I am less convinced of the wisdom of trying to define a
> standardized vocabulary of these meanings.  I rather favor the more
> generalized approach of including an "assertion" block in the signature
> block, coded in RDF.  It would then be possible for various interest groups
> to define their own sets of values with explanations in whatever legalese
> they want.
> Your list below is interesting and helpful, but I can think of a dozen
> others I could add.  And I'm not a big fan of "central registries" where we
> get to argue what is on the list and what is not.
> Alan
> At 11:46 AM 4/19/99 , Martin Lee wrote:
> >I missed the subtlety, others will misunderstand too unless its made
> >clear in the specification.
> >
> >Signing a document, or part of a document means different things to
> >different people, from I've seen it, to I believe this to be true, to I
> >legally commit myself to this transaction.
> >
> >I propose that a set of standard vocabulary be suggested, to be included
> >as an attribute to the digital signature.
> >
> >The default being (in the absence of any other assertion):
> >The keyholder has 'touched' or 'received' the signed data.
> >
> >Then in ascending order of commitment:
> >The keyholder has read the signed data.
> >The keyholder has read and agrees with the signed data.
> >The keyholder believes the signed data to be correct.
> >The keyholder believes the signed data to be correct and to be legally bound
> >by it.
> >
> >The first three should cover creating audit trails of who has received/seen
> >a document.
> >The fourth expresses what I wish to say in signing metadata describing
> >documents.
> >The fifth I hope to come close to what the e-commerce people need to assert
> >in their documents.
> >
> >What do people think?
> >
> >Martin
> >
> >Martin Lee
> >AND Data Ltd.
> >Oxford
> >UK
> ___________________________________________________________________________
> Alan Kotok, Associate Chairman
> World Wide Web Consortium                                 http://www.w3.org
> MIT Laboratory for Computer Science,  545 Technology Square,  Room NE43-409
> Cambridge, MA 02139, USA     Voice: +1-617-258-5728    Fax: +1-617-258-5999
Received on Tuesday, 20 April 1999 09:44:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:44:59 UTC
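The design argued over in this thread (an assertion attached to the signature saying what signing meant) has one practical check that the messages do not spell out: the assertion has to sit inside the scope the signature covers. The following Python illustration is added here; it is not code from the thread, from Martin Lee's or Richard Brown's products, or from the XML DSIG work. It assumes a hypothetical five-word vocabulary modelled on Martin's list, a constructed metadata record and key, and uses HMAC-SHA256 as a stand-in for the public-key signature an XML signature would carry; the scoping argument is the same either way. The metadata itself stays untouched (a detached signature), which is what Martin asks for, and the signature block records the assertion. The `sign_naive` variant shows the mistake: an assertion that rides next to the signature but is not under it lets anyone relabel a cautious "believes-correct" signature as "legally-bound" without touching the data or the key.

```python
import hashlib
import hmac
import json

# Hypothetical assertion vocabulary, in ascending order of commitment.
# Modelled on Martin Lee's proposal in the thread; not a standardised list.
ASSERTIONS = ("received", "read", "agrees", "believes-correct", "legally-bound")

# Constructed sample: automatically generated metadata about a document.
# It carries nothing about the signature, so the signed data stays uncluttered.
METADATA = b"<meta><title>Annual Report</title><topic>finance</topic></meta>"

# Constructed signing key. HMAC-SHA256 stands in for the public-key
# signature XML DSIG would use; only the signed scope matters here.
KEY = b"demo-signing-key-not-for-real-use"


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(metadata: bytes, assertion: str, key: bytes) -> dict:
    """Detached signature whose signed scope covers the data digest AND the assertion."""
    if assertion not in ASSERTIONS:
        raise ValueError(f"unknown assertion {assertion!r}")
    signed_info = {
        "digest": hashlib.sha256(metadata).hexdigest(),
        "assertion": assertion,
    }
    sig = hmac.new(key, _canonical(signed_info), "sha256").hexdigest()
    return {"signed_info": signed_info, "sig": sig}


def verify(metadata: bytes, block: dict, key: bytes) -> bool:
    """True only if both the data and the stated assertion are what the signer covered."""
    signed_info = block["signed_info"]
    expected = hmac.new(key, _canonical(signed_info), "sha256").hexdigest()
    if not hmac.compare_digest(expected, block["sig"]):
        return False
    return hmac.compare_digest(signed_info["digest"], hashlib.sha256(metadata).hexdigest())


def sign_naive(metadata: bytes, assertion: str, key: bytes) -> dict:
    """The flawed layout: the assertion sits beside the signature, outside its scope."""
    digest = hashlib.sha256(metadata).hexdigest()
    sig = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return {"digest": digest, "assertion": assertion, "sig": sig}


def verify_naive(metadata: bytes, block: dict, key: bytes) -> bool:
    """Checks data integrity only; never looks at the assertion."""
    expected = hmac.new(key, block["digest"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, block["sig"]):
        return False
    return hmac.compare_digest(block["digest"], hashlib.sha256(metadata).hexdigest())


def demo() -> dict:
    """A forger without the key tries to upgrade 'believes-correct' to 'legally-bound'."""
    good = sign(METADATA, "believes-correct", KEY)
    naive = sign_naive(METADATA, "believes-correct", KEY)
    forged_good = {
        "signed_info": dict(good["signed_info"], assertion="legally-bound"),
        "sig": good["sig"],
    }
    forged_naive = dict(naive, assertion="legally-bound")
    return {
        "good_original": verify(METADATA, good, KEY),               # True
        "good_forged": verify(METADATA, forged_good, KEY),          # False: assertion is signed
        "naive_original": verify_naive(METADATA, naive, KEY),       # True
        "naive_forged": verify_naive(METADATA, forged_naive, KEY),  # True: the flaw
        "data_tampered": verify(METADATA + b"x", good, KEY),        # False
    }


if __name__ == "__main__":
    print(demo())
```

Whether the vocabulary is Martin's fixed list or Alan's free-form RDF block, the verifier has to treat the assertion as part of the signed bytes, as `sign` does; a verifier that only checks the digest, as `verify_naive` does, gives the signer a disclaimer that anyone can rewrite.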