Formats for Digitally Signed Documents

We attended the EEMA Workshop on digital signatures last week, which had some interesting presentations and group discussion.

Digital signatures based on X.509 PKI are used for a variety of purposes where the technology is directly integrated into the application. Examples are authentication for client/server and server/server protocols and directory signed operations.

An important application, discussed extensively at the workshop, is digitally signed documents. Digitally signed documents will generally make use of intermediate standards to integrate digital signatures with the document formats.

Cryptographic Message Syntax (CMS) is a secure document format defined in RFC 3852, and used by two of the most popular specifications for secure email:

  • S/MIME (RFC 3851) uses CMS to sign and encrypt Internet email.
  • STANAG 4406 Edition 2 uses CMS to sign and encrypt military messages based on X.400.

Although most secure email uses a secure document approach, secure messaging services do not need to use secure documents. X.400 Security provides built-in security that enables a number of security services not possible with a secure document approach (e.g., proof of submission).

Secure documents based on XML will be used increasingly. The key security technology is XML-Signature Syntax and Processing (XMLDSIG), published by the W3C. Microsoft has moved from using CMS in the older versions of its Office products to XMLDSIG in recent versions. Microsoft is looking to tie document signatures to printable document representations, and in particular to the XPS (XML Paper Specification).

ETSI (European Telecommunications Standards Institute) is standardizing secure document profiles using both CMS and XML.

Adobe PDF provides good digital signature capabilities. A number of the speakers noted this and commented on it as a good product.

... Steve Kille
