Digital Signature Initiative

Version 1.0: June 1, 1996

Introduction

In early 1996, W3C identified digital signatures to be one of the major market drivers for Web Security. There are two specific applications that are driving the market:

1. The need for quality assurance on code loaded over the network.
2. The need to authenticate documents, including political statements and public documents from corporations with a presence on the Internet.

W3C convened a meeting of representatives of major stakeholders in this area to determine possible interest in working together to provide solutions. In addition to a clear statement of interest, these representatives

• strongly recommended to Microsoft that they modify their proposed code validation interface to remove the distinction between "large" and "small" software manufacturers.
• offered to find significant resources to move the area forward;
• requested that W3C put significant resources (at least one full-time staff person) on the project as soon as possible;

Requirements

1. In order to be effective, the Digital Signature Initiative needs to move very rapidly. Initial commercial products will be shipped in the summer of 1996, but the companies have indicated that they will retain some flexibility for an additional year or so. As time passes, however, the stakes are deeper in the ground and the ability of W3C to influence products will fade.
2. The solution must take ease-of-use as a primary consideration, even at the possible expense of flexibility.
3. The solution needs buy-in from (at least) the major Web client and server manufacturers, the operating systems developers, and organizations willing to provide identity services (certificate authorities or others).
4. The solution cannot mandate a specific cryptographic algorithm and must not require a single certification hierarchy.
5. The first meeting separated the problem into two parts: the ability to make statements about information (ownership, authorship, platform availability, testing, etc.) and the statement of identity of the signer. Each must be addressed, but separating them will allow a simpler solution to emerge than attempting to solve the problem as a whole.
6. The first meeting also agreed that it should be possible to acquire signed statements by any one of three methods:
   • embedded in the object the statement is about
   • transmitted with (but not in) the object the statement is about
   • from a trusted third party

Current Situation

Several major companies (including Netscape, Microsoft, Oracle, JavaSoft, and IBM) have announced their plans to address this basic area. Nonetheless, they attended the initial meeting and have indicated their willingness to work together to produce interoperable solutions. While these companies have partnered with various certificate authorities (VeriSign, GTE) who have significant stakes in the existing (but not widely deployed) public key infrastructure, there are indications that all parties would consider major changes to this infrastructure if they occur quickly and as a joint effort. While W3C cannot provide the technical leadership from its own staff in this area, we are well positioned to work with the existing technical leaders to come to a joint plan to move forward quickly.

Products

It is not yet clear what W3C's role will be in this initiative. Clearly, we provide the neutral meeting place. Our connection to the MIT security and systems strengths (Rivest, Lampson) also give us some credibility technically. It is likely that W3C will be asked to produce specifications for the digital signature initiative, probably based around our existing work on PICS and PEP. In fact, the work on the digital signature initiative is likely to emerge as the S (Signature) part of the SEA security architecture that W3C has proposed over the past year. W3C may wish to produce implementations as part of its own server and/or browser platforms as demonstrations of feasibility, but the market driver force here is probably enough to ensure wide-spread deployment independent of W3C implementation efforts.

Next Step

W3C must find a full-time staff person to participate in this effort and then convene, as soon as possible, a second meeting of the participants. We must also report on this initial development at the next Security Working Group meeting. As a result of this, we are likely to receive requests from additional companies to participate in the Initiative. It will be imperative to carefully select participants, and this will require a certain amount of effort, tact, and diplomacy on the part of the W3C.

At the current time, the Initiative is strictly U.S. companies. With W3C beginning its security and electronic commerce work in Europe over the summer, we must decide whether European involvement in this Initiative is appropriate. If so, we must organize our work carefully to capitalize on resources and issues on both sides of the Atlantic.

Public Commitments

W3C has publicly committed to the hiring of a full-time staff person for this initiative, and we have informally said that this work will begin over the summer of 1996. To have any serious impact, the work must be well underway by September of 1997.