Digital Signatures Workshop recap
The latest DII workshop was focused on digital signatures, and took place here in Redmond on Tuesday of this week. This was the first event for which there has been a web participation option (via LiveMeeting), and we had 18 virtual attendees in addition to the 15 people who attended in person. The level of expertise in the room was very high, so it was a great learning experience for me, and I hope for others as well.
The presenters at this event represented a diverse range of perspectives, and included implementers, users, standards professionals, and policy makers. All of the presentations are attached below, and here’s a brief summary of each presentation …
John Marchioni of ARX was first up, with a presentation on the scalability and control benefits of a centralized approach to key management. ARX was one of the contributors to the development of the OASIS DSS (Digital Signature Services) standard, and their CoSign® product was the first implementation of DSS for centralized key management.
The final slide of John’s presentation simply said “What do you think?” but John didn’t have to wait nearly that long for feedback. Early in his presentation, a vigorous debate sprung up about the tradeoffs between centralized and distributed approaches to key management. Cindy Cullen (Safe BioPharma CTO), for example, expressed her concerns about the assurance level that can be obtained in a server-based approach, and others weighed in from the implementer, user and public-policy perspectives. It was a good example of the value of getting a group of experts together to discuss complex issues that don’t lend themselves to a one-size-fits-all solution.
Next up was Ernandes Lopes Bezerra, General Coordinator of Standards and Research at Brazil’s ITI (National Institute of Information Technology). Mr. Bezerra delivered a very comprehensive presentation on the technical, legal, and procedural details of the use of digital signatures in Brazil. It’s clear that ITI has done a great deal of work in this area, and the use of digital signatures is rising rapidly. As an example of that, the Brazilian PKI initiative issued over 126,000 digital certificates in March of this year, after averaging about 30,000 per month through the last few months of 2009.
Gerson Rolim was the next speaker, and he is both the Executive Director of the Brazilian e-Commerce Chamber and Brazil’s coordinator for the Digital Mercusol project. Digital Mercusol is a collaboration between the Mercusol block countries (Argentina, Brazil, Paraguay and Uruguay) and the European Union spanning a variety of technology areas including eID and digital signatures. Mr. Rolim explained how key investments in PKI (public key infrastructure), time stamp infrastructure and a regulatory framework are enabling cross-border e-commerce throughout the Mercusol block and with trading partners around the world.
Office’s support for digital signatures was the topic of the next presentation. Shelley Gu, Program Manager for Office’s Trustworthy Computing team, covered the types of digital signatures supported in Office 2010, and explained how Office supports RFC 3161 (Time-Stamp Protocol), RFC 2560 (Online Certificate Revocation Protocol), XML–Dsig, and XAdES. She then demonstrated Word’s UI and general approach to digital signatures, as well as the new XAdES support in Office 2010, using a simple rental agreement as an example.
Chris Brotsos, Program Manager on the InfoPath team, demonstrated how InfoPath supports EDRM (the Electronic Discovery Reference Model). EDRM defines a set of e-discovery operations and a process for applying those operations, and is used by e-discovery consumers and providers. After the demo, Chris and Shelley led a Q&A session on topics related to digital signature planning for the next version of Office. It was great to get this type of well-informed feedback from digital signature users as we begin planning for the next version of Office.
After a delicious lunch (which we couldn’t figure out how to share with the LiveMeeting participants, unfortunately), Dennis Hamilton (NuovoDoc) gave his presentation on Document Security Anti-Patterns. This was an entertaining talk on the dangers of inadvertently creating patterns of action, process or structure that appear to be beneficial but ultimately produce more bad consequences than beneficial results. Dennis started with simple generic examples and then went through several anti-patterns related to document security and digital signatures. He noted in particular the risks of adding complexity in the pursuit of security.
Cindy Cullen, CTO of Safe BioPharma, covered the use of digital signatures in healthcare and pharmaceuticals. Safe BioPharma is engaged in creating standards for these industries, and has a goal of creating a fully electronic global business environment that addresses the technical, legal, and regulatory requirements of working with the FDA and other entities such as the DEA and NIH. It was impressive to see the level of complexity that arises in these sorts of highly regulated activities; this slide is a good example:
The final speaker of the day was Microsoft’s David LeBlanc, the developer responsible for leading Office’s implementation of digital signatures. The bulk of his presentation was a review of the history and architecture of the XAdES standard, including explanations of the various levels within XAdES. He followed this up with some information about the work he has been participating in within the OASIS ODF TC on how XAdES and encryption will be specified in ODF 1.2.
Each of the sessions was recorded, and we’ll be posting this recordings over on the DII web site in the next few days. I’ll follow up with a link to them when they’re live.
In addition to the presentations, we ended the day with a roundtable discussion of various topics. This was a good free-flowing conversation that went beyond the time we had allotted, and some of the conversation continued over beers later. A few of the topics I found interesting included:
- The suggestion that Office consider OASIS DSS
- A continuation/expansion of the debate about the tradeoffs between centralized and distributed key management
- Digital signature issues and options for mobile devices
- Discussion of the UI challenges related to partial signing of documents
- The need for audit frameworks to verify CFR Part 11 compliance
- And a topic everyone agreed on: the most important emerging digital signature standard is XAdES
Thanks to all of the speakers and attendees for a very informative and interesting event.