IETF, W3C agree: digital signatures need XML

The Internet Engineering Task Force and the World Wide Web Consortium (W3C) combined forces this week to develop a strategy for supporting digital signatures on the Web. The joint working group wants to employ XML to make digital signatures, which use public and private key encryption to identify users, universally accessible.

The Internet Engineering Task Force and the World Wide Web Consortium (W3C) combined forces at the 45th IETF meeting in Oslo this week to develop a strategy for supporting digital signatures on the Web.

The joint working group wants to employ XML to make digital signatures, which use public and private key encryption to identify users, universally accessible.

Creating an XML standard for the technology is important because XML applications are on the rise, says working group co-chair Joseph Reagle, a technology and society policy analyst at the W3C. Companies are using XML forms for loans and other documents and need to be able to access applicants' signatures through various applications, he says. "Anyone that cares about authentication will care about [digital signatures]," he adds.

The standard will specify a set of XML tags that labels the digital signature as a cryptographic identifier and maps it to the appropriate Web resource such as a certificate vendor's URL for verification.

Reagle says the XML approach works with current encryption technologies such as X.509 or PGP certificates.

The working group hopes to have a standard ready by year-end.

But Paul Hoffman, director of the Internet Mail Consortium, says XML digital signatures have an obstacle.

Hoffman says digital signatures are not catching on because people don't trust third parties such as encryption vendors to verify signatures. "It's the trust that's the problem, not the format," he says.

The government should be the trusted third party, he says. But the chances of that happening are slim. The U.S. government does not want to be the administrator of a signature database, Hoffman concedes.

The alternative is for banks or the U.S. Postal Service to hand out digital signatures as an extension to their traditional services, he says.

Join the newsletter!

Error: Please check your email address.
Show Comments
[]