
1 WASP (Web Activated Signature Protocol) Application Note #2 – Signature container considerations

WASP was designed to support What You See Is What You Sign (WYSIWYS), which is quite logical but also has consequences for how you actually design information systems. It is important to keep in mind that whatever method you deploy, a reasonable signature scheme should not hold the user responsible, except for data which the user has seen. In addition, user considerations also make it reasonable to limit the user’s signature view to the core of the transaction, rather than requiring the user to view and accept data which the user has little knowledge of, or no control over. This includes things like order IDs and similar, which are only of significance to internal or external bookkeeping processes.

Note that WASP is based on the use of “dry signatures”, which means that the requesting service already has a copy of the data to sign. That is, WASP is exclusively intended for user confirmation of a transaction (or agreement etc.), while the transaction is supposed to have been created in an earlier phase of the current web session. Because WASP displays data in the same fashion as the rest of the web application, signatures appear as integrated processes.

The following pages show how information systems can deal with WASP signatures and signature views.

V0.6, © 2005 by Anders Rundgren (anders.rundgren@telia.com)

2 The user’s view of a transaction…

[Figure: the WASP signature dialog. Callouts: “WASP application frame (fixed)” and “Customer-supplied signature request (typically HTML)”.]

Customer-supplied signature request:
Acme Stores
Purchase order application
Supplier: Name: MegaToys AB; Address: Storgatan 3; City: Stockholm; Zip: 11100; Country: Sweden
Item ID: 1-556-442; Description: Teddy bear, 30cm; Price: $4.46; Quantity: 100; Subtotal: $446.00
Total: $446.00
Authorized by: Name: John Smith; Phone: +1.415.555.3453

WASP application frame:
Signature request by: secure.acmestores.com
By digitally signing the document shown above, you confirm that you have read and understood the implications of its content
Buttons: Sign... / Cancel...

3 The computer’s view of the same transaction…

4 So how do you combine these views in a signature-enabled application?

Solution 1: combine the views at the information system layer only (loose/non-cryptographic binding)

[Diagram: User View (U) and Computer View (C). Labels: Signature process; Verify signature (accept); Create computer view; Save computer view; Save signed user view linked to the computer view]

This scheme assumes that the computer view is what an eventual receiver is interested in, not what the (to them maybe unknown) user did. Such an arrangement is applicable to, for example, B2B purchasing, where order authorization for all but unusual or high-value orders is supposed to be handled within the purchasing organization. How the computer view is secured when sent outside of the enterprise is not a part of this application note, but an organizational “stamp” signature is always an option.

Note that the scenario above may often be the only way to add signatures to existing processes, due to a legitimate wish to create order IDs only for committed and authorized orders. Otherwise there may be “holes” in the sequence of order IDs.

5 Solution 2a: Sign the user view as well as a hash of the computer view

[Diagram: User View (U) and Computer View (C). Labels: Create a hash of the computer view; Signature process; “Composite” signature]

This scheme binds the two different objects together cryptographically, which may at first sight seem ideal, but it also puts restrictions on the computer view, as it must be created in whole before the signature can be applied. Note that the computer view is not downloaded to the signing user (who can’t make any use of it), only the pre-calculated hash.

Because the hashes of the user view and the computer view appear as two separate objects in a signature, an external receiver can verify the signature with respect to the computer view without necessarily having the user view.

A variation (2b) on the basic theme is shown on the next slide, where only the elements of the computer view that have a direct counterpart in the user view are actually hashed and subject to signing.

6 Solution 2b: Sign the user view as well as a hash of the pieces of the computer view that matches the user view
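
The composite signature of Solutions 2a and 2b, sketched as an added example that is not part of the original note or of WASP itself. Assumptions: the computer view is a constructed JSON-style record, the field and function names are hypothetical, and an HMAC stands in for the user's public-key signature so that the code runs with the Python standard library only.

```python
import hashlib
import hmac
import json

# Constructed sample data; HMAC stands in for the user's public-key signature.
USER_KEY = b"constructed-demo-key"
USER_VIEW = b"<p>Teddy bear, 30cm: 100 x $4.46 = $446.00</p>"
COMPUTER_VIEW = {"order_id": "PO-EXAMPLE-1", "item_id": "1-556-442",
                 "quantity": 100, "price": "4.46", "total": "446.00"}
SHOWN_FIELDS = ("item_id", "quantity", "price", "total")  # have a user-view counterpart


def canonical(obj) -> bytes:
    """Deterministic serialization so both parties hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shown_part(view: dict) -> dict:
    """Solution 2b: keep only the elements the user actually saw."""
    return {k: view[k] for k in SHOWN_FIELDS}


def sign_composite(user_view: bytes, computer_hash: str, key: bytes) -> dict:
    """Signer side: holds the user view but only the hash of the computer view."""
    signed = {"user_view_hash": digest(user_view),
              "computer_view_hash": computer_hash}
    tag = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": tag}


def verify_computer_view(container: dict, hashed_obj, key: bytes) -> bool:
    """Receiver side: checks the computer view without needing the user view."""
    expected = hmac.new(key, canonical(container["signed"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, container["signature"]):
        return False
    return hmac.compare_digest(digest(canonical(hashed_obj)),
                               container["signed"]["computer_view_hash"])


# 2a hashes the whole computer view; 2b hashes only the shown elements.
SIG_2A = sign_composite(USER_VIEW, digest(canonical(COMPUTER_VIEW)), USER_KEY)
SIG_2B = sign_composite(USER_VIEW, digest(canonical(shown_part(COMPUTER_VIEW))), USER_KEY)
```

Under 2a any later change to the computer view, including a bookkeeping field such as the order ID, invalidates the check; under 2b only changes to the elements the user saw do.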

