Background: Currently many egovernment C2G services and online banks rely on proprietary schemes for

1
WASP - Web Activated Signature Protocol Motives
for a standardization effort V0.54 July 22, 2005
Background Currently many e-government C2G
services and online banks rely on proprietary
schemes for on-line signatures. A major reason
for this is that there is no generally accepted
standard for this particular task in spite of the
fact that the original EU signature directive was
issued back in 1993. This standards deficit
leads to high costs, platform dependencies, and
is actually thwarting major rollout of online
signatures. WASP, a general-purpose on-line
signature standards proposal represents an
attempt to solve this problem. The long-term
goal is that on-line signatures should be
supported by browsers in the same way as S/MIME
is supported by e-mail clients (built-in). This
slide-show highlights the current situation.
2
Claim Digital signatures are currently not
standardized
But isnt there CMS/PKCS 7, XML DSig, and
S/MIME?
Yes, but the market is nowadays using on-line
web-basedservices and browsers rather than
off-line e-mail for carryingout sophisticated
processes. None of the standards listed
abovedefine a web-browser-based protocol and
usage
3
Currently each trust-network/CA typically have
their own unique signature standard. This
works fine for on-line banks where the CAbank.
Proprietary signature solution
It is all in the family (no interoperability
issues)
4
Currently many trust-network/CA have their own
uniquesignature standard. This works less
satisfactory when there are multiple and
independent trust-networks/CAs.
CA-1
e-Governmentservice
CA-2
?
CA-3
Proprietary signature solutions
It is like if the different CAs had defined their
own e-mail standard
5
The Swedish e-government solution(Note this is
not a Swedish problem though)
Welcome to the Swedish Tax Authority
Please specify from who you got your
ID-certificate
BankID The Swedish Post Office Nordea
CA gt Technicalsignature solution (actually even
the authentication andon-line certificationparts
are unique)
There are on a global basis probably a hundred
different on-line signature schemes currently in
use. Since each scheme requires unique coding by
a service, users have to tell a service as shown
above, what they have in case the service accepts
multiple schemes
6
The basic steps of an on-line signature operation
Service provider(web-server)
Initiate (arbitrary HTTP GET or POST)
Signature Request
Here the local signature software in invoked,and
the user is requested to perform a
signatureprocedure
Optional (system dependent)
Non-standard (WASP target)
Signature Response
Result (arbitrary web content)
7
Additional issues addressed by the WASP standards
proposal

• Operating system independence. Most schemes only
  support Windows. WASP only relies on the
  standard web technologies XML and MIME
• Device independence. WASP supports smartphones
  to workstations. Currently mobile solutions are
  quite different to PC solutions
• Document format independence. Signs TXT, HTML,
  MS-Word, Adobe-PDF, etc. Most schemes only
  support a single format (typically plain text)
• Unified signature procedure. WASP unifies
  on-line signature procedures in the same way as
  is already the case for signed e-mail. Currently
  on-line signature procedures are more or less
  arbitrary
• Multiple signature formats. WASP supports XML
  DSig and CMS (specifiable by the signature
  requester)
• What you see is what you sign (WYSIWYS). In
  harmony with legal and user requirements
• Thin client design. WASP adheres to the web
  paradigm particularly suited for the consumer
  market