Representatives from five OASIS corporate members (Entrust, Datum, NIST, webMethods, TIBCO) have proposed the creation of a new Digital Signature Services Technical Committee to develop techniques to support the processing of digital signatures. According to the proposal, the OASIS DSS technical committee will "define an interface for requesting that a web service produce and/or verify a digital signature on a given piece of data and techniques for proving that a signature was created within its private key validity period. The TC will develop a protocol for a digital signature creation web service. Providing digital signatures via such a web service facilitates policy-based control of the provision of the signatures. The TC will also develop a protocol for a centralized digital signature verification web service that can verify signatures in relation to a given policy set. Finally, the TC will develop an XML-based protocol to produce cryptographic time stamps that can be used for determining whether or not a signature was created within the associated public key's validity period or before revocation. This is required as part of the signature verification algorithm." Robert Zuccherato of Entrust Inc. will serve as the DSS TC Chair.
From the proposal:
"... there is a need for XML-based techniques for proving that data existed at a particular point in time. While this more general problem is not, strictly speaking, within the scope of the TC, the ability of the proposed solutions to solve this problem will be considered, as much as possible, while remaining consistent with the scope of the TC."
Proposed technical committee deliverables include:
1. an XML-based protocol providing a method or methods of proving that a private key was used during its validity period
2. a SOAP binding for the protocol elements in #1
3. a WS-Security profile for the elements in #1
4. an interface for a centralized digital signature creation web service
5. an interface for a centralized digital signature verification web service
Sponsors of the proposal:
- Robert Zuccherato, Entrust Inc., robert.zuccherato@entrust.com
- Brian Phelps, Datum, bphelps@datum.com
- Bill Burr, NIST, william.burr@nist.gov
- Jeremy Epstein, webMethods, jepstein@webmethods.com
- Don Adams, TIBCO, dadams@tibco.com
From the 2002-10-07 Entrust announcement: "Entrust, Inc., a leading global provider of Internet security solutions and services, today announced that it has submitted a set of security standards proposals for Web services to the Organization for the Advancement of Structured Information Standards (OASIS). These standards proposals specify open, XML protocols for digital signature and timestamping services operating in a Web services context. Entrust has submitted these proposals to accelerate the adoption of Web services standards, and is committed to implementing these standards as they evolve through and emerge from the OASIS standards body..."
From the W3C/IETF XML Signature Charter: "Digital signatures provide integrity, signature assurance and non-repudiatability over Web data. Such features are especially important for documents that represent commitments such as contracts, price lists, and manifests. In view of recent Web technology developments, the proposed work will address the digital signing of documents (any Web resource addressable by a URI) using XML syntax. This capability is critical for a variety of electronic commerce applications, including payment tools."
From the W3C XML Digital Signatures Activity Statement: "Digital signatures are created and verified using cryptography, the branch of applied mathematics concerned with transforming messages into seemingly unintelligible forms and then back again. Digital signatures are created by performing an operation on information such that others can confirm that a holder of a secret performed the operation and that the signed information has not subsequently changed. In a symmetric key system, both the sender and receiver need to be privy to the secret. In the public key cryptographic system, the holder of the private (secret) key signs information, but anyone with access to the public key can confirm that the signature is valid. The novel feature of public key cryptography is that knowledge of the public key used to confirm signatures does not reveal information about the private key itself."
Principal references:
- Digital Signature Services TC Proposal
- "OASIS Members Work to Develop Digital Signature and Timestamping Protocols. Entrust, IONA, NIST, webMethods, TIBCO, Verisign, and Others Collaborate on Security Standard to Accelerate Web Services Deployment." Announcement 2002-10-24.
- Digital Signature Services TC website
- List archive for 'dss' list
- List archive for 'dss-comment' list
- Subscribe to DSS mailing list(s)
- Contact: TC Chair Robert Zuccherato (Entrust Inc.)
- See also: "Entrust Announces New Secure Transaction Platform and Proposed Security Standards."
- See also: "Entrust Leads Security Standards Development for Web Services. Leading EAI Vendors, including webMethods and TIBCO, Support Security Standards to Accelerate Web Services Deployment." Announcement 2002-10-07
- Press:
  - "OASIS Group Forms to Tackle Digital Signature Quagmire." By Brian Fonseca. In (October 21, 2002).
  - "OASIS Tees Up Digital Signatures, Time Stamping." By Richard Karpinski. In InternetWeek (October 24, 2002).
- XML Digital Signature references:
  - "Digital Signatures." - Main Topic Document.
  - XML-Signature Syntax and Processing. W3C/IETF Specification [W3C Recommendation] 12-February-2002.
  - XML-Signature Interoperability Report
  - W3C/IETF XML Signature Working Group
  - W3C XML Digital Signatures Activity Statement
  - Digital Signatures Overview. From Entrust Inc.
- "XML Digital Signature (Signed XML - IETF/W3C)" - Local reference page.