OASIS Unfurls Standard for Digital Signatures

OASIS has approved a standard for digital signatures using XML. The standard, called Digital Signature Services (DSS) version 1.0, enables the sharing of digital signatures without the use of "complex client software," according to an announcement issued by the organization.

The standard aims to facilitate security in electronic commerce, as well as in Web-based applications. It incorporates existing digital signature standards formulated by the IETF (Internet Engineering Task Force) and ETSI (European Telecommunications Standards Institute).

The DSS standard can make it easier for companies to verify documents because signing keys are maintained on a secure server, rather than being managed individually, according to OASIS' announcement.

"DSS allows sensitive signing keys to be protected by using tamper-proof signing devices and by locating the server in a room with controlled access. Costs are reduced with DSS, because security can be highly localized," explained Nick Pope of Thales eSecurity Ltd. in the announcement. Pope is also co-chair of the OASIS DSS Technical Committee.

The DSS standard describes two XML-based request and response protocols, according to the announcement. One of the protocols is used for signatures and the other is used for verification. The standard supports time-stamping, corporate seals, electronic postmarks and code signing.

The process of verification works using "a range of transport and security bindings," according to OASIS' DSS FAQ. The use of HTTP Post or SOAP over transport layer security is optional.

OASIS, or Organization for the Advancement of Structured Information Standards, is an international nonprofit consortium that advocates for e-business standards.

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.