With support for signing XML documents in its WYSIWYS solution, Cryptomathic now provides the means to offer the much desired What You See Is What You Sign (WYSIWYS) feature for both PDF documents and XML files. With WYSIWYS, it is possible to demonstrate that signatory’s intent was provided for, with a well-specified UI, thereby strengthening non-repudiation of online transfers or other signature operations. The new feature is now available as part of the latest Cryptomathic Signer product version, released in November 2018.
Introduction to WYSIWYS
The concept of What You See is What You Sign was envisioned by Peter Landrock and Torben Pedersen in 1998. This is of paramount importance when speaking about digital signatures. Being able to demonstrate WYSIWYS capabilities allows for smooth transition between the paper world and the digital world.
In the physical world of paper documents, a signatory can physically review the content before committing to it with his handwritten signature. In the digital world, his willful and legally binding consent (the digital signature) is represented as the signature value applied to the hash of document. To most individuals, the latter is obscure and meaningless.
At Cryptomathic, we designed our remote signature solution, Cryptomathic Signer, in such a way that we can guarantee, with a high level of confidence, that the document to be signed will be accurately presented to the user through a trusted viewer - before being effectively signed, under the sole control of the user, with an adequate assurance level (Substantial or High).
The Cryptomathic Signer, combined with the WYSIWYS server solution, provides an extensive audit trail to ensure non-repudiation of origin and emission. We also integrated built-in mechanisms to ensure that relying parties have the means to validate the signature.
As part of the security design, we engineered the solution to:
- Counter man-in-the-middle (MITM) attacks
- Between the Client and the WYSIWYS server
- Between the Client and Cryptomathic Signer
- Counter man-in-the-browser (MITB) attacks
- Enable reuse of federated identity credentials
- Apply use of a nonce to avoid replay attacks
- Ensure authorization of a signature operation is bound to the document hash
The rendering of the data to be signed is an essential feature for demonstrating the WYSIWYS property. In other words, the challenge is
to ensure that the semantic signature user interface (UI) is unique, predictable and reproducible even years after the electronic signature was applied.
The Cryptomathic WYSIWYS always starts the signature experience by fetching the data to be signed from a trusted source, e.g. the business application or a central document management system used to manage the document workflow. From this point, we can initiate the actual signature workflow in a secure and legally binding manner to ensure that the data is signed in a non-repudiable way. In our solution, we primarily distinguish two use cases namely:
- fixed-layout flat documents (e.g. formatted in PDF)
- markup-based layout documents (e.g. formatted in XML)
Fixed Layout Document
Developed by ISO, the PDF/A is today´s defacto standard of the Portable Document Format (PDF) specialized for use in the archiving and long-term preservation of electronic documents. While normal PDF, Word or other file formats do not provide a stable method for encoding documents in an "as printed" form that is portable between systems, PDF/A does. This is also why Cryptomathic WYSIWYS offers options to convert to this format before the signature process is initiated.
We first render the data to be signed in the browser session (trusted viewer) and get the user´s consent after ensuring that all pages were presented to the user. The user´s control is provided over a sole control protocol using our CC EAL 4+ certified signature solution:
Figure: WYSIWYS with Fixed Layout
If long term validation is required, the signature value is returned to the WYSIWYS server to be embedded into a ETSI standardized format to guarantee that the certificate was valid at time of signing and to include a trusted time stamp that can be verified years after the signature was created.
Mark-up based layout Documents (XML)
Fixed layout documents are, however, not always easy to parse by a machine. Human beings however often need to validate or sign machine readable data that will be later processed by a computer or system. The underlying format is often based on the XML formats. This is the case for instance when authorizing financial transactions (e.g. formatted in ISO 20022) or authorizing data as part of a workflow.
Compared to fixed layout (PDFs), the WYSIWYS feature is more difficult to handle with XML files, as the semantic signature UI is not always predictable. To mitigate this, programmers use Extensible Stylesheet Language Transformation (XSLT) with dynamic reference to the XML data to be signed, thereby guarantying predictable presentation of the data for human readability.
Cryptomathic WYSIWYS incorporates the XSLT data, either as information embedded in to the XML document to be signed, or as detached file with a dynamic link including the hash to ensure integrity of the representation in the XML file.
Figure: WYSIWYS with Markup Based Layout (XML)
In both cases, the semantic signature UI then becomes an integral part of the signed data. It is therefore possible to demonstrate even years after the data was signed that a specific UI was presented to the signatory as part of the signature process.