With support for signing XML documents in its WYSIWYS solution, Cryptomathic now provides the means to offer the much-desired What You See Is What You Sign (WYSIWYS) feature for both PDF documents and XML files. With WYSIWYS, it is possible to demonstrate that the signatory's intent was captured through a well-specified UI, thereby strengthening non-repudiation of online transfers and other signature operations. The new feature is available as part of the latest Cryptomathic Signer product version, released in November 2018.
Introduction to WYSIWYS
The concept of What You See is What You Sign was envisioned by Peter Landrock and Torben Pedersen in 1998. This is of paramount importance when speaking about digital signatures. Being able to demonstrate WYSIWYS capabilities allows for a smooth transition between the paper world and the digital world.
In the physical world of paper documents, a signatory can physically review the content before committing to it with his handwritten signature. In the digital realm, his willful and legally binding consent (the digital signature) is represented as the signature value applied to the hash of the document. To most people, the latter is obscure and meaningless.
At Cryptomathic, we designed our remote signature solution, Cryptomathic Signer, in such a way that we can guarantee, with a high level of confidence, that the document to be signed will be accurately presented to the user through a trusted viewer - before being effectively signed, under the sole control of the user, with an adequate assurance level (Substantial or High).
The Cryptomathic Signer, combined with the WYSIWYS server solution, provides an extensive audit trail to ensure non-repudiation of origin and emission. We also integrated built-in mechanisms to ensure that relying parties have the means to validate the signature.
As part of the security design, we engineered the solution to:
- Counter man-in-the-middle (MITM) attacks
  - Between the WYSIWYS server and the client
  - Between the Cryptomathic Signer and the client
- Counter man-in-the-browser (MITB) attacks
- Enable reuse of federated identity credentials
- Utilize a nonce to prevent replay attacks
- Ensure that authorization of a signature operation is bound to the document hash
The rendering of the data to be signed is an essential feature for demonstrating the WYSIWYS property. In other words, the challenge is to ensure that the semantic signature user interface (UI) is unique, predictable, and repeatable even years after the electronic signature was used.
The Cryptomathic WYSIWYS always starts the signature experience by fetching the data to be signed from a trusted source, e.g. the business application or a central document management system used to manage the document workflow. From this point, we can initiate the actual signature workflow in a secure and legally binding manner to ensure that the data is signed in a non-repudiable way. In our solution, we primarily distinguish two use cases, namely:
- fixed-layout flat documents (e.g. formatted in PDF)
- markup-based layout documents (e.g. formatted in XML)
Fixed Layout Document
PDF/A, developed by ISO, is today's de facto standard version of the Portable Document Format (PDF) specialized for the archiving and long-term preservation of electronic documents. While ordinary PDF, Word or other file formats do not provide a stable method for encoding documents in an "as printed" form that is portable between systems, PDF/A does. This is also why Cryptomathic WYSIWYS offers options to convert to this format before initiating the signature process.
We first render the data to be signed in the browser session (trusted viewer) and get the user's consent after ensuring that all pages were presented to the user. The user's control is provided over a sole control protocol using our CC EAL 4+ certified signature solution:
Figure: WYSIWYS with Fixed Layout
If long-term validation is required, the signature value is returned to the WYSIWYS server to be embedded into an ETSI standardized format to guarantee that the certificate was valid at the time of signing and to include a trusted time stamp that can be verified years after the signature was created.
Markup-based Layout Documents (XML)
Fixed layout documents are, however, not always easy for a machine to parse. Human beings, on the other hand, often need to validate or sign machine-readable data that will later be processed by a computer or system. The underlying format is often XML-based. This is the case when authorizing financial transactions (e.g., ISO 20022) or data as part of a workflow.
Compared to fixed layouts (PDFs), the WYSIWYS feature is more difficult to apply to XML files, because the semantic signature UI is not always predictable. To counteract this, programmers use Extensible Stylesheet Language Transformations (XSLT) with a dynamic reference to the XML data to be signed, ensuring a predictable presentation of the data for human readability.
Cryptomathic WYSIWYS incorporates the XSLT data, either as information embedded into the XML document to be signed or as a detached file with a dynamic link including the hash to ensure the integrity of the representation in the XML file.
Figure: WYSIWYS with Markup Based Layout (XML)
In both cases, the semantic signature UI then becomes an integral part of the signed data. It is, therefore, possible to demonstrate even years after the data was signed that a specific UI was presented to the signatory as part of the signature process.
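The hash-bound link between the XML data and a detached XSLT stylesheet, as an added illustration that is not Cryptomathic's code: the element and attribute names, the stylesheet URL and the sample payment are constructed assumptions, not the product's format.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the detached XSLT stylesheet the trusted viewer would apply.
STYLESHEET = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/Payment">
    <p>Pay <xsl:value-of select="Amount"/> to <xsl:value-of select="Beneficiary"/></p>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: the machine-readable data the signatory must authorize.
PAYLOAD = "<Payment><Amount>250.00</Amount><Beneficiary>ACME Ltd</Beneficiary></Payment>"
STYLESHEET_URL = "https://example.invalid/payment.xsl"  # hypothetical location


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signable_document(payload: str, href: str, stylesheet: bytes) -> bytes:
    """Wrap the payload together with a link to the detached stylesheet and the
    stylesheet's digest, so the presentation becomes part of the data whose hash
    is signed. 'SignedData'/'Presentation' are hypothetical names."""
    root = ET.Element("SignedData")
    ET.SubElement(root, "Presentation", href=href,
                  algorithm="sha256", digest=sha256_hex(stylesheet))
    root.append(ET.fromstring(payload))
    return ET.tostring(root)


def document_hash(document: bytes) -> str:
    """The value the signature is computed over; it covers the stylesheet
    reference, so swapping the presentation invalidates the signature."""
    return sha256_hex(document)


def presentation_is_intact(document: bytes, fetch) -> bool:
    """Relying-party check, possibly years later: the stylesheet resolved via the
    link must still hash to the digest that was signed alongside the data.
    `fetch(href)` returns the stylesheet bytes (injected so this runs offline)."""
    root = ET.fromstring(document)
    pres = root.find("Presentation")
    if pres is None or pres.get("algorithm") != "sha256":
        return False
    return sha256_hex(fetch(pres.get("href"))) == pres.get("digest")
```

A stylesheet altered after signing (for example one that renders a different field as the beneficiary) fails the check, so the UI shown at signing time cannot be silently replaced.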