Digital Signature Initiative [Online Reporter]

Rohit Khare (
Mon, 19 Aug 1996 12:54:14 -0400 (EDT)

This much is now part of the public record, so enjoy....

------- Forwarded Message

| O N L I N E R E P O R T E R |

Weekly dispatches from the Internet Front

Online Reporter is published weekly by G-2 Computer
Intelligence Inc and Apt Data News Ltd.

Publisher: Maureen O'Gara (
US Subscriptions: Heather Aitken (
Editor (London): Chris Rose (
Associate Editor (New York): Bob McMillan
Editorial consultant (London): John Abbott (

New York bureau:
3 Maple Place, PO Box 7, Glen Head,
New York 11545-9864, USA
Telephone: (516) 759-7025 Fax: (516) 759-7028

London bureau:
20 Newman St, London W1P 3HB, UK.
Telephone: +44 (0)171 468 0800 Fax: +44 (0)171 468 0808
European Publisher: Alan Heron (
European subscriptions: Faridah Malik (
(c) Copyright 1996 Apt Data News Ltd.

No portion of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise
without prior permission of Apt Data News Ltd.

Single reader subscription rate: $595 per annum, published weekly
Available online to groups, departments and companies at multiple
reader rates.

London, 19 - 23 August 1996
Issue Number 012a


A new project, being considered by the Worldwide Web Consortium,
would significantly extend the value of code signing. The problem
with digital signatures today is that users have to judge an
applet's merits entirely on the basis of its authorship. There's
no way that the author can grade his or her work. The W3C
committee is proposing a system which is the logical extension of
the PICS system that allows Web sites to rate their risqué Web
sites for the protection of children. Only here, it would protect
sensitive users from risky code. The Consortium's members will
vote on September 15th on whether the project will go ahead.
Microsoft has already committed itself to following the W3C's
lead on code-signing, yet could find the results of the project
painful, since it is already deploying its "Authenticode" system
with Verisign (OR issue 11).

If the project gets the go-ahead, it is likely to result in a
system different from any of today's code-signing implementations
but incorporating the best of each, according to Rohit Khare, W3C
technical staff member. JavaSoft has also said it will abide by
the W3C's recommendations.

If implemented, the project would produce a combined
signing/rating architecture with wide applicability to content on
the Net. The different signing authorities would be able to set
up their own rating policies, and users would be able to choose
what kind of code or content they wished to receive. A magazine,
for example, might decide to rate applets in terms of excellence
and a user might decide to only accept applets given more than
three stars.

The W3C first presented its ideas on merging PICS and signing on
April 15th in a meeting at Netscape's HQ. 15 companies attended,
a number of which, including Microsoft, threw their code-signing
technologies into the pot as the basis for a potential standard.
The W3C is not naming names, but it is thought that Verisign and
GTE were among the attendees, along with IBM (with its cryptolope
technology). The formal terms of the project were thrashed out at
a meeting at the end of July.

By the 15th the broader membership of the W3C will have to decide
whether it wants resources dedicated to the project and
volunteers will have to be found to provide engineering
resources. W3C director Tim Berners-Lee gets to give the final

Khare says that the actual engineering effort itself should be a
short, intensive affair, lasting around six months. Products will
likely appear within a year to 18 months.

------- End of Forwarded Message