What is WASP?

WASP (Web Activated Signature Protocol) is a standards proposal for "Web Signing".  That is, signing forms and transactions on the web using an enhanced web browser.  WASP essentially provides an integrated web browser "Sign-off" process combining: and then binding these things together by the use of cryptography, giving a persistent "stamp of authenticity".

What is the WASP web site featuring?

A proof-of-concept WASP "emulator", and a few sample applications, enabling people ranging from lawyers to cryptographers to get some initial "feel" for Web Signing using WASP.

But don’t I need a private key and certificate to sign web transactions?

Absolutely!  However, the proof-of-concept emulator was deliberately created in such a way that nothing needs to be installed or downloaded (everything runs on the server, including cryptographic operations).

Which is the target audience for WASP?

Anybody interested in securing web transactions using PKI (Public Key Infrastructure).  Typical applications include:

Is WASP a new concept?

No, it is rather a "compilation" of similar schemes already in use by millions of people in the EU for on-line banking and e-Government services.

Why bother with a standard for Web Signing?

For reducing costs for creating secure services as well as supporting interoperability for inter-organizational workflow operations.  WASP is intended to be the web browser’s counterpart to the S/MIME signature mechanism, which is preinstalled in every e-mail client including Outlook and Thunderbird.

What are the primary WASP features?

Is WASP suitable for on-line payment operations?

Yes and no. See next section.  Using payment schemes based on trusted intermediaries like 3D Secure, WASP can indeed support payments.

Does WASP protect users from dishonest service providers?

No.  WASP and similar schemes do not protect users from dishonest service providers since you typically cannot check what service providers do with received signatures and associated data.  That is, the scope of WASP is the user's own trusted service providers, hopefully including banks, employers, and government agencies.  Although this may appear as a major limitation, all kinds of signatures are in fact primarily an interest for the receiver (relying party).  In the case a user needs "evidence" of some kind, a signed receipt is a possible solution.

Does WASP support end-to-end security?

Yes.  However, in many applications like in B2B purchasing, WASP signatures would typically not be transferred to external parties.  This is due to the fact that purchase orders and similar business messages in most cases, are authorized, created, and finally secured, at the purchasing system level, while the purchasers’ signatures are only saved locally for binding purchasers to their associated purchase orders.

Does WASP support signing of "live" form data?

No.  Supporting "live" form data would constrain format independence while also being redundant, since user input preferable is performed (and validated), before entering any kind of "sign-off" procedure.  This is also the de-facto standard way of handling such scenarios on the web

Does WASP support encryption?

Yes and no.  Explicit message encryption indicates that the web application neither is the actual recipient, nor is trusted.  However, then you are also very close to e-mail-like functionality, which a Web Sign standard-to-be should not need (or try) to duplicate.  Due to this, encryption beyond what is already available in the web environment (i.e. HTTPS), is not supported by WASP.

Does WASP support multiple signatures?

Yes and no.  WASP does not support putting a signature on top of an already signed document.  However, this limitation does in no way hamper the ability to support multiple signatures in the information system layer.  In fact, such a scheme is much more flexible than relying on cryptographic methods only, as it can cope with different semantics like co-signatures by peers, or a final authorization signature by a manager.  Also see next paragraph regarding signature validation.

Does WASP support signature validation?

Yes and no.  WASP does not support local signature validation.  This is due to fact that local signature validation adds nothing but hassles for users who may have to process certificate paths from unknown PKIs as well as dealing with expired certificates. This seems to be a job ideally tailored for the web server application, including returning signature data in a user-interpretable manner.  That is, the server preferably validates signatures when received, and then the result is simply mirrored to the user when needed.  This scheme makes it easy to avoid the situation where a user may believe something is wrong because a certificate has expired although it vas actually valid when used in a signature operation.

Does WASP support time-stamping?

No.  WASP is a real-time signature system, where the difference between a user's signature time and the receival time, is typically only 0.5 - 10 seconds.  In addition, most real world providers like patent offices, only consider their own receival time as the actual filing time.  After receival a provider may at its own discretion, add a time-stamp to the received signature but that is outside of the WASP specification, which does not specify anything regarding what to do with a signature after basic validation.  In the presumably extremely rare case when is important to prove that a signature was not performed before a certain time, the provider may indeed insert a signed time-stamp in the optional "hidden fields" provided by WASP.  The client [software] also inserts its own non-validated time in a signature response, if the selected signature profile requires that.  If this time differs markedly from that of the receiver's, the signature may be rejected by the provider.  For "time critical" applications like patent filings, it seems that a more natural usage of time-stamping, would be to return a signed and optionally also time-stamped receipt (preferably in a standard format such as PDF), to the filing user, who may have to show this to other parties.

Does WASP support client API scripting?

No.  The reason for leaving out client scripting is that scripting would effectively disable a well-defined signature GUI and process, require additional server roundtrips, as well as impeding document format independence.

I would rather like to sign XML, is that possible?

Since plain-vanilla XML does not render itself in a user-interpretable way in a browser, you have a number of options.  A workable scheme is to provide transaction data in two flavors, HTML for the user, and XML as a hidden object.  An even better way is to exploit WASP’s ability to sign hashes provided by the requesting service, since it does not make sense downloading invisible data to the user.  Note that in both cases, the hashes of the HTML and XML documents are provided as distinct objects in the signed container.  Using an XSL style sheet linked to the XML document is another possibility.

Why does not WASP use SOAP?

SOAP is a request-response protocol primarily designed for machine-to-machine communication.  WASP is also a request-response protocol, but the request is actually an HTTP response (body), while the WASP response is actually an HTTP request, where the corresponding HTTP response is intended for human consumption which typically is just an HTML page.  This is similar to the Liberty POAS (reverse SOAP) scheme.

Does WASP support signing only specific parts of a document?

No.  WASP is primarily intended to be used in integrated workflow systems.  In such systems there is no concept of a "modified" document, you rather go back one step and repeat a procedure until all parties in the workflow chain are satisfied.  If there is a need to inform the user that he or she is only responsible for certain part of a view, it should be possible to highlight those, while still allowing the signature to work over the entire document (set).

Which are the major WASP deliverables?

The core of the WASP standard proposal is defined by the following deliverables:

How can I get the WASP specification?

Currently there is no formal specification, but a set of documents that put together describe WASP in a fairly detailed way.

How will WASP be shipped?

The long-term goal is that WASP should be a part of a standard browser distribution.  Before this has happened (it may in fact never happen depending on the outcome of the standardization effort), code will be made available in many ways, including Open Source.  More information will be posted at a later date.

Who is backing the WASP effort?

At the time of writing, WASP is essentially a private initiative by Anders Rundgren, WebPKI.org.  However, talks are currently held with government representatives in several countries in order to verify the concept’s applicability, perform "adjustments", as well seeking their support.  Yes, the naked truth is that raising standards is equally much a political process, as it is a quest for good technical solutions...


* * *

V0.8, 20-Aug-2008