The World Wide Web Consortium (W3C) is working with major Internet software companies to create a standard for secure software transfers over the Net, seeking a way to make separate initiatives compatible.
"Everyone has it in their best interest to try to get an interoperable standard," said Philip DesAutels, project manager of W3C's digital signatures initiative. Initial participants working to write a standard include IBM, which has its CryptoLopes secure containers; Microsoft, which has Authenticode to guard against downloading hostile code; Netscape, Sun Microsystems' JavaSoft unit with its Java Archive (JAR) initiative; Oracle, Intel, AT&T, and others.
The initiative seeks to move beyond "digital IDs" that simply identify an individual or server on the Net. The "digital signatures" link a user's identity to a particular document, an email message for example, to show not just who the person is but that the user attests to what is written in the document.
"Digital signatures are the next step to saying what you can trust on the Web," said DesAutels, who likened digital IDs to signing a blank piece of paper. "Unless there's an assertion, it doesn't mean much."
"Digital signatures are only one part of the puzzle. They just tell you, 'I signed this.' It doesn't make an assertion," DesAutels added. "What Web users are interested in is, 'What is the level of trust?' For that, you have to have an assertion."
Digital signatures could be used in many ways. A "digital signature" might state that Microsoft attests that a particular ActiveX control is bug-free and won't harm a user's hard drive. They also would be highly relevant for users trying to verify a company's price list as legitimate or identifying an authorized Web site from a spoofed one.
On intranets, companies could use digital signatures to control access to specific content or to catalog documents as relevant for specific departments.
The first phase of work on the digital signature initiative is due to wrap up next month, when a draft specification will be published. Next, an implementation stage would begin, with a broader range of smaller companies as well as firms based in Europe.
The Digital Signature Initiative doesn't intend to create a rating for a particular document, but a structure so different entities can rate the document or active content, much like what the W3C's PICS (Platform for Internet Content Selection) initiative did for ratings of Web sites.