The Certificate facility provides a utility for the signing and validation of standalone certificates in RFC 822 format. Such certificates may be used as orders, receipts, licenses etc. In some cases a certificate may perform more than one function. For example a certificate returned as the receipt for a transaction may also be the license key for the product.
The requirements are divided into two parts. At the highest level the user requirements specify the main goals. The functional requirements define technical goals that are implied by the high level goals.
RFC-822 provides a convenient format for presenting information.
Issuer: CERN Authorization: WEB-94-001 Authorized-User: Phillip M. Hallam-Baker CERN ECP PTG Product-Name: Webmaker Producer: CERN-PTG Units: 0 Version: 1.0 Start-Date: 01-Jan-1994 Expriy-Date: 31-Dec-1995 Availability: 0 Options: Hardware-ID:
Another presentation option would be to use SGML. This would however require a set of standards for the signing of SGML documents. Shen already provides a means of signing an RFC-822 module.
In addition to the standard MIME tags it is convenient to give special meaning to the following:
In addition to the above it is desirable that other necessary commercial information be expressible. For example taxation registration codes (such as European Union V.A.T. numbers).
The definition of tags within a certificate should have a well defined legal meaning. If a certificate is to be signed which contains tags which do not have a recognised meaning within the specification these tags should be queried prior to the signature being applied.
The X- convention should be used for all application or contract specific tags. Provision should be made for ensuring that the definition of such tags be clearly defined legally. Eg by registering the definition of the tags within a contract with a third party or by enclosure of the contract terms within the certificate.
The Certificate handling module should be closely related to the forms interface. A user must be protected from being tricked into signing a bogus order through use of hidden fields in a form. Provision must also be made to permit additional safeguards when a form is signed with a particular signature (eg one valid for monetary transactions). Such proceedures may involve a requirement for a particular form to be countersigned by another party or for an additional checking stage to be performed.
Adopting RFC822 header format as a standard for interchange of form data has a number of advantages. The format is easily understood by a user and it is practical to present a user with a form in the encoded format prior to final dispatch. There already exists an authority for defining semantics for header tags. Finaly an RFC822 system could be accessed by users with mail only access to the Internet while reusing substantial quantities of code.
A prototype implementation has been made in C and a grammar description language. This contains the following modules:
The following issues are not yet resolved:-