1. Field of the Invention
The present invention relates generally to a data processing system and in particular to digital signatures. More particularly, the present invention is directed to a computer implemented method, apparatus, and computer usable program code for generating secure digital signatures over rich web application content.
2. Description of the Related Art
Public key cryptography is a form of cryptography that uses a public key and private key pair. The private key is kept secret and is known only to its holder. The public key is mathematically related to the private key and may be distributed publicly. A digital signature is an application of public key cryptography in which the private key is used to create a signature. Any user holding the public key may then verify the signature.
Thus, a digital signature is a cryptographically secure means of both protecting a message from tampering and associating an individual's identity with the message content. A message is any type of information or communication, such as, for example and without limitation, an email message, an extensible markup language (XML) representation of an electronic form representing a business transaction, a contract, or any other finite length byte sequence. A form is a general purpose application with special enablement for data collection and transport. A signer of a digital signature is a user that effects the transaction or contract, such as a transaction or contract represented by a form.
A digital signature typically includes a message authentication token and a signer authentication token. The authentication token for the message should be cryptographically secure. Similarly, the authentication token for the signer should be bound to the message in a cryptographically secure manner. These measures are necessary to ensure that it is computationally infeasible to tamper with the message without invalidating the digital signature, or to associate the signer's authentication token with an altered message without invalidating the signature. Furthermore, it should be feasible to invalidate the signature by expiry or revocation of the signer's credentials.
The signing identity is composed of a private key and a public key certificate. The signer's private key material must be used to help generate a digital signature to associate the identity of the signer with the signed message content. Access to the operations involving the signer's private key is only granted to trusted applications on the end-user's computer. This is a problematic requirement for web applications that restrict deployment of client-side executable code other than the client-side web browser. Additionally, it is difficult to digitally sign content that fully represents the rich web application experience of the user because the bulk of the content comprising the full web application is maintained by the server.
In one current practice, digital signing of rich content documents is provided via client-side software. However, this solution requires the user to install or upgrade client-side software to enable the digital signing of rich content documents provided by the rich content document server.
In another current practice, rich content documents are provided by zero footprint web application server products that are incapable of digital signature security. A zero footprint web application server is a server that provides access to web applications without downloading or installing software associated with the application on the client. However, this solution compromises the security and authenticity of the documents because digital signature security is unavailable to the users.