The use of digital signatures as is disclosed in U.S. Pat. No. 4,405,829 issued to Rivest et al. is a method well accepted for document authentication. The usual implementation of digital signatures involves the combination of the signer's personal private key with a hashed representation of a document to create a unique digital signature.
There are sometimes problems associated with the authentication of documents using digital signatures. Digital signatures are attached to entire documents, while often there is a need to manage a hierarchy of signatures where signatures within the hierarchy are interrelated. Military logs, as an example, are a compilation of lesser documents (watches), each of which is the responsibility of a different individual. While the individual watches are subject to modification, such modification cannot be done without destroying the integrity of that watch signature and any higher-level approval signature. Treating the watches as a collection of individually sighed documents without a controlling structure is awkward.
Previous document management schemes either do not allow for the management of the editing of signed documents or require programmed hierarchy information for verification purposes only. For example, in U.S. Pat. No. 5,915,024 by Kitaori et al allows separation of a master document into subdocuments and the signature generation for each subdocument, but does not allow editing and control of the establishment of the subdocuments as a part of the signature creation.
The verification of such segmented documents is also addressed in U.S. Pat. No. 5,661,805 by Miyauchi, allowing the inclusion of relational information to generate document verification but again does not address the maintenance of modifications to the sections subject to signature.
FIG. 1 illustrates the problems associated with the normal document creation procedure. While this Figure and the following discussion describe a military log, it is intended that this be only an example of similar problems within and without the government. After individual watches are recorded (steps 1, 2 and 3 or 10, 11 and 12) they are presented to the officer of the day (OD) for review (step 4 or 13), and possibly correction (step 5 or 14). When corrected, any watch signature must be redone (step 6 or 15). After the OD signs a watch (step 7 or 16) it is then reviewed by the Officer in Charge (OIC) (step 8 or 17). The OIC can order revisions (step 9 or 18). If revisions are then made to a watch, both the watch signature, if made, and the OD signature, if made, must be redone (step 6 or 15). The OIC then signs the watch entries as a final approval after all revisions are made (step 19), after which no corrections can be made (step 20). FIG. 6 illustrates a military log showing some relationships of the log approvals.
While the single watches can be signed as a single document in the traditional manner, the single acceptance signature signifying the approval of the collection of watches, and the invalidation of approval signatures if another watch in the collection of watches is modified makes desirable the compilation of the individually-signed watches as a unified document.
An ancillary problem present in the approval process for documents is the case where a reviewer questions the content of a document he must approve prepared by another. Since often the review process is through a document transfer rather than a face-to-face meeting, such comments are often best managed by inclusion within the document under review. If an existing signature encompasses this document then the embedding of questions by a reviewer could cause the invalidation of the signature if steps were not taken to protect against that event. The inclusion of comments outside the document under review prevents a precise localization of the area under question within the document. The automatic revocation of a digital signature when a comment is inserted to avoid the presence of an invalid signature would cause an unnecessary resigning step if the comment were resolved without a change to the document.