Validation of posted archives

From: Rzepa, Henry <h.rzepa_at_IC.AC.UK>
Date: Thu, 22 Mar 2001 08:23:05 +0000

Validation/authentication seems to be an area where
sociology rather than technology has been relied on.

Might I point out to this forum that about a year ago, my accumulated
"conventional" publication list since around 1995 had mostly
migrated to (or had always been in) electronic form, and I decided to
download all of the available "reprint" files from the various journals
(for which we had site licesenes to do so I add). This amounted
to around 25 Acrobat files (yes, they were all Acrobat). I
decided to see if any of them were "validatable" in a digital sense;
a technology that Adobe have in fact built into Acrobat via so called
X.509 certificates. None were. Indeed, any "validation"
(really authentication, see below) there was was
often associated with the production company, which is of course a
sub-contractor to the publisher. Most of the Acrobat files also had
no "security" settings, ie they were readily editable. Several publishers
I phoned admitted that no form of digital authentication was being applied;
worse they seem unaware that it could be applied.

Whilst I am prepared to believe any current problem with validation and
authenticity is tiny, we all thought that about computer viruses
ten yeara ago. Few would think so now.

I might add that two of our last articles have been in XML
form, and that these have in fact been digitally signed
as both authentic and valid (see below) using
X.509 certificates. To prove the point, my X.509 certificate
is attached with this email to prove its authenticity!
The destination of the article mentioned above is in fact as supplemental
data rather than the primary published article, but by so
signing, our article at least can be authenticated as coming from us,
and that it was created on a given date, and has not been changed
since, and furthermore that it can be assumed to be "valid" XML.

I have alluded above at the difference in
meaning between validation and authentication, since I
suspect the two words sometimes are used interchangeably.

Authentication is the ability to verify that a
document/assertion has been created by the authority
to whom it is attributed and that it is uncorrupted after its creation
Validation is the ability to show that a specified
validation process has been correctly carried out; for example
that the carbon alencies in a specified molecule all are four, or that
say an XML document has the correct form. The latter is of course
far more significant to science in the long term, but also far
more difficult to implement.

Henry Rzepa. +44 (0)20 7594 5774 (Office) +44 (0870) 132-3747 (eFax)
Dept. Chemistry, Imperial College, London, SW7  2AY, UK.

