wissel.net

Usability - Productivity - Business - The web - Singapore & Twins

You approved what?


We all love our processes and the associated workflows. I recently even discovered a set of paper-based ones at a customer site. I'm looking here at approval flows, not execution flows (which are basically checklists, so everything is done in the right sequence and documented). In a nutshell they are all the same:
If someone claims it is more complicated than that, laugh at them
Someone requests something, a set of approvers muses about it and the result has consequences. We have all built this type of application in eMail, Notes, Sharepoint, dBase, using spreadsheets, paper forms or high-powered BPMN/BPML/BPEL engines. Workflow engines are supposed to ease the creation of the forms flowing through the process. They follow the same pattern: the user fills in the form, some routing magic happens, the approver sees the same form, but with approve/reject and eventually a comment etc. We record who approved and when (even using a signed section in Notes client apps) and the routing (and notification) magic kicks in again.
Since our systems are well designed and secure this works very well. Does it?
When we only record the who and when of approvals, but not the what, we open the door to the challenge: "I never approved THAT". So we need to capture a snapshot of what the record looked like at the moment of approval. Ideally that snapshot gets secured with a digital signature, leading to non-repudiation. Now the next approver needs to endorse not only the data snapshot at the time of approval, but also the previous signature, so it can't be retracted either.
Approvals need to overlap each other
Now try to model that in an RDBMS (let me know if you succeed). This is one of the reasons why workflows are document oriented (sure, you can persist it into an RDBMS, but you need to reassemble it to validate the signatures) and will stay that way for the foreseeable future. The current "gold standard" for document signatures is XML Signature, with a JSON equivalent in the making.
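The overlapping approvals described above, as an added example that is not part of the original post: each approver signs the record snapshot together with who, when and the previous approver's signature. It uses Lamport one-time signatures instead of the XML Signature the post names, only so that it runs on Python's standard library; the approver names, the request and all function names are constructed for illustration, and each Lamport key may sign only one approval.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in scheme, stdlib only): public key = hashes of secrets.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret per digest bit. A key must sign only ONE message.
    return b"".join(sk[i][b] for i, b in enumerate(bits(msg)))

def verify(pk, msg, sig):
    return len(sig) == 8192 and all(
        H(sig[32*i:32*i+32]) == pk[i][b] for i, b in enumerate(bits(msg)))

def payload(e, prev):
    # Signed bytes: what + who + when + the previous approver's signature.
    return json.dumps({"what": e["what"], "who": e["who"], "when": e["when"],
                       "prev": prev}, sort_keys=True).encode()

def approve(chain, what, who, when, sk):
    e = {"what": dict(what), "who": who, "when": when}  # snapshot as seen by approver
    prev = chain[-1]["sig"] if chain else None
    e["sig"] = sign(sk, payload(e, prev)).hex()
    return chain + [e]

def verify_chain(chain, pubkeys):
    prev = None
    for e in chain:
        if not verify(pubkeys[e["who"]], payload(e, prev), bytes.fromhex(e["sig"])):
            return False
        prev = e["sig"]
    return True

def demo():
    # Constructed sample data: two approvers, one purchase request.
    (sk1, pk1), (sk2, pk2) = keygen(), keygen()
    keys = {"alice": pk1, "bob": pk2}
    req = {"item": "laptop", "amount": 1200}
    chain = approve([], req, "alice", "2013-12-13T09:00Z", sk1)
    chain = approve(chain, req, "bob", "2013-12-13T11:30Z", sk2)
    edited = json.loads(json.dumps(chain))   # deep copy, then alter one stored field
    edited[0]["what"]["amount"] = 12000
    return verify_chain(chain, keys), verify_chain(edited, keys), verify_chain(chain[1:], keys)
```

`demo()` returns the verification result for the intact chain, for a chain with one altered field, and for a chain with the first approval removed. `verify_chain` needs only the stored chain and the approvers' public keys, so the check can run outside the application that holds the records.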
Some applications have support for signatures built in. For others we need to have a look at code. Stay tuned.

Update/Bonus challenge: Make the non-repudiation externally verifiable (e.g. submit that to the court evidence collection). Hint: it is in the data, not the application.

Posted by on 13 December 2013 | Comments (7) | categories: Business

Comments

  1. posted by Nigel on Friday 13 December 2013 AD:
    Nice little article. Amazing that so few people understand that concept. I guess when you come from a Notes background, you understand security a lot better.
  2. posted by Ian Randall on Friday 13 December 2013 AD:
    Are you asserting that digital signatures are the only way to achieve non-repudiation of an approval in a workflow?
  3. posted by Stephan H. Wissel on Friday 13 December 2013 AD:
    I'm asserting that you need to capture all three: who, when, what. I'm also asserting that digital signatures are an established way to achieve non-repudiation.

    And I'm admitting I wouldn't know of another method that can withstand scrutiny - but I'm happy to learn.

    The easiest attack against an application (and not cryptography) based approach:

    Q: Is there any user/admin who had direct access to the database table
    A: (in all cases) - Yes the superadmin

    Q: Could the superadmin alter one field in the table
    A: Yes

    -> not watertight

    and of course there are clever mothers
  4. posted by Nathan T. Freeman on Friday 13 December 2013 AD:
    Welcome... to the Blockchain. :-)
  5. posted by Bruce Elgort on Friday 13 December 2013 AD:
    A few clicks in Salesforce and it's done. Even printing AND reporting.


  6. posted by Dan Sickles on Saturday 14 December 2013 AD:
    As for knowing how a document looked at a point in time, there are databases in which time is a fundamental concept (Datomic). For other databases there are ways of capturing point-in-time state without explicit record/document versioning.

    As for non-repudiation, I'm not a repudiator so no worries.
  7. posted by Haran on Tuesday 17 December 2013 AD:
    Hello Stephan,

    Nice and very simple article. Can you also please provide what graphics tool / software you used to create such nice graphics?