Walcott and Bishop describe a security model that addresses the need for the digital signing of government documents, so that document authors and the people who sign the document can be clearly established. The authors summarize other well-known security models, such as Bell-LaPadula, Biba, Clark-Wilson, and Chinese Wall. They also briefly cover models that are not as well known, including originator controlled (ORCON) and clinical information systems security (CISS), and elaborate on their shortcomings with respect to the application domain.
The authors first define the creation rule and the alteration rule. When a file is created by an author, it is not automatically signed, because the author may simply produce a draft that he or she would not like to sign. The author’s identity is stored in the author set of the document. Similarly, the alteration of an existing document voids all previous signatures in the signer set, and adds the user to the author set.
The signature rule leaves the author set unmodified, and adds the user to the signer set. The copy rule retains both sets unmodified. The authors of the paper formally show that, once a system is in a secure state, it cannot reach an insecure state by performing any sequence of the aforementioned operations. The proof is quite straightforward.
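The four rules as a small executable model, added here as an illustration rather than code from the paper: it assumes a state is secure when no signature in the signer set was made over content that has since changed, and the names (Document, alter, sign, copy, is_secure, stays_secure, alter_without_voiding) are my own.

```python
import hashlib
import random

def digest(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()

class Document:
    def __init__(self, author: str, content: str):
        # Creation rule: creator joins the author set; nothing is signed yet.
        self.content, self.authors = content, {author}
        self.signers = {}  # signer -> digest of the content that was signed
    def alter(self, user: str, new_content: str) -> None:
        # Alteration rule: voids every signature, adds the user as an author.
        self.content, self.signers = new_content, {}
        self.authors.add(user)
    def sign(self, user: str) -> None:
        # Signature rule: author set untouched, user joins the signer set.
        self.signers[user] = digest(self.content)
    def copy(self) -> "Document":
        # Copy rule: content and both sets are carried over unchanged
        # (the author set is never empty, so next(iter(...)) is safe).
        dup = Document(next(iter(self.authors)), self.content)
        dup.authors, dup.signers = set(self.authors), dict(self.signers)
        return dup
    def is_secure(self) -> bool:
        # Assumed secure-state definition: no signature is over stale content.
        current = digest(self.content)
        return all(d == current for d in self.signers.values())

def alter_without_voiding(doc: Document, user: str, new_content: str) -> None:
    # Counterexample (not a rule of the paper): editing without voiding leaves stale signatures.
    doc.content = new_content
    doc.authors.add(user)

def stays_secure(steps: int = 200, seed: int = 1) -> bool:
    # Random sequence of the model's operations from a secure start; invariant checked each step.
    rng, users = random.Random(seed), ["alice", "bob", "carol"]
    doc = Document("alice", "draft v1")
    for i in range(steps):
        op = rng.choice(["alter", "sign", "copy"])
        if op == "alter":
            doc.alter(rng.choice(users), f"revision {i}")
        elif op == "sign":
            doc.sign(rng.choice(users))
        else:
            doc = doc.copy()
        if not doc.is_secure():
            return False
    return True
```

Running stays_secure() exercises the paper's claim on one random trace; alter_without_voiding shows the invariant check catching an editor that forgets the alteration rule.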
An important issue that needs to be addressed to use such a system is unique names for users and signers (for example, X.509 distinguished names). The authors conclude the paper by giving an example for each of the rules. The model presented seems obvious, and the proposed approach does not seem very new; the proof, however, is a relevant contribution. This is a very useful paper if you need a proof that shows that such create, sign, and modify operations are secure.