Slashdot Mirror


Seeking a Practical Guide to Digital Signatures?

ScuzzMonkey asks: "I work for a small company trying to streamline some business processes in Washington State. As a part of this initiative, we're considering implementing a 'paperless' contracts system. In order for this to work out, on our end, we need a legally acceptable method of electronically signing the contract documents that we receive via fax from our sub-contractors (at this time, they will still be signing manually; this may eventually move to e-mail and digital signatures on their end as well as they become more capable of dealing with us on that level). On the face of it, this seems pretty straightforward. I set up some sort of certificate or some such for our employees responsible for signing these documents, and they simply review the TIFF attachment that comes in from the fax software and 'sign' it with their digital signature via a selected program. With the passage of the E-Sign Act (PDF) in 2000, it seems like this should be every bit as solid in court as a written signature. But while I've been able to find quite a lot of information on the web about the theoretical ramifications of this law, there's not much on practical implementations. What sort of software should I use? Do I need a third-party issued certificate? If so, do I just need one for the company, or one for each signer? What certificate authorities would you recommend? Do some certificates work with some software but not other software? What about this program from the state? Has anyone done this successfully yet? Any other stumbling blocks I should be aware of here, either legal or technological?"

2 of 65 comments

  1. Use GnuPG by redcliffe · Score: 2, Insightful

    It signs messages and files just fine. What's wrong with using it?

    1. Re:Use GnuPG by An+Audience+of+One · Score: 2, Insightful
      It signs messages and files just fine. What's wrong with using it?

      The problem you have with this is not the signing itself, but with key trust relationships. Basically, I can create a key with any name & email address - how do you know that it is actually me? There are several methods to solve this. Either you have to meet in person and give them the key there, or it has to be signed by a mutually trusted 3rd party. Meeting in person usually defies the point of public key encryption - you might as well just use symmetric if you can give them the key. The second option is a trusted 3rd party - but who do you trust that much? If you recall, there was a Slashdot story a while back (can't find the link) about VeriSign signing dodgy Microsoft certificates.

      GnuPG actually uses a web of trust system - if you have verified someone's key in person, and you have signed it to say you trust it, then it assumes you trust any key they sign. This introduces another weak point though. Even if you only sign keys after personally verifying fingerprints, do all the people whose keys you've signed?

      There are several programs out there you can use, but if you are interfacing with customers using this, with either you verifying their signatures or them checking yours, there are going to be 2 problems: do they trust the tech in general, and are they prepared to trust it, and how do you trust each other's keys? There probably needs to be a high-profile 3rd party that you can both trust to authenticate against - but are there any at the moment for use with general signing tools? (Something like the certificates used in https/SSL, probably.)
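The trust propagation described in the comment above, as an added illustration that is not part of the thread: a simplified re-implementation of the classic GnuPG validity rule (a key becomes valid when certified by one fully trusted or three marginally trusted valid keys, GnuPG's default thresholds), using constructed keys and fingerprints. It is a model for teaching, not GnuPG's own code, and it shows the weak point raised above: a careless certifier you trust fully makes an impostor key valid, whereas marginal trust with the default thresholds does not.

```python
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"  # ownertrust levels; "ultimate" is treated as full here

@dataclass
class Key:
    fpr: str                 # constructed sample fingerprint, not a real key
    uid: str
    certified_by: set = field(default_factory=set)  # fprs of keys that signed this one

def compute_validity(keys, own_fpr, ownertrust, completes_needed=1, marginals_needed=3):
    """Return {fpr: bool}. A key is valid if it is your own key, or is certified by
    at least `completes_needed` fully trusted valid keys or `marginals_needed`
    marginally trusted valid keys. Only already-valid keys can vouch, so validity
    spreads outward from your own key one certification at a time."""
    valid = {own_fpr}
    changed = True
    while changed:  # repeat until no further key becomes valid
        changed = False
        for fpr, key in keys.items():
            if fpr in valid:
                continue
            vouchers = [c for c in key.certified_by if c in valid]
            full = sum(ownertrust.get(c) == FULL for c in vouchers)
            marginal = sum(ownertrust.get(c) == MARGINAL for c in vouchers)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(fpr)
                changed = True
    return {fpr: fpr in valid for fpr in keys}

def scenario(bob_trust):
    """Constructed scenario: I verified Bob, Dave and Erin in person and signed their
    keys. All three signed Carol's key. Bob also signed a key that merely claims to
    be Carol (he never checked the fingerprint). The ownertrust I assign to Bob as a
    certifier decides whether the impostor key is accepted."""
    me    = Key("ME00", "me@example.invalid")
    bob   = Key("B0B0", "bob@example.invalid", {"ME00"})
    dave  = Key("DAVE", "dave@example.invalid", {"ME00"})
    erin  = Key("ER1N", "erin@example.invalid", {"ME00"})
    carol = Key("CAR0", "carol@example.invalid", {"B0B0", "DAVE", "ER1N"})
    fake  = Key("FAKE", "carol@example.invalid", {"B0B0"})  # impostor with Carol's uid
    keys = {k.fpr: k for k in (me, bob, dave, erin, carol, fake)}
    ownertrust = {"ME00": FULL, "B0B0": bob_trust, "DAVE": MARGINAL, "ER1N": MARGINAL}
    return compute_validity(keys, "ME00", ownertrust)

if __name__ == "__main__":
    print("Bob fully trusted:     ", scenario(FULL))      # impostor key accepted
    print("Bob marginally trusted:", scenario(MARGINAL))  # Carol valid, impostor rejected
```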