Discussion Regarding Digital Signatures

Discussion in 'Computer Security' started by Ari, Aug 1, 2007.

  1. Ari

    Ari Guest

    There are many digital signature products on the market but they appear
    to be overkill for a project I have due very soon. The project requires
    that a digital signature be applied to an authorization of an e-form
    (Request by a non commissioned officer) by his superior or superiors.

    By "digital signature", the requirements are:

    1) that a physical "mark" appear and
    2) that the digital signature protects the document from tampering
    (invalidates it if tampered with will do)

    When the Request is printed, that mark should also appear.

    Adobe PDF would be useable but it does require that a digital signature
    be applied manually. This is problematic for the User base, an automated
    solution must be sought.

    I am wondering if the best approach would be to find an existing, open
    source, with code and write the automating functions ourselves.

    Comments are appreciated.
    --
    "You can't trust code that you did not totally create yourself"
    Ken Thompson "Reflections on Trusting Trust"
    http://www.acm.org/classics/sep95/
     
    Ari, Aug 1, 2007
    #1

  2. Ari

    Jim Watt Guest

    On Wed, 1 Aug 2007 13:12:40 -0400, Ari <>
    wrote:

    >There are many digital signature products on the market but they appear
    >to be overkill for a project I have due very soon. The project requires
    >that a digital signature be applied to an authorization of an e-form
    >(Request by a non commissioned officer) by his superior or superiors.
    >
    >By "digital signature", the requirements are:
    >
    >1) that a physical "mark" appear and
    >2) that the digital signature protects the document from tampering
    >(invalidates it if tampered with will do)
    >
    >When the Request is printed, that mark should also appear.
    >
    >Adobe PDF would be useable but it does require that a digital signature
    >be applied manually. This is problematic for the User base, an automated
    >solution must be sought.
    >
    >I am wondering if the best approach would be to find an existing, open
    >source, with code and write the automating functions ourselves.
    >
    >Comments are appreciated.


    PGP provides a mechanism for signing documents, however if you are
    looking at an 'automatic' method of signing documents, that's rather the
    same as using a rubber stamp as a conventional signature.

    i.e. without the necessary personal intervention and trust.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Aug 1, 2007
    #2

  3. Ari

    Luca T. Guest

    Ari wrote:
    > There are many digital signature products on the market but they appear
    > to be overkill for a project I have due very soon. The project requires
    > that a digital signature be applied to an authorization of an e-form
    > (Request by a non commissioned officer) by his superior or superiors.
    >
    > By "digital signature", the requirements are:
    >
    > 1) that a physical "mark" appear and
    > 2) that the digital signature protects the document from tampering
    > (invalidates it if tampered with will do)
    >
    > When the Request is printed, that mark should also appear.
    >
    > Adobe PDF would be useable but it does require that a digital signature
    > be applied manually. This is problematic for the User base, an automated
    > solution must be sought.
    >
    > I am wondering if the best approach would be to find an existing, open
    > source, with code and write the automating functions ourselves.
    >
    > Comments are appreciated.


    Begin here:
    http://sourceforge.net/project/showfiles.php?group_id=67103&package_id=188602

    Bye,
    Luca
     
    Luca T., Dec 26, 2007
    #3
  4. Ari

    Ari Guest

    On Wed, 26 Dec 2007 03:40:05 +0100, Luca T. wrote:

    > Ari wrote:
    >> There are many digital signature products on the market but they appear
    >> to be overkill for a project I have due very soon. The project requires
    >> that a digital signature be applied to an authorization of an e-form
    >> (Request by a non commissioned officer) by his superior or superiors.
    >>
    >> By "digital signature", the requirements are:
    >>
    >> 1) that a physical "mark" appear and
    >> 2) that the digital signature protects the document from tampering
    >> (invalidates it if tampered with will do)
    >>
    >> When the Request is printed, that mark should also appear.
    >>
    >> Adobe PDF would be useable but it does require that a digital signature
    >> be applied manually. This is problematic for the User base, an automated
    >> solution must be sought.
    >>
    >> I am wondering if the best approach would be to find an existing, open
    >> source, with code and write the automating functions ourselves.
    >>
    >> Comments are appreciated.

    >
    > Begin here:
    > http://sourceforge.net/project/showfiles.php?group_id=67103&package_id=188602
    >
    > Bye,
    > Luca


    Focus on Italian CAs?
     
    Ari, Dec 27, 2007
    #4
  5. Hello!
    You wrote on Wed, 26 Dec 2007 03:40:05 +0100:

    A> Adobe PDF would be useable but it does require that a digital
    A> signature be applied manually. This is problematic for the User base,
    A> an automated solution must be sought.
    ??>> ??>> I am wondering if the best approach would be to find an
    ??>> existing, open source, with code and write the automating functions

    Don't know about automation, but if you can do some coding, you can check
    PDFBlackbox ( http://www.eldos.com/sbb/desc-pdf.php ), it can be used to
    apply the signature and it doesn't require Acrobat. You can also use Acrobat
    SDK, but you would need to have Acrobat installed on the system where you do
    signing. PDFBlackbox is more practical from this point of view.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Dec 27, 2007
    #5
  6. Ari

    nemo_outis Guest

    "Eugene Mayevski" <> wrote in
    news:fkvsn8$1ao9$:

    > Hello!
    > You wrote on Wed, 26 Dec 2007 03:40:05 +0100:
    >
    > A> Adobe PDF would be useable but it does require that a digital
    > A> signature be applied manually. This is problematic for the User
    > base, A> an automated solution must be sought.
    > ??>> ??>> I am wondering if the best approach would be to find an
    > ??>> existing, open source, with code and write the automating
    > functions
    >
    > Don't know about automation, but if you can do some coding, you can
    > check PDFBlackbox ( http://www.eldos.com/sbb/desc-pdf.php ), it can be
    > used to apply the signature and it doesn't require Acrobat. You can
    > also use Acrobat SDK, but you would need to have Acrobat installed on
    > the system where you do signing. PDFBlackbox is more practical from
    > this point of view.
    >
    > With best regards,
    > Eugene Mayevski



    Another possible commercial solution is Aloaha:

    http://www.aloaha.com/wi-software-en/

    Regards,
     
    nemo_outis, Dec 27, 2007
    #6
  7. Ari

    Ari Guest

    On Thu, 27 Dec 2007 11:53:42 +0200, Eugene Mayevski wrote:

    > Hello!
    > You wrote on Wed, 26 Dec 2007 03:40:05 +0100:
    >
    > A> Adobe PDF would be useable but it does require that a digital
    > A> signature be applied manually. This is problematic for the User base,
    > A> an automated solution must be sought.
    > ??>> ??>> I am wondering if the best approach would be to find an
    > ??>> existing, open source, with code and write the automating functions
    >
    > Don't know about automation, but if you can do some coding, you can check
    > PDFBlackbox ( http://www.eldos.com/sbb/desc-pdf.php ), it can be used to
    > apply the signature and it doesn't require Acrobat. You can also use Acrobat
    > SDK, but you would need to have Acrobat installed on the system where you do
    > signing. PDFBlackbox is more practical from this point of view.
    >
    > With best regards,
    > Eugene Mayevski


    Thanks Eugene, this looks like a solid alternative. By automatic, I meant
    "without user intervention" as in selecting a particular checkbox
    ("approved" for instance) then having the software either recognize that
    action, insert the signature (wherever appropriate) or we call to the app
    to do so.

    Btw, here is something I don't necessarily agree with, it says "Timestamping
    is the vital part of the signing process, which certifies the moment, when
    the signature is made. With PDFBlackbox you can apply the timestamp when
    you sign the document..."

    I suppose they assume that the user has been authenticated (identity) which
    leads me to think why the signatory process couldn't be tied to the
    verification process. hmmm....
     
    Ari, Dec 29, 2007
    #7
  8. Ari

    Ari Guest

    On 27 Dec 2007 17:54:37 GMT, nemo_outis wrote:

    >> Don't know about automation, but if you can do some coding, you can
    >> check PDFBlackbox ( http://www.eldos.com/sbb/desc-pdf.php ), it can be
    >> used to apply the signature and it doesn't require Acrobat. You can
    >> also use Acrobat SDK, but you would need to have Acrobat installed on
    >> the system where you do signing. PDFBlackbox is more practical from
    >> this point of view.
    >>
    >> With best regards,
    >> Eugene Mayevski

    >
    > Another possible commercial solution is Aloaha:
    >
    > http://www.aloaha.com/wi-software-en/
    >
    > Regards,


    nemo you woof - woof dog you, thanks for the contribute! Solid looking
    stuff. Of course, the Customer has a new requirement (wtf do we have
    Statements Of Work and Descriptions and Specs for, eh?)

    A hand written look-a-like signature in a particular signatory block.

    Found this

    www.xyzmo.com

    Whattya think?
     
    Ari, Dec 29, 2007
    #8
  9. Hello!
    You wrote on Sat, 29 Dec 2007 10:00:27 -0500:

    A> I suppose they assume that the user has been authenticated (identity)
    A> which leads me to think why the signatory process couldn't be tied to
    A> the verification process. hmmm....

    I am not sure that I understand your point/question. The problem with
    absence of timestamping is that when the signature is verified several years
    later, the certificate, used to sign the document, will most likely be
    expired. If there's no timestamp, the validator will alert the user that the
    certificate has expired. If the certificate is revoked and this is
    discovered by the validator, the validator will complain about this too.

    Timestamping lets the validator check when the timestamp was made and not to
    alert the user about the expired certificate. If the certificate was
    revoked, the validator will compare the revocation moment with the timestamp
    and will have a chance to figure out whether the signature was made with a
    valid or revoked certificate.

    Timestamping authority timestamps the signature (to be precise, the hash of
    some data), it doesn't care about what was used to produce the hash.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Dec 29, 2007
    #9
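
The validator behaviour described in post #9, as an added example that is not part of the original thread and not code from any product mentioned in it. The `Cert` model, the `Evaluate` function and all dates are constructed for illustration, and the timestamp token is assumed to have been verified already.

```go
package main

import (
	"fmt"
	"time"
)

// Cert models only the fields this decision needs (constructed, not an X.509 parser).
type Cert struct {
	NotBefore, NotAfter time.Time
	RevokedAt           *time.Time // nil when the certificate was never revoked
}

type Verdict string

const (
	OK            Verdict = "valid"
	Expired       Verdict = "certificate expired"
	Revoked       Verdict = "certificate revoked"
	OutsidePeriod Verdict = "signed outside certificate validity period"
)

// Evaluate returns the validator's verdict at time now. signedAt is the time
// asserted by a trusted timestamp, or nil when the signature carries none.
func Evaluate(c Cert, signedAt *time.Time, now time.Time) Verdict {
	if signedAt == nil {
		// No proof of when the signature was made, so the certificate can only
		// be judged as of the moment of verification.
		if c.RevokedAt != nil {
			return Revoked // cannot tell whether signing preceded revocation
		}
		if now.After(c.NotAfter) {
			return Expired
		}
		return OK
	}
	// With a timestamp the certificate is judged as of the signing moment.
	t := *signedAt
	if t.Before(c.NotBefore) || t.After(c.NotAfter) {
		return OutsidePeriod
	}
	if c.RevokedAt != nil && !c.RevokedAt.After(t) {
		return Revoked // revocation happened at or before signing
	}
	return OK // expiry or revocation after signing does not invalidate it
}

// day builds a UTC date for the constructed sample cases.
func day(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

func main() {
	cert := Cert{NotBefore: day(2007, 1, 1), NotAfter: day(2008, 12, 31)}
	signed := day(2007, 12, 29)
	now := day(2012, 6, 1) // verification several years later
	revokedLater := day(2008, 3, 1)
	revokedEarlier := day(2007, 6, 1)

	fmt.Println("no timestamp, expired cert:     ", Evaluate(cert, nil, now))
	fmt.Println("timestamped, expired cert:      ", Evaluate(cert, &signed, now))
	cert.RevokedAt = &revokedLater
	fmt.Println("no timestamp, revoked cert:     ", Evaluate(cert, nil, now))
	fmt.Println("timestamped, revoked afterwards:", Evaluate(cert, &signed, now))
	cert.RevokedAt = &revokedEarlier
	fmt.Println("timestamped, revoked beforehand:", Evaluate(cert, &signed, now))
}
```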
  10. Hello!
    You wrote on Sat, 29 Dec 2007 10:20:03 -0500:

    A> stuff. Of course, the Customer has a new requirement (wtf do we have
    A> Statements Of Work and Descriptions and Specs for, eh?)
    A> A hand written look-a-like signature in a particular signatory block.

    Did you check how the Acrobat behaves? You can put the signature image
    there. This is how I sign the invoices - I use both the signature image for
    printing and the digital signature to prove the authenticity of the
    signature image and of the document.

    With PDFBlackbox you can do this too. In fact you can customize the
    signature appearance in any way you like.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Dec 29, 2007
    #10
  11. Ari

    Ari Guest

    On Sat, 29 Dec 2007 19:23:37 +0200, Eugene Mayevski wrote:

    > Hello!
    > You wrote on Sat, 29 Dec 2007 10:20:03 -0500:
    >
    > A> stuff. Of course, the Customer has a new requirement (wtf do we have
    > A> Statements Of Work and Descriptions and Specs for, eh?)
    > A> A hand written look-a-like signature in a particular signatory block.
    >
    > Did you check how the Acrobat behaves? You can put the signature image
    > there. This is how I sign the invoices - I use both the signature image for
    > printing and the digital signature to prove the authenticity of the
    > signature image and of the document.
    >
    > With PDFBlackbox you can do this too. In fact you can customize the
    > signature appearance in any way you like.
    >
    > With best regards,
    > Eugene Mayevski


    By "look-a-like", I mean that the signature needs to be a duplicate of the
    Signer's handwriting. The only way I know to do this (easily) is by using a
    digital pad, then having that signature inserted.
     
    Ari, Dec 31, 2007
    #11
  12. Ari

    Ari Guest

    On Sat, 29 Dec 2007 19:22:00 +0200, Eugene Mayevski wrote:

    > Hello!
    > You wrote on Sat, 29 Dec 2007 10:00:27 -0500:
    >
    > A> I suppose they assume that the user has been authenticated (identity)
    > A> which leads me to think why the signatory process couldn't be tied to
    > A> the verification process. hmmm....
    >
    > I am not sure that I understand your point/question. The problem with
    > absence of timestamping is that when the signature is verified several years
    > later, the certificate, used to sign the document, will most likely be
    > expired. If there's no timestamp, the validator will alert the user that the
    > certificate has expired. If the certificate is revoked and this is
    > discovered by the validator, the validator will complain about this too.
    >
    > Timestamping lets the validator check when the timestamp was made and not to
    > alert the user about the expired certificate. If the certificate was
    > revoked, the validator will compare the revocation moment with the timestamp
    > and will have a chance to figure out whether the signature was made with a
    > valid or revoked certificate.
    >
    > Timestamping authority timestamps the signature (to be precise, the hash of
    > some data), it doesn't care about what was used to produce the hash.


    I see what you're saying but the most important process is the authentication
    of the *identity* of the signer. If there is no ID that is verified, then
    the rest doesn't matter. I can use your Adobe on your computer to sign in
    your name as long as I can get to your software.

    Which is my point. Why not incorporate the system that determines that it
    is *you* accessing your Adobe, or PDFBlackBox seamlessly with the digital
    signature capabilities? Rather than have two or more programs to do this.
     
    Ari, Dec 31, 2007
    #12
  13. Hello!
    You wrote on Mon, 31 Dec 2007 04:14:03 -0500:

    A> By "look-a-like", I mean that the signature needs to be a duplicate of
    A> the Signer's handwriting. The only way I know to do this (easily) is by
    A> using a digital pad, then having that signature inserted.

    This is what I am talking about. Scan a signature into the graphic file and
    insert the graphic file.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Dec 31, 2007
    #13
  14. Hello!
    You wrote on Mon, 31 Dec 2007 04:22:28 -0500:

    A> I see what you're saying but the most important process is the
    A> authentication of the *identity* of the signer. If there is no ID that
    A> is verified, then the rest doesn't matter. I can use your Adobe on your
    A> computer to sign in your name as long as I can get to your software.

    That's a totally different story. Digital signatures don't prove the
    identity of the user, they prove the set of "what the person has" and "what
    the person knows". With digital means you can't reliably prove "what the
    person is", i.e. whether the signature or fingerprint - once they are placed
    into the document, they can be duplicated.

    Example: you can copy the signature (or fingerprint) from the document I
    signed, then come to my computer and use it to create another document.
    Afaik there's no reliable solution for this problem.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Dec 31, 2007
    #14
  15. Ari

    Ari Guest

    On Mon, 31 Dec 2007 11:51:20 +0200, Eugene Mayevski wrote:

    > Hello!
    > You wrote on Mon, 31 Dec 2007 04:22:28 -0500:
    >
    > A> I see what you're saying but the most important process is the
    > A> authentication of the *identity* of the signer. If there is no ID that
    > A> is verified, then the rest doesn't matter. I can use your Adobe on your
    > A> computer to sign in your name as long as I can get to your software.
    >
    > That's a totally different story. Digital signatures don't prove the
    > identity of the user, they prove the set of "what the person has" and "what
    > the person knows". With digital means you can't reliably prove "what the
    > person is", i.e. whether the signature or fingerprint - once they are placed
    > into the document, they can be duplicated.
    >
    > Example: you can copy the signature (or fingerprint) from the document I
    > signed, then come to my computer and use it to create another document.
    > Afaik there's no reliable solution for this problem.
    >
    > With best regards,
    > Eugene Mayevski


    Yes, that is what I am saying, why not have a single program that will do
    both? Your identity is carried to the signature; if the signature is
    queried, the ID proof could emerge as well.
     
    Ari, Dec 31, 2007
    #15
  16. Ari

    Ari Guest

    On Mon, 31 Dec 2007 11:48:25 +0200, Eugene Mayevski wrote:

    > Hello!
    > You wrote on Mon, 31 Dec 2007 04:14:03 -0500:
    >
    > A> By "look-a-like", I mean that the signature needs to be a duplicate of
    > A> the Signer's handwriting. The only way I know to do this (easily) is by
    > A> using a digital pad, then having that signature inserted.
    >
    > This is what I am talking about. Scan a signature into the graphic file and
    > insert the graphic file.
    >
    > With best regards,
    > Eugene Mayevski


    Yeah, I see the issue is that we have dumb users and the concept of having
    them digitize their signatures, then manually add the signature (with the
    graphic file) isn't going to work. Which is why I am thinking of coding the
    ID security, the digital signature capability and the signature look-a-like
    insertion all into one.
     
    Ari, Dec 31, 2007
    #16
  17. Ari

    Arthur T. Guest

    In Message-ID:<flae2r$8sj$>,
    "Eugene Mayevski" <> wrote:

    >Hello!
    >You wrote on Mon, 31 Dec 2007 04:22:28 -0500:
    >
    > A> I see what you're saying but the most important process is the
    > A> authentication of the *identity* of the signer. If there is no ID that
    > A> is verified, then the rest doesn't matter. I can use your Adobe on your
    > A> computer to sign in your name as long as I can get to your software.
    >
    >That's a totally different story. Digital signatures don't prove the
    >identity of the user, they prove the set of "what the person has" and "what
    >the person knows". With digital means you can't reliably prove "what the
    >person is", i.e. whether the signature or fingerprint - once they are placed
    >into the document, they can be duplicated.
    >
    >Example: you can copy the signature (or fingerprint) from the document I
    >signed, then come to my computer and use it to create another document.
    >Afaik there's no reliable solution for this problem.


    -----BEGIN PGP SIGNED MESSAGE-----

    You're forgetting that a good digital signature is a
    transformation of a secure hash of the original. Take this
    signature and see if it works with any other document:

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.3 for non-commercial use
    <http://www.pgp.com>

    iQCVAwUBR3k7HkktjQmm3DQRAQFsLgP+ILXyjljJPm3A3xWt1XF6xoS4sK9W0t8e
    rYjnAG5M04CJtL3yqNgLj3S+ntOAMHauzvDfTKX3ZEWAjNc1zzXI+jt2y7GtpYsu
    vevdhu7Fw+kMQw07l1VqamNgeQTda2HCZMg5qDGzJltEvVOj70373sYGrOWKKWB4
    PFhyX4vxEQQ=
    =88A3
    -----END PGP SIGNATURE-----


    --
    Arthur T. - ar23hur "at" intergate "dot" com
    Looking for a z/OS (IBM mainframe) systems programmer position
     
    Arthur T., Dec 31, 2007
    #17
  18. Ari

    Unruh Guest

    Arthur T. <> writes:

    >In Message-ID:<flae2r$8sj$>,
    >"Eugene Mayevski" <> wrote:


    >>Hello!
    >>You wrote on Mon, 31 Dec 2007 04:22:28 -0500:
    >>
    >> A> I see what you're saying but the most important process is the
    >> A> authentication of the *identity* of the signer. If there is no ID that
    >> A> is verified, then the rest doesn't matter. I can use your Adobe on your
    >> A> computer to sign in your name as long as I can get to your software.
    >>
    >>That's a totally different story. Digital signatures don't prove the
    >>identity of the user, they prove the set of "what the person has" and "what
    >>the person knows". With digital means you can't reliably prove "what the
    >>person is", i.e. whether the signature or fingerprint - once they are placed
    >>into the document, they can be duplicated.
    >>
    >>Example: you can copy the signature (or fingerprint) from the document I
    >>signed, then come to my computer and use it to create another document.
    >>Afaik there's no reliable solution for this problem.


    Well, no. Digital signatures of a document usually combine something which
    uniquely identifies the document with something you have.
    Thus take the AES sum of the document, and then encrypt that with your
    private key. Anyone can then use your public key to unencrypt it and check
    whether the AES signature agrees with their generated signature of the
    document. No one else can do that. They can take the AES sum of the
    document, but cannot encrypt it with your private key.
    I.e., you CANNOT use the signature from document 1 to sign document 2. The
    AES hashes will not agree.




    > You're forgetting that a good digital signature is a
    > transformation of a secure hash of the original. Take this
    > signature and see if it works with any other document:


    Agreed. Just amplifying.
     
    Unruh, Dec 31, 2007
    #18
  19. Hello!
    You wrote on Mon, 31 Dec 2007 14:23:21 -0500:

    AT> You're forgetting that a good digital signature is a
    AT> transformation of a secure hash of the original. Take this
    AT> signature and see if it works with any other document:

    I was talking about graphic signature or a fingerprint, i.e. "what the
    person is". Please read more attentively.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Jan 1, 2008
    #19
  20. Hello!
    You wrote on Mon, 31 Dec 2007 21:40:52 GMT:

    U> Well, no. Digital signatures of a document usually combine something
    U> which uniquely identifies the document with something you have.

    I was talking about graphic signature or a fingerprint, i.e. "what the
    person is". Please read more attentively.

    With best regards,
    Eugene Mayevski
     
    Eugene Mayevski, Jan 1, 2008
    #20
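
The two positions argued in posts #14 to #20, side by side, as an added example that is not part of the original thread: a visible mark is only bytes that can be copied into another form, while a signature over a secure hash of the form (mark included, as in post #10) fails on any other form. The `Form` type, the function names and the sample data are constructed for illustration, and RSA-PSS with SHA-256 is an assumed choice of scheme, not one named in the thread.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Form is a constructed stand-in for the e-form: request text plus the
// scanned handwriting image that is shown and printed as the "mark".
type Form struct {
	Body      []byte
	MarkImage []byte
}

// formDigest hashes body and mark together, each length-prefixed, so the
// signature covers both and the two fields cannot be shifted into each other.
func formDigest(f Form) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:", len(f.Body))
	h.Write(f.Body)
	fmt.Fprintf(h, "%d:", len(f.MarkImage))
	h.Write(f.MarkImage)
	return h.Sum(nil)
}

// SignForm transforms the form's hash with the approver's private key.
func SignForm(priv *rsa.PrivateKey, f Form) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, formDigest(f), nil)
}

// VerifyForm recomputes the hash and checks it against the signature.
func VerifyForm(pub *rsa.PublicKey, f Form, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, formDigest(f), sig, nil) == nil
}

// RunFormDemo signs one form, then checks the original, a tampered copy, and
// a different form onto which the mark and the signature bytes were copied.
func RunFormDemo() (original, tampered, reused bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	mark := []byte("constructed-bytes-of-scanned-signature-image")
	approved := Form{Body: []byte("Request 1: leave, 3 days. APPROVED"), MarkImage: mark}
	sig, err := SignForm(priv, approved)
	if err != nil {
		return false, false, false, err
	}

	// Same form with one field altered after signing.
	altered := Form{Body: []byte("Request 1: leave, 30 days. APPROVED"), MarkImage: mark}
	// A different form carrying the copied mark and the copied signature.
	other := Form{Body: []byte("Request 2: equipment release. APPROVED"), MarkImage: mark}

	pub := &priv.PublicKey
	return VerifyForm(pub, approved, sig), VerifyForm(pub, altered, sig),
		VerifyForm(pub, other, sig), nil
}

func main() {
	original, tampered, reused, err := RunFormDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("original form verifies:       ", original)
	fmt.Println("tampered form verifies:       ", tampered)
	fmt.Println("copied mark+signature verifies:", reused)
}
```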