Digital Signatures

Posted on 2006-06-26
Last Modified: 2009-12-16
Could someone please help or explain what would be the best way to go about this?
I have Excel documents that need to be signed for buy-off/approval. These documents then get scanned and put into a document management system. I would like to be able to create PDFs of these and use digital signatures. If I save on an internal server the digital signatures of all the individuals that need to sign these, could they then, at the time of buy-off, use their digital signature for approval? Yes. Then, if I receive a doc with someone else's sig on it, how do I verify that it is actually theirs? I could create and import all the signatures from that server for validation. But what's to stop someone from pretending to be me and creating my signature?

The other problem is, these users do not have internet access. That would probably make it hard to go through VeriSign or GeoTrust, right? Unless they can give me a certificate to put on our server.

Bottom line is, I don't really know what I'm doing here and need help...

Thanks,
Steve
Extremely urgent
Question by:stevekorb
7 Comments

Expert Comment

by:Zabulon777
1. First of all, you need to convert the documents to PDF. You can do it with many different tools, for example: http://www.clicktoconvert.com/index.html

2. create digital signatures (office)
http://office.microsoft.com/en-ca/assistance/HA010872981033.aspx

3. PDF digital signatures (Adobe)
http://www.adobe.com/security/digsig.html


Of course there is password protection, but it sounds like you are looking for a more secure way of doing things. Please go through the links provided above.

Author Comment

by:stevekorb
I was looking for more than research that I've done as well. I would like to know if anyone is doing anything along the lines that I'm proposing. Thank you for your input. It is appreciated.

Expert Comment

by:cj_1969
From what I'm reading, I don't think you have the right concept of the "digital signature" here.
There is only one "signature" on a file ... this is generally the creator's electronic signature to validate that they created the file and attest to its contents.

It sounds like what you are looking for is more of a document management/approval system, so that people can "approve" the content before it gets distributed. This is a different concept than digitally "signing" a document.

Generally, for the latter case, a forwarded email from the approver's email account is accepted as the digital approval. Since email accounts are password protected, it is presumed that only the owner of the account has access to their mailbox to forward on an approval message. You would probably want a randomly generated document or message ID associated with the email message to identify what document is being approved, so that nobody can spoof an email from an approver just by knowing the "name" of the document being approved.

Take a look at this page, it might give you some ideas as to what you need to do or where you want to go with this  ... http://www.imarkup.com/products/server_dms.asp

You can see there is a section on what I am referring to ...
Digital signing (digital signatures) of PDF documents after approval;

This is just some background info, I'm not referring you to this product or anything.
If you can verify what it is you want/need to do we can further help you find a solution that meets your needs.


Author Comment

by:stevekorb
Well, perhaps I'm not using it (or wanting to) as most people do. But what I CAN do is sign a document with a self-signed digital ID created by myself, and one or many other individuals can sign that PDF, then use the drop-down and select, for example, "I have reviewed this document", and it will use my ID and leave that comment on the signature field.

I would imagine that if they have those options that I am doing something that the program is designed to do.

What I'm looking for is ways to store and verify those self-signed digital IDs.

We have a document management system (ProjectWise) that we use now. I need people in my organization and out to sign these documents on site and off site.

Accepted Solution

by:cj_1969 earned 500 total points
In looking at Adobe I see the options you are talking about ... I never knew they had this ... my apologies.

So, in understanding that you want the various users to digitally sign the document, it seems that your focus is on how to verify the authenticity of the signature on the file ... how do you know that the signature is from the person it says signed it.

It seems to me that you have 2 options ...
1. Verified 3rd party certificates.  If it is signed by Verisign then you can trust that it came from the person that it was assigned to.
2. Have your own internal certificate server set up so that you can produce your own "trusted" certificates.  You can have a user request a certificate, produce it and provide it to them.  If it comes from your certificate server, then you can trust that it is authentic.

Self-signed certificates MIGHT work.  The problem is that you would have to initially verify the authenticity of the certificate and add it to your key store.  If it is not coming from a secure provider (be it third party or under your control) then you open yourself to the risk that anyone could generate a certificate, sign the document and then claim that they had to generate a new one ... how do you validate that certificate?  This is where the problem is as I see it.

I think what you want to do will work.  You just need to determine what method of certificate verification you want to go with.

Author Comment

by:stevekorb
Okay, you got it now... Yes, I need to determine which way to do it. You mentioned something that I'd not heard of before. Could you please describe what you mean by 'my own certificate server'? How does this work?

One possible option that I've come up with is this:
Create the IDs as you have suggested. Then pass them out to people on a request basis. In the email that I send them with their digital ID is the password for that ID file. I would also take all of those IDs and put them on a server that all of these individuals can access (in a read-only format). This would serve the purpose that if anyone needed to validate a signature they could go to this location and add IDs to their trusted IDs list. If the signature validates, then it is good. Since these signatures have PKCS#12 authentication on them, I can assume that is what is being read when validating the signature, and signatures that are created with all of the user's info would not work otherwise.

I would use this option instead of going through Verisign for 2 reasons. For one, cost; the other reason is most users here do not have internet access.

Does this sound good to you? Can you poke any holes in this way of doing it???

Your input is appreciated.
Thanks,
Steve

Expert Comment

by:cj_1969
With a Windows server you can install your own certificate server for issuing certificates based on your AD domain.
You should be able to set up a user on your domain to automatically trust a certificate issued from the same domain.
For external users, they would need to receive a certificate and then trust either the individual user certificates or trust the "publishing author" i.e. your domain.

I haven't dealt with these types of certificates, BUT for the ones that I have worked with, the process is pretty straightforward.
The user simply fills out the request for a certificate, filling in their personal information, and submits the request; either the certificate is automatically generated or the request is submitted, an approver receives the request and approves or rejects it.  If approved, the certificate is generated with a "response code" (can't remember the actual name) that the user then enters to retrieve their certificate.  The certificates and requests can be stored on disk so you can distribute them.

I don't know if there is any way to compare a certificate that has been used to sign a document against something in a repository.  The premise is that the certificate is produced by a "Trusted" party and once you agree to accept that trust there is no need to further verify the certificate.

Here's some info on the Microsoft Certificate Services ... this is based around Windows 2000, I don't think there were any major changes to it in 2003, so this should give you a decent overview.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/depopt/2000cert.mspx

This is, of course, assuming you have a Windows network.
There are other certificate services that you can use, depending on your network environment.  Let me know if you need to look into something else.
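The two points made in the accepted solution and the follow-up (option 2, an internal certificate server, and the objection that with bare self-signed IDs "anyone could generate a certificate, sign the document and then claim that they had to generate a new one") can be made concrete with the openssl command-line tool. The script below is an added example and is not code from the thread, from ProjectWise, or from Adobe; it assumes openssl 1.1.1 or later is on PATH, and every name, subject, password and the sample document are made up for the demonstration. It builds a small internal CA, issues a user a signing certificate (and the PKCS#12 digital ID Steve proposes to hand out), signs a document, and then shows that verification which checks the chain to the CA accepts the genuine signature, rejects an impostor's self-signed certificate that carries the same name, and rejects a genuine signature over an altered document, while verification that simply trusts whatever certificate arrives with the signature (what importing IDs from a read-only share amounts to) accepts the impostor.

```shell
#!/bin/sh
# Added example (not from the thread). Internal CA, user enrolment, detached CMS
# signature, and the difference between chain-checked and trust-whatever verification.
# Assumes the openssl CLI (1.1.1+) is on PATH. All names and data below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step 1: the organisation's own CA (the "certificate server" of the thread).
# ca.key never leaves the server; only ca.crt is distributed to verifiers.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example Corp Document Signing CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
}

# Step 2: enrol a user. The user generates a key pair and a request; the CA vets the
# request out of band (HR record, manager sign-off) and issues the certificate.
# The .p12 is the "digital ID" file the user would import into Acrobat/Reader.
issue_user() {   # $1 = file prefix, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\nextendedKeyUsage=emailProtection\n' > "$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile "$1.ext" -out "$1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile ca.crt \
        -passout pass:changeit -out "$1.p12" 2>/dev/null
}

# An impostor who self-signs a certificate carrying somebody else's name.
make_impostor() {   # $1 = file prefix, $2 = common name to impersonate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Corp/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Detached CMS (PKCS#7) signature over the document, DER encoded.
sign_doc() {   # $1 = signer prefix, $2 = document, $3 = signature file
    openssl cms -sign -binary -in "$2" -signer "$1.crt" -inkey "$1.key" \
        -outform DER -out "$3" 2>/dev/null
}

# Correct verification: the signature must be good AND the signer's certificate
# must chain to our CA. Prints valid/invalid; exit status matches.
verify_doc() {   # $1 = document, $2 = signature file
    if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
            -CAfile ca.crt -out /dev/null 2>/dev/null; then
        echo valid
    else
        echo invalid; return 1
    fi
}

# Weak verification: -noverify checks the signature maths but trusts whatever
# certificate travelled with it, which is what blindly importing IDs amounts to.
verify_doc_noverify() {   # $1 = document, $2 = signature file
    if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
            -noverify -out /dev/null 2>/dev/null; then
        echo valid
    else
        echo invalid; return 1
    fi
}

make_ca
issue_user steve "Steve Korb"
make_impostor rogue "Steve Korb"

printf 'Drawing 1234 rev B: approved for release.\n' > doc.txt   # constructed sample document
sign_doc steve doc.txt doc.sig
sign_doc rogue doc.txt rogue.sig
printf 'Drawing 1234 rev C: approved for release.\n' > doc_tampered.txt

echo "CA-issued signature, chain checked:       $(verify_doc doc.txt doc.sig || true)"
echo "Impostor self-signed cert, chain checked: $(verify_doc doc.txt rogue.sig || true)"
echo "Impostor signature with -noverify:        $(verify_doc_noverify doc.txt rogue.sig || true)"
echo "Genuine signature over altered document:  $(verify_doc doc_tampered.txt doc.sig || true)"
```

The only thing an external or offline verifier needs is ca.crt, added once as a trusted root; no internet connection to a public CA is involved, which addresses the cost and no-internet-access concerns raised above. Conversely, a folder of bare .p12 or certificate files that people import one by one gives the same result as the -noverify case: whoever can write to that folder, or hand someone a file claiming to be a replacement ID, can sign as anyone.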