Asked by stevekorb
Digital Signatures

Could someone please help or explain what would be the best way to go about this.
I have Excel documents that need to be signed for buy-off/approval. These documents then get scanned and put into a document management system. I would like to be able to create PDFs of these and use digital signatures. If I save on an internal server the digital signatures of all the individuals who need to sign these, could they then, at the time of buy-off, use their digital signature for approval? Yes. Then if I receive a doc with someone else's sig on it, how do I verify that it is actually theirs? I could create and import all the signatures from that server for validation. But what's to stop someone from pretending to be me and creating my signature?

The other problem is, these users do not have internet access. That would probably make it hard to go through verisign or geotrust right? Unless they can give me a certificate to put on our server.

Bottom line is, I don't really know what I'm doing here and need help...

Thanks,
Steve
Extremely urgent
Zabulon777:

1. First of all, you need to convert the documents to PDF. You can do it with many different tools, for example: http://www.clicktoconvert.com/index.html

2. create digital signatures (office)
http://office.microsoft.com/en-ca/assistance/HA010872981033.aspx

3. PDF digital signatures (Adobe)
http://www.adobe.com/security/digsig.html


Of course there is password protection, but sounds like you are looking for a more secure way of doing things. Please go through the links provided above.
stevekorb (ASKER):

I was looking for more than research that I've done as well. I would like to know if anyone is doing anything along the lines that I'm proposing. Thank you for your input. It is appreciated.
cj_1969:
From what I'm reading I don't think you have the right concept of the "digital signature" here.
There is only one "signature" on a file ... this is generally the creator's electronic signature to validate that they created the file and attest to its contents.

It sounds like what you are looking for is more of a document management/approval system.  So that people can "approve" the content before it gets distributed.  This is a different concept than digitally "signing" a document.

Generally for the latter case, a forwarded email from the approver's email account is accepted as the digital approval. Since email accounts are password protected, it is presumed that only the owner of the account has access to their mailbox to forward on an approval message. You would probably want a randomly generated document or message ID associated with the email message to identify which document is being approved, so that nobody can spoof an email from an approver if they know the "name" of the document being approved.

Take a look at this page, it might give you some ideas as to what you need to do or where you want to go with this  ... http://www.imarkup.com/products/server_dms.asp

You can see there is a section on what I am referring to ...
Digital signing (digital signatures) of PDF documents after approval;

This is just some background info, I'm not referring you to this product or anything.
If you can verify what it is you want/need to do we can further help you find a solution that meets your needs.

stevekorb (ASKER):

Well, perhaps I'm not using it (or wanting to) as most people do. But what I CAN do is sign a document with a self-signed digital ID created by myself, and one or many other individuals can also sign that PDF, then use the drop-down and select, for example, "I have reviewed this document", and it will use my ID and leave that comment on the signature field.

I would imagine that if they have those options that I am doing something that the program is designed to do.

What I'm looking for is ways to store and verify those Self signed digital IDs.

We have a document management system (ProjectWise) that we use now. I need people in my organization and out to sign these documents on site and off site.
ASKER CERTIFIED SOLUTION by cj_1969 (only available to Experts Exchange members; not shown on this page)

stevekorb (ASKER):
Okay, you got it now... Yes, I need to determine which way to do it. You mentioned something that I'd not heard of before. Could you please describe what you mean by 'my own certificate server'? How does this work?

One possible option that i've come up with is this:
Create the IDs as you have suggested, then pass them out to people on a request basis. In the email that I send them with their digital ID is the password for that ID file. I would also take all of those IDs and put them on a server that all of these individuals can access (read-only). This would serve the purpose that if anyone needed to validate a signature they could go to this location and add IDs to their trusted IDs list. If the signature validates, then it is good. Since these signatures have PKCS#12 authentication on them, I can assume that is what is being read when validating the signature, and signatures that are created with all of the user's info would not work otherwise.

I would use this option instead of going through Verisign for two reasons: one is cost, the other is that most users here do not have internet access.

Does this sound good to you? Can you poke any holes in this way of doing it?

Your input is appreciated.
Thanks,
Steve

cj_1969:
With a Windows server you can install your own certificate server for issuing certificates based on your AD domain.
You should be able to set up a user on your domain to automatically trust a certificate issued from the same domain.
For external users, they would need to receive a certificate and then trust either the individual user certificates or trust the "publishing author" i.e. your domain.

I haven't dealt with these types of certificates BUT for the ones that I have worked with the process is pretty straight forward.
The user simply fills out the request for a certificate, filling in their personal information, submits the request and either the certificate is automatically generated or the request is submitted, an approver receives the request and approves or rejects.  If approved, the certificate is generated with a "response code" (can't remember the actual name) that the user then enters to retrieve their certificate.  The certificates and requests can be stored on disk so you can distribute them.

I don't know if there is any way to compare a certificate that has been used to sign a document against something in a repository.  The premise is that the certificate is produced by a "Trusted" party and once you agree to accept that trust there is no need to further verify the certificate.

Here's some info on the Microsoft Certificate Services ... this is based around Windows 2000, I don't think there were any major changes to it in 2003, so this should give you a decent overview.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/depopt/2000cert.mspx

This is, of course, assuming you have a Windows network.
There are other certificate services that you can use, depending on your network environment.  Let me know if you need to look into something else.
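As an added example for this thread (it is not from any of the posts above, and not the setup either participant actually used), here is the trust model of the two proposals reduced to the openssl command line: an internal CA playing the role of the "certificate server" cj_1969 describes, one certificate issued to an approver, a detached CMS/PKCS#7 signature over a document (the same structure a PDF signature field carries), and verification of the genuine signature, of a document altered after signing, and of an impostor's self-signed ID that carries the same name. The last check is the hole in Steve's read-only-folder plan: a verifier that trusts whatever ID it was handed accepts the impostor just as happily. The organisation name, approver name, file names and the sample document text are all assumptions made for this example; it needs the openssl CLI (1.1.1 or later) and nothing else.

```shell
#!/bin/sh
# Added example for this thread, not from the original posts.  An internal CA
# built with the openssl CLI (1.1.1 or later), one certificate issued to an
# approver, a detached CMS/PKCS#7 signature over a document, and verification
# that trusts only the CA.  Names, file names and the sample text are assumptions.
set -eu

write_config() {        # minimal config so nothing depends on /etc/ssl/openssl.cnf
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
# placeholder only; every command below passes -subj
CN = placeholder
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ signer_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ self_signed_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
EOF
}

make_ca() {             # the "certificate server": ca.key stays on the server, ca.crt goes to everyone
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config ca.cnf -extensions ca_ext \
    -subj "/O=Example Corp/CN=Example Corp Approval CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
}

issue_signer_cert() {   # $1 = file prefix, $2 = approver name: approver keeps the key, CA signs only the request
  openssl req -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/O=Example Corp/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 365 -extfile ca.cnf -extensions signer_ext -out "$1.crt" 2>/dev/null
}

make_self_signed_id() { # $1 = file prefix, $2 = claimed name: what anyone can produce for themselves
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config ca.cnf -extensions self_signed_ext \
    -subj "/O=Example Corp/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

sign_document() {       # $1 = id prefix, $2 = document, $3 = output: detached CMS SignedData, DER encoded
  openssl cms -sign -binary -in "$2" -signer "$1.crt" -inkey "$1.key" \
    -outform DER -out "$3"
}

verify_document() {     # $1 = document, $2 = signature, $3 = trust anchor file; prints OK or FAIL
  if openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
       -CAfile "$3" -no-CApath -out /dev/null >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

run_demo() (            # subshell: works in a fresh temp dir, prints one line of results
  dir=$(mktemp -d); cd "$dir"
  write_config
  make_ca
  issue_signer_cert   alice "Alice Approver"
  make_self_signed_id fake  "Alice Approver"     # impostor using the same name
  printf 'Drawing 1234 rev B: approved for release\n' > approval.txt   # constructed sample
  printf 'Drawing 1234 rev C: approved for release\n' > altered.txt    # edited after signing
  sign_document alice approval.txt alice.p7s
  sign_document fake  approval.txt fake.p7s
  genuine=$(verify_document approval.txt alice.p7s ca.crt)   # chains to the CA
  impostor=$(verify_document approval.txt fake.p7s  ca.crt)  # same name, no chain to the CA
  altered=$(verify_document altered.txt  alice.p7s ca.crt)   # digest no longer matches
  # The hole in "trust whatever IDs are in the shared folder": if the impostor's
  # certificate is what the verifier trusts, the forged approval checks out.
  folder=$(verify_document approval.txt fake.p7s fake.crt)
  cd / && rm -rf "$dir"
  echo "genuine=$genuine impostor=$impostor altered=$altered impostor_trusted_from_folder=$folder"
)

run_demo
```

Run it with `sh` and it prints `genuine=OK impostor=FAIL altered=FAIL impostor_trusted_from_folder=OK`. In Acrobat terms, ca.crt is the one certificate every verifier imports as a trusted identity; no per-user IDs need to be published, and each approver's private key (the PKCS#12 file) stays with that approver instead of travelling by email together with its password. What the script leaves out is revocation: a real certificate server also publishes a CRL so that a departed approver's certificate can be rejected, which a static folder of IDs cannot do either.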