Digital Signatures

Could someone please help or explain what would be the best way to go about this.
I have Excel documents that need to be signed for buy-off/approval. These documents then get scanned and put into a document management system. I would like to be able to create PDFs of these and use digital signatures. If I save on an (internal) server the digital signatures of all the individuals that need to sign these, could they then, at the time of buy-off, use their digital signature for approval? Yes. Then if I receive a doc with someone else's sig on it, how do I verify that it is actually theirs? I could create and import all the signatures from that server for validation. But what's to stop someone from pretending to be me and creating my signature?

The other problem is, these users do not have internet access. That would probably make it hard to go through VeriSign or GeoTrust, right? Unless they can give me a certificate to put on our server.

Bottom line is, I don't really know what I'm doing here and need help...

Extremely urgent
cj_1969 Commented:
In looking at Adobe I see the options you are talking about ... I never knew they had this ... my apologies.

So, in understanding that you want the various users to digitally sign the document, it seems that your focus is on how to verify the authenticity of the signature on the file ... how do you know that the signature is from the person it says signed it.

It seems to me that you have 2 options ...
1. Verified 3rd party certificates.  If it is signed by Verisign then you can trust that it came from the person that it was assigned to.
2. Have your own internal certificate server set up so that you can produce your own "trusted" certificates.  You can have a user request a certificate, produce it and provide it to them.  If it comes from your certificate server, then you can trust that it is authentic.

Self signed certificates MIGHT work.  The problem is that you would have to initially verify the authenticity of the certificate and add it to your key store.  If it is not coming from a secure provider (be it third party or under your control) then you open yourself to the risk that anyone could generate a certificate, sign the document and then claim that they had to generate a new one ... how do you validate that certificate?  This is where the problem is as I see it.

I think what you want to do will work.  You just need to determine what method of certificate verification you want to go with.
1. first of all you need to convert the documents to PDF... you can do it with many different tools for example:

2. create digital signatures (office)

3. PDF digital signatures (Adobe)

Of course there is password protection, but sounds like you are looking for a more secure way of doing things. Please go through the links provided above.
stevekorb (Author) Commented:
I was looking for more than research that I've done as well. I would like to know if anyone is doing anything along the lines that I'm proposing. Thank you for your input. It is appreciated.

From what I'm reading I don't think you have the right concept of the "digital signature" here.
There is only one "signature" on a file ... this is generally the creator's electronic signature to validate that they created the file and attest to its contents.

It sounds like what you are looking for is more of a document management/approval system.  So that people can "approve" the content before it gets distributed.  This is a different concept than digitally "signing" a document.

Generally for the latter case, a forwarded email from the approver's email account is accepted as the digital approval; since email accounts are password protected, it is presumed that only the owner of the account has access to their mailbox to forward on an approval message ... you would probably want a randomly generated document or message ID associated with the email message to identify what document is being approved, so that nobody can spoof an email from an approver if they know the "name" of the document being approved.

Take a look at this page, it might give you some ideas as to what you need to do or where you want to go with this  ...

You can see there is a section on what I am referring to ...
Digital signing (digital signatures) of PDF documents after approval;

This is just some background info, I'm not referring you to this product or anything.
If you can verify what it is you want/need to do we can further help you find a solution that meets your needs.

stevekorb (Author) Commented:
Well, perhaps I'm not using it (or wanting to) as most people do. But what I CAN do is sign a document with a self-signed digital ID created by myself and one or many other individuals and sign that PDF, then use the drop-down and select, for example, "I have reviewed this document", and it will use my ID and leave that comment on the signature field.

I would imagine that if they have those options that I am doing something that the program is designed to do.

What I'm looking for is ways to store and verify those Self signed digital IDs.

We have a document management system (ProjectWise) that we use now. I need people in my organization and out to sign these documents on site and off site.
stevekorb (Author) Commented:
Okay, you got it now... Yes, I need to determine which way to do it. You mentioned something that I'd not heard of before. Could you please describe what you mean by 'my own certificate server'? How does this work?

One possible option that I've come up with is this:
Create the IDs as you have suggested. Then pass them out to people on a request basis. In the email that I send them with their digital ID is the password for that ID file. I would also take all of those IDs and put them on a server that all of these individuals can access (in a read-only format). This would serve the purpose that if anyone needed to validate a signature they could go to this location and add IDs to their trusted IDs list. If the signature validates, then it is good. Since these signatures have PKCS#12 authentication on them, I can assume that is what is being read when validating the signature, and signatures that are created with all of the user's info would not work otherwise.

I would use this option instead of going through Verisign for 2 reasons. For one, cost, the other reason is most users here do not have internet access.

Does this sound good to you? Can you poke any holes in this way of doing it???

Your input is appreciated.
With a Windows server you can install your own certificate server for issuing certificates based on your AD domain.
You should be able to set up a user on your domain to automatically trust a certificate issued from the same domain.
For external users, they would need to receive a certificate and then trust either the individual user certificates or trust the "publishing author" i.e. your domain.

I haven't dealt with these types of certificates BUT for the ones that I have worked with the process is pretty straight forward.
The user simply fills out the request for a certificate, filling in their personal information, submits the request and either the certificate is automatically generated or the request is submitted, an approver receives the request and approves or rejects.  If approved, the certificate is generated with a "response code" (can't remember the actual name) that the user then enters to retrieve their certificate.  The certificates and requests can be stored on disk so you can distribute them.

I don't know if there is any way to compare a certificate that has been used to sign a document against something in a repository.  The premise is that the certificate is produced by a "Trusted" party and once you agree to accept that trust there is no need to further verify the certificate.

Here's some info on the Microsoft Certificate Services ... this is based around Windows 2000, I don't think there were any major changes to it in 2003, so this should give you a decent overview.

This is, of course, assuming you have a Windows network.
There are other certificate services that you can use, depending on your network environment.  Let me know if you need to look into something else.
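The trust model cj_1969 describes (an internal CA whose root everyone trusts once, versus self-signed IDs that anyone could mint under the same name) can be demonstrated with plain OpenSSL. This is an added example, not code from the thread or from Adobe/Microsoft Certificate Services; the organisation, the names "Alice Approver" and "mallory", and the document text are constructed placeholders, and a detached CMS signature over a text file stands in for the PDF signature field.

```shell
#!/bin/sh
# Added example: one internal CA, an approver certificate it issued, and a
# look-alike self-signed certificate; only the CA-issued one verifies.
# All names and the document text are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The internal "certificate server": a self-signed CA root that everyone
#    in the organisation is given and trusts once.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout ca.key -out ca.crt \
  -subj "/O=Example Org/CN=Example Internal CA" 2>/dev/null

# 2. An approver requests a certificate (CSR) and the CA issues it.
openssl req -new -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
  -subj "/O=Example Org/CN=Alice Approver" 2>/dev/null
openssl x509 -req -days 365 -in alice.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out alice.crt 2>/dev/null

# 3. Someone else self-signs a certificate carrying the same name; nothing
#    stops them from doing so, which is the gap discussed in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout mallory.key \
  -out mallory.crt -subj "/O=Example Org/CN=Alice Approver" 2>/dev/null

# A constructed document standing in for the exported PDF.
printf 'Drawing 42 rev B: approved for release\n' > doc.txt

# sign_doc CERT KEY DOC OUT: detached CMS (PKCS#7) signature over DOC.
sign_doc() {
  openssl cms -sign -binary -in "$3" -signer "$1" -inkey "$2" \
    -outform DER -out "$4" 2>/dev/null
}

# verify_doc SIG DOC: succeeds only if the signature is valid over DOC and
# the signer certificate chains to the internal CA (ca.crt).
verify_doc() {
  openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
    -CAfile ca.crt -out /dev/null >/dev/null 2>&1
}

sign_doc alice.crt alice.key doc.txt alice.sig
sign_doc mallory.crt mallory.key doc.txt mallory.sig
printf 'Drawing 42 rev B: REJECTED\n' > altered.txt

verify_doc alice.sig doc.txt     && echo "CA-issued signature: valid"
verify_doc mallory.sig doc.txt   || echo "self-signed look-alike: rejected"
verify_doc alice.sig altered.txt || echo "altered content: rejected"
```

The verifier only ever needs ca.crt, not a shared folder of everyone's IDs; a signature whose certificate was not issued by that CA is rejected even though its subject name matches, and so is any signature over content that has been changed since signing.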