Frequently Asked Questions - Digital Signatures
You can create a timestamp of your data without using the Digital Signature option. Below is information about creating your personal digital signature if you choose to use this option. Creating a personal digital signature is a little more complicated because it involves using a personal signing key - explained below.
You will need a signing certificate to create a signature. This is not required if you will just be using the timestamp capability.
In brief, a signing certificate binds the identity of the person to a signing key. The Certificate Authority (CA) issues a signing certificate in a process that confirms the identity of the requester. Synonyms for a signing certificate include public key certificate and X.509 certificate.
The process of confirming a person's identity and associating this with a public/private key pair can vary and this results in different levels of trust. For example, a signing certificate that is issued based only on an e-mail address likely has little trust. With a greater trust model usually comes some additional expense related to the issuance of a signing certificate. For additional details about using certificates in the IP-Protector software and implying trust click here.
A Certificate Authority has additional activities beyond issuing signing certificates, including managing the revocation of certificates when a user notifies it of a compromise and then publishing Certificate Revocation Lists (CRLs). When implementing digital signature technology within an organization, the organization can either operate its own CA system, or use the CA service of a commercial CA.
Please click here to see instructions on how to create your certificate and then how to use it in our client software application, IP-Protector. Trial (free) certificates are available from several vendors on this page.
Please click here to see instructions on how to create your private key and signing certificate. Where to store the file that contains the private key? We suggest that you put this file on a removable floppy disk. The certificate file is encrypted and could be stored anywhere on your computer. Consider these additional details:
The Java environment that our desktop software uses keeps the private key in an encrypted file (PKCS12) that is protected by a password that you choose. Choose a strong password for this file's protection.
Keep this password-protected file on a removable medium (floppy, CD) and store it securely. Only use it when signing. This approach does make signing a slightly more difficult task. But signing as a deliberate act that requires you to retrieve and unlock the key is probably appropriate.
The most secure solution with current technology is a smartcard. This solution could include the smartcard creating the actual signature within the card after you supply a PIN directly on the card's embedded keypad. Additional information about using a smartcard with our desktop software is here.
The process to create your private signing key typically involves using your Internet browser. During the export process from the browser, it is suggested that you delete the private key from your browser.
We charge only for the timestamp transactions. There is no up-front charge for the software or digital signatures. However, the software does require that when you create a signature, it must also be timestamped. The cost for a timestamp starts at 40 cents ($0.40 USD) and is described here with volume price adjustments.
There are important exceptions within E-SIGN legislation to exclude using digital signatures on some types of legal documents. For example, creation or signing of wills or testamentary trusts; state laws regarding adoption, divorce or other family law matters; certain sections of the Uniform Commercial Code; court documents required in connection with court proceedings. The E-SIGN act does not apply to documents required for transportation or handling of hazardous, toxic or dangerous materials. The E-SIGN act does not apply to the following important notices of:
- cancellation of utility services
- notices of default, repossession, foreclosure, eviction, etc. regarding residential real estate
- cancellation of health or life insurance benefits
- product recalls or material product failures that risk endangering health or safety
Attest to "when" a digital file was signed
A digital signature establishes who signed the digital file. A timestamp of that digital signature establishes when the digital file was signed. These are two basic ingredients to properly execute e-commerce transactions and other business agreements. It is similar to signing a document before a notary: the notary can testify that you appeared before them on a given day to sign a document.
In the event your PKI private key is compromised
If your private key were to be revealed, then others could sign data files as yourself. This would not compromise all data files you ever signed with that key if you also timestamped all of those previous signatures. Because DigiStamp countersigns the data files, those signatures created before the private key was compromised are still valid.
As a general practice, to maintain the veracity of digital signatures you accept, they should be timestamped to prevent the other party from later stating that their private key was revealed and that, therefore, any of their signatures with that key might be a forgery.
Second is that the process to create a digital signature involves using your secret, private, signing key. There is risk that your private key will be stolen or compromised. It is important that you are able to distinguish the documents that you signed with your private key from those that were signed after the key was compromised. If you timestamp all of your signatures, then those signatures created after the compromise can be distinguished. It is important in this process to notify the Certificate Authority that the key was compromised. This process can be compared to calling a credit card company to inform them when your credit card was lost or stolen. Once informed, the credit card company can identify inappropriate charges.
Create a binding receipt
When your signed documents are sent to a trading partner, ask for an immediate receipt. A receipt is the receiving party’s timestamped signature of the document you sent, which is strong evidence that they had receipt of the document at the specified time.
Some business documents may only be valid if they bear more than one signature. For example, this is generally the case when a contract is signed between two parties. The sequence in which the signatures are applied (i.e. the timestamp of each signature) may or may not be important.
Another example from an organization's procedures manual: "In instances where reimbursement for out-of-pocket business expense is to be paid to an individual, who happens to be the disbursing authority for the account to which the expense will be charged, a second signature should be obtained. The signature may be from either of the following: (1) a person of higher authority or (2) the business manager or other person designated to review and approve expense transactions for the department, school, college or division."
First, a review of the technical perspective by comparing a countersignature with a signature: A signature is created over the content of the document; a countersignature is created over the previously created signature.
In a general sense, when you apply your countersignature, you are accepting that the "previous signature" is authentic. When you apply your signature, you are accepting and agreeing with the contents of the document.
An example of using a countersignature in a research organization is when the creator/author of the research data signs and timestamps that data. Then, a colleague verifies the signature and timestamp of the author and applies the countersignature. The countersignature is not a statement of ownership or authorship of the data, but it is a statement of a review that the author did sign the research data.
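The distinction above (a signature covers the document, a countersignature covers the earlier signature) and the key-compromise check described earlier can be seen together in the following added example, which is not code from DigiStamp or IP-Protector. The class and method names, the RSA/SHA-256 choice, the dates, and the byte layout of the countersigned input are assumptions made for illustration; a real timestamp service uses its own token format.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;

public class CountersignDemo { // hypothetical class, not part of IP-Protector
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    // Bytes the countersigner covers: the earlier signature plus the time, not the
    // document. The layout is an assumption of this example.
    static byte[] stampInput(byte[] priorSig, Instant when) {
        return ByteBuffer.allocate(priorSig.length + Long.BYTES)
                .put(priorSig).putLong(when.getEpochSecond()).array();
    }

    // Accept only if the signature matches the document, the countersignature matches
    // (signature, time), and that time is before the key was reported compromised.
    static boolean accept(PublicKey author, PublicKey stamper, byte[] doc, byte[] sig,
                          Instant when, byte[] stamp, Instant compromisedAt)
            throws GeneralSecurityException {
        return verify(author, doc, sig)
                && verify(stamper, stampInput(sig, when), stamp)
                && when.isBefore(compromisedAt);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair author = gen.generateKeyPair();
        KeyPair stamper = gen.generateKeyPair(); // stands in for the timestamp service
        byte[] doc = "constructed sample contract".getBytes(StandardCharsets.UTF_8);
        Instant compromisedAt = Instant.parse("2024-06-01T00:00:00Z"); // constructed date
        for (String t : new String[] {"2024-03-01T12:00:00Z", "2024-07-01T12:00:00Z"}) {
            Instant when = Instant.parse(t);
            byte[] sig = sign(author.getPrivate(), doc);
            byte[] stamp = sign(stamper.getPrivate(), stampInput(sig, when));
            System.out.println(t + " accepted=" + accept(author.getPublic(),
                    stamper.getPublic(), doc, sig, when, stamp, compromisedAt));
            // Claiming an earlier time than the one countersigned fails verification.
            System.out.println("  backdated accepted=" + accept(author.getPublic(),
                    stamper.getPublic(), doc, sig, when.minusSeconds(31536000L), stamp, compromisedAt));
        }
    }
}
```

The second timestamp models a signature made with the key after it was reported compromised: both signatures verify cryptographically, and only the countersigned time lets the verifier tell it apart from the earlier one.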
Signature qualifiers are additions to your signature that record the purpose or intent of your signature. A standard set of qualifiers has been defined and can optionally be added to your signature, for example: Approve, Receipt, Originate.
For more details click here or a screen shot from the IP-Protector application.
1. Signing and timestamping your work may not involve sending the work anywhere as you do with an e-mail.
2. Often business is conducted around signing "documents"; as compared to signing an e-mail.
3. E-mail does not support multiple signatures or countersignatures.
4. You might choose to use e-mail encryption features because your e-mailed documents are being sent over the Internet and others could see the content. Use our software to create and manage the document signatures, then attach them to an e-mail. Encrypting documents is different from signing, and you could easily use a different certificate for encryption than for signing. See the next 2 FAQs for further information.
No, we do not provide tools for document encryption. We focus on document authentication with timestamps and digital signatures.
We perceive a distinction between the creation of signatures and the management of encrypted data. These two functions can use similar technologies. But when you use encryption and how you manage the encrypted data are very different from signing. See the FAQ below related to separate keys for these functions.
This is technically possible, but we suggest that you separate these two functions. The two keys need to be managed differently:
- An encryption key must be available for as long as any data is still encrypted. For example, it is very important to have a backup copy of this key or you will not be able to decrypt valuable information.
- A signing key should have only one copy, under your sole control, and the destruction of that key is not a problem. If the key is destroyed, then all signatures that you created with that key can still be authenticated with the public key certificate (from your CA).
In summary, the security features of the Java Web Start environment and the ease of distributing updates are why we chose this tool. Each time you use our application, the software is checked for tampering. The Java Web Start environment uses digital signatures (code signing technique) to allow users to verify that the software has not been tampered with and that signed code is tied to the identity of the author.
We have made a provision for you to have a copy of the source code related to private key handling. This is the only source code distributed at this time.
The design allows you to add a code plug-in to our software. The design allows the necessary private key handling to occur within that plug-in. We provide example source code that you can modify, compile, and install into the IP Protector software. Details are here.
We have an option for you to supply the smart card and a Java software plug-in to manage the card access. In the plug-in code that you provide, you provide smart card access for signature generation. The IP-Protector manages the "verify" step and optionally the SHA-1 hash generation. Details are here.