Digital signatures have many uses. In S/MIME and OpenPGP-compatible email systems, a digital signature that verifies is assurance that the message was signed with the private key belonging to the sender's certificate or key and that the signed content was not altered in transit. Whether that key really belongs to the claimed sender is a separate question, answered by the certificate chain (S/MIME) or by how the key was certified (OpenPGP), not by the signature itself.
But digital signatures have uses far beyond email. Some jurisdictions have enacted legislation which makes properly prepared digital signatures legally binding on contracts. If you have contracts or other important documents which must carry verifiable signatures, digital signatures can be extremely useful: instead of sending a courier or scheduling time-consuming meetings, you may be able to conduct important business securely through email while fulfilling all legal requirements. A digital signature provides integrity (the document was not changed after it was signed), authentication (the signature was made with the keyholder's private key) and, provided the signer alone controls that private key, non-repudiation (the signer cannot credibly deny having signed). This is a complicated topic and the laws vary widely, so it is wise to involve legal counsel. On the technical end, we can explain how signatures are used and what their limitations are.
Privacy Systems, Ltd. can generate keys and X.509 signing certificates for our clients which can be used to sign documents from applications including OpenOffice.org and Adobe's Acrobat, and for other uses. Even though it is possible to use the same key you use for S/MIME email to make digital signatures on documents, there are additional considerations, and in certain cases it is better to have one key for email and another for signing non-email documents and files. Different certification requirements may dictate separate S/MIME email and signing keys. For example, you may not wish to include information such as your name, city of residence and other personal details in an email certificate, where it is usually enough to verify the email address itself. However, an email address alone is often not sufficient for a useful signing certificate, where the goal is to provide assurance that you are the signing authority. Keeping the two keys separate also means that compromise or revocation of the everyday email key does not invalidate signatures made with the document-signing key. We can generate X.509 certificates appropriate for the target use.
OpenPGP offers several signing options, including a feature called "clear-signing." Clear-signing is a way to produce a cryptographically verifiable digital signature of any text document in which the signature is wrapped around the document text and visible to the human eye: the text sits between a "-----BEGIN PGP SIGNED MESSAGE-----" line and the armored signature block that follows it. You do not have to encrypt email to use clear-signing. In some cases you may not want to encrypt a document at all; instead, you need to sign it so that anyone can verify that they are using an unaltered copy. When a document is clear-signed, even people who do not have OpenPGP can read and use it. If they do have OpenPGP, they can also verify the authenticity and integrity of the document. Two limitations are worth knowing: only the text between the markers is signed, so email headers, attachments and anything outside the block are not covered; and a signature that verifies only tells you which key made it, so the recipient still has to confirm that key is yours.
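The following script is an added example, not part of the original page and not Privacy Systems' own tooling. It clear-signs a small document with GnuPG, checks that the signed text stays readable and that lines starting with "-" are dash-escaped, verifies the untouched copy, then alters the amount inside the signed region and confirms that verification now fails. It assumes gpg from GnuPG 2.1 or later is on PATH; the signing key, the user ID "Demo Signer <demo@example.invalid>" and the invoice text are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original page: clear-sign a document with
# GnuPG, verify it, then alter the signed text and confirm verification fails.
# Assumes gpg from GnuPG 2.1 or later; the key, the user ID and the document
# text are all constructed here for the demonstration.
set -eu

clearsign_demo() {
    workdir=$(mktemp -d)
    export GNUPGHOME="$workdir/gnupghome"
    mkdir -m 700 "$GNUPGHOME"

    # Throw-away Ed25519 signing key with no passphrase so the script runs
    # unattended; never do this for a real signing key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' ed25519 sign 1d

    # Constructed document. The last line starts with "-" on purpose.
    printf 'Invoice 42\nAmount due: 100.00\n- signed by Demo Signer\n' \
        > "$workdir/doc.txt"

    gpg --batch --quiet --clearsign --output "$workdir/doc.txt.asc" "$workdir/doc.txt"

    # 1. The signed text stays readable without any OpenPGP software: it is
    #    plain text between the BEGIN PGP SIGNED MESSAGE and BEGIN PGP SIGNATURE
    #    lines. Lines beginning with "-" are dash-escaped to "- -" so they
    #    cannot be mistaken for armor markers; verifiers undo this before hashing.
    grep -q '^Amount due: 100.00$' "$workdir/doc.txt.asc" || return 1
    grep -q '^- - signed by Demo Signer$' "$workdir/doc.txt.asc" || return 1

    # 2. An untouched copy verifies (gpg exits 0 on a good signature).
    gpg --batch --quiet --verify "$workdir/doc.txt.asc" 2>/dev/null || return 1

    # 3. Change the amount inside the signed region; the signature must now
    #    fail because the hashed text no longer matches what was signed.
    sed 's/100\.00/900.00/' "$workdir/doc.txt.asc" > "$workdir/tampered.asc"
    if gpg --batch --quiet --verify "$workdir/tampered.asc" 2>/dev/null; then
        return 1
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$workdir"
    return 0
}

# Runs the demonstration when saved as clearsign_demo.sh and executed directly.
case "$0" in
    *clearsign_demo.sh) clearsign_demo && echo 'tampering detected: clear-sign demo OK' ;;
esac
```

Save it as clearsign_demo.sh and run `sh clearsign_demo.sh`. Step 3 is the part a recipient relies on: `gpg --verify` reports a BAD signature and exits non-zero as soon as any byte between the markers changes. Note that the script only proves the signature was made by the throw-away key it just generated; in real use you would still check that the key ID gpg reports is the one you expect.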