Notes

Note that digital signing is currently not recommended by CAcert. This is recorded in the CPS (DRAFT), which warns that CAcert certificates are not currently issued for digital signing in the human sense (a person signing a document). See CPS sections 1.4.3 and 1.4.4 for more details. The CPS is a controlling document and therefore overrides everything below.

The main location for information is the DigitalSigning page.

Comparison

DEPRECATED:

The comparison below was originally given in German and in English. The two versions are the same table, so only the English is kept here; the German rows were used to correct the English where the German was more precise.

Handwritten Signature vs. Digital Signature

1. Handwritten: You create your own, individual and unforgeable signature.
   Digital: Your computer generates a key pair for you. The private key (the original table described it as "at least 1024 random characters", i.e. a key of at least 1024 bits) is what produces your digital signature; the signature itself is computed from that key and the document being signed, so it is different for every document.

2. Handwritten: You sign a document with your own signature.
   Digital: Your email program attaches your digital signature to the email before sending it.

3. Handwritten: You receive a document signed by a person you know.
   Digital: You receive an email with a digital signature that your email program already knows.

4. Handwritten: You receive a document signed by a person you do not know.
   Digital: You receive an email with a digital signature that your email program does not know.

5. Handwritten: You receive a document signed by a person you do not know, but the signature is notarized by an official authority.
   Digital: You receive an email with a digital signature that your email program does not know, but the signer's certificate was issued by CAcert. (Correction recorded on the page: CAcert does not approve the signature; it certifies that it knows the person who owns the key.)

See also: SecurityLayer

Discussion

With digital signatures, someone who has the appropriate software and a signing key can put a digital signature on a document (or a file, form data, an image or an email). Later, someone else can verify that digital signature. Successful verification indicates which key signed the document (and, through the certificate, who holds that key), that this document is the one that was signed, and that it has not been modified since.

Lifetime

Users of signatures have varying timeframes, from days to years. Some security-relevant organisations talk of a minimum timeframe of 30 years over which a digital signature must still verify successfully. A protocol for digital signing should therefore preserve the certificate (and whatever else verification needs) for that length of time, long after the certificate itself has expired.

Revocation of a Signature

One important question for a signing protocol is whether there is a difference between expiration and revocation. Consider Bob and Alice:

The verification program will hopefully tell Alice the following:

So in the context of digital signatures it is very important to understand the role of "expiration" and how it differs from "revocation". Expiration should mean that the certificate's validity period has run out: the key cannot be used any more for new signatures or new communication sessions. Digital signatures that were made with this key while it was valid ARE STILL VALID.

Revocation means that the private key has leaked, or that the certificate was wrongly issued (or any other reason). This invalidates signatures made after the revocation, and may cast doubt on signatures made shortly before it, because the recorded revocation date will come after the moment the owner actually lost control of the key. Some software acts as if revocation nullifies all signatures ever made with the key, effectively invalidating them. This causes problems with contracts, because it gives a party an easy way out of a contract: revoke the key.
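As an added worked example (not code from the CAcert wiki or from any CAcert software), the following Go program puts the points of the Discussion, Lifetime and Revocation sections into one verifier: it signs a constructed document, keeps the certificate next to the signature so that verification still works after the certificate has expired, rejects an altered document, and judges expiration and revocation at the signing time rather than at verification time, so that a later expiry leaves the signature valid and a later revocation only flags it instead of nullifying it. Everything here is an assumption made for the demonstration: the certificate is self-signed, standing in for a CAcert-issued one; the revocation date is handed to the verifier directly instead of coming from a CRL or OCSP response; the signing time is taken from the record itself, where a real protocol would need a trusted timestamp (otherwise the signer could backdate a signature past his own revocation); and the document, names and dates are made up. The same time check, with the current time in place of the signing time, is what Bob's software must run before making a new signature with an expired or revoked key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is what the verifier reports to Alice about one signature.
type Status string

const (
	Valid            Status = "valid"
	BadSignature     Status = "bad signature"            // document altered or wrong key: never trust
	OutsideValidity  Status = "outside validity period"  // signed before NotBefore or after NotAfter: never trust
	AfterRevocation  Status = "signed after revocation"  // never trust
	BeforeRevocation Status = "valid, key revoked later" // still valid, but flag it for review
)

// SignedRecord keeps the certificate with the signature so it can be checked years later.
// SignedAt is taken at face value here (assumption); a real protocol needs a trusted timestamp.
type SignedRecord struct {
	Document, Signature, CertDER []byte
	SignedAt                     time.Time
}

// selfSignedCert issues a throwaway certificate with the given validity window, a hypothetical
// stand-in for a CAcert-issued certificate; only the dates matter for this demonstration.
func selfSignedCert(key *rsa.PrivateKey, notBefore, notAfter time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "bob@example.org"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// sign produces an RSA PKCS#1 v1.5 signature over SHA-256 of the document.
func sign(key *rsa.PrivateKey, certDER, doc []byte, at time.Time) (SignedRecord, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return SignedRecord{Document: doc, Signature: sig, CertDER: certDER, SignedAt: at}, err
}

// verify judges the signature at its signing time, not at "now": later expiry does not
// undo it, later revocation only casts doubt on it. A zero revokedAt means never revoked.
func verify(rec SignedRecord, revokedAt time.Time) (Status, error) {
	cert, err := x509.ParseCertificate(rec.CertDER)
	if err != nil {
		return "", err
	}
	// CheckSignature re-hashes the document and verifies it against the certificate's key,
	// so any change to the document after signing lands here.
	if cert.CheckSignature(x509.SHA256WithRSA, rec.Document, rec.Signature) != nil {
		return BadSignature, nil
	}
	switch {
	case rec.SignedAt.Before(cert.NotBefore) || rec.SignedAt.After(cert.NotAfter):
		return OutsideValidity, nil
	case revokedAt.IsZero():
		return Valid, nil
	case rec.SignedAt.Before(revokedAt):
		return BeforeRevocation, nil
	}
	return AfterRevocation, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runScenario plays Bob and Alice through constructed dates and a constructed document.
func runScenario() map[string]Status {
	day := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // 1024 bits, the table's old minimum, is no longer adequate
	certDER := must(selfSignedCert(key, day("2020-01-01"), day("2021-01-01")))
	doc := []byte("Bob agrees to pay Alice 100 EUR on 2020-12-31.") // constructed sample
	altered := []byte("Bob agrees to pay Alice 1 EUR on 2020-12-31.")
	never, revoked := time.Time{}, day("2020-09-01")
	out := map[string]Status{}
	try := func(name string, signedAt, revokedAt time.Time, shown []byte) {
		rec := must(sign(key, certDER, doc, signedAt))
		rec.Document = shown // what Alice is handed may differ from what Bob signed
		out[name] = must(verify(rec, revokedAt))
	}
	try("signed while valid, checked after expiry", day("2020-06-01"), never, doc)
	try("signed while valid, document altered later", day("2020-06-01"), never, altered)
	try("signed after expiry", day("2021-06-01"), never, doc)
	try("signed before revocation", day("2020-06-01"), revoked, doc)
	try("signed after revocation", day("2020-10-01"), revoked, doc)
	return out
}

func main() { fmt.Println(runScenario()) }
```

Run it with go run and the five outcomes are printed. "signed after expiry" and "signed after revocation" are the two cases where the verifier must refuse; "signed while valid, checked after expiry" is the case the text insists on, a signature that stays valid although the certificate has since run out; and "signed before revocation" is the case the text warns about: technically valid, but because the revocation date lags the real loss of control over the key, a cautious verifier reports it separately rather than silently accepting or rejecting it. Note that verify never consults the current time at all; whether the key may still be used today is a different question, answered by running the same NotBefore/NotAfter and revocation check against the present.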

Some more things:

Rollover

The next topic, closely tied to digital signatures, is key rollover. When a certificate is about to expire, rolling the key over into a new certificate before the old one expires may help to avoid complications with digital signatures. This matters especially where software treats expired certificates bluntly: it may tell the user that the signatures are expired, or even that they are revoked.

Caveats

All in all, digital signing is a very difficult application. The (work-in-progress) CPS says that it is not reliable. For this reason, there is an attempt to create a digital signing protocol that incorporates additional protection to overcome the issues above.

DigitalSignature (last edited 2009-11-21 23:35:58 by SunTzuMelange)