##language:en

= Notes =

''Note that digital signing is currently not recommended by CAcert. This is recorded in the [[https://www.cacert.org/policy/CertificationPracticeStatement.php#p1.4|CPS]] ('''DRAFT'''), which warns that CAcert certificates are not currently issued for digital signing in a human sense. See sections 1.4.3 and 1.4.4 for details. The CPS is a controlling document and therefore overrides what follows.''

The main location for information is the DigitalSigning page.

== Comparison ==

'''DEPRECATED:'''

||Handwritten signature||Digital signature||
||You create your own individual signature, which is meant to be hard to forge.||Your computer generates a key pair; the private key is a random secret of at least 1024 bits, and each signature is computed from the document with that key, so it is different for every document.||
||You sign a document with your own signature.||Your email program signs the email with your private key before sending it.||
||You receive a document signed by a person you know.||You receive an email with a digital signature whose certificate your email program already knows.||
||You receive a document signed by a person you do not know.||You receive an email with a digital signature whose certificate your email program does not know.||
||You receive a document signed by a person you do not know, but the signature is notarized by an official authority.||You receive an email with a digital signature whose certificate your email program does not know, but the digital signature is approved by CAcert. '''Wrong. CAcert does not approve a signature, but does know the person who owns the key.'''||

See also: SecurityLayer

== Discussion ==

With digital signatures, someone who has the appropriate software can put a digital signature on a document (a file, form data, an image or an email). Later, someone else can verify that signature, which indicates who signed it (more precisely, which key and certificate were used), that this is the document that was signed, and that it has not been modified since.

==== Lifetime ====

Users of signatures have varying timeframes: days to years. Some security-relevant organisations talk of a necessary timeframe of at least 30 years during which a digital signature must still verify successfully. [[DigitalSigningProtocol|Protocols for digital signing]] should preserve the certificate, and the revocation information for it, for that length of time.

==== Revocation of a Signature ====

One important point for a signing protocol is whether there is a difference between expiration and revocation. Consider Bob and Alice:

# Bob gets his CAcert certificate in October 2004; it lasts two years, so it expires in October 2006.
# In 2005 Bob signs an important document with his private key and the CAcert certificate.
# Afterwards the document and the signature are archived.
# In 2010 Alice retrieves the document from the archive and verifies the signature.
The verification program should ideally tell Alice the following:

* Bob's key signed this document in 2005.
* The document is intact and has not been modified.
* Bob's certificate was valid at the time of signing (2005).
* Bob's certificate expired in 2006 but was never revoked.

So in the context of digital signatures it is very important to understand the role of "expiration" and how it differs from "revocation".

Expiration means that the certificate's validity period has run out: it cannot be used any more for new signatures or new communication sessions. Digital signatures that were made with the key while the certificate was valid ARE STILL VALID.

Revocation means that the private key has leaked, or that the certificate was wrongly issued (or any other reason for withdrawing it). It invalidates signatures made after the revocation, and ''may cast doubt on signatures made before it'', because the revocation date necessarily comes after the moment at which control over the key was actually lost. A verifier therefore needs a trustworthy signing time; without one it cannot place a signature before or after the revocation.

Some software acts as if revocation nullifies all signatures ever made with the certificate, effectively invalidating them. This would cause problems with contracts, because it gives a signer an easy way out of a contract: revoke the key.

Some more things:

* If revocation is the signal to invalidate all signatures, certificates may need to remain revocable after they have expired.
* CRI (Certificate Revocation Information, i.e. CRLs and OCSP) should remain available even years after the certificates have expired.
* The CA should not revoke certificates without a good reason.
* A good [[DigitalSigningProtocol|digital signing protocol]] will divorce itself from all this.

==== Rollover ====

The next topic closely tied to digital signatures is key rollover. When a certificate is about to expire, rolling the key over into a new certificate may help to avoid complications with digital signatures, especially where software treats expired certificates bluntly and tells the user things like "the signature has expired" or even "the certificate is revoked".
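The Bob and Alice timeline above, worked through in code. This is an added example, not code from the CAcert wiki or from any CAcert software, and it uses only Go's standard library. Everything in it is constructed for the example: the throwaway root ("Example Test Root"), Bob's certificate with serial 4711 and its 2004 to 2006 validity, the dates, and the `Revocations` map, which stands in for a CRL lookup. The signing time is passed in as a trusted value, which is exactly what a real signing protocol has to establish (for instance with a timestamp). The example goes slightly beyond the text: besides the expired-but-never-revoked case it also shows a revocation after signing, a revocation before signing, a signing time claimed after expiry, and a tampered document.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Revocations stands in for the issuer's CRL: certificate serial -> revocation date.
type Revocations map[string]time.Time

// mustKey and mustIssue are test-fixture helpers, so they panic instead of returning errors.
func mustKey() ed25519.PrivateKey {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func mustIssue(tmpl, parent *x509.Certificate, subject, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subject.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewFixture replays the Bob/Alice timeline with constructed material: a throwaway
// root ("Example Test Root", not a real CAcert root) issues Bob a signing certificate
// valid from October 2004 to October 2006. x509.CreateCertificate accepts backdating.
func NewFixture() (roots *x509.CertPool, bobCert *x509.Certificate, bobKey ed25519.PrivateKey) {
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root"},
		NotBefore:    time.Date(2003, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2033, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := mustIssue(caTmpl, caTmpl, caKey, caKey)
	bobKey = mustKey()
	bobCert = mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "Bob"}, // constructed serial
		NotBefore:    time.Date(2004, 10, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2006, 10, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, caCert, bobKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, bobCert, bobKey
}

// Sign produces Bob's Ed25519 signature over the document.
func Sign(key ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(key, doc)
}

// Verdict keeps the overall decision apart from the facts behind it.
type Verdict struct {
	Trust      bool   // the signature may be relied upon
	ExpiredNow bool   // certificate is past NotAfter at verification time (informational only)
	Detail     string // reason for the decision
}

// VerifySignedDocument validates the chain at the claimed signing time rather than at
// verification time, and judges a revocation relative to that signing time. signedAt is
// taken on trust here; a real protocol needs a trusted timestamp to establish it.
func VerifySignedDocument(doc, sig []byte, cert *x509.Certificate, roots *x509.CertPool,
	signedAt, now time.Time, crl Revocations) Verdict {
	v := Verdict{ExpiredNow: now.After(cert.NotAfter)}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, doc, sig) {
		v.Detail = "signature does not match the document or the key"
		return v
	}
	// CurrentTime makes Go check NotBefore/NotAfter of the whole chain at signedAt, not now.
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: signedAt})
	revokedAt, revoked := crl[cert.SerialNumber.String()]
	switch {
	case err != nil:
		v.Detail = "certificate did not chain to a trusted root at signing time: " + err.Error()
	case revoked && !revokedAt.After(signedAt):
		v.Detail = "certificate was already revoked when the signature was made"
	case revoked:
		v.Trust, v.Detail = true, "valid at signing time, but revoked later; loss of key control may predate the revocation date"
	default:
		v.Trust, v.Detail = true, "valid at signing time; the later expiry does not affect this signature"
	}
	return v
}
```

The decisive line is the `CurrentTime` field of `x509.VerifyOptions`: it makes the library evaluate the validity window of every certificate in the chain at the signing time instead of at the wall clock. Software that leaves it at the default (now) is the software described under Rollover, which reports Bob's 2005 signature as expired in 2010. The revocation check deliberately distinguishes "revoked before the signature" (reject) from "revoked after the signature" (accept, but say so), which is the difference the section is about; a verifier that cannot establish the signing time cannot make that distinction at all.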
==== Caveats ====

All in all, DigitalSigning is a very difficult application. The (work in progress) CPS says that it is not reliable. For this reason there is an attempt to create a [[DigitalSigningProtocol|digital signing protocol]] that incorporates additional protection to overcome the issues above.