Topic: Secure Digital Signatures

[KnuckleBuckett]

I need a solution....

We are considering creating and employing a new purchase requisition system.  In doing this, we would like to go paperless at least as far as the required signatures.  Is there a way to create secure digital signatures?  Not just a scanned in hand signature that anyone can misuse but a safe and easy way to verify each person along the requisition, purchasing, and receipt trail?

[micah]

check out http://www.adobe.com/security/digsig.html

you can encrypt and digitally sign PDFs.

/i've never done it though

[Mike]

How tech savvy are the users?  Are the users local (could you have them come into your office [or vice versa] once)?

What you can do is create a key-pair and a signed certificate (once you've verified it was them).  Then along the process whenever you need a signature you create a hash of some relevant piece of data (say like order number + who is signing + date + some other data that makes it unique) and then have them sign the hash with their private key which you store.  To audit/confirm you recreate that hash, decrypt their signed hash with their public key and compare them.

Now the fatal flaw in all this is if you can't trust the user to keep their private key private.  Ideally the private key should be password protected so if the file itself got out it can't be used as easily.

[ober]

We use Adobe's digital signatures on everything from contracts to training docs.  Still requires you to scan (one time) in a hand-written signature that gets put on the document you sign, but it's pretty easy otherwise.  That's the only process I would really recommend.

[charlie]

Crap that reminds me... I've got a contract I've got to sign.

[Dumah]

PGP/GnuGP have a great set of tools for this, but they are not good if you are't tech savvy