Reply by Gerry/VT on 2/10/05 7:20am
Msg #20046
People who are up on computer security use "digital signature" to mean a document that has been mathematically signed using public key cryptography. This can be done fairly easily in several programs, including Microsoft Word. People who are not up on the latest terminology might mean a picture of an ink signature that is placed in a document; you should find out from FASS (whoever that is) which they mean. I will use the first meaning.
The process works like this:
1. You use your computer to get a digital certificate from a certification authority. Perhaps the best known is verisign.com (http://www.verisign.com/products-services/security-services/pki/pki-application/email-digital-id/index.html). Another certificaton authority is GeoTrust; an advantage with their certificate is it works with the US Postal Service's Electronic Postmark. See http://www.verisign.com/products-services/security-services/pki/pki-application/email-digital-id/index.html.
The purpose of the digital certificate is to show that the certification authority has made some effort to verify that the person with the digital certificate really is the person named on the certificate. Usually there are two versions available; for $20 per year they run a credit check to verify your identity, but there is no in-person verification. For somewhat more per year, they send a form that you get notarized in person and send back.
2. The certification authority notifies you your certificate is ready, and you download it and install it over the web. It will be available to Microsoft Word, Outlook Express, Outlook, and other programs. You can set your system to require a password every time the certificate is used.
3. In Microsoft Word XP, click Tools in the menu bar, then Options. Click the Security tab in the Options menu. In the middle of the menu, click Digital Signatures.... In the Digital Signatures menu that appears, click Add.... If you only have one certificate, it will be highlighted in blue. Click OK. You will be asked for the password that allows the certificate to be used; enter the password and click OK. The document is now digitally signed.
What happened is that the computer scanned everything in the document, and created a number that is based on the contents of the document, called a message digest. The document can be rescanned at any time, and it should produce the same number. If even a single character changes, the original number and the new number will disagree. Also, it is virtually impossible to design a different document that comes out to the same number.
Next, the computer combines the message digest with the secret part of your digital certificate to form a number that is the digital signature.
3. You send the document to FASS, for example, as an email attachment. Most of your digital certificate is included, but the secret part is left out.
4. FASS uses Microsoft Word to check the signature. First, Word checks that the certificate was issued by a well known certfication authority. Then Word decodes the digital signature, using information from the certificate to find the message digest. Finally, Word rescans the document and makes sure the new message digest is the same as the original message digest.
I suggest using either the US Postal Service Electronic Postmark, or some other service that provides a secure timestamp. That way, if access to your computer and digital certificate is ever compromised, you can prove which documents were signed before the compromise, and which were signed after the compromise.
This description applies to signatures in your capacity as a private person. If you wish to sign something in your capacity as a notary public, your state might have special regulations.
I have much more experience as an electronics engineer (licensed in Vermont) than as a notary public.
|
Reply by PAW_Fl on 2/10/05 8:54am
Msg #20053
I concur ...
Excellent description of what is needed and how it works. However, the URL for GeoTrust was missing. It is -> http://www.geotrust.com/signing_services/epmcredentials.htm
Gerry inadvertently provided the url for Verisign, twice.
|
Reply by Gerry/VT on 2/10/05 10:58am
Msg #20066
Re: I concur ...
Thank you for the kind words. I actually meant to include the web site for the USPS Electronic Postmark service, which is https://www.uspsepm.com/crm/main.adate
The web site says that certificates from many vendors may be used, but only GeoTrust is specifically named.
|
