JanetK_CA asked "I don't recall seeing any standards included in this bill (directly or indirectly) about device security for RON notaries or data storage standards for video recordings, etc., etc. (Or did I just miss it?)" Back in 2000 Congress passed the ESIGN law which requires esignatures to be technology neutral, and this requirement was placed on the states as well as the federal government. So a state can give a performance standard, such as an esignature shall be tamper-evident. But it can't specify that a certain technology, such as Adobe PDF Reader, be used. It makes it hard to write a law that anybody understands. On the other hand, there is no hope of a legislature keeping up with the changes in technology, so this way is really the only way it could be done.
A simple (maybe too simple) guide to detecting tampering can be found at
https://www.signix.com/blog/bid/101422/how-to-detect-tampering-in-a-digitally-signed-document
In a crude way, Adobe Reader and Acrobat, and Microsoft Word protect against tampering by someone who isn't really good with computers by simply not saving the digital signature after a signed file is altered. Here are the steps in Microsoft Office 365 as of today:
1. I create a Microsoft Word document, add a signature line at the end, and sign it with a digital signature, which in turn uses a digital certificate issued by IdenTrust. During the signing process the document is saved with the signature in it.
2. I close the document.
3. I reopen the document. I notice at the top the document is marked as final to discourage editing. To edit it I have to click a box that says "Edit Anyway". I also see a note at the top that says "This document contains valid signatures."
4. I click "Edit Anyway". The statement "This document contains valid signatures" goes away and "This document needs to be signed" appears. The signature line, which used to have a text signature on it, is now blank.
A more sophisticated attack would be to use a program, such as Notepad, to alter the document and go around all the restrictions created by Word or Adobe Acrobat. But when you do that, Word considers the file to be corrupted and can't open it. You would have to know how to repair the corruption, and I don't know how.
Assuming somebody out there does know how to repair the corruption, when the altered file is read into Word, the signature would somehow be marked as invalid. Similar procedures apply to the Adobe products. |
