Frequently Asked Questions - Digital Signatures
You can create a timestamp of your data without using the Digital Signature option. Below is information about creating your personal digital signature if you choose to use this option. For example, by using Adobe Reader or Microsoft Office. Creating a personal digital signature is a little more complicated because it involves using a personal signing key - some information is below that we hope is helpful. DigiStamp is not a vendor of "signing certificate"
FAQs on other subjects here.
You will need a signing certificate to create a signature. This is not required if you will just be using the timestamp capability ( in Adobe products you can create just a timestamp. In Microsoft products you need to first create a signature).
In brief, a signing certificate binds the identity of the person to a signing key. The Certificate Authority(CA) issues a signing certificate in a process that confirms the identity of the requester. Synonyms for a signing certificate include public key certificate and x.509 certificate.
The process of confirming a person's identity and associating this with a public/private key pair can vary and this results in different levels of trust. For example, a signing certificate that is issued based only on an e-mail address likely has little trust. With a greater trust model usually comes some additional expense related to the issuance of a signing certificate.
A Certificate Authority has additional activities beyond issuing signing certificates, including managing the revocation of certificates in the event the user notifies them of a compromise and then publishing these Revocation Lists (CRL). When implementing digital signature technology within an organization, the organization can either operate its own CA system, or use the CA service of a commercial CA.
Please ..... need this text
Please click here to see instructions on how to create your private key and signing certificate. Where to store the file that contains the private key? We suggest that you put this file on a removable floppy disk. The certificate file is encrypted and could be stored anywhere on your computer. Consider these additional details:
- The Java environment that our desktop software uses keeps the private key in a encrypted file (PKCS12) that is protected by a password that you chose. Choose a strong password for this file's protection.
- Keep this password protected file on a removeable medium (floppy, CD) and then securely store. Only use this when signing. This approach does make signing a slightly more difficult task. But, signing as deliberate act that requires you to retrieve and unlock the key is probably appropriate.
- The most secure solution with current technology is a smartcard. This solution could include the smartcard creating the actual signature within the card after you supply a PIN directly on the cards embedded key pad. We have additional information about using a smartcard with our desktop software is here.
The process to create your private signing key typically involves using your Internet browser. During the export process from browser, it is suggested that you delete the private key from your browser.
We charge only for the timestamp transactions. There is no up-front charge for the software or digital signatures. However, the software does require that when you create a signature, it must also be timestamped. The cost for a timestamp starts at 40 cents ($0.40 USD) and is described here with volume price adjustments.
There are important exceptions within E-SIGN legislation to exclude using digital signatures on some types of legal documents. For example, creation or signing of wills or testamentary trusts; state laws regarding adoption, divorce or other family law matters; certain sections of the Uniform Commercial Code; court documents required in connection with court proceedings. The E-SIGN act does not apply to documents required for transportation or handling of hazardous, toxic or dangerous materials. The E-SIGN act does not apply to the following important notices of:
- cancellation of utility services
- notices of default, repossession, foreclosure, eviction, etc. regarding residential real estate
- cancellation of health or life insurance benefits
- product recalls or material product failures that risk endangering health or safety
A digital signature provides who signed the digital file. A timestamp of that digital signature provides when the digital file was signed. These are two basic ingredients to properly execute e-commerce transactions and other business agreements. It is similar to signing a document before a notary - the notary can testify that you appeared before them on a given day to sign a document.
In the event your PKI private key is compromised
If your private key were to be revealed, then others could sign data files as yourself. This would not compromise all data files you ever signed with that key if you also timestamped all of those previous signatures. Because DigiStamp countersigns the data files, those signatures created before the private key was compromised are still valid.
As a general practice, to maintain the veracity of digital signatures you accept, they should be timestamped to avoid the other party from later stating that their private key was revealed; and therefore, any of their signatures with that key might be a forgery.
Second is that the process to create a digital signature involves using your secret, private, signing key.There is risk that your private key will be stolen or compromised. It is important that you are able to distinguish the documents that you signed with your private key from those that were signed after the key was compromised. If you timestamp all of your signatures, then those signatures created after the compromise can be distinguished. It is important in this process to notify the Certificate Authority that the key was compromised. This process can be compared to calling a credit card company to inform them when your credit card was lost or stolen. Once informed, the credit card company can identify inappropriate charges.
When your signed documents are sent to a trading partner, ask for an immediate receipt. A receipt is the receiving party’s timestamped signature of the document you sent, which is strong evidence that they had receipt of the document at the specified time.
Adobe Reader does support creating multiple in the PDF. Some business documents may only be valid if they bear more than one signature. For example, this is the case generally when a contract is signed between two parties. The sequence that the signatures are applied (i.e. timestamp of the signature) may or may not be important.
Another example from an organization's procedures manual: "In instances where reimbursement for out-of-pocket business expense is to be paid to an individual, who happens to be the disbursing authority for the account to which the expense will be charged, a second signature should be obtained. The signature may be from either of the following: (1) a person of higher authority or (2) the business manager or other person designated to review and approve expense transactions for the department, school, college or division."
First, a review of the technical perspective by comparing a countersignature with a signature: A signature is created over the content of the document; a countersignature is created over the previously created signature.
In a general sense, when you apply your countersignature, you are accepting that the "previous signature" is authentic. When you apply your signature, you are accepting and agreeing with the contents of the document.
An example of using a countersignature in a research organization is when the creator/author of the research data signs and timestamps that data. Then, a colleague verifies the signature and timestamp of the author and applies the countersignature. The countersignature is not a statement of ownership or authorship of the data, but it is a statement of a review that the author did sign the research data.
Signature qualifiers are additions to your signature that record the purpose or intent of your signature. A standard set of qualifiers have been defined and can be optionally added to your signature, for example: Approve, Receipt, Originate.
1. Signing and timestamping your work may not involve sending the work anywhere as you do with an e-mail. Or timestamp well in advance of emailing to other parties.
2. Often business is conducted around signing "documents"; as compared to signing an e-mail.
3. E-mail does not support multiple signatures or countersignatures (generally).
4. You might choose to use e-mail encryption features because your e-mailed documents are being sent over the Internet and others could see the content. Use our software to create and manage the document signatures, then attach them to an e-mail. Encrypting documents is different than signing, and you could easily use a different certificate for encryption as compared to signing. See the next 2 FAQ's for further information.
No, we do not provide tools for document encryption. We focus on document authentication with timestamps and digital signatures.
We perceive a distinction between the creation of signatures and the management of encrypted data. These two functions can use similar technologies. But the differences of when you use encryption and manage the encrypted data is very different from signing. See the FAQ below related to separate keys for these functions.