TechWhirl (TECHWR-L) is a resource for technical writing and technical communications professionals of all experience levels and in all industries to share their experiences and acquire information.
Dick Margulis wrote:
>
> Sylvia Braunstein wrote:
> >
> > Our Company wishes to send out by e-mail signed documents files
> > (Word97/Pdf, other?).
> > What are the alternatives to add the signatures to the documents and how
> > is it done?
> > Do we have to scan the signatures?
> > Thanks
> > Sylvia
> >
> Heavens no! A scanned signature becomes a graphic that anyone can copy
> and use. Therefore it carries no authentication value. ...
Yes, and several countries are in the process of changing laws so
that digital signatures are legally recognised. Talk to lawyers
before relying on them for business.
> The whole point, as I understand it, of electronic signature is
> authentication at a distance, not simulation of handwriting.
Exactly.
It is done using public key cryptography. Keys come in pairs. Encrypt
with one and only its mate can decrypt. Each user creates a pair and
keeps one half of it secret. The other half, the public key, can be
published in the phone book or whatever.
Omitting some details, I can then send you a message encrypted with
your public key & only you can decrypt because only you have the
matching private key.
To sign a document, compute a hash of it (crunch all the binary digits
exceedingly thoroughly to get, say, a 128-bit result that depends on every
bit of input). Encrypt the hash result with your private key. Stick the
encrypted hash and your name at the end of the message.
Now I can hash all of the message myself and get some 128-bit result.
I can also decrypt your encrypted hash with your public key. If my hash
matches the decrypted one, I accept the signature. It could have been
produced only by someone with a copy of the document and access to
your private key.
Have a look at PGP. It is clearly the standard for this sort of thing.
There are even a couple of RFCs defining it.
The US considers cryptography a munition, so the MIT site has
export restrictions. For info on PGP availability elsewhere: http://cryptography.org/getpgp.htm