[thelist] Digital Signature of Documents

Chris Anderson Chris at activeide.com
Thu Mar 6 17:28:51 CST 2008

> We want to digitally sign all our communications with our clients
> (contracts, proposals, briefs,
> mockups, etc) avoiding the need to print-sign-fax/scan cycle.  We have
> Ideally, they go to our website, login to it, go to the get keys and
> then when a document is
> ready for them to review and sign, the workflow software will email

If the client can download the private and public keys using a username
and password, you might as well not bother with the keys...because
you've reduced the access to username/password authentication.

(If an attacker gained access via username/password, they could get the
keys and sign documents as the client!)

OTOH, if you allowed the keys to be downloaded once only, you could add a
verification step in (i.e. after the keys are downloaded, they cannot be
used to sign anything (or you reject even signed documents) until you
contact the client to check it was them).
The best way to distribute private keys though is via trusted courier!
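
The one-time download with a verification hold described in the reply above, as an added example (not part of the original post or of any product it discusses): a key cannot be used for signing until the client confirms out of band that the download was theirs. `KeyRegistry`, its method names and the sample byte strings are hypothetical, and the cryptographic signature check is assumed to be done elsewhere and passed in as a boolean.

```python
import hashlib
from enum import Enum

class KeyState(Enum):
    ISSUED = 1    # generated, waiting for the client's single download
    PENDING = 2   # downloaded once, not yet confirmed out of band
    ACTIVE = 3    # client confirmed the download was theirs
    REVOKED = 4   # client denied making the download

class KeyRegistry:
    """Hypothetical server-side record of one signing key per client."""

    def __init__(self):
        self._rec = {}

    def issue(self, client, private_key, public_key):
        fp = hashlib.sha256(public_key).hexdigest()
        self._rec[client] = {"state": KeyState.ISSUED, "fp": fp, "priv": private_key}
        return fp

    def download(self, client):
        rec = self._rec[client]
        if rec["state"] is not KeyState.ISSUED:
            raise PermissionError("key already downloaded once")
        priv, rec["priv"] = rec["priv"], None  # drop the server-side copy
        rec["state"] = KeyState.PENDING
        return priv

    def confirm(self, client, client_says_it_was_them):
        rec = self._rec[client]
        if rec["state"] is not KeyState.PENDING:
            raise ValueError("nothing awaiting confirmation")
        rec["state"] = KeyState.ACTIVE if client_says_it_was_them else KeyState.REVOKED

    def accept_signature(self, client, fp, signature_valid):
        # signature_valid is the result of the real cryptographic check (assumed, done elsewhere)
        rec = self._rec.get(client)
        return bool(rec and rec["state"] is KeyState.ACTIVE
                    and rec["fp"] == fp and signature_valid)

def demo():
    reg = KeyRegistry()
    fp = reg.issue("client-a", b"constructed-private", b"constructed-public")
    reg.download("client-a")
    before = reg.accept_signature("client-a", fp, True)  # key still PENDING
    reg.confirm("client-a", True)                        # out-of-band check passed
    after = reg.accept_signature("client-a", fp, True)
    return before, after
```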


