[thelist] Digital Signature of Documents

Daniel Burke dan.p.burke at gmail.com
Thu Mar 6 23:57:06 CST 2008

WHOA there's a big problem....

The whole purpose of private keys is that they're private. Personally,
if someone issues me a private key, I'll burn it right there and then.
The only private key I trust is one I generate myself.

A good method is Launchpad's method, where you register your public
key with them, and then sign a document with your private key, to
prove that you control you private key (They can verify it is your
signature with your public key).

Alternatively, they send your site a copy of their public key, and you
encrypt a unique secret with it and send it back to them. They decrypt
the secret, and send it to you, plain text is fine. The secret could
be a link with a unique id in the URL.

https://launchpad.net/~dan-p-burke - Here's my launchpad profile, so
you can have a look at how it works

They use GnuPG, and I use the Seahorse frontend to it, which is very
easy to use.
http://www.gnupg.org - there is a windows version, but it is only
command line. It should be easy enough to whip up a basic interface in
pythong in a few days. Of course without an entropy gatherer I would
feel dubious about keys it generates.

On numerous occasions I have been described as paranoid, so you may
feel Chris's post is much more feasable. Though I must insist private
keys are not ever distributed!

On Fri, Mar 7, 2008 at 9:58 AM, Chris Anderson <Chris at activeide.com> wrote:
> > We want to digitally sign all our communications with our clients
>  > (contracts, proposals, briefs,
>  > mockups, etc) avoiding the need to print-sign-fax/scan cycle.  We have
>  ...
> > Ideally, they go to our website, login to it, go to the get keys and
>  > then when a document is
>  > ready for them to review and sign, the workflow software will email
>  If the client can download the private and public keys using a username
>  and password, you might as well not bother with the keys...because
>  you've reduced the access to username/password authentication.
>  (If an attacker gained access via username/password, they could get the
>  keys and sign documents as the client!)
>  OTOH if you allowed the keys to be downloaded once only you could add a
>  verification step in (i.e. after the keys are downloaded, they cannot be
>  used to sign anything (or you reject even signed documents) until you
>  contact the client to check it was them.
>  The best way to distribute private keys though is via trusted courier!
>  Chris
>  --
>  * * Please support the community that supports you.  * *
>  http://evolt.org/help_support_evolt/
>  For unsubscribe and other options, including the Tip Harvester
>  and archives of thelist go to: http://lists.evolt.org
>  Workers of the Web, evolt !


More information about the thelist mailing list