| |
|
| |
|
 |
What is a signing
certificate? |
| |
| You will
need a signing certificate to create a signature.
This is not required if you will just be using
the time stamp capability. In brief, a
signing certificate binds the identity of
the person to a signing key. The Certificate
Authority(CA) issues a signing certificate
in a process that confirms the identity
of the requester. Synonyms for a signing
certificate include public key certificate
and x.509 certificate.
The process of confirming a person's identity
and associating this with a public/private
key pair can vary and this results in different
levels of trust. For example, a signing
certificate that is issued based only on
an e-mail address likely has little trust.
With a greater trust model usually comes
some additional expense related to the issuance
of a signing certificate. For additional
details about using certificates in the
IP-Protector software and implying trust
click here.
| Screen shots from
the software on this subject: |
|
|
 |
A Certificate Authority has additional
activities beyond issuing signing certificates,
including managing the revocation of certificates
in the event the user notifies them of a
compromise and then publishing these Revocation
Lists (CRL). When implementing digital signature
technology within an organization, the organization
can either operate its own CA system, or
use the CA service of a commercial CA. |
Back
to top
|
|
| |
|
|
How do I get a
signing certificate? |
| |
| Please
click here
to see instructions on how to create your
certificate and then how to use it in our
client software application, IP-Protector.
Trial (free) certificates are available from
several vendors on this page. |
Back
to top
|
|
| |
|
|
How do I protect
my private key? |
| |
Please
click here
to see instructions on how to create your
private key and signing certificate. Where
to store the file that contains the private
key? We suggest that you put this file on
a removable floppy disk. The certificate file
is encrypted and could be stored anywhere
on your computer. Consider these additional
details:
| 1. |
The Java environment that our desktop
software uses keeps the private key
in a encrypted file (PKCS12) that is
protected by a password that you chose.
Choose a strong password for this file's
protection. |
| 2. |
Keep this password protected file
on a removeable medium (floppy, CD)
and then securely store. Only use this
when signing. This approach does make
signing a slightly more difficult task.
But, signing as deliberate act that
requires you to retrieve and unlock
the key is probably appropriate. |
| 3. |
The most secure solution with current
technology is a smartcard. This solution
could include the smartcard creating
the actual signature within the card
after you supply a PIN directly on the
cards embedded key pad. We have additional
information about using a smartcard
with our desktop software is here. |
The process to create your private signing
key typically involves using your Internet
browser. During the export process from browser,
it is suggested that you delete the private
key from your browser. |
Back
to top
|
|
| |
|
|
How much does this
service cost? |
| |
| We
charge only for the time stamp transactions.
There is no up-front charge for the software
or digital signatures. However, the software
does require that when you create a signature,
it must also be time stamped. The cost for
a time stamp starts at 40 cents ($0.40 USD)
and is described here
with volume price adjustments. |
Back
to top
|
|
| |
|
|
What types of documents can be signed? |
| |
There are important exceptions within E-SIGN legislation to exclude using
digital signatures on some types of legal documents. For example, creation
or signing of wills or testamentary trusts; state laws regarding adoption,
divorce or other family law matters; certain sections of the Uniform Commercial
Code; court documents required in connection with court proceedings. The
E-SIGN act does not apply to documents required for transportation or handling
of hazardous, toxic or dangerous materials. The E-SIGN act does not apply
does not apply to the following important notices of:
* cancellation of utility services
* notices of default, repossession, foreclosure, eviction, etc. regarding
residential real estate
* cancellation of health or life insurance benefits
* product recalls or material product failures that risk endangering health
or safety
Additional important considerations. |
Back
to top
|
|
| |
|
|
Why is it important
to time stamp a signature? |
| |
| |
| Attest
to "when" a digital file was signed |
| |
A digital
signature provides who signed the digital
file. A time stamp of that digital signature
provides when the digital file was signed.
These are two basic ingredients to properly
execute e-commerce transactions and other
business agreements. It is similar to signing
a document before a notary - the notary can
testify that you appeared before them on a
given day to sign a document. |
| |
| In
the event your PKI private key is compromised |
| |
In the event your PKI
private key is compromised
If your private key were to be revealed, then
others could sign data files as yourself.
This would not compromise all data files you
ever signed with that key if you also time-stamped
all of those previous signatures. Because
DigiStamp countersigns the data files, those
signatures created before the private key
was compromised are still valid.
As a general practice, to maintain the veracity
of digital signatures you accept, they should
be time-stamped to avoid the other party from
later stating that their private key was revealed;
and therefore, any of their signatures with
that key might be a forgery.
Second is that the process to create a digital
signature involves using your secret, private,
signing key.There is risk that your private
key will be stolen or compromised. It is important
that you are able to distinguish the documents
that you signed with your private key from
those that were signed after the key was compromised.
If you time stamp all of your signatures,
then those signatures created after the compromise
can be distinguished. It is important in this
process to notify the Certificate Authority
that the key was compromised. This process
can be compared to calling a credit card company
to inform them when your credit card was lost
or stolen. Once informed, the credit card
company can identify inappropriate charges.
|
Screen shots from the software on this
subject: |
|
|
|
| |
|
| Create
a binding receipt |
| |
When your signed documents
are sent to a trading partner, ask for an
immediate receipt. A receipt is the receiving
party’s time-stamped signature of the
document you sent, which is strong evidence
that they had receipt of the document at the
specified time. |
Back
to top
|
|
| |
|
|
What is the purpose
of supporting multiple signatures of a document? |
| |
Some business
documents may only be valid if they
bear more than one signature. For example,
this is the case generally when a contract
is signed between two parties. The sequence
that the signatures are applied (i.e.
time stamp of the signature) may or
may not be important.
Another example from an organization's
procedures manual: "In instances
where reimbursement for out-of-pocket
business expense is to be paid to an
individual, who happens to be the disbursing
authority for the account to which the
expense will be charged, a second signature
should be obtained. The signature may
be from either of the following: (1)
a person of higher authority or (2)
the business manager or other person
designated to review and approve expense
transactions for the department, school,
college or division." |
|
Back
to top
|
|
| |
|
|
What is a countersignature? |
| |
First,
a review of the technical perspective by comparing
a countersignature with a signature: A signature
is created over the content of the document;
a countersignature is created over the previously
created signature.
In a general sense, when you apply your countersignature,
you are accepting that the "previous
signature" is authentic. When you apply
your signature, you are accepting and agreeing
with the contents of the document.
An example of using a countersignature in
a research organization is when the creator/author
of the research data signs and time stamps
that data. Then, a colleague verifies the
signature and time stamp of the author and
applies the countersignature. The countersignature
is not a statement of ownership or authorship
of the data, but it is a statement of a review
that the author did sign the research data. |
Back
to top
|
|
| |
|
|
What are signature
qualifiers? |
| |
Signature
qualifiers are additions to your signature
that record the purpose or intent of your
signature. A standard set of qualifiers have
been defined and can be optionally added to
your signature, for example: Approve, Receipt,
Originate.
| For more details click
here or a screen shot |
|
from the IP-Protector application. |
|
Back
to top
|
|
| |
|
|
How is this different
from using my e-mail package to sign e-mails? |
| |
1.
Signing and time stamping your work may not
involve sending the work anywhere as you do
with an e-mail.
2. Often
business is conducted around signing "documents";
as compared to signing an e-mail.
3. E-mail
does not support multiple signatures or countersignatures.
4. You
might choose to use e-mail encryption features
because your e-mailed documents are being
sent over the Internet and others could see
the content. Use our software to create and
manage the document signatures, then attach
them to an e-mail. Encrypting documents is
different than signing, and you could easily
use a different certificate for encryption
as compared to signing. See the next 2 FAQ's
for further information. |
Back
to top
|
|
| |
|
|
Is data encryption
included with IP Protector ? |
| |
No,
we do not provide tools for document encryption.
We focus on document authentication with time
stamps and digital signatures.
We perceive a distinction between the creation
of signatures and the management of encrypted
data. These two functions can use similar
technologies. But the differences of when
you use encryption and manage the encrypted
data is very different from signing. See the
FAQ below related to separate keys for these
functions. |
Back
to top
|
|
| |
|
|
Should my signing
key be the same as my encryption key? |
| |
This
is technically possible, but we suggest that
you separate these two functions. The two
keys need to be managed differently:
 |
An encryption key must
be available for as long as any data
is still encrypted. For example, it
is very important to have a backup copy
of this key or you will not be able
to decrypt valuable information. |
|
A signing key should only have one
copy that is under only your control
and the destruction of that key is not
a problem. If the key is destroyed,
then all signatures that you created
with that key can still be authenticated
with the public key certificate (from
your CA). |
|
Back
to top
|
|
| |
|
|
Why is Java
Web Start used by the software? |
| |
| In
summary, the security features of the Java
Web Start environment and the ease of distributing
updates is why we chose this tool. Each time
you use our application, it is checked that
no tampering has occurred to the software.
The Java Web Start environment uses digital
signatures (code signing technique)to allow
users to verify that the software has not
been tampered with and that signed code is
tied to the identity of the author. There
is more about security warnings and details
here. |
Back
to top
|
|
| |
|
|
Can I have the
software source code? Especially considering the
security nature of this application? |
| |
We
have made a provision for you to have a copy
of the source code related to private key
handling. This is the only source code distributed
at this time.
The design allows you to add a code plug-in
to our software. The design allows the necessary
private key handling to occur within that
plug-in. We provide example source code that
you can modify, compile, and install into
the IP Protector software. Details are here. |
Back
to top
|
|
| |
|
|
Can I use a smart
card to create my signatures? |
| |
| We
have an option for you to supply the smart
card and a Java software plug-in to manage
the card access. In the plug-in code that
you provide, you provide smart card access
for signature generation. The IP-Protector
manages the "verify" step and optionally
the SHA-1 hash generation. Details are here. |
Back
to top
|
|
| |
|
|
What signing algorithms
are supported? |
| |
| RSA
with key lengths to 2048 using SHA-1 digest.
DSA support is planned. Please write
to DigiStamp if you have additional needs. |
Back
to top
|
|
| |
|
|
I am a user of
Version 2, can I copy my time stamps into this new
version 3? |
| |
Version
2 is still supported. Version 2 creates and
verifies time stamps, but does not include
the digital signature features. If you would
like to begin using Version 3:
|
Install
Version 3 as new software. This
installation will not impact or change
your Version 2 copy of our software.
Your existing account number and password
are used in the new version. |
|
Copy your existing time stamp from
Version 2 into Version 3. Instructions
are here.
|
|
Back
to top
|
|
