For some reason digital signatures are hard to grasp. Why is that? Well, it’s because to understand why digital signatures work the way they do, it’s best to have a rudimentary understanding of computer security. So let’s forget about computer security and start with something you know: your regular signature that you put on contracts, checks, and routine correspondence.
Your regular signature is a form of document security. You probably don’t think about it that much, but that’s what a signature is. When you physically sign a document, a person who later reads the document can assume that: (1) you’ve physically inspected the document before you signed it; and (2) you accept the document in the form it was in when you signed it (obviously if it was altered after you signed it you wouldn’t accept it with the alterations).
So now let’s talk about what a digital signature is used for. Well, obviously a digital signature has to accomplish at least as much as a physical signature. And it does. In fact, the security of a digitally signed document is much better than that of a physically signed document. Of course, the act of signing a document digitally is a little more cumbersome too. At least, at first. So let’s talk about reading digitally signed documents.
Reading a digitally signed document is easy. Still, when you read a digitally signed document you will encounter a new concept: signature validation. Well, maybe it’s not really new; but it seems new, or at least strange. Again, let’s talk about how it works in the world of paper.
When you get a document signed by Joe Somebody, whom you have never met, you just accept that the signature on the document is his. From there on out, if you are interested in making sure that Joe Somebody really signed it, you just compare later signatures to the one on the first document that you received. I’m assuming you never met Joe because any security system has to account for that common scenario.
The weakness in that scenario is pretty obvious. Someone could pretend to be Joe Somebody and send you a letter with their signature. Later, if they sent you more letters, you’d rely on them as though they were from Joe because they had a signature that you had decided was Joe’s. Scams have been premised on this exact scenario. But in most business correspondence the opportunity for a scam is low and we accept signatures from people we’ve never met without too much worry. In other words, we use common sense to guide our suspicions.
Computers, however, don’t have common sense to guide their trust mechanisms. They only have rigid mathematical rules. So the trust system that a computer can use has to be based on rigid rules. That’s the bad news in digital signatures; they are a little more cumbersome.
The good news is that once you automate the process, it is not that much more cumbersome to digitally sign an electronic document than it is to physically sign a paper document. And the digitally signed document is extremely reliable. Always and without fail. Whereas the paper document, even in the most rigorous of schemes, is fairly easily forged or manipulated for nefarious purposes.
To illustrate how this works, I’d like to show you an example of a digitally signed document. But first, if you can, right click on this link [FDF: 4 KB] and save the file to your desktop. This is a digital certificate that you will need to validate the document that I have signed. Now, to see the digitally signed document, click here [PDF: 32 KB]. The rest of the information is in that document.
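The trust problem described above, and why the certificate is saved before the signed document is opened, can be shown in code. This is an added example, not part of the original article: the `Reader` class, the names and the sample letters are hypothetical, and the keys are toy textbook-RSA keys built from well-known primes, so they are insecure and serve only to make the arithmetic visible.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(a, b):
    # TOY key from two well-known Mersenne primes: trivially factorable, illustration only.
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(doc):
    return int.from_bytes(hashlib.sha256(doc).digest(), "big")

def sign(key, doc):
    # Textbook RSA over a SHA-256 digest, no padding (real systems use a padded scheme such as RSA-PSS).
    return pow(digest(doc), key["d"], key["n"])

class Reader:
    def __init__(self):
        self.certs = {}  # signer name -> public modulus this reader has decided to trust

    def import_cert(self, name, n):
        self.certs[name] = n  # saved ahead of time, like the certificate file

    def validate(self, name, n, doc, sig):
        if pow(sig, E, n) != digest(doc):
            return "altered"          # document changed after signing, or signature forged
        if name not in self.certs:
            self.certs[name] = n      # paper habit: the first signature seen becomes the reference
            return "first-use"        # accepted, but the signer's identity was never checked
        if self.certs[name] != n:
            return "key-mismatch"     # mathematically valid, but not the key we trust for this name
        return "valid"

def demo():
    joe, impostor = make_key(521, 607), make_key(607, 1279)
    letter, fake = b"Pay Alice $100", b"Pay Mallory $100"   # constructed sample documents
    naive, prepared = Reader(), Reader()
    prepared.import_cert("Joe Somebody", joe["n"])
    return [
        naive.validate("Joe Somebody", impostor["n"], fake, sign(impostor, fake)),
        naive.validate("Joe Somebody", joe["n"], letter, sign(joe, letter)),
        prepared.validate("Joe Somebody", impostor["n"], fake, sign(impostor, fake)),
        prepared.validate("Joe Somebody", joe["n"], letter, sign(joe, letter)),
        prepared.validate("Joe Somebody", joe["n"], b"Pay Alice $900", sign(joe, letter)),
    ]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The reader who never imported a certificate accepts the impostor's first letter and then rejects the real Joe, while the reader who imported the certificate first rejects the impostor, accepts Joe, and catches the altered amount.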