Mailinglist Archive: opensuse (878 mails)

< Previous Next >
Re: [opensuse] Signing PDFs
On Thu, Aug 6, 2015 at 11:34 AM, Anton Aylward
<opensuse@xxxxxxxxxxxxxxxx> wrote:
On 08/06/2015 01:21 PM, John Andersen wrote:
How many pages actually have to be signed? One? usually. Not that big of a
deal.

The issue isn't printing it. The issue isn't wasting paper.

If I can download the form electronically from a web site in digital format;

if I can cut and paste a signature image onto it;

if I can generate/obtain an electronic certificate/proof of ID for
electronically signing or certifying documents/email

why can't I submit this electronically?

Mix two parts: Because people are stupid and bad at their jobs.
Mix one part: Because properly signed PDFs is a PITA.

Anyone can create a self-signed certificate, and use that to esign a
PDF. And it's a pain to do that. It's even more of a pain to acquire a
legitimate 3rd party certificate, and use that to esign a PDF.

But even if you do go to the effort of getting a 3rd party cert and
sign your PDF, it's mainly because so many people are stupid and bad
at their jobs that they don't know how to verify your esigned PDF, in
order to accept it. Or they don't have a policy for how to accept it
without verification, equivalent to merely accepting a signed fax
without sending it to a handwriting expert. They don't have a policy
and they're too lazy to create one.

In defense however, digital signing is simply not easy, or an exact
analog of, physically signing a document. Legally in most countries it
now has the same weight which could work if there's authentication of
the public-private key pair. But that's not easy or automatic or
integrated.

Those grocery store pads where you use a fake pen to sign your name on
a touch sensitive screen? Complete b.s. Ask any handwriting expert and
they'll explain it but basically there is no angular or pressure
information conveyed in that signature which is integral in pen on
paper handwriting analysis and signature authentication. Scans of,
including faxes, can convey some of this information but obviously
it's quite a bit noisier than the original, the idea originally was
that there was in fact a hard copy original the facsimile is based on
and in cases of important communication that original was filed.
That's no longer true so really no one should be accepting PDFs with
only visible signatures that aren't digitally signed, anymore than a
PNG or TIFF of the same.

And you as the creator of this document shouldn't send one that isn't
editable, and is digital signed in such a way that at least it's
provable that the document has been altered since it was signed. So if
some company asks for a PDF with a handwritten signature, you should
still digital sign it with at least your own self-signed cert, to
encrypt it, prevent it from being edited, and thus able to prove
whether it's been modified since signing. You can also disallow
printing and copying of such a PDF (within the limits of software
honoring this policy, obviously the fact it's being displayed at all
means anyone could do an end run around the no printing policy).

Why do I have to use technology that has no means of proving who the
sender is, the validity of the message, even though the import of the
message may have far reaching consequences?

Why do I have to do this when secure means with better identification
and authentication mechanisms exist?


People who don't know what they're doing. *shrug*

--
Chris Murphy
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >