5

Users are making a deal using the website. The website generates a PDF file (something like a contract or report). Users digitally sign this file (analogous to a hand-written signature on a paper contract). They use government-issued RSA certificates.

Currently this works as follows:

I generate the PDF file once. Then I calculate the SHA-512 checksum of that file. I send this checksum to the users; they digitally sign this checksum and send me their certificate and their signature.

When I generate the PDF, I incorporate a QR code with the URL https://server.com/deal/123/report. A user can print the PDF, scan this QR code, navigate to this URL, enter his login details and download the PDF from that URL. There's nothing to prove that anyone signed that PDF (though I have the signatures in a database and can prove it if necessary).

Is there some standard for those things? Like digital signature, printing it on paper, verifying with some standard software, etc.

I'm thinking now of the following approach:

The start is the same as now, but when the users sign the first PDF, a second PDF is generated with their signatures incorporated as QR codes. The first PDF is not removed, of course, so a user can download the first PDF and, using the information from the QR codes of the second PDF, check that the signatures are indeed correct. But, of course, he needs special software to check that.

vbezhenar
  • Usually the signature is placed *within* the PDF document, not over all of the bytes. You may want to look if a *qualified signature* is required by the government, and what kind of terms and conditions apply to create one. – Maarten Bodewes Mar 10 '15 at 12:33
  • The main point of the signature is to be usable in printed form. PDF is just used because it's a standard way to prepare a printed document. As far as I understand, a PDF signature inside the document is not used at all when printed. Unfortunately, our government does not have any rules related to digital signatures that I'm aware of, and every developer invents their own solution. They just issue government-signed RSA certificates. – vbezhenar Mar 10 '15 at 12:47
  • You'll need to verify the signature using the *digital content* of the PDF. I don't see how you can do that unless you can both convert the printed PDF including the signature back into bytes. Trusting some kind of QR code seems suspicious to me, it would be easy to point to allmost.com instead of almost.com. – Maarten Bodewes Mar 10 '15 at 14:22
  • Nice question. Since you need to verify the contents and the signature, I guess you might want to limit yourself to OCR-able documents, so how about plain-text document + QR code in a corner which includes the signature. – domen Mar 10 '15 at 16:50
  • Documents should look pretty and solid enough, probably text document is not a viable option. – vbezhenar Mar 11 '15 at 10:50
  • If from the webpage pointed to by the QR code the user can download the original PDF file and two "gpg detached signature" files that can be used to verify two digital signatures using `gpg --verify file.pdf.user1.sig file.pdf` and `gpg --verify file.pdf.user2.sig file.pdf`, that should be enough. – Z.T. Mar 30 '15 at 22:51

1 Answer

5

Your question is a good one. The basic issue is that a digital signature is associated with digital data. And (equally importantly), access to the original digital data is required in order to verify the signature or signatures.

Therefore, the transmission medium needs to be digital.

Three answers:

The paper copy is a pointer to the real (digital) original

In this scenario, the paper print out contains a QR code to the real original, which is stored on a server. There is no need to worry about proving the validity of the paper print out since it is merely a pointer to the real original, which is stored on your server.

The recipient (the relying party) would always need to look up the server copy to see what it contains and to verify its standard digital signature.

You would want to put a minimum of information on the paper printout since you do not want a recipient to think that they can rely on the contents of the paper printout--they can't and shouldn't rely on it, it is not reliable.

The paper copy would simply say "The agreement was digitally signed on date by signer. Download the original and verify its signatures by using the QR code."

I would suggest that you not require any user names or passwords in addition to what is contained in the QR code itself.

The paper copy's data can be verified

In this case, you want the recipient to be able to verify the paper copy's data without needing an online version of the data. Unfortunately, regular print on paper is not digital (OCR is not 100% accurate or repeatable.)

So I would re-cast your question to be "How can I reliably transmit digital data using paper?"

There are answers for that these days including 3d bar codes and special OCR fonts. Depending on how much content there is, you would include the original text as a digitally signed pdf file in the QR code. You could include a copy of the original text on the page.

You would have the same problem as above--if the document's text is readable on the page, then verification that it is the exact same as the text that was signed is very difficult or impractical. On the other hand, disputes are infrequent. The printed version could be verified when necessary.

The paper copy is a representation of the signed data

These types of documents are accepted by relying parties all the time (they're called faxes). There is plenty of case law about the legal validity of a faxed document. The laws differ by state and country, so consult a local lawyer.

If a facsimile of the original document is acceptable and legal, then you can simply print out a representation of the digitally signed document. Hopefully a graphic signature was supplied by the digital signer. If not, you can create one using the signer's common name from their certificate and a script font. The important issue would be to include a reference number to enable the original, digitally signed document to be retrieved if needed by a challenge. DocuSign and other vendors do this.

A DocuSign visible signature. Note the reference number for the online version.

Larry K
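The relying-party check that the question and the answer's first option both depend on, written with the OpenSSL command line as an added example that is not part of the original posts: after following the QR code and downloading the PDF, the detached signature and the signer's certificate, verify the certificate chain and then the signature over the downloaded bytes. It assumes the signature is RSA PKCS#1 v1.5 with SHA-512 over the PDF file itself; the file names, the `verify_deal` and `make_demo` helpers and the throwaway self-signed certificates (standing in for a government-issued certificate and its root CA) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: the signature is RSA
# PKCS#1 v1.5 with SHA-512 over the exact PDF bytes. File names are constructed.

# verify_deal PDF SIG CERT CA_FILE
# returns 0 = valid, 1 = signature does not match, 2 = certificate not trusted
verify_deal() {
    vd_pub=$(mktemp) || return 2
    # 1. The signer's certificate must chain to a CA the relying party trusts.
    if ! openssl verify -CAfile "$4" "$3" >/dev/null 2>&1 ||
       ! openssl x509 -in "$3" -pubkey -noout >"$vd_pub" 2>/dev/null; then
        rm -f "$vd_pub"; return 2
    fi
    # 2. The signature must match the downloaded bytes, not the printout.
    if openssl dgst -sha512 -verify "$vd_pub" -signature "$2" "$1" >/dev/null 2>&1
    then vd_rc=0; else vd_rc=1; fi
    rm -f "$vd_pub"
    return "$vd_rc"
}

# make_demo DIR: constructed stand-ins for the server copy and the signer.
make_demo() {
    # Throwaway self-signed certs: one stands in for the government-issued
    # signer certificate, the other for a CA that did not issue it.
    for n in signer other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed $n" \
            -keyout "$1/$n.key" -out "$1/$n.crt" >/dev/null 2>&1 || return 1
    done
    printf '%%PDF-1.4\nconstructed deal 123 report\n' >"$1/report.pdf"
    openssl dgst -sha512 -sign "$1/signer.key" -out "$1/report.pdf.sig" \
        "$1/report.pdf" || return 1
    # A copy with one changed digit, as an altered document would be.
    sed 's/123/124/' "$1/report.pdf" >"$1/altered.pdf"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo "$d" || { rm -rf "$d"; return 1; }
    for f in report.pdf altered.pdf; do
        verify_deal "$d/$f" "$d/report.pdf.sig" "$d/signer.crt" "$d/signer.crt" \
            && echo "$f: signature valid" || echo "$f: signature INVALID"
    done
    rm -rf "$d"
}
demo
```

In a real deployment the fourth argument is the issuing authority's root certificate obtained out of band, not a file served from the same URL as the PDF.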