OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

office message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [office] Digital signature proposal

Thomas,

I think you misunderstood Uri.

The signatures are W3C DSIG - no discussions about the format/content/PKI.

Uri didn't propose to add additional signer information to ODF.

He proposes to additionally add the possibility to have text fields or something like that, where the different elements of the signature(s) can be *displayed*.
See Adobe Acrobat, where you can spawn some area on the document, where you want data from your signature/certificate to be displayed.

Not a bad thing, IMHO.

Malte.




Thomas Zander wrote, On 02/20/07 15:52:
> On Tuesday 20 February 2007 15:03, Uri Resnitzky wrote:
>   
>> I would like to propose a functional extension to your proposal.
>> From our experience with digital signature for documents in the
>> marketplace and from looking at the digital signature functionality in
>> other document formats such as PDF and OOXML, I believe that visual
>> signatures are extremely important.
>> Your proposal creates invisible signatures in the sense that the
>> signature is not visible in the document content itself.
>> I think we should amend the proposal to include the option of adding an
>> interactive signature field (or signature line) to the document with the
>> ability to display in this field the graphical signature image of the
>> signer as well as other information (signer name, date/time, validity
>> marks).
>>     
>
> Any signature has, by nature, a reference to the name / email of the signer.
> If the signature is to be checked, that information needs to be present on the 
> computer of the one checking if the signature is relevant.
>
> This has the effect that if you get a signed document from me, you can only be 
> sure it is actually from _me_ by checking against your local key from me.  So 
> sending any such info in the ODF is useless and counter productive.
> After all, if you receive a document with my name and a signature you don't 
> have (because its false, for example) you might just think that since the 
> name is OK, the document must be OK. And that silly computer doesn't know me.
>
> In the end a gpg signature thus needs a gpg public key. And that key holds my 
> name, email and other data like a picture (optional).
> So, for your request all that is needed is support from the application, and 
> its actually a bad idea to add ODF support for it.
>
> Cheers!
>

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]