Document Signing Considerations

There are many things to consider when determining a document signing solution.  Here is a short list.  Each item is explained more thoroughly below.

  • What Types Of Documents Are Supported?  Does the signature solution support all the types of documents you would conceivably want to sign?  DBsign supports all types of documents and files.
  • How Are Documents Transferred Between Users?  There are serious security risks to emailing documents.  Using a centralized system, URL links to the documents are emailed and the centralized system enforces access permissions.
  • Are Proprietary Technologies Used?  Proprietary signing solutions come with both short and long term operational issues.  DBsign signs the entire unmodified document and stores the signature in an open standard, interoperable format.
  • Must Recipients Install Software To Verify The Document Signature(s)?  With most document signing products, the recipients must have the same software, introducing operational problems.  With DBsign, all signature verifications happen on the server and the recipients are not required to perform any software installations.
What Types Of Documents Are Supported?  One consideration is the types of documents you will be signing: PDF, Word, Excel, RTF, AutoCAD, OpenOffice, XML, HTML, text files, image files, etc.  The types of documents that will be signed may be a big factor in determining the most appropriate digital signature product.  There are products designed to only sign PDF, or only MS Office documents, etc.  Managing one solution for PDF, and another for MS Office, and another for XML can be an operational and licensing nightmare.  There are products, such as DBsign, which will sign any type of document, or any type data or file.
How Are Documents Transferred Between Users?  Another consideration is how the documents are transferred through a work flow.  If the documents are generated by end users and emailed to other users and never end up in a centralized repository, then signed email (i.e., SMIME) may be a good solution.    If not, then full-featured signing and verification software must be installed on each end user's workstation.  However, there are many advantages to managing documents in a centralized system.  Centralized systems can provide an authorization function to control who has access to the documents and who can change them as well as work flow functionality to route documents to the proper people.  Centralized systems can also provide version control and auditing to provide a history of the changes to the document.  With decentralized email based systems, you never know which version of the document is the most recent.  DBsign digital signatures work well in centralized environments and add security to the auditing, version control and work flow features of the system.  In a centralized system, documents can be signed when checking them into the systems and the signatures are verified when the documents are accessed.  With DBsign, end-users access signing functionality via a web page which contains a small signing component (the DBsign Universal Web Signer) which downloads automatically as part of the web page.  In centralized systems, instead of emailing the document itself, a URL link is emailed instead.  The URL link retrieves the document from the centralized system which enforces proper access and change control so that relying parties are ensured that they are receiving a genuine, valid, official document through the proper channels.  Emailing the documents themselves, even if they are digitally signed, can also be a big privacy/confidentiality risk since there is no enforceable access control mechanism.  The document can be accidentally or maliciously forwarded to unauthorized users.  Centralized systems prevent such vulnerabilities.
Are Proprietary Technologies Used?  Another consideration is whether there are any proprietary technologies involved in the digital signature process.  Document signing products use proprietary technology to determine which parts of the documents are digitally signed and how to extract and format this data for the digital signature process.  They also use proprietary mechanisms to embed the digital signature within the document itself.  This use of proprietary mechanisms means that documents signed with one document signing product are not interoperable with another document signing product.  For long-lived documents, or documents with a long retention period, this poses a risk that the software product (or prior version of the product) required to verify the signatures on those document may not be available in the future.  Try opening a Word 3.1 document from 1995 with Word 2007.  Using DBsign with a centralized document management system solves all these concerns.  DBsign signs the entire document file and makes no modifications to it.  The signature is in open standard CMS format (Cryptographic Message Syntax, RFC 5652 -- the same format used for SMIME secure email) that most any public key cryptographic library can process (e.g., OpenSSL, Network Security Services, Java Cryptographic Extensions, etc).  The document's signature is stored centrally as document metadata.  The end result of signing a standalone document with DBsign is the unchanged document itself and an open standard CMS digital signature.  The DBsign customer is not locked into using DBsign forever because of proprietary technologies. 
Must Recipients Install Software To Verify The Document's Signature(s)?  Another consideration is that most document signing products must be installed on both the signer's workstation and the verifier's workstation.  This is a problem for several reasons.  More licenses of the signing product must be purchased (for both signers and verifiers), which is particularly problematic when the recipient of the document is in a different organization and doesn't have the ability to buy or install software on his workstation.  Additionally, if there are multiple signing products for multiple types of files, then multiple software installations and licenses for multiple products must be managed.  Another problem with document signing products is that the recipient may be using an operating system platform that is not supported by the document signing product.  Another issue is that the signing product must perform revocation checking which may be slow or inaccessible due to network bandwidth and access permissions.  DBsign, when used in a centralized document management system, solves all these issues.  Since the documents are access via a web site (or emailed URL link), they are signed with the DBsign Universal Web Signer, a small cross-platform signing component, and document signatures are verified on the DBsign Server.  No software must be installed by either the signer or the verifier.  Also, centralized system are more likely to have reliable, high speed network connections to recovation status checking resources (e.g., CRLs, OCSP, etc.).
So, as you can see, there are many advantages to using DBsign to digitally sign your standalone documents in the context of a centralized document management system.  Using DBsign in centralized systems
  • increases security,
  • increases performance and availability,
  • reduces operational, licensing, configuration management and document lifecycle/retention problems,
  • eliminates obsolescence risk associated with the digital signature product itself, and 
  • allows your system to digitally sign and verify any type of data, file or document.
General Topics