Slightly off beat this one, but you might be interested in the increasing use/acceptability of digital signatures to sign legal documents. Thus I have

a) Digitally signed RSC copyright forms with submission of manuscripts, which has been accepted by them
b) Digitally signed the Cambridge CSD renewal form, which has just been accepted by them
c) I note that the NSF in the USA will REQUIRE all grant applications made to them from June of this year to be so signed
d) Noted that the ACS do not so accept copyright transfers, insisting instead on a fax.

The technicalities are simple. Firstly you acquire a digital certificate from Verisign (about $150) and install it into your email program or into e.g. your profile of the Windows operating system. Using it you can sign email (using so-called S/MIME email programs, which include Outlook, and the various Netscape messenger programs), Acrobat files or Word XP documents.

These certificates are used for two quite distinct reasons

a) To date stamp as authentic a document. This requires only your certificate, and shows any recipient that the document is yours, and has not been tampered with since it was created
b) To encrypt a document. This requires not only your certificate, but the so-called public portion of the recipient's certificate, which you must first have been sent by them. This means only they can read the document.

In most cases, the document is both signed AND encrypted, and either can be done independently of the other.

In future, one could also use one's certificate as an authentication for access to protected sites instead of a regular password. Thus entering a web site, the browser would probe for your certificate, and if it matches its own access control list, let you in. Certificates of course can be installed not just on computers, but into e.g. smart cards etc.
I would be interested to hear if indeed their use has now become common (they have been around for more than 3 years) or whether indeed their use is still very rare indeed.

--
Henry Rzepa.
+44 (0870) 132 3747 (eFax) +44 0778 6268 220 (Mobile)
http://www.ch.ic.ac.uk/rzepa/
Dept. Chemistry, Imperial College, London, SW7 2AY, UK.

chemweb: A list for Chemical Applications of the Internet.
To post to list: mailto:chemweb@ic.ac.uk
Archived as: http://www.lists.ic.ac.uk/hypermail/chemweb/
To (un)subscribe, mailto:majordomo@ic.ac.uk the following message;
(un)subscribe chemweb
List coordinator, Henry Rzepa (mailto:rzepa@ic.ac.uk)
On Friday 26 April 2002 14:43, Rzepa, Henry wrote:
> Slightly off beat this one, but you might be interested in the increasing use/acceptability of digital signatures to sign legal documents.
> Thus I have
> a) Digitally signed RSC copyright forms with submission of manuscripts, which has been accepted by them
> b) Digitally signed the Cambridge CSD renewal form, which has just been accepted by them
> c) I note that the NSF in the USA will REQUIRE all grant applications made to them from June of this year to be so signed
> d) Noted that the ACS do not so accept copyright transfers, insisting instead on a fax.
> The technicalities are simple. Firstly you acquire a digital certificate from Verisign (about $150) and install it into your email program or into e.g. your profile of the Windows operating system.
> Using it you can sign email (using so-called S/MIME email programs, which include Outlook, and the various Netscape messenger programs), Acrobat files or Word XP documents.
How is this different from PGP/GPG signatures? Is it the same? These signatures do not cost me $150 and I can sign and encrypt documents in my email program too...

Egon
On Fri, 26 Apr 2002, E.L. Willighagen wrote:
> How is this different from PGP/GPG signatures? Is it the same? These signatures do not cost me $150 and I can sign and encrypt documents in my email program too...
The technology is similar. You can create self-signed certs with http://www.openssl.org/ quite easily. See below for simple instructions

http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/s1-inst...

The idea of certs is built on trust. In absence of a web of trust in the scientific community (because the average scientist is too dense to grok basic concepts of trust and public key cryptography) you rely on an authority -- Thawte/Verisign in this case -- doing the work for you.

Inasmuch the authority exercises the proper diligence to verify your identity (by relating to already existing trust agencies, as e.g. verifying your photo ID since Thawte can't possibly know every John Doe) is everybody's guess.

In theory a self-signed cert even in absence of a web of trust can build reputation, the question is whether people and agencies will go through pains to track the reputation.
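Added example, not part of the original thread or of any poster's message: the self-signed route mentioned above, carried through a sign-and-verify round trip to show that a recipient accepts the signature only when they have chosen to trust the signer's certificate, and that altered text is rejected either way. The subject names, file names and document text are constructed, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Names, paths and the document text are constructed.
WORK=$(mktemp -d)

# Create a self-signed certificate: the key signs its own certificate,
# so no authority has vouched for the name in the subject.
make_selfsigned() {   # $1 = subject common name, $2 = file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$2.key.pem" -out "$WORK/$2.cert.pem" 2>/dev/null
}

# Produce a clear-signed S/MIME message from a plain-text document.
sign_doc() {          # $1 = document, $2 = signer file prefix, $3 = output
  openssl smime -sign -in "$1" -signer "$WORK/$2.cert.pem" \
    -inkey "$WORK/$2.key.pem" -out "$3" 2>/dev/null
}

# Succeeds only if the content is unmodified AND the signer's certificate
# chains to a certificate in the trust-anchor file the recipient supplies.
verify_doc() {        # $1 = signed message, $2 = trust-anchor file
  openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

result() { if "$@"; then echo accepted; else echo rejected; fi; }

demo() {
  make_selfsigned "Author" author
  make_selfsigned "Unrelated Authority" other
  printf 'I transfer copyright of this manuscript.\n' > "$WORK/doc.txt"
  sign_doc "$WORK/doc.txt" author "$WORK/signed.eml"
  sed 's/transfer copyright/retain copyright/' "$WORK/signed.eml" \
    > "$WORK/tampered.eml"
  # 1. Recipient has explicitly chosen to trust the author's certificate.
  echo "trusted signer:  $(result verify_doc "$WORK/signed.eml" "$WORK/author.cert.pem")"
  # 2. Recipient trusts only some other certificate: the signature itself
  #    is intact, but nothing vouches for the signer, so it is rejected.
  echo "unknown signer:  $(result verify_doc "$WORK/signed.eml" "$WORK/other.cert.pem")"
  # 3. Content altered after signing: rejected even with the right anchor.
  echo "tampered text:   $(result verify_doc "$WORK/tampered.eml" "$WORK/author.cert.pem")"
}

demo
```

A certificate issued by a commercial authority changes only case 2: the recipient's software already ships with that authority as a trust anchor, so no per-sender decision is needed.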
On Friday 26 April 2002 18:31, Eugen Leitl wrote:
> On Fri, 26 Apr 2002, E.L. Willighagen wrote:
> > How is this different from PGP/GPG signatures? Is it the same? These signatures do not cost me $150 and I can sign and encrypt documents in my email program too...
> The technology is similar. You can create self-signed certs with http://www.openssl.org/ quite easily. See below for simple instructions
> http://www.redhat.com/docs/manuals/linux/RHL-7.2-Manual/custom-guide/s1-installation-selfsigned.html
> The idea of certs is built on trust. In absence of a web of trust in the scientific community (because the average scientist is too dense to grok basic concepts of trust and public key cryptography) you rely on an authority -- Thawte/Verisign in this case -- doing the work for you.
> Inasmuch the authority exercises the proper diligence to verify your identity (by relating to already existing trust agencies, as e.g. verifying your photo ID since Thawte can't possibly know every John Doe) is everybody's guess.
The Debian (www.debian.org) community has very strict rules for setting up a web of trust, and it works very well. GPG/PGP keys can be verified and signed by other people at so-called keysigning parties/meetings. At those sessions the attending people exchange key signatures and show their passports for identification. As such it works similarly to the process Verisign uses (as I understand). Debian packages are also signed with the keys of the developer that uploaded the package.

I guess it is all politics which key signing software is supported by Acrobat, Office XP etc, but it would be nice if it would support such signs too... (yes, I know that will not likely happen)

BTW, an Outlook plugin for PGP is available (http://www.pgpi.org/). I think it is even included in the PGP distribution.

Egon
participants (4)
- E.L. Willighagen
- Egon Willighagen
- Eugen Leitl
- Rzepa, Henry