Digital Signature Validity and Acceptance

Keep up to date with digital signature validity and acceptance worldwide, with some tips on how to prepare to discuss it with your higher management, including your CIO and legal counsel.

Name: Manoj K. Srivastava
Location: Ellicott City, Maryland, United States

Thursday, June 23, 2005

How to convince your CIO and your legal counsel

To convince your CIO and/or your legal counsel that the implementation of digital signatures in your application meets all the legal requirements, you should prepare a document with the following items:

1. Explain the digital signature process, including a half-page overview of PKI.

2. Explain the XML Signature format: SignedInfo, Reference, Transforms, SignatureValue etc.

3. Show a printout of the XML Form before it has been filled, after it has been filled and after it has been signed. Highlight the data being signed.

4. Show the result of the signature verification process. Show them the signed content extracted by the Infomosaic SecureXML Digital Signature after signature verification.

5. Show a block diagram for the certificate validation which takes place during the signing process and during the signature verification process.

6. Show a tampered signed XML Form and a screenshot of the system reporting the signature verification failure.

7. Show what happens if a user tries to use an expired or revoked certificate.

8. Show the result of accessing a signed document that was created using a valid certificate which was subsequently revoked. The system should report a valid signature. The best way to achieve this is to include the CAM/OCSP Validation response or the fetched CRL during signature creation, and then take the certificate status from this stored response if the current status of the certificate is revoked. Alternatively, you can compare the certificate revocation time with the signature creation time and report the status as of the time of signature creation.

9. Show the result of accessing a signed document that was created using a valid certificate which has since expired. The system should report a valid signature and certificate as of the signature creation time.
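
The comparison described in items 8 and 9, as an added example that is not from the original post or from SecureXML: it reports the certificate status at signature creation time next to the status today. `CertRecord`, `status_at` and `evaluate` are hypothetical names, all dates are constructed, and the signing time is assumed to come from a trusted source (for example a timestamp) rather than from the signer's own clock.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class CertRecord:
    """Hypothetical stand-in for fields read from a certificate and from
    the OCSP response or CRL archived with the signature."""
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # None means never revoked


def status_at(cert: CertRecord, when: datetime) -> str:
    """Certificate status as it stood at the instant `when`."""
    if when < cert.not_before:
        return "not-yet-valid"
    if cert.revoked_at is not None and when >= cert.revoked_at:
        return "revoked"
    if when > cert.not_after:
        return "expired"
    return "valid"


def evaluate(cert: CertRecord, signed_at: datetime, now: datetime) -> dict:
    """Judge the signature by the status at signing time, not by today's."""
    at_signing = status_at(cert, signed_at)
    return {
        "status_at_signing": at_signing,
        "status_now": status_at(cert, now),
        "signature_acceptable": at_signing == "valid",
    }


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (assumptions, not taken from the post).
NOW = utc(2005, 6, 23)
REVOKED_LATER = CertRecord(utc(2004, 1, 1), utc(2006, 1, 1), utc(2005, 3, 1))
EXPIRED_NOW = CertRecord(utc(2003, 1, 1), utc(2005, 1, 1))

if __name__ == "__main__":
    print(evaluate(REVOKED_LATER, utc(2005, 2, 1), NOW))  # item 8
    print(evaluate(REVOKED_LATER, utc(2005, 4, 1), NOW))  # signed after revocation
    print(evaluate(EXPIRED_NOW, utc(2004, 6, 1), NOW))    # item 9
```
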

If you need help preparing such a document, or with any other issues related to digital signature usage and/or technology, please feel free to contact me.