Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
So here is the issue which has brought up my interest in digital signatures. I'm setting up a quality system to develop software which will pass the rigors of FDA compliance. What the FDA needs is to have documents which are signed for approval my management types. (i.e. All the documents which are generated need a signature and typically this involves some secretary running around cubicles with a pen, getting signatures on a hard copy document which is then filed away.) So using a digital signature would be a great move forward, especially if I want to set up a web based FDA control process. In the end, this all gets very legal where as someone can sue for big bucks if a product goes wrong in a hospital, and the quality system under which the device was developed then comes into play. So this may give you a better idea of how far I need to go with a digital signature. My preference is to slide the bar as far to the "this is a properly digitally signed document" which can hold up in a court of law. Cheers. Steve. Matthew Gillen wrote: > Stephen Adler wrote: >> To do this right, I believe, I want to get a key pair which is >> registered with a 3rd party registry like verisign or >> networksolutions.com or something like that. Is this not so? Say I >> sign a document with a self generated key pair, how does a third >> party know that the signature came from me and not someone posing as >> me who generated their own pair of keys? > As Dan pointed out, you build a web of trust, using the standard methods: > - distribute your key (or at least the fingerprint for later > verification of your key) when you meet people in person (sneakernet) > - POTS (ie have them read off the fingerprint of your public key over > the phone to you) > - Post it on your business web site (generally thought to be less > secure than the first two, although if people get your phone number > from your website...) > - if it's really important, hire a courier. > >> If I do need to go through the 3rd party registry route, who should I >> use? > You could probably do a hell of a lot better than the standard > practice today (ie no verification beyond the "From" header in an > email) without going overboard with air-tight verification. It's > really a matter of how far you want to move the slider from "easy to > use, but no verification" to "it would almost be easier to fly there > and deliver the document in person". For business, you probably > don't want to go too far toward the latter, lest it get in the way of > things you're getting paid to do (unless verification is something the > client is really interested in or knowledgeable about). > > Matt > >
BLU is a member of BostonUserGroups | |
We also thank MIT for the use of their facilities. |