I think you are conflating physically signing a doc with a digital signature.
When you use a digital pen to sign a doc, your signature does not matter; it's completely cosmetic. The doc is signed under the hood electronically using PKI with a trusted chain based on how you authenticated to the signing application.



On Wed, Apr 12, 2023 at 4:11 PM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: James Knott via talk <talk@gtalug.org>

| The proper way to do digital signatures is with X.509 certificates. When I was
| at IBM, in the late 90s, we used them in Lotus Notes. There are some public
| key sources available, but it's not very common outside of large
| organizations.

Maybe.

The troubles include:

- issuers should take on the responsibility to validate what they are
  vouching for.  It is hard to make this simultaneously useful and
  inexpensive.

- cert vendors are mostly rent-seeking.  That goes with the territory
  of being at the top of a hierarchy

- X.509 is complicated in ways that are not useful

The PGP web of trust is/was interesting but it doesn't seem to work for
most people.  Perhaps due to lack of motivation.