
We don't seem to have a Public Key Infrastructure that makes digital (cryptographic) signatures useful for non-computer work.
I think signing a document is a solemn act. So I don't want to just paste a .PNG of my signature, I want to actually sign it.
I don't have a modern Linux device with a stylus. (Somewhere I have a ThinkPad x61 and a couple of Sharp Zaurus PDAs.)
I do have an iPad and a ThinkPad C13 ChromeBook, both of which have styli. In each case it is a little intricate so I thought others might find my methods useful. Suggestions welcome.
On the iPad:
- I can plug in the iPad to a USB port of my desktop and instruct the iPad to act like an external disk drive
- using Gnome Files, I can transfer the PDF to a directory on the iPad.
- using the file browser on the iPad, I navigate to the PDF, long press on it, and select "Quick View". I don't want Adobe tools.
- I can just write on the document with the stylus and save it. I usually save it with a different name, one that indicates that it is a signed document.
- using Gnome Files, I copy the signed document from the iPad to my desktop.
- Using Gnome Files, I "eject" the two removable filesystems that are the iPad's. I can then unplug the iPad.
On the Chromebook:
- I have already installed the Linux subsystem. I start up the terminal in the Linux container.
- I use scp to copy the PDF from the desktop to ChromeBook's Linux filesystem (my home directory)
- I use the ChromeOS Files application to open the PDF file (the Linux container's filesystem is visible to Files).
- I tap a snake-like symbol on the top of the screen (It seems to signify scribbling).
- I write my signature
- I save the result, with a distinct name, in the Linux Container filesystem
- back in the terminal, I issue the scp with the arguments suitably adjusted (easy to type with bash's history mechanism).
I find the ChromeBook a bit easier. Partly because WiFi is easier than wiring (I have only one Lightning cable and it is usually hooked up to a charger). If I found an iOS SCP application that might even the platforms.

I miss this sorely in Canada.
For my Estonian dealings, I've been signing documents (any file for that matter) electronically since 2003.
https://en.wikipedia.org/wiki/Estonian_identity_card
Ontario was to introduce a digital identity system by 2021 but we are still waiting. I haven't looked into it, so I'm not sure if the plan is to also provide PKI.
I saw some nut job at an intersection in Mississauga the other day holding a banner against digital identity in Canada.
On Apr 12, 2023, at 14:54, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
We don't seem to have a Public Key Infrastructure that makes digital (cryptographic) signatures useful for non-computer work.
I think signing a document is a solemn act. So I don't want to just paste a .PNG of my signature, I want to actually sign it.
I don't have a modern Linux device with a stylus. (Somewhere I have a ThinkPad x61 and a couple of Sharp Zaurus PDAs.)
I do have an iPad and a ThinkPad C13 ChromeBook, both of which have styli. In each case it is a little intricate so I thought others might find my methods useful. Suggestions welcome.
On the iPad:
- I can plug in the iPad to a USB port of my desktop and instruct the iPad to act like an external disk drive
- using Gnome Files, I can transfer the PDF to a directory on the iPad.
- using the file browser on the iPad, I navigate to the PDF, long press on it, and select "Quick View". I don't want Adobe tools.
- I can just write on the document with the stylus and save it. I usually save it with a different name, one that indicates that it is a signed document.
- using Gnome Files, I copy the signed document from the iPad to my desktop.
- Using Gnome Files, I "eject" the two removable filesystems that are the iPad's. I can then unplug the iPad
On the Chromebook:
- I have already installed the Linux subsystem. I start up the terminal in the Linux container.
- I use scp to copy the PDF from the desktop to ChromeBook's Linux filesystem (my home directory)
- I use the ChromeOS Files application to open the PDF file (the Linux container's filesystem is visible to Files).
- I tap a snake-like symbol on the top of the screen (It seems to signify scribbling).
- I write my signature
- I save the result, with a distinct name, in the Linux Container filesystem
- back in the terminal, I issue the scp with the arguments suitably adjusted (easy to type with bash's history mechanism).
I find the ChromeBook a bit easier. Partly because WiFi is easier than wiring (I have only one Lightning cable and it is usually hooked up to a charger). If I found an iOS SCP application that might even the platforms.
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk

| From: Alex Kink via talk <talk@gtalug.org>
| For my Estonian dealings, I've been signing documents (any file for that
| matter) electronically since 2003.
| https://en.wikipedia.org/wiki/Estonian_identity_card
Certainly Estonia has been the leader.
| I saw some nut job at an intersection in Mississauga the other day
| holding a banner against digital identity in Canada.
That guy was probably one of the people who think that there is a conspiracy (or a few) to impose a World Government on us. That's spill-over from the US. For the US, that would be a downgrade -- the US is close to a world government itself and yet only US Citizens get democratic control over it. The result for Canadians would be different.
We need a hierarchy of governments to deal with issues at different scales. We do have some world-scale governance but it isn't very effective.
A "digital identity" could be a single point of failure or attack. We need to be careful.
I seem to remember that Estonia's system was hacked. Of course the current non-system is regularly hacked.

I don't recall it ever being hacked but it did suffer from the ROCA vulnerability a few years ago.
https://en.wikipedia.org/wiki/ROCA_vulnerability
On Apr 12, 2023, at 15:59, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
I seem to remember that Estonia's system was hacked. Of course the current non-system is regularly hacked.

On 2023-04-12 14:54, D. Hugh Redelmeier via talk wrote:
We don't seem to have a Public Key Infrastructure that makes digital (cryptographic) signatures useful for non-computer work.
I think signing a document is a solemn act. So I don't want to just paste a .PNG of my signature, I want to actually sign it.
I don't have a modern Linux device with a stylus. (Somewhere I have a ThinkPad x61 and a couple of Sharp Zaurus PDAs.)
I do have an iPad and a ThinkPad C13 ChromeBook, both of which have styli. In each case it is a little intricate so I thought others might find my methods useful. Suggestions welcome.
You could do like my mother-in-law did. Just take a pen to the screen on her laptop.
In her defense she is 94 and computers are truly magical to her.
Other than the immediate laugh at the situation after successfully cleaning the screen, I can understand how someone raised in the age of paper and pens would see that as a way to sign a document.
But I would like to see the Canadian government provide a PKI service since they are the owners of the SIN number which is used for all our tax and government interactions.
--
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||

On Wed, Apr 12, 2023 at 2:54 PM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
We don't seem to have a Public Key Infrastructure that makes digital (cryptographic) signatures useful for non-computer work.
We do, but it might not be a "we" that intersects with our "we".
The building industry in Ontario has been using digital contracts (real ones, not that cryptocurrency sham nonsense) for some years. The PKI has been managed by one of the building trades associations, who (unsurprisingly) see it as a revenue stream and charge accordingly. Consequently, it is beyond the reach of mere mortals.
Digital signatures - even self-signed signatures created in Adobe tools and some others - are as valid in Ontario as wet signatures.
One of the weirdest places I found a full PKI setup in frequent (if unwitting) use is in ARRL's Logbook of the World (LoTW). Thousands of ham radio operators submit their contact logs to LoTW, and they're all cryptographically signed. Every user gets their own P12 certificate file. Unfortunately, ARRL's certificate isn't distributed with any browser or PDF reader, so it's not generally useful as a signing tool. Some years ago, I did try to get amateur radio types to be interested in using the LoTW certificate to authenticate other files, but it never caught on.
The PortableSigner Java application was how I added signatures to PDFs.
Stewart

On Apr 12, 2023, at 15:46, Stewart Russell via talk <talk@gtalug.org> wrote:
Digital signatures - even self-signed signatures created in Adobe tools and some others - are as valid in Ontario as wet signatures.
By "digital signatures" you still mean cryptographic digital signatures, right, not scribbles on a PDF?
Who and in what context would accept them? I haven't tried, but I doubt anyone would accept my cryptographic digital signature in Ontario, since to begin with, they wouldn't even know what that is.

On 2023-04-12 15:54, Alex Kink via talk wrote:
By "digital signatures" you still mean cryptographic digital signatures, right, not scribbles on a PDF?
The proper way to do digital signatures is with X.509 certificates. When I was at IBM, in the late 90s, we used them in Lotus Notes. There are some public key sources available, but it's not very common outside of large organizations.

| From: James Knott via talk <talk@gtalug.org>
| The proper way to do digital signatures is with X.509 certificates. When I was
| at IBM, in the late 90s, we used them in Lotus Notes. There are some public
| key sources available, but it's not very common outside of large
| organizations.
Maybe.
The troubles include:
- issuers should take on the responsibility to validate what they are vouching for. It is hard to make this simultaneously useful and inexpensive.
- cert vendors are mostly rent-seeking. That goes with the territory of being at the top of a hierarchy
- X.509 is complicated in ways that are not useful
The PGP web of trust is/was interesting but it doesn't seem to work for most people. Perhaps due to lack of motivation.

I think you are conflating physically signing a doc, with digital signature.
When you use a digital pen to sign a doc, your signature does not matter, it's completely cosmetic. The doc is signed under the hood electronically using PKI with a trusted chain based on how you authenticated to the signing application.
On Wed, Apr 12, 2023 at 4:11 PM D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: James Knott via talk <talk@gtalug.org>
| The proper way to do digital signatures is with X.509 certificates. When I was
| at IBM, in the late 90s, we used them in Lotus Notes. There are some public
| key sources available, but it's not very common outside of large
| organizations.
Maybe.
The troubles include:
- issuers should take on the responsibility to validate what they are vouching for. It is hard to make this simultaneously useful and inexpensive.
- cert vendors are mostly rent-seeking. That goes with the territory of being at the top of a hierarchy
- X.509 is complicated in ways that are not useful
The PGP web of trust is/was interesting but it doesn't seem to work for most people. Perhaps due to lack of motivation.

On 2023-04-12 16:10, D. Hugh Redelmeier via talk wrote:
The PGP web of trust is/was interesting but it doesn't seem to work for most people. Perhaps due to lack of motivation.
I thought the issue was no central authority. With X.509, the top authorities sign each other and everyone else gets signed directly or indirectly by one of them. PGP is fine for groups of people, but not general use.

| From: James Knott via talk <talk@gtalug.org>
| I thought the issue was no central authority.
That's a feature, not a bug. Central authorities have power which stimulates various kinds of corruption.
| With X.509, the top authorities
| sign each other and everyone else gets signed directly or indirectly by one of
| them. PGP is fine for groups of people, but not general use.
In some sense, everyone who needs to sign something has a relationship. Everyone in our society has some kinds of relationship.

On 2023-04-13 15:41, D. Hugh Redelmeier wrote:
In some sense, everyone who needs to sign something has a relationship. Everyone in our society has some kinds of relationship.
So, if I have a signing party with my group of friends and you have one with yours, how do I verify your signature, if I don't know your friends?


| From: James Knott via talk <talk@gtalug.org>
|
| So, if I have a signing party with my group of friends and you have one with
| yours, how do I verify your signature, if I don't know your friends?
<https://en.wikipedia.org/wiki/Web_of_trust>

On 2023-04-13 16:20, D. Hugh Redelmeier wrote:
| From: James Knott via talk <talk@gtalug.org>
|
| So, if I have a signing party with my group of friends and you have one with
| yours, how do I verify your signature, if I don't know your friends?
I'm aware of this. However, if we are in independent groups, with no connection, how do I trust your group? How do I know that everyone in your group is real? With X.509, my group and yours could be traceable to the root authorities.
Think of DNS. What if there were separate groups of root servers that didn't communicate. How would that work out for the Internet?
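The question argued over in this thread (two key-signing parties with no connection, versus certificate chains that lead to a shared root) can be made concrete. The sketch below is an added example, not part of any message in the thread; the names, the signature graphs and the function names are all constructed for illustration.

```python
from collections import deque

# Constructed data: signer -> set of people whose keys that signer has certified.
PARTY_ONE = {"alice": {"ann", "bob"}, "ann": {"alice", "bob"}, "bob": {"ann"}}
PARTY_TWO = {"zed": {"carol", "dave"}, "carol": {"zed"}, "dave": {"carol", "zed"}}
# Constructed hierarchy: subject -> issuer of its certificate.
ISSUER_OF = {"alice": "ca-one", "zed": "ca-two", "ca-one": "root", "ca-two": "root"}


def merge(*graphs):
    """Combine signature graphs without mutating the inputs."""
    merged = {}
    for graph in graphs:
        for signer, signed in graph.items():
            merged.setdefault(signer, set()).update(signed)
    return merged


def trust_path(certs, verifier, target, max_depth=5):
    """Web of trust: shortest chain of signatures from verifier to target, else None."""
    queue, seen = deque([[verifier]]), {verifier}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        if len(path) - 1 >= max_depth:  # cap chain length: trust thins with distance
            continue
        for nxt in sorted(certs.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def hierarchy_path(issuer_of, trusted_roots, subject):
    """Hierarchy: follow issuer links upward until a trusted root, else None."""
    chain = [subject]
    while chain[-1] not in trusted_roots:
        issuer = issuer_of.get(chain[-1])
        if issuer is None or issuer in chain:  # dead end or loop: no trusted anchor
            return None
        chain.append(issuer)
    return chain


if __name__ == "__main__":
    disjoint = merge(PARTY_ONE, PARTY_TWO)
    print(trust_path(disjoint, "alice", "zed"))                             # no link
    print(trust_path(merge(disjoint, {"bob": {"carol"}}), "alice", "zed"))  # one bridge
    print(hierarchy_path(ISSUER_OF, {"root"}, "zed"))                       # shared root
```

The hierarchy lookup succeeds only because the verifier already holds the same root in its trust store; with an empty trust store it fails just as the two disjoint parties do.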

On 2023-04-13 16:20, D. Hugh Redelmeier wrote:
| From: James Knott via talk <talk@gtalug.org>
|
| So, if I have a signing party with my group of friends and you have one with
| yours, how do I verify your signature, if I don't know your friends?
BTW, I bought the Simson Garfinkel PGP book, from O'Reilly, in 1995. Have it right here.

On 12/04/2023 15.54, Alex Kink via talk wrote:
By "digital signatures" you still mean cryptographic digital signatures, right, not scribbles on a PDF?
Both. Those squiggles you left on someone's Square app? Valid signature.
Who and in what context would accept them? I haven't tried, but I doubt anyone would accept my cryptographic digital signature in Ontario, since to begin with, they wouldn't even know what that is.
Is your PDF signed with a certificate where Acrobat Reader (say) has a copy of the master certificate? If so, and you're presenting the document electronically, it's as valid as if it were wet signed.
This is a big "in theory", though. Legally, it's valid. If the receiving party decides they don't understand it/accept it, wet signed on paper it has to be. Ask me about the project I worked on where an Ontario government agency promised they would accept cryptographically-signed PDFs, then the project officer we were assigned did a "Computer Says No «cough»". We had to chase round southern Ontario trying to track down 300 contractors with box files of paperwork ...
Stewart

On Apr 12, 2023, at 20:42, Stewart C. Russell via talk <talk@gtalug.org> wrote:
Is your PDF signed with a certificate where Acrobat Reader (say) has a copy of the master certificate? If so, and you're presenting the document electronically, it's as valid as if it were wet signed.
This is a big "in theory", though. Legally, it's valid. If the receiving party decides they don't understand it/accept it, wet signed on paper it has to be. Ask me about the project I worked on where an Ontario government agency promised they would accept cryptographically-signed PDFs, then the project officer we were assigned did a "Computer Says No «cough»". We had to chase round southern Ontario trying to track down 300 contractors with box files of paperwork ...
I see. Yes, that's one of the things universal government run PKI will (should) solve. Even my 87 year old grandmother understands and regularly uses digital signing. That's of course mostly because she is forced to, both because she is in Canada most of the time and because the government and large corporations in Estonia often make those things that can be done online, nearly impossible to do in person, forcing everyone to get on with the program. That's not the Canadian way.