Pierre P.
Hello All,
I'm doing some preliminary research for products that allow and enable the
use of digital signatures on electronic documents, and I found references to
the InfoPath product.
I thought I would post my questions here to see if anyone can answer them,
so here goes:
For digital signatures and certificates:
1. What is used for a certificate store? (e.g. CAPI, Java, Proprietary,
etc.)
2. How does the signature mechanism work? How are signatures applied
to single/multiple documents? (flow diagrams would be very helpful)
3. Does the product support timestamping? Is it RFC:3161
<http://www.faqs.org/rfcs/rfc3161.html> compliant?
4. Who provides the crypto library? (e.g. Entrust, Microsoft, Adobe,
open source, other?)
5. Does the product support Elliptic Curve Signatures?
6. What key strengths are supported?
7. What hash types are supported?
8. Does the product(s) honour keyUsage and extendedKeyUsage
certificate fields?
9. Does it honour the certificatePolicy field?
* How is this propagated out to the individual users?
10. What format of signatures do they support? (PKCS7, XML-DigSig, etc.)
* If XML-DigSig, what form (Embedded, Detached, etc.)
11. Can they handle multiple signatures (a signature on a signed
document)? If so, are the signatures applied sequentially?
12. What platforms is the software compatible with? Depending on the
platform, which certificate store is used (see Question 1)
* Does the certificate store used interface with SmartCards or
other security hardware devices?
13. Can they handle multiple signatures (a signature on a signed
document)? If so, are the signatures applied sequentially?
14. At the time of signing of a / many documents, can the documents be
encrypted? Does this encryption use another certificate (i.e. it
uses one certificate for signing, and another for encryption)?
When validating digital signatures:
1. Does the product handle RFC:3280
<http://www.faqs.org/rfcs/rfc3280.html> (see Section 6 in
particular) Path Discovery and Validation?
2. How does the product handle trust anchors (as defined in RFC:3280)?
3. Which revocation mechanisms does it handle? CRL? OCSP? SCVP?
4. If it handles timestamping, how does the verification process work?
5. How is this validation conveyed to the user?
I know that these are many questions, but I would be grateful for any answers.