Jason Kraus wrote:
Hello all,
Earlier this year the FDA published a new 21 CFR 11 guideline. For those
that don't know, this standard primarily deals with security regarding
electronic documents and signatures. One of the recent
additions/clarifications is that an electronic signature cannot be
falsified by a single person. Most software that claims to be 21 CFR 11
compliant does not do this. After all, much of this software has a root
account that has full access to the system and does not implement any
safeguards against root forging signatures. I was contemplating how it
would be done and I was thinking perhaps of using PGP signatures.
I have two questions: what do you guys think? And does Compiere have the
feature to somehow PGP sign (or something equivalent) actions done by a
user? The reason I am interested in Compiere is that I know it is being
used in an FDA regulated environment and it seems to be the only open
source ERP software in that environment.
Every time I hear about computer security using digital signatures, I
remind myself that, some biometrics aside, the only thing a digital
signature can guarantee is that a specific _computer_ was the source of
the signature, not a specific _person_.
There is no way to know the identity of the person at the computer on
the other end. Only that that person at the right moment had the
capability, by whatever means, to tell his computer what you needed to
know to trust what his computer did.
--
Best Regards,
~DJA.
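An added example, not code from either poster or from Compiere, showing what the "cannot be falsified by a single person" requirement looks like when reduced to a verifiable check: a record is accepted only if two distinct registered signers, holding two distinct keys, have each signed it. Ed25519 stands in for PGP here, and the signer registry, record layout and error values are assumptions of this example. Note the limit DJA raises: the check proves that two keys signed, not that two people did. A root account that can read both private keys still passes it, so the private keys must live somewhere root cannot reach (a smart card or token per person, for instance) for the two-signature rule to mean anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Endorsement is one named signer's signature over a record body.
type Endorsement struct {
	Signer string // name looked up in the registry (assumed layout)
	Sig    []byte // ed25519 signature over Record.Body
}

// Record is the electronic document being signed (constructed for this example).
type Record struct {
	Body         []byte
	Endorsements []Endorsement
}

var (
	ErrTooFew    = errors.New("record needs at least two endorsements")
	ErrUnknown   = errors.New("endorsement from a signer not in the registry")
	ErrBadSig    = errors.New("signature does not verify over the record body")
	ErrDuplicate = errors.New("the same signer endorsed the record twice")
	ErrSameKey   = errors.New("two signer names are backed by the same key")
)

// VerifyDualControl accepts a record only when two or more endorsements
// verify, each from a different registered name, and no two names share a
// public key. The last check catches an administrator who registers one key
// under two names; it does not catch one who holds both private keys.
func VerifyDualControl(r Record, registry map[string]ed25519.PublicKey) error {
	if len(r.Endorsements) < 2 {
		return ErrTooFew
	}
	seenName := map[string]bool{}
	seenKey := map[string]bool{}
	for _, e := range r.Endorsements {
		pub, ok := registry[e.Signer]
		if !ok {
			return ErrUnknown
		}
		if seenName[e.Signer] {
			return ErrDuplicate
		}
		if seenKey[string(pub)] {
			return ErrSameKey
		}
		if !ed25519.Verify(pub, r.Body, e.Sig) {
			return ErrBadSig
		}
		seenName[e.Signer] = true
		seenKey[string(pub)] = true
	}
	return nil
}

func main() {
	// Two people, two keys. In practice each private key stays on that
	// person's own token; here they are generated in memory for the demo.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"operator": pubA, "reviewer": pubB}

	body := []byte("batch 42: released for shipment") // constructed record
	rec := Record{Body: body, Endorsements: []Endorsement{
		{Signer: "operator", Sig: ed25519.Sign(privA, body)},
		{Signer: "reviewer", Sig: ed25519.Sign(privB, body)},
	}}
	fmt.Println("two signers:", VerifyDualControl(rec, registry))

	// One person signing twice under their own name is rejected.
	solo := Record{Body: body, Endorsements: []Endorsement{
		rec.Endorsements[0], rec.Endorsements[0],
	}}
	fmt.Println("same signer twice:", VerifyDualControl(solo, registry))
}
```

The registry map is where the trust actually lives: whoever can edit it can bind a name to any key, so in a real deployment it would itself need to be change-controlled and signed.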
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list