I'm experimenting with digital signatures on MS Office files for an additional SOX control. It seems to work very nicely, especially with a MOSS workflow to collect signatures.
One thing that isn't obvious to me, and I can't seem to get a good google string: Lets say that a document is signed with an internal certificate. That employee leaves (or the certificate just expires), but a year from now an auditor opens the document. How is this missing or expired certificate displayed? In other words, will I be able to explain that while the certificate is currently invalid, a year ago, the certificate was valid and the document still has not been tampered with? I did one test with an internally signed document. Then I opened it from a non domain computer and it just indicated the root certificate was not trusted. I believe that is ok. One oddity I found and can't rationalize, once a document is signed, you can't use the Office button to send a copy. Kevin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
