On Thu, 16 May 2002, Andre John Cruz wrote:

> i'm thinking of coming up with open source software that allows people to
> digitally sign forms/documents. the question that's bugging me is, how do
> people establish the authenticity of the digital signature?

In the case of PGP, your peers can authenticate your public key. Most people have one or more peers that authenticate their public keys. In the case of SSL or OpenSSL, companies like Verisign, Thawte, etc. can sign your certificate. Or you can have a company-installed public key server for employees of that company. Why should authentication be the exclusive right of Verisign, etc., when each company should have its own certificate authority?

> what
> technologies on linux can be used for this?

PGP, GPG, OpenSSL, etc.

> my plan is to come up with a web-based system for this, but i don't know
> how to deal with storing private keys...i don't think it's a wise idea to
> store them in a database server.

You don't deal with them. You let each owner store his own private key wherever the owner feels it is safe to store it. In fact you do not know the private key of other people, even if you administer the public key infrastructure. That's the idea of private keys. Only the owner knows his private key. But public keys are a different matter altogether. You want the whole world to know that this person's public key is this, and surely this.

PMana

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
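The arrangement described in the reply above (a company-run certificate authority, private keys that stay with their owners, and a server that holds only public certificates), sketched with the openssl command line. This is an added example, not part of the original thread; "Example Corp", "alice" and form.txt are constructed names, and a single temporary directory stands in for what would be three separate machines.

```shell
#!/bin/sh
# Added example; "Example Corp", "alice" and form.txt are constructed names.
WORK=$(mktemp -d)

# PKI administrator: self-signed company CA. Its key signs certificates only.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example Corp/CN=Example Corp CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Owner: generates and keeps the private key; only the CSR goes to the CA.
make_csr() {  # $1 = owner name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=Example Corp/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# PKI administrator: certifies the owner's public key without seeing the private key.
issue_cert() {  # $1 = owner name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# Owner: detached signature over the document, made with the private key.
sign_doc() {  # $1 = owner name, $2 = document
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# Web server: holds only ca.crt and public certificates. Accept a document only
# if the certificate chains to the company CA and the signature matches.
verify_doc() {  # $1 = signer certificate, $2 = document
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -pubkey -noout > "$1.pub" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$1.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

make_ca && make_csr alice && issue_cert alice
printf 'I approve purchase order 17.\n' > "$WORK/form.txt"
sign_doc alice "$WORK/form.txt"
verify_doc "$WORK/alice.crt" "$WORK/form.txt" && echo "signature accepted"
printf 'I approve purchase order 71.\n' > "$WORK/form.txt"  # altered after signing
verify_doc "$WORK/alice.crt" "$WORK/form.txt" || echo "altered copy rejected"
```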
