On Jul 4, 2012, at 1:21 PM, Jan Bot wrote:

> But if you don't know the user who signed the document, how are you going
> to select the proper key to test against? Would the user specify which key
> he used to sign a doc?

Generally you put the public key itself (possibly wrapped in a certificate) into the document along with the signature. Note that with signed documents, it becomes almost unimportant who the uploader of the document is. If someone PUTs a signed document to your database, its author is the principal who originally signed it; it doesn't matter who uploaded it. It could be uploaded anonymously and the system wouldn't necessarily lose any security. (This is very useful when designing P2P systems where documents might get routed/replicated to you via someone who's nearby but not necessarily trusted.)

—Jens
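The scheme described in this reply, as an added sketch that is not code from the thread: the document carries the signer's public key next to the signature, and the receiver derives the author from that key without ever looking at the uploader. The use of Ed25519 via Node's built-in `crypto` module, the sorted-key JSON serialization, the `body`/`signature` field names and the fingerprint trust set are all assumptions made for illustration.

```javascript
const { generateKeyPairSync, createPublicKey, createHash, sign, verify } = require('node:crypto');

// Sorted-key serialization so signer and verifier hash the same bytes (flat bodies only).
function canonical(body) {
  return Buffer.from(JSON.stringify(body, Object.keys(body).sort()));
}

// Signer identity: SHA-256 over the DER-encoded (SPKI) public key.
function fingerprint(publicKey) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  return createHash('sha256').update(spki).digest('hex');
}

// Author side: sign the body and embed the public key beside the signature.
function signDocument(body, keyPair) {
  const der = keyPair.publicKey.export({ type: 'spki', format: 'der' });
  const value = sign(null, canonical(body), keyPair.privateKey).toString('base64');
  return { body, signature: { publicKey: der.toString('base64'), value } };
}

// Receiver side: verify with the embedded key and return the signer's
// fingerprint, or null. No uploader identity is consulted anywhere.
function verifyDocument(doc) {
  try {
    const der = Buffer.from(doc.signature.publicKey, 'base64');
    const key = createPublicKey({ key: der, format: 'der', type: 'spki' });
    if (key.asymmetricKeyType !== 'ed25519') return null;
    const sig = Buffer.from(doc.signature.value, 'base64');
    return verify(null, canonical(doc.body), key, sig) ? fingerprint(key) : null;
  } catch (e) {
    return null; // missing fields, malformed key or malformed signature
  }
}

// A valid signature only proves that the embedded key signed the body, so
// the trust decision is made on the key's fingerprint, as a separate step.
function acceptDocument(doc, trustedFingerprints) {
  const author = verifyDocument(doc);
  return author !== null && trustedFingerprints.has(author) ? author : null;
}

// Constructed sample data: one trusted signer, one unknown signer.
const alice = generateKeyPairSync('ed25519');
const mallory = generateKeyPairSync('ed25519');
const trusted = new Set([fingerprint(alice.publicKey)]);
const doc = signDocument({ title: 'minutes', text: 'ship on Friday' }, alice);
const forged = signDocument({ ...doc.body, text: 'ship today' }, mallory);
```

Here `forged` verifies correctly but is attributed to the second key, so it is rejected by `acceptDocument`; wrapping the key in a certificate, as the reply mentions, replaces the fingerprint set with a chain check.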
