Information Matrix Outline
Digital Signature Signing Tools
November 2, 2005

| Product Name | Key Store | Whole Chain | Revocation | Operating Systems | What Crypto | What does it sign | Multiple Signatures | Signature Format | Interoperability | Timestamp Source | Active Content | Point in Time Validation and Logging | Webform Signing | Signing Options | Industry Certifications | Who is using product | Other |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| InfoMosaic | Windows or Netscape/Mozilla or PKCS-12 file | yes, flexible | CRL, OCSP, CAM | Windows, soon Linux/Mac | | anything | yes | XML D-sig | XML D-Sig aware tools | Local or Trusted Service | some protection | Can include CRL, OCSP, etc. response in signed document | | | SecureXML is JITC certified | Many | |
| E-lock DeskSeal | Windows or PKCS-12 file | | Operating System | Windows | Operating System | Any file, added cost option to embed signature in a PDF | Yes | PKCS-7 | Should work with any PKCS-7 or PDF with internal PKCS-7 signature | Operating System, added cost option for 3rd party timestamp support | | None apparent | No | Can include Reason to Sign and Location | | | A free verify reader is available |
| E-Lock DeskSeal Web Version | Windows | | | Windows (none other shown on web site) | Operating System | Any file that can be selected and uploaded | Yes | PKCS-7 | Should work with PKCS-7 tools | OS, other options may exist | | Possibly something on server | Yes | Can include Reason to Sign and Location | | | Can sign files that are then uploaded or files that are already on the server |
| Microsoft Office Products (Word/Excel) | Windows | | Operating System | Microsoft Windows | Operating System | A signature is placed into the Office document | Yes | | Microsoft Office products | Operating System | unknown | none | n/a | Select certificate | | | Signature capability improved in Office 2003, exists in Office XP |
| Adobe Acrobat (Standard) | Can use Windows Integration or PKCS12 | yes | yes, crl and ocsp | Windows and Macintosh | Internal? | | PDF documents | yes, also enables original signer to certify document | ? | Adobe - ? | unknown | Workstation, timestamp servers can be used | Some checks are available | Select certificate | | | |
| Open Office 2.0 | Mozilla on Linux, ? on other OS | | | Windows, MacOS, Linux, Solaris, FreeBSD | Can build with MSCrypto, OpenSSL, NSS, or GnuTLS | OASIS standard OpenDocument documents | Yes | Standard XML signatures | XML signature tools | Operating System | | | | Select Certificate | | | |


Initial Candidate Products

http://www.adobe.com/security/digsig.html
http://www.arx.com/CoSign.html
http://www.elock.com/Default.asp
http://www.formdocs.com/products.htm
http://www.libertyims.com/manage_digital.html
http://office.microsoft.com/en-us/assistance/HP052495571033.aspx
http://www.pureedge.com/products/products/signatures/pki.php
http://www.infomosaic.net/Welcome.htm
Open Office 2.0

Table Column Definitions
  1. Key Store
    This column indicates which store or stores the application uses to hold certificates and private keys. For example, does it leverage the Microsoft operating system store under Windows or Keychain under MacOS, or does it use some private application-specific mechanism to hold key information? The key store matters because it can affect both the ease of use of the product and the level of assurance of the signatures that it verifies. Use of a native operating system key store typically means that users will have easy access to the certificates and keys that they use for other services and will find it easy to sign documents. Use of an application-specific key store generally means that users will need to import certificates and keys, making the application harder to use. However, with an application-specific key store, more control over which root certificates are trusted is typically possible. This may be important for certain signature applications where the processes involved may not want to trust the dozens of root certificates in the browser's key store for signature validation.

  2. Whole Chain
    Does the application bundle all of the certificates needed to validate the digital signature into the document? Fewer signature verification problems are typically encountered when all of the certificates needed to validate the trust path are included in the document itself. Automatic intermediate certificate discovery is still difficult in many PKI implementations.

  3. Revocation
    What mechanisms does the application support for certificate revocation checking? Are CRLs and/or OCSP used? If so, are the revocation checks performed by the application itself, or are APIs in the native operating system used?

  4. Operating Systems
    Which operating systems are supported by the product? Are the same digital signature and verification features available on all operating systems?

  5. Does the system contain its own crypto software or does it leverage functionality in the host operating system?
  6. What can the tool sign (e.g., PDF, Word, etc.)?
  7. Does the tool support multiple signatures on a document?
  8. What signature format is supported? (e.g., XML DSig, CMS or PKCS7, and Adobe are the 3 I am most familiar with, but there could be some other proprietary format too)
  9. Can signatures created with the tool be verified by other 3rd party applications or must the verifier also have the same software?
  10. Does the time/date stamp come from the operating system or some trusted source?
  11. Does the tool do anything to help with the signed active content problem?
  12. Does the tool do anything special to facilitate point in time signature validation and logging on receipt? If validation is logged, is the log cryptographically protected such that it can be validated at a later date?
  13. Does the product support signing web forms such that both the POST data from the user and the full data needed to display what the user saw when they pushed the "sign" button are included in the signed data?
  14. What signing options are available?
  15. What industry certifications do they have?
  16. Where are they being used today?
  17. How might the tool fit into the normal campus process workflow?
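
Definitions 1 (Key Store) and 2 (Whole Chain) in practice, as an added example that is not part of the original outline or of any listed product: an OpenSSL shell sketch over a constructed throwaway root, intermediate and signer hierarchy (all names and file paths are hypothetical). With only the root supplied as trust anchor, a CMS (PKCS-7 family) signature that embeds just the signer certificate fails to verify, while one that bundles the intermediate succeeds.

```shell
#!/bin/sh
# Added example: constructed demo PKI; every name and path here is hypothetical.

make_pki() {    # $1 = work dir; builds root -> intermediate -> signer
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$1/ca.ext"
  # Self-signed root (CA extensions come from the default openssl.cnf).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null &&
  # Signer (end-entity) certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

sign_doc() {    # $1 = dir, $2 = output; non-empty $3 embeds the intermediate
  openssl cms -sign -binary -nodetach -in "$1/doc.txt" \
    -signer "$1/leaf.pem" -inkey "$1/leaf.key" \
    ${3:+-certfile "$1/int.pem"} -outform DER -out "$2" 2>/dev/null
}

verify_doc() {  # $1 = dir, $2 = signature; root passed explicitly as anchor
  openssl cms -verify -inform DER -in "$2" -CAfile "$1/root.pem" \
    -out /dev/null 2>/dev/null
}

chain_demo() {  # echoes "<signer-only result> <whole-chain result>"
  d=$(mktemp -d) || return 1
  printf 'constructed sample document\n' > "$d/doc.txt"
  make_pki "$d" &&
    sign_doc "$d" "$d/signer_only.p7" "" &&
    sign_doc "$d" "$d/whole_chain.p7" chain
  # The verifier holds no copy of the intermediate, so the first check
  # cannot build a path from the signer to the root.
  if verify_doc "$d" "$d/signer_only.p7"; then a=ok; else a=fail; fi
  if verify_doc "$d" "$d/whole_chain.p7"; then b=ok; else b=fail; fi
  rm -rf "$d"
  echo "$a $b"
}
```

Calling `chain_demo` requires the `openssl` command-line tool with `cms` support on the PATH.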

Package Summary Information