Question about signed documents

classic Classic list List threaded Threaded
11 messages Options
Tom Williams Tom Williams
Reply | Threaded
Open this post in threaded view
|

Question about signed documents

Hi!  I recently learned LibreOffice 6 supports PGP signed documents.  My
question:  why would anyone want to digitally sign a document?

Peace...

"The Other" Tom

--
/When I leave, I don't know what I'm hoping to find,
And when I leave, I don't know what I'm leaving behind.../

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
hymie hymie
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

Tom Williams writes:
>why would anyone want to digitally sign a document?

The two most obvious answers are:

(*) confirm authorship
(*) verify integrity of contents

I'm sure there are plenty of other reasons as well.

--hymie!     http://lactose.homelinux.net/~hymie    [hidden email]

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy

James Knott-2 James Knott-2
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

In reply to this post by Tom Williams
On 01/31/2019 10:33 AM, Tom Williams wrote:
> Hi!  I recently learned LibreOffice 6 supports PGP signed documents. 
> My question:  why would anyone want to digitally sign a document?

When you take out a loan, etc., don't you sign the document?  There are
many times you sign things.  This is just  a digital way to verify you
did.  Without this, you'd have to print out the document, sign it and
then get it to the recipient.  With digital signing, you digitally sign
it and then can email it, right from LibreOffice.



--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
Tom Williams Tom Williams
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

In reply to this post by hymie
On 1/31/19 7:38 AM, [hidden email] wrote:
> Tom Williams writes:
>> why would anyone want to digitally sign a document?
> The two most obvious answers are:
>
> (*) confirm authorship
> (*) verify integrity of contents
>
> I'm sure there are plenty of other reasons as well.

Thanks for the reply.  :)   The reason I asked is, I've never considered
the need to digitally sign a document I created or modified in
LibreOffice.  So, I was wondering why anyone would want to do so.  Your
examples make sense.

Peace...

"The Other" Tom

--
/When I leave, I don't know what I'm hoping to find,
And when I leave, I don't know what I'm leaving behind.../

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
Tom Williams Tom Williams
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

In reply to this post by James Knott-2
On 1/31/19 7:50 AM, James Knott wrote:
> On 01/31/2019 10:33 AM, Tom Williams wrote:
>> Hi!  I recently learned LibreOffice 6 supports PGP signed documents.
>> My question:  why would anyone want to digitally sign a document?
> When you take out a loan, etc., don't you sign the document?  There are
> many times you sign things.  This is just  a digital way to verify you
> did.  Without this, you'd have to print out the document, sign it and
> then get it to the recipient.  With digital signing, you digitally sign
> it and then can email it, right from LibreOffice.
>
Now, this is interesting.  So, the digital signing you describe would
generate a digital version of my signature?  I have experience with
digitally signing a document, using a third party service, like
DocuSign.  In those cases, a "signature" font is used to represent my
actual signature.  I initially though the digital signing LibreOffice
supported added a digital signature to the document, itself, providing
some verification that I am who I claim to be.  Does it also add the
signature, in the manner you describe?

Thanks!

Peace...

"The Other" Tom


--
/When I leave, I don't know what I'm hoping to find,
And when I leave, I don't know what I'm leaving behind.../

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
James Knott-2 James Knott-2
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

In reply to this post by Tom Williams
On 01/31/2019 11:50 AM, Tom Williams wrote:
> The reason I asked is, I've never considered the need to digitally
> sign a document I created or modified in LibreOffice.

At least one bank I'm aware of allows digital signing of documents.  So,
you might download a form to open an account, take out a loan, etc. fill
it out and digitally sign it.

Also, think about the current practice of many lawyers and other
professionals, who still fax documents.  It would be far more secure
than any fax could be.  In fact, given how easy it is to edit scanned
images, spoof phone numbers, etc., there's no way fax can be considered
secure these days.  Yet, people still use them.


--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
James Knott-2 James Knott-2
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

In reply to this post by Tom Williams
On 01/31/2019 11:54 AM, Tom Williams wrote:
> Now, this is interesting.  So, the digital signing you describe would
> generate a digital version of my signature?  I have experience with
> digitally signing a document, using a third party service, like
> DocuSign.  In those cases, a "signature" font is used to represent my
> actual signature.  I initially though the digital signing LibreOffice
> supported added a digital signature to the document, itself, providing
> some verification that I am who I claim to be.  Does it also add the
> signature, in the manner you describe?

No, it doesn't generate a digital version of your signature.  It uses a
process, related to encryption, to generate a signature of the entire
document, that verifies it could have only come from you.  This is
commonly done with X.509 digital certificates, which are traceable back
to some top level certificate authority.  As an example of a bank
perhaps, they'd issue you your own public/private keys, which could be
traced back to the bank and to the top level authority beyond.  Since
that signature couldn't possibly have come from anyone else, it is your
signature.

You may want to read up on how public/private key encryption works and
X.509 certificates.

https://en.wikipedia.org/wiki/X.509

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
Joshua Kramer Joshua Kramer
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

QWhat's interesting about this is you can use a a smartcard to sign your
documents.  Libreoffice supports standard PIV smart cards (at least under
Linux).  If you have everything configured right, you can use an x509 that
is resident on the smart card to sign the document.  This can provide much
higher security, especially if the smart card is configured with a PIN.

Also keep in mind that the document is not "read only" with the signature.
It is completely possible to open a signed document, not realize it's
signed, accidentally insert a period somewhere, and resave it.  As soon as
you modify a signed document the signature is dropped.

On Thu, Jan 31, 2019, 12:08 PM James Knott <[hidden email] wrote:

> On 01/31/2019 11:54 AM, Tom Williams wrote:
> > Now, this is interesting.  So, the digital signing you describe would
> > generate a digital version of my signature?  I have experience with
> > digitally signing a document, using a third party service, like
> > DocuSign.  In those cases, a "signature" font is used to represent my
> > actual signature.  I initially though the digital signing LibreOffice
> > supported added a digital signature to the document, itself, providing
> > some verification that I am who I claim to be.  Does it also add the
> > signature, in the manner you describe?
>
> No, it doesn't generate a digital version of your signature.  It uses a
> process, related to encryption, to generate a signature of the entire
> document, that verifies it could have only come from you.  This is
> commonly done with X.509 digital certificates, which are traceable back
> to some top level certificate authority.  As an example of a bank
> perhaps, they'd issue you your own public/private keys, which could be
> traced back to the bank and to the top level authority beyond.  Since
> that signature couldn't possibly have come from anyone else, it is your
> signature.
>
> You may want to read up on how public/private key encryption works and
> X.509 certificates.
>
> https://en.wikipedia.org/wiki/X.509
>
> --
> To unsubscribe e-mail to: [hidden email]
> Problems?
> https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
> List archive: https://listarchives.libreoffice.org/global/users/
> Privacy Policy: https://www.documentfoundation.org/privacy
>

On Thu, Jan 31, 2019, 12:08 PM James Knott <[hidden email] wrote:

> On 01/31/2019 11:54 AM, Tom Williams wrote:
> > Now, this is interesting.  So, the digital signing you describe would
> > generate a digital version of my signature?  I have experience with
> > digitally signing a document, using a third party service, like
> > DocuSign.  In those cases, a "signature" font is used to represent my
> > actual signature.  I initially though the digital signing LibreOffice
> > supported added a digital signature to the document, itself, providing
> > some verification that I am who I claim to be.  Does it also add the
> > signature, in the manner you describe?
>
> No, it doesn't generate a digital version of your signature.  It uses a
> process, related to encryption, to generate a signature of the entire
> document, that verifies it could have only come from you.  This is
> commonly done with X.509 digital certificates, which are traceable back
> to some top level certificate authority.  As an example of a bank
> perhaps, they'd issue you your own public/private keys, which could be
> traced back to the bank and to the top level authority beyond.  Since
> that signature couldn't possibly have come from anyone else, it is your
> signature.
>
> You may want to read up on how public/private key encryption works and
> X.509 certificates.
>
> https://en.wikipedia.org/wiki/X.509
>
> --
> To unsubscribe e-mail to: [hidden email]
> Problems?
> https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
> Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
> List archive: https://listarchives.libreoffice.org/global/users/
> Privacy Policy: https://www.documentfoundation.org/privacy
>

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
Michael Jeltsch Michael Jeltsch
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

Document signing in LibreOffice revisited: What is absent from this
conversation is the fact that one needs a certificate that is anchored to a
well-known certificate authority in order for a random other person to
verify the signature. And such certificate does not come automatically with
a LibreOffice install. In fact, to my best knowledge, there are no free
certificate providers anymore that are generally trusted. E.g. when you want
to sign a PDF document (e.g. with LibreOffice Draw), the receiving end
typically will use Adobe Acrobat Reader to verify the signature. The only
libre work-around is to generate a self-signed certificate, then convince
your receiving party to get the certificate via an independent, secure way
of transmission and then have them install this self-signed certificate into
their computer. Good luck with that.
The only way I know of to get a (free as in beer) signature with a generally
accepted certificate is HelloSign (their free plan allows for signing of 3
documents per month). Besides that, it is technically possible to convert
e.g. a free Let's encrypt cert for document signing, but since Let's encrypt
is not designed for document signing, these certs are not part of e.g. the
cert list trusted by Adobe.  

It is even more sad that even the method using self-signed certificates it
is broken in LibreOffice (at least in a frequently used scenario:
preinstalled LibreOffice under Ubuntu 18.04). Any GPG keys (or other certs)
that are available on the system are not accessible when invoking the
signing task from within LibreOffice. Under Ubuntu 18.04, LibreOffice
invokes the Seahorse key manager, which starts but never gets populated with
the available keys/certs (and also new key generation is dysfunctional in
this somehow isolated environment).

I am still trying to sign a single document with LibreOffice. Any help?
Where can I change how OpenOffice invokes Seahorse (or for that matter any
other certificate manager? The fact that this functionality is broken shows
how few people really do sign their documents. I guess in the corporate
setting, this is done more frequently, but NOT with LibreOffice. Sad, but
true.



--
Sent from: http://document-foundation-mail-archive.969070.n3.nabble.com/Users-f1639498.html

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy

James Knott-2 James Knott-2
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

On 2019-08-01 07:28 AM, Michael Jeltsch wrote:
> Document signing in LibreOffice revisited: What is absent from this
> conversation is the fact that one needs a certificate that is anchored to a
> well-known certificate authority in order for a random other person to
> verify the signature. And such certificate does not come automatically with
> a LibreOffice install. In fact, to my best knowledge, there are no free
> certificate providers anymore that are generally trusted.

I use cacert.org.  It's still free.

I have signed this message.  I also sent it to you direct, in case the
list blocks it.




--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy
Philip Jackson-2 Philip Jackson-2
Reply | Threaded
Open this post in threaded view
|

Re: Question about signed documents

In reply to this post by Michael Jeltsch
On 01/08/2019 13:28, Michael Jeltsch wrote:

>
> It is even more sad that even the method using self-signed certificates it
> is broken in LibreOffice (at least in a frequently used scenario:
> preinstalled LibreOffice under Ubuntu 18.04). Any GPG keys (or other certs)
> that are available on the system are not accessible when invoking the
> signing task from within LibreOffice. Under Ubuntu 18.04, LibreOffice
> invokes the Seahorse key manager, which starts but never gets populated with
> the available keys/certs (and also new key generation is dysfunctional in
> this somehow isolated environment).
>
> I am still trying to sign a single document with LibreOffice. Any help?
> Where can I change how OpenOffice invokes Seahorse (or for that matter any
> other certificate manager? The fact that this functionality is broken shows
> how few people really do sign their documents. I guess in the corporate
> setting, this is done more frequently, but NOT with LibreOffice. Sad, but
> true.
I was intrigued by your remarks above because a couple of years' or so ago I had to sign a lot of documents and I used a CAcert certificate which I had imported into Thunderbird and Firefox. LO Writer had no difficulty using my certificate from the Firefox or Thunderbird certificate store. That must have been on UbuntuStudio 1404 or even 1604.

Now I'm on 1804 with LO 6.0.7.3 and I just checked. It offers to sign my doc but only with an old certificate which expired in June this year. My new cert is in both Firefox and Thunderbird but LO appears unable to find it. When I click on the Start Certificate Manager button in the LO dialogue box, it informs me that it couldn't find any certificate manager.

The LO Help files still instruct to use the Firefox and Thunderbird cert stores but some change has evidently been introduced. And yet again the help files seem out of date.

Philip

--
To unsubscribe e-mail to: [hidden email]
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/users/
Privacy Policy: https://www.documentfoundation.org/privacy