[Cialug] touch screen devices

Zachary Kotlarek zach at kotlarek.com
Thu Oct 27 13:37:34 CDT 2011


On Oct 27, 2011, at 11:13 AM, Tim Champion wrote:

> I've looked into things like this, and thinking about the level of security it brings.  I always make the devil's-advocate argument that once a signature is captured electronically, and that signature is tied to one document, what is to prevent someone who has the skills and "rights" to the database from taking that stored image, and fraudulently applying it to another document that the person did not sign?
> 
> In thinking further, it should be that no 2 signature images are exactly alike, so it should be possible to compare the stored images and make sure that each image is only applied once -- using a unique key in a database for example? Can a BLOB (Binary Large OBject) be marked unique?  *ponders*
> 
> Making a copy of an electronic signature is akin to forging a signature, I guess.  The other idea we are starting to look at is using facial recognition (from the camera on a tablet) to do things like taking attendance in a classroom - in our case...
> 
> The "original signature" issue is the #1 biggest hang-up for us in moving to a paperless environment, so this subject is of great interest to me.


If only the computing power of these paperless document systems provided some way to calculate a value that would provide non-repudiation via a "signature" that is verifiably tied to a specific document.

I know generating and distributing keys is not a trivial problem, but neither is authenticating manual autographs. It's just for some reason we hold cryptographic signatures to a higher standard. For example, if I told you to fetch http://uberzach.com/uberzach.crt to validate this message's signature you could authenticate this message but you'd have no way to be sure the certificate itself was valid. But you could verify that the same certificate was used on this message and my messages from say, 2 years ago, to be sure that I'm the same Zach you've encountered before. Even *that* is probably more credible evidence than most systems of trust based on manual autographs, and it doesn't require any trusted third-party, out-of-band key exchange, or manual keying by the user.

	Zach

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2746 bytes
Desc: not available
URL: <http://cialug.org/pipermail/cialug/attachments/20111027/13c40f41/attachment.bin>
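
The two checks discussed in the message above, as an added example that is not part of the original post: a detached S/MIME-style signature is bound to one document, and the signer's certificate can be compared across messages without any trusted third party. It assumes the `openssl` command-line tool is installed; the identity names, file names and document texts are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, certificate and document below is a constructed throwaway.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

new_identity() {   # new_identity NAME: key plus self-signed certificate, no CA involved
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Signer" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

sign() {   # sign NAME DOC SIG: detached PKCS#7 signature over DOC
    openssl smime -sign -binary -in "$2" -signer "$work/$1.crt" \
        -inkey "$work/$1.key" -outform DER -out "$3" 2>/dev/null
}

# signer_fp DOC SIG: check SIG against DOC, then print the SHA-256 fingerprint of
# the certificate that signed it. -noverify skips only the chain-of-trust check;
# the signature over the document is still verified, and a mismatch returns 1.
signer_fp() {
    openssl smime -verify -binary -noverify -inform DER -in "$2" -content "$1" \
        -signer "$work/signer.pem" -out /dev/null 2>/dev/null || return 1
    openssl x509 -in "$work/signer.pem" -noout -fingerprint -sha256
}

printf 'Message from two years ago\n' > "$work/old.txt"
printf 'Message from today\n' > "$work/new.txt"
printf 'Document the signer never saw\n' > "$work/other.txt"

new_identity known
new_identity stranger           # same subject name, different key
sign known "$work/old.txt" "$work/old.p7s"
sign known "$work/new.txt" "$work/new.p7s"
sign stranger "$work/new.txt" "$work/stranger.p7s"

pinned=$(signer_fp "$work/old.txt" "$work/old.p7s")       # remembered from first contact
current=$(signer_fp "$work/new.txt" "$work/new.p7s")
unknown=$(signer_fp "$work/new.txt" "$work/stranger.p7s")

if [ "$pinned" = "$current" ]; then echo "same signer as before"; fi
if [ "$pinned" != "$unknown" ]; then echo "valid signature, but not the known certificate"; fi

# Moving a signature to a different document, the stored-image worry in the quoted text:
if signer_fp "$work/other.txt" "$work/old.p7s" >/dev/null; then
    echo "transplanted signature accepted"
else
    echo "transplanted signature rejected"
fi
```

The second identity carries the same subject name as the first, so only the fingerprint comparison tells them apart.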

