数字签署数据，而不是文档 [英] Digitally Sign DATA, Not Documents

问题描述

什么构成网络表格的合法数字签名（不是文件）？



选项1 ：我参与了一个医生记录患者健康状况的项目。提交Web表单时，将生成PDF并使用数字.CER证书进行数字签名，并将PDF保存到文件系统。每个医生都有自己的.CER文件和密码，这是一个真正的PITA维护，生成，存储和备份PDF的开销非常高。



还有像CoSign这样的第三方解决方案，允许用户在表单提交时向CoSign进行身份验证，如果经过适当的身份验证，则会以某种方式对表单进行数字签名。我相信所有这些解决方案都需要导出到各种类型的文档然后存储文档，并要求最终签名者拥有CoSign帐户。这不会起作用......



所有这些签名都要求将数据存储在一个不适合许多项目的文档中。 />


选项2 ：我去了美国购物中心的微软商店并购买了一个新的Surface（稍后会退回：/）看看他们给了我一个平板电脑（具有讽刺意味的是它不是表面）和一支笔，我记下了我的签名。另一个例子是Square应用程序，它还要求用户在某种触摸屏上记下他们的签名。我会假设签名存储在数据库中的某个图像中但是这构成了一个合法文档吗？



我曾在一个小型医疗设备上工作过让他们的医生在网上评估测试并以数字方式签署他们的评估的公司，但所做的只是上传他们的签名保存在数据库中的图像。



选项3 ：我看到这样做的另一种方式是在当天填写我的FAFSA以获得大学学费援助。他们会要求你查看条款，yada yada，然后在底部我必须输入我的完整法定名称如上所示并提交表格。 他们在窗帘后面做什么 ??



我正在研究的项目是一份简单的一页建筑合同解释所有要呈现的服务并需要签名和日期的公司。该表单的电子版将收集Web表单中的所有必需数据并将其保存到数据存储中。



我最初的反应是提供<画布>基于HTML5的元素，可以在iPad或其他东西上签名。是否需要将数据导出到文档然后使用数字签名进行签名，或者数据是否合法并在数据存储中签名？

What constitutes a "legal" digital signature for a web form (not a document)?

OPTION 1: I worked on a project where a doctor makes notes on the health of a patient. When the web form is submitted a PDF is generated and digitally signed with a digital .CER certificate and the PDF is saved to the file system. Each doctor had their own .CER file and password which was a real PITA to maintain and the overhead of generating, storing, and backing up PDF''s is quite high.

There are also third-party solutions like CoSign which allow the user to authenticate to CoSign as the form submits and, if properly authenticated, somehow digitally signs that form. I believe all of these solutions require an export to various types of documents and then storage of the document and require the end signer to have an account with CoSign. That isn''t going to work...

All of these signatures require the data to be stored in a document which is not ideal for many projects.

OPTION 2: I went to the Microsoft store at the Mall of America and purchased a new Surface (to be later returned :/ ) and when checking out they gave me a tablet (ironically it wasn''t a Surface) and a pen and I jotted down my signature. Another example is the Square app which also requires the user to jot down their signature on a touchscreen of some sort. I would assume the signature is stored as an image somewhere in a database but does that constitute a "legal" document?

I''ve worked at a small medical device company which had their doctors evaluate tests on the web and digitally "sign" their evaluation, but all that did was upload an image of their signature saved in the database.

OPTION 3: Yet another way I''ve seen this done is when filling out my FAFSA for college tuition aid back in the day. They''d ask you to review the terms, yada yada, and then at the bottom I had to type in my full legal name "as it appears above" and the submit the form. What are they doing behind the curtains??

The project I''m working on is a simple one-page contract for a construction company which explains all of the services to be rendered and requires a signature and date. The electronic version of this form would collect all of the required data in a web form and save it to a data store.

My initial reaction was to provide a <canvas> based HTML5 element that can be signed on an iPad or something. Does the data need to be exported to a document and then signed using a digital signature or can the data be legal and "signed" in the data store?

推荐答案

I与迈克一致，您需要公司法律来定义您的要求有多严格。



您需要问我们信任谁，如果数据只在数据库中，我们是否需要一个系统来阻止DBA修改所谓的签名记录？ br />


我知道用于跟踪医生留下的药物样本的系统。常规事务记录位于数据库中，但是使用相同信息存储单独的加密Blob，并且Drs捕获签名。这是使用销售代表登录帐户加密的。这是出于法律目的的记录（并经FDA批准）。



因此它是防篡改 - dba无法操纵Blob数据，因为它们无法签署不同的记录，但常规交易数据可用于报告等。

I agree with Mike, you need the company legals to define how strict your requirements are.

You need to ask who do we trust, if the data is just in the database, do we need a system that prevents a DBA modifying supposedly signed records??

I know of a system used to track drug samples left with doctors. The regular transactional records were in the database, but a separate encrypted Blob was stored with the same information, and the Drs captured signature. This was encrypted with sales rep logon account. This was the record for legal purposes (and approved by the FDA).

Thus it was tamper proof - a dba couldn''t manipulate the Blob data, as they couldn''t sign a different record, yet the regular transactional data was available for reporting, etc.

这篇关于数字签署数据，而不是文档的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！