Digital Signatures Certifications legal issues

Question

I am currently working on a project that deals with sensitivity customer data, and we are being recommended to use Digital Signatures as appose to Electronic Signatures due to its new scale and the sensitive nature of the customers' data.

I personally don't know what the legal issues are with Digital Signatures, but I know that sometimes a Certificate Authority are needed?

This program is being written in C# visual studios if that matters, but I don't really know where to start with this process. I know it works like a public and private key encryption , a Public Key Infrastructure, but I have been informed that you must "buy" a certification from a Certificate authority. You could also create your own?

I was also informed that I need to make sure this would also allow documents created by our program to be legally binding in the USA. That certain laws and procedures are different in different countries so I need to make sure these are in order before I even start coding.

I'm sorry if this sounds more like a legal question then a coding question. My searches aren't helping and I can't start coding until I know what I can and can't do.

Answer 1

SSL encrypts the data channel. It can be broken by the NSA and perhaps others but it is considered quite hard to do so.

I certainly think it is a reasonable and appropriate level of data security for many uses, but that is merely my personal opinion.

Digital Signatures do not encrypt your data. Digital signatures sign your data, assuring you and the recipients that the data was not changed en route, and giving you confidence that you know who signed the data.

You can use a digital certificate purchased from a certificate authority to sign data. Or you can create a self-signed key for your organization and then use subordinate signer keys. We have many many customers who do this.

Documents signed with digital signatures are legally binding everywhere in the world. In some jurisdictions, for some purposes, you need a qualified digital signature. That means that the certificate was issued to the signer by a recognized national certificate authority.

I suggest that you are a ways from coding--you need to better understand your business requirements first.

With digital signatures, protecting the security of the signers' private keys is extremely important. These days, centralized hardware-hardened appliances are often used.

Here are some APIs which make it easy to digitally sign documents and data while managing the keys via an appliance.

Disclosure: I work for CoSign.