What is the best way for an user to sign/timestamp data with his private key?

Question

I am still new to security issues so my problem may actually be just a misunderstanding.

The system I am working has the requirement that users should sign/timestamp data somewhere in the web application. However, in order to sign with a digital certificate, users should input their privates keys on the system. Giving the fact that a third party is involved, we as a company should guarantee that only the end user is allowed to sign/timestamp data.

The only way I see out of this, is to create a desktop application, that can certificate data. But still I should need somewhere the ability of timestamping, and this would require communication with an external server, which could be a way of our company 'stealing' their private keys.

Is there a pattern for signing/timestamping data on the Internet and specifically on a web app? How could this be implemented?

Answer 1

So you have a server and users. Users perform digital signing of data on their systems. Timestamping is done together with signing (it proves the signing time). Timestamping is performed by trusted thirdparty TSA (Timestamping Authorities). The code which will do signing will contact the TSA (usually using HTTP or HTTPS protocol) and timestamping will be performed that way. TSA's certificate is included with the timestamp so that the timestamp can be validated later.

Now about technical side. For web application your best option is to create an applet or ActiveX control which will be downloaded to user's browser and which will do signing.

Our company offers pre-created solution for this, and I described it in details in this answer.

Of course you can let the user download the document and sign it using Acrobat stuff or some other client-side application, then upload the document back. If you decide to write such application yourself, you would need signing components, eg. IText or our SecureBlackbox.