##language:en
##language:de

Back -> ["Website_FTA_Wizard"]

= Notes =
With permission of the initiator, we would like to take advantage of this article and integrate it into the effort to adapt the website to the needs of first-time assurers/users.
Currently the text is too technical and needs to be adapted to the needs of end users.
For more information about the website adaptation and the ongoing effort, go to ["Website"].

= Handwritten vs. digital signature =
||Handwritten signature||Digital signature||
||You create your own, individual and unforgeable signature.||Your computer generates your digital signature from a key that consists of at least 1024 random bits.||
||You sign a document with your own signature.||Your e-mail program attaches your digital signature to the e-mail before sending it.||
||You receive a document signed by a person you know.||You receive an e-mail with a digital signature which your e-mail program already knows.||
||You receive a document with a signature from a person you do not know.||You receive an e-mail with a digital signature which your e-mail program does not know.||
||You receive a document with a signature you do not know, but the signature is notarized by an official authority.||You receive an e-mail with a digital signature which your e-mail program does not know, but the digital signature is certified by CAcert.||

See also: SecurityLayer

With digital signatures, someone can sign a document (or a file, form data,
an image or an e-mail).
Later, someone else can verify that signature to be sure who signed it, that
the document is the one that was signed, and that it has not been modified.

From the technical perspective, digital signatures are similar to Transport
Layer Security (SSL/TLS): both use the same kind of X.509 certificates for
identification.

The big difference between transport encryption and digital signatures is
time. Transport encryption is verified in real time; a digital signature is
verified later. Sessions happen in a timeframe of seconds and minutes,
signatures in a timeframe of months and years.

Most organisations concerned with security talk about a minimum of 30 years
during which a digital signature must remain verifiable.

What does that mean organisationally?

The most important distinction a certification authority has to make is the
one between expiration and revocation:

Let's have a look at Bob and Alice:

Bob gets his CAcert certificate in October 2004. It lasts two years, so it
will expire in October 2006.
In 2005, Bob signs an important document with his private key and the CAcert
certificate.
Afterwards the document and the signature are archived.
In 2010, Alice retrieves the document from the archive and verifies the
signature.
The verification program will tell Alice the following:

* Bob signed this document in 2005.
* The document is intact and has not been modified.
* Bob's certificate was valid at the time of signing (2005).
* Bob's certificate expired in 2006 but has never been revoked.

For the first statement the verifier needs a trustworthy signing time, for
example from a time-stamping service or from the archive's own dated record;
the signature by itself does not prove when it was made.

So in the context of digital signatures it is very important to understand
the role of "expiration" and how it differs from "revocation".
Expiration means that the certificate has run out and cannot be used any more
for new signatures or new communication sessions. Digital signatures that
were made with this key while it was valid ARE STILL VALID.

Revocation means that the private key has leaked, or that the certificate was
wrongly issued (or any other reason). Because a relying party cannot tell
which signatures were made before the compromise, ANY signature that was ever
made with this certificate is INVALID now.

Revocation of a certificate should therefore only be used in an emergency,
when all signatures are practically invalid anyway because of a security
breach.

So let's take a look at the current rules of CAcert, and how they should be
changed to support digital signatures:

> When the Digital Certificate expires or is revoked the company  
> will permanently remove the certificate from the server on which it is 
> installed and will not use it for any purpose thereafter. 

If it expires, it should be archived for verification purposes; destroying
expired certificates is not necessary.

Some more things:

* Certificates must remain revocable after they have expired.
* Certificate revocation information (CRLs and OCSP) should remain available
even years after the certificates have expired.
* The CA should not revoke certificates without a good reason.

The next topic that is closely tied to digital signatures is key rollover:

> Your certificate is set to expire in approximately 45.00 days' time; you can
> either wait until your certificate expires and then issue a new certificate,
> or you can go to the following URL to revoke it:
> https://www.cacert.org/email.php?id=9
> Then this URL to issue a new certificate:
> https://www.cacert.org/email.php?id=7

Reissuing old certificates should be possible 45 days before expiration
WITHOUT having to revoke the old one (because the revocation would needlessly
nullify all signatures made with it).
