Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: digital signature



 The place I worked at which was subject to FDA's GMP regulations, used 
paper signatures.  They were converting to a process where the signed 
documents were scanned in, watermarked, then archived.  They would use 
the electronic version, with the paper version only ever being used if 
the electronic was lost or someone sued them or questioned the 
electronic document. 

Randy 

Stephen Adler wrote: 
> So here is the issue which has brought up my interest in digital 
> signatures. I'm setting up a quality system to develop software which 
> will pass the rigors of FDA compliance. What the FDA needs is to have 
> documents which are signed for approval my management types. (i.e. All 
> the documents which are generated need a signature and typically this 
> involves some secretary running around cubicles with a pen, getting 
> signatures on a hard copy document which is then filed away.) So using 
> a digital signature would be a great move forward, especially if I 
> want to set up a web based FDA control process. In the end, this all 
> gets very legal where as someone can sue for big bucks if a product 
> goes wrong in a hospital, and the quality system under which the 
> device was developed then comes into play. So this may give you a 
> better idea of how far I need to go with a digital signature. My 
> preference is to slide the bar as far to the "this is a properly 
> digitally signed document" which can hold up in a court of law. 
> 
> Cheers. Steve. 
> 
> Matthew Gillen wrote: 
>> Stephen Adler wrote: 
>>> To do this right, I believe, I want to get a key pair which is 
>>> registered with a 3rd party registry like verisign or 
>>> networksolutions.com or something like that. Is this not so? Say I 
>>> sign a document with a self generated key pair, how does a third 
>>> party know that the signature came from me and not someone posing as 
>>> me who generated their own pair of keys? 
>> As Dan pointed out, you build a web of trust, using the standard 
>> methods: 
>> - distribute your key (or at least the fingerprint for later 
>> verification of your key) when you meet people in person (sneakernet) 
>> - POTS (ie have them read off the fingerprint of your public key over 
>> the phone to you) 
>> - Post it on your business web site (generally thought to be less 
>> secure than the first two, although if people get your phone number 
>> from your website...) 
>> - if it's really important, hire a courier. 
>> 
>>> If I do need to go through the 3rd party registry route, who should 
>>> I use? 
>> You could probably do a hell of a lot better than the standard 
>> practice today (ie no verification beyond the "From" header in an 
>> email) without going overboard with air-tight verification.  It's 
>> really a matter of how far you want to move the slider from "easy to 
>> use, but no verification" to "it would almost be easier to fly there 
>> and deliver the document in person".   For business, you probably 
>> don't want to go too far toward the latter, lest it get in the way of 
>> things you're getting paid to do (unless verification is something 
>> the client is really interested in or knowledgeable about). 
>> 
>> Matt 
>> 
>> 
> 
> 


BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org