Signing document: How does this work?

HCL Domino Domino Forum
1

Hi,

until now I thought that i understand how “signing” of documents works. :-))

The user uses his “private key” from his ID-file to sign the document. Then all others can use the “public key” from the users person document in the Domino Directory to validate if the signature is valid.

So far so good.

But now i tried to place some code which uses signatures into an scheduled agent and it works fine as well. The created documents are signed correctly with the “signer” of the agent. Thats nice, but how does this work ?

The agent does not have access to an id-file.

So where does he get the private key from ? (Is the private key stored in every signed agent-design-document)

Or can a signature be created from an other signature even if I dont have the private key ?

How can this work and isnt it a security problem ?

Can anyone shed some light into this ?

Thanks in advance for any comments.

Bye

Lars

2

Subject: Signing document: How does this work ?

The agent is signed with a user id.It might run as the server id even.

The document’s fields are then calculated with some sort of checksum and then encrypted using the certificate keys stored in the server’s user document.

if you look in a person document in the name and address book names.nsf on the server there is a tab for certificates, that’s what it uses.

I think anyway, it might use the server’s certificate regardless of user, or a combination of the two.

There is no security leak. This code is tried and trusted for over 8 years+ now.

Have you come from a microsoft background?

This security and signing business all seems foreign doesn’t it? :slight_smile: Only joking!

-Adam Foster

http://www.AdFos.com

http://www.NotesNinjas.com

3

Subject: RE: Signing document: How does this work ?

Hi,

thanks for the answer.

I dont think that this is a security problem at all. Actually it works excatly like i need it to work.

But the problem is that I dont understand it. :-))

If my knowledge (of Lotus Notes which i have for 6 years +) is right then you need the PRIVATE key to create a signature. All the keys stored in the documents in the domino directory are PUBLIC keys. So you can’t use them. (You may need them to verify the signature but thats an other story). So how does it work ?

Or is it my mistake and a document can be signed if you have only the public key, and you dont need the private one for this action at all ? (But I am pretty sure about this.)

Bye

Lars