1. Field of the Invention
Embodiments of the present invention generally relate to digital signatures and, more particularly, to a method and apparatus for one-step signature trust for digitally-signed documents.
2. Description of the Related Art
Digital documents can make use of digital signatures. Digital signatures contain a “certificate” component confirming the identity of the signer and a “signature” component based on the Public Key Infrastructure, PKI, processing of the document content, useful for confirming the integrity of the document content. Often, the digital certificate is issued by a Certificate Authority (CA) such as VeriSign®, and links the identity of the signer to ownership of a unique public key. However, in the case of a signature using a self-signed certificate, the certificate is issued directly by the signer. For a variety of reasons, one or more digital signatures within a document may fail integrity checks when the document is opened by its recipient.
Often, a recipient will open a digitally signed document and receive a warning that the signature status of the document is unknown. Although digital signatures are a more reliable mechanism for identifying and certifying the signer of a document than a traditional paper “wet signature”, failures like this undercut a recipient's perception of trust in the individual or organization who provided the document, as well as the recipient's trust in the software application providing the document as a conduit for reliable, trustable, digital documents.
In many cases, the only reason for a document to receive an unknown signature status is that the document was signed using a digital certificate that was not trusted for signing on the recipient's machine. This is particularly prevalent in cases of self-signed documents, that is, documents where the digital certificate included within the digital signature is not rooted in any Certificate Authority (CA). It also occurs when a CA is inaccessible, which occurs when a certificate has a chain of CAs that extend beyond itself but is unreachable for various reasons (e.g., network outage, a private CA that is internal to an organization, server problems at the CA, national calamity, etc.) Current software applications do a poor job of dealing with this failure mode; they simply present an error message and expect the recipient to resolve it, typically with little or no guidance about how to do so.
Therefore, there is a need for a method and apparatus for one-step signature trust for digitally-signed documents.