
Security question for electronic submission of documents

Status
Not open for further replies.

rkaic

Programmer
Jun 7, 2002
10
US
A client of a web design team I am on wants to have an online edocket system, where after logging in to the system, filers can submit legal documents that will be automatically filed into a web accessible database. I have a question regarding proving the validity of the filer and their document. Is it acceptable to use their login success as proof of document validity, or must they purchase a digital signature from a third party? I think the IRS allows online filing via login; I need to know this as the client is also a government agency. Basically the filers will be attorneys from public utility organizations, and the type of documents being filed are transcripts. Thanks in advance for your input.
 
If it were me, I'd want them to digitally sign the documents with PGP or GPG. Many sites authenticate users based on a simple userid/password pair, but the ones that I have looked at in detail have trivial problems that allow other users to hijack or tailgate on a session with some relatively trivial techniques.

Digital signatures, on the other hand, are much more difficult to forge (again, not impossible). But some form of Public Key Encryption is definitely more secure than a userid/password pair, even if your server is running SSL.

It will also benefit you to log as much information as you possibly can, like source IP address, browser type, any email addresses associated with the browser, etc. If you link that audit trail with the documents that were received, you will greatly improve your ability to "verify" the authenticity of a given document. You will probably be required to perform this type of verification at some point because of a legal case, so you might as well prepare in advance.

I'd really want the utilities to invest in Certs though, so that you can authenticate the person connecting with you. The government has been pushing for the implementation of X.509 certs and PKI for some time. Make them put their money where their mouth is. With Certs like this, you can associate a given document with an individual, rather than just an organization. You can be your own CA, so you don't have to invest in Verisign or Entrust certs. Of course, the certs will only be valid for your site, but then again, do you really care?

pansophic
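The pattern pansophic describes (the site acts as its own CA, each filer gets a certificate naming the individual, the document is signed rather than merely uploaded after login, and the server stores an audit record linking the document to the signer and the connection details) can be shown end to end in a small program. The code below is an added example written for this page, not code from the thread or from any edocket product; it uses Go's standard library X.509 and ECDSA support and assumes a hypothetical server that receives the document, a detached signature and the filer's certificate with each submission. The names `NewCA`, `IssueFilerCert`, `SignDocument`, `VerifyFiling` and `Filing`, and the sample transcript, IP address and user agent, are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Filing is the audit record kept beside each accepted document: the digest,
// the individual and organization named in the signing certificate (not the
// login form), and the connection details the answer recommends logging.
type Filing struct {
	DocSHA256, Signer, Org, SourceIP, UserAgent string
	ReceivedAt                                  time.Time
}

// template builds the fields shared by every certificate the site issues.
func template(cn, org string) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
}

// NewCA creates the self-signed root the site itself operates ("be your own CA").
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(name, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueFilerCert issues a client certificate to one named attorney at one
// organization; the filer presents the DER bytes with every submission.
func IssueFilerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, org string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(cn, org)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// SignDocument is the filer-side step: a detached signature over the document digest.
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyFiling is the server-side check: the certificate must chain to our CA
// and the signature must match the document byte for byte; only then is an
// audit record produced that ties the document to a named individual.
func VerifyFiling(doc, sig, certDER []byte, ca *x509.Certificate, srcIP, ua string) (*Filing, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not issued by our CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected key type in certificate")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("signature does not match document")
	}
	org := strings.Join(cert.Subject.Organization, ",")
	return &Filing{hex.EncodeToString(digest[:]), cert.Subject.CommonName, org, srcIP, ua, time.Now().UTC()}, nil
}

func main() {
	ca, caKey, _ := NewCA("Edocket Site CA") // constructed: the agency's own root
	certDER, filerKey, _ := IssueFilerCert(ca, caKey, "Jane Doe", "Example Utility Co")
	transcript := []byte("constructed sample transcript text") // constructed document
	sig, _ := SignDocument(filerKey, transcript)
	rec, err := VerifyFiling(transcript, sig, certDER, ca, "192.0.2.10", "constructed-ua/1.0")
	fmt.Println(rec, err)
	_, err = VerifyFiling([]byte("constructed sample transcript text!"), sig, certDER, ca, "192.0.2.10", "constructed-ua/1.0")
	fmt.Println("tampered document:", err)
}
```

The two rejection paths matter as much as the acceptance path: a document altered after signing fails the digest check, and a certificate issued by anyone other than the site's own CA fails `cert.Verify`, even if its subject name matches a legitimate filer. The `Filing` record is what you would keep alongside the stored document so that, when a legal case later asks who submitted it and from where, the answer comes from the certificate chain and the logged connection, not from a password login alone.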
 