Wednesday, December 7, 2016

How to tell if a digital signature is trustworthy

Digital signatures play a central role in software security. This article explains what a digital signature is, and how you can check to make sure that a digital signature is trustworthy.

The Office Blog

What is a digital signature?

A digital signature is used to authenticate digital information — such as documents, e-mail messages, and macros — by using computer cryptography. Digital signatures help to establish the following assurances:

  • Authenticity     The digital signature helps to assure that the signer is who they claim to be.

  • Integrity     The digital signature helps to assure that the content has not been changed or tampered with since it was digitally signed.

  • Non-repudiation     The digital signature helps to prove to all parties the origin of the signed content. "Repudiation" refers to the act of a signer's denying any association with the signed content.

To make these assurances, the content must be digitally signed by the content creator, using a signature that satisfies the following criteria:

  • The digital signature is valid.

  • The certificate associated with the digital signature is current (not expired).

  • The signing person or organization, known as the publisher, is trusted.

  • The certificate associated with the digital signature is issued to the signing publisher by a reputable certificate authority (CA).

The 2007 Microsoft Office system programs check these criteria for you and alert you if there is a problem with the digital signature. For details, see the last section in this article, How to tell if a digital signature is trustworthy.

View a digital signature in a signed document

Which 2007 Microsoft Office system program are you using?

Excel

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

  1. With the document open, click the Microsoft Office Button, and then click Prepare.

  2. Click View Signatures.

    Tip: You can also click the signatures button at the bottom of your screen.

  3. In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.

  4. In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

PowerPoint

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

  1. With the document open, click the Microsoft Office Button, and then click Prepare.

  2. Click View Signatures.

    Tip: You can also click the signatures button at the bottom of your screen.

  3. In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.

  4. In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

Word

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

  1. With the document open, click the Microsoft Office Button, and then click Prepare.

  2. Click View Signatures.

    Tip: You can also click the signatures button at the bottom of your screen.

  3. In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.

  4. In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

View a digital signature in a signed e-mail message

  1. Open the digitally signed message.

  2. Look at the Signed By status line and note the e-mail address of the person who signed the message.

    Important: It is not enough to check the e-mail address in the From line, because it is necessary to verify who actually signed the message, and not just who sent it. If the e-mail address in the From line does not match the e-mail address in the Signed By status line, the Signed By line is the one to use in identifying who actually sent the message.

  3. Check to see whether the signature is valid or invalid.

    • If the button on the Signed By status line appears similar to the following Signature button, the signature is valid. For more information about the status of the signature, click the button.

    • If a red underline appears under the Signed By status line and if the button appears as an exclamation mark, the signature is invalid. For more information about the status of the signature, click the button.

  4. To see more information about why there is a problem with the digital signature, such as the certificate being invalid, click Details.

  5. In the next security dialog box that appears, click View Details to see information about the certificate used in the digital signature.

View a digital signature for a signed macro

When you open a document that contains a signed macro project and there is a problem with the signature, the macro is disabled by default and the Message Bar appears to notify you of a potentially unsafe macro. However, this does not occur if you are opening the document from a trusted location.

If the macros have been signed, you can view the certificates for the files by doing the following:

  1. On the Message Bar, click Options.

  2. If the macros are signed, you see in the security dialog box a Signature area that looks similar to the following illustration.

    Signature

  3. Click Show Signature Details.

How to tell if a digital signature is trustworthy

This section describes what you should look for when you evaluate the trustworthiness of a digital signature.

The digital signature is OK

A valid digital signature is identified by a message at the top of the Digital Signature Details dialog box, confirming that the digital signature is OK. You should also note the timestamp details under Countersignatures. The timestamp details indicate that the certificate authority — in this example, VeriSign — has verified and approved the digital signature.

Digital Signature Details dialog box

The date for the time stamp — in this case, August 7, 2003 — should be within the Valid from date range in the certificate. To see the date range in the digital signature, click View Certificate.

Certificate dialog box

The publisher — in this case, Microsoft Corporation — should be a trusted publisher by default on computers running the Microsoft Windows operating system. Certificates for Microsoft are located in the Trusted Root Certification Authorities store. If the publisher is not trusted by default, you must explicitly trust the publisher. Otherwise, the content signed by that publisher does not pass the security software checks.

Checking for the red X

A digital signature that presents problems shows the image with a red X.

Digital Signature Details dialog box

The red X can appear for the following reasons:

  • The digital signature is invalid for some reason. (For example, the content has been altered since it was signed.)

  • The digital signature is expired.

  • The certificate associated with the digital signature was not issued by a certificate authority (CA). For example, it might be a self-signed certificate created by using Selfcert.exe.

  • The publisher is not trusted.
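
The same criteria and red X reasons can be checked from PowerShell for an Authenticode-signed file (a script, DLL or installer rather than an Office document, so this goes beyond the dialog boxes the article covers). This is an added example, not part of the original article; the function name Test-SignatureTrust and the sample path are hypothetical.

```powershell
# Added example (not from the original article). Returns a list of problems;
# empty output means none of the checks below raised a concern.
function Test-SignatureTrust {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) { return "No signer certificate: $($sig.StatusMessage)" }

    $problems = @()

    # Criterion: the digital signature is valid. HashMismatch means the
    # content changed after it was signed.
    if ($sig.Status -ne 'Valid') {
        $problems += "Signature status $($sig.Status): $($sig.StatusMessage)"
    }

    # Criterion: the certificate is current. This cmdlet exposes the timestamp
    # signer but not the timestamp date, so that date is compared by hand.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Certificate valid only $($cert.NotBefore) to $($cert.NotAfter); " +
                     'check that the timestamp date falls inside this range'
    }
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'No timestamp countersignature'
    }

    # Criterion: issued by a CA rather than self-signed (Subject equals Issuer),
    # and the chain builds to a root this computer trusts.
    if ($cert.Subject -eq $cert.Issuer) { $problems += 'Certificate is self-signed' }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems += $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status)" }
    }

    # Criterion: the publisher is explicitly trusted on this computer.
    $stores  = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
    $trusted = Get-ChildItem -Path $stores | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $trusted) { $problems += "Publisher not in Trusted Publishers: $($cert.Subject)" }

    return $problems
}

# Constructed sample path; replace it with the file you are reviewing.
Test-SignatureTrust -Path 'C:\Samples\signed-addin.dll'
```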

What you should do if there is a problem with a signature

When there is a problem with a digital signature, then depending upon your situation, you can do any of the following:

  • You can contact the source of the signed content, and let them know that there is a problem with the signature.

  • Contact the IT administrator in charge of your organization's security infrastructure.

  • If you feel that the macro or other active content associated with the document is trustworthy, you can save the document to a trusted location. Documents in trusted locations are allowed to run without being checked by the Trust Center security system. Using trusted locations is a better option than lowering your security level settings for all macros.

  • You can explicitly trust the publisher.

2 comments:


  1. You can think of a digital signature as your electronic fingerprint. Signing a document electronically while verifying the identity of the signer is possible with this tool. The mathematical code proves the document's authenticity and ensures it won't be altered on the way to the recipient. What Is A Digital Signature Certificate
