The use case: to sign an electronic document, users view the document, and if they agree take a picture of themselves with their webcam (done through Flash from the browser). Then a PDF is generated containing the document and the picture in place of signature.

This is a biometric signature, which is not as strong as a digital (cryptographic) signature, but stronger than having users draw their signature, as a photo is harder to forge than a drawn signature.

Has anyone seen this technique being used on an existing web site?

A: 

A photo is harder to forge? I think a photo is quite easy to forge. If you take a picture as someone, and use software to let the flash app take the picture as a photo, you have signed the document without the owner's consent.

Ikke
+1  A: 

What if I put up a picture of Jon Skeet before the webcam (seriously)?

This technique would be gimmicky but has very little real-life security benefit imo.

ChristopheD
It will then be relatively easy for Jon to say that this is not a picture he took with his webcam that day, but someone holding a known picture of him in front of a webcam (he doesn't own that shirt anymore, anyway!). But I get your point, a signature is more secure than a photo in the sense that you don't necessarily know what Jon's signature looks like, and so it is harder for you to imitate it.
Alessandro Vernet
+1  A: 

This idea isn't secure by itself. When talking about digital signatures, we are looking for these properties:

  1. It is easy to verify that the signature is authentic.
  2. It is nearly impossible to forge a signature.
  3. The signature applies to a certain document (or message), and cannot be transferred to another document.

Your method fails at all three:

  1. It is hard to verify a signature, unless you already know the signer visually (also take into account that blind people do use computers)
  2. It is very easy to forge a signature.
  3. The signature can be easily transferred to another document, and it isn't possible to verify that the signature and the allegedly signed document match (since there is nothing that binds the signature to the document. PDF is not secure in any way!).
M.A. Hanin
Of course, I agree. But note that conventional signatures blatantly fail when reviewed under the properties you mentioned, and despite that are, in this world, considered to be good enough in most situations.
Alessandro Vernet
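
The three properties listed in M.A. Hanin's answer, as an added example that is not part of the original thread: a Lamport one-time signature built from SHA-256 stands in for a digital signature scheme, next to a photo check that never reads the document. All function names and sample documents are constructed for illustration.

```python
import hashlib
import secrets

def keygen():
    # Private key: 256 pairs of random secrets. Public key: their SHA-256 hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _digest_bits(document: bytes):
    # The 256 bits of SHA-256(document); the signature depends on every one.
    d = hashlib.sha256(document).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, document: bytes):
    # Reveal one secret per digest bit. A Lamport key may sign ONE document only.
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(document))]

def verify(pk, document: bytes, signature) -> bool:
    # Property 1: anyone holding the public key can check, no need to know the signer.
    if len(signature) != 256:
        return False
    return all(hashlib.sha256(signature[i]).digest() == pk[i][bit]
               for i, bit in enumerate(_digest_bits(document)))

def photo_check(document: bytes, photo: bytes, reference_photo: bytes) -> bool:
    # The webcam scheme: the comparison never involves the document at all.
    return photo == reference_photo

def demo():
    sk, pk = keygen()
    contract = b"I agree to pay 100 EUR."      # constructed sample document
    altered = b"I agree to pay 100000 EUR."    # constructed altered document
    sig = sign(sk, contract)
    photo = b"<jpeg bytes of the signer>"      # constructed placeholder image
    return {
        "sig_on_contract": verify(pk, contract, sig),                     # True
        "sig_moved_to_altered": verify(pk, altered, sig),                 # False (property 3)
        "forged_sig": verify(pk, contract, [b"\x00" * 32] * 256),         # False (property 2)
        "photo_on_contract": photo_check(contract, photo, photo),         # True
        "photo_moved_to_altered": photo_check(altered, photo, photo),     # True: not bound
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
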