Digitally signed documents/Strong Encryption: Python modules ??

Steve Purcell stephen_purcell at yahoo.com
Thu Apr 19 11:38:40 EDT 2001


Thomas Weholt wrote:
> I want to create digitally signed documents using Python and some standard
> protocol or technology.
> More specific; I got an XML document, I want to create a signature so that
> people can verify that the document isn't tampered with. Legal issues, i.e.
> making digitally signed documents/files, legally binding, are also very
> interesting.
> 
> Generating a SHA checksum seems a little "light". What are my choices?


To digitally sign a document, the document provider would typically use his
GPG, PGP or similar private key to sign the document prior to distributing it.
Recipients would verify the signature with the provider's public key.

A signature alters the document itself, e.g., signed e-mails have additional
signature data inserted during the signing process, either inline or in a
MIME attachment.  Additional work is required by the receiver in order to
extract the signed content from the document.  A valid signature shows
that there was no tampering.

But, to just detect tampering, try using a non-invasive technique like an
MD5 checksum signed with the secret GPG or PGP key of the document provider.
This is a typical way of certifying the integrity of Linux packages, and
does not require that the document itself be altered.

The receiver gets the document from wherever, and separately obtains the
signed checksum and public key of the document provider.  Using the public
key he can verify that the checksum is the correct one, and he can compare
this checksum with the one he calculates from the document.

Google for gpg, pgp or cryptography for more info.

Best wishes,

-Steve

-- 
Steve Purcell, Pythangelist
Get testing at http://pyunit.sourceforge.net/
Any opinions expressed herein are my own and not necessarily those of Yahoo
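
Added example, not part of the original post: a sketch of the receiver-side check described in the reply, in which the signed checksum file is verified first and the document is then compared with the checksum listed in it. It assumes a detached GPG signature over a `sha256sum`-style manifest and uses SHA-256 in place of the MD5 named in the post; the function names, file names and sample data are hypothetical.

```python
import hashlib
import hmac
import subprocess

def valid_signer(status_text):
    """Return the key fingerprint from gpg's VALIDSIG status line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper()
    return None

def gpg_signer(manifest_path, sig_path):
    """Verify a detached signature; needs gpg and the provider's public key."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, manifest_path],
        capture_output=True, text=True)
    return valid_signer(proc.stdout) if proc.returncode == 0 else None

def parse_manifest(text):
    """Parse 'hexdigest  filename' lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if digest and name:
            entries[name.lstrip(" *")] = digest.lower()
    return entries

def document_matches(doc_bytes, name, manifest_text):
    """True only if the manifest lists name and its SHA-256 matches doc_bytes."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False  # a document the manifest does not list is unverified
    actual = hashlib.sha256(doc_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data (not from the post).
DOC = b"<order><item>widget</item><qty>2</qty></order>\n"
MANIFEST = hashlib.sha256(DOC).hexdigest() + "  order.xml\n"
FPR = "AB" * 20  # placeholder fingerprint
STATUS = ("[GNUPG:] GOODSIG 0123456789ABCDEF Example Provider\n"
          "[GNUPG:] VALIDSIG " + FPR + " 2001-04-19 987694720 0 4 0 1 8 00 " + FPR + "\n")

if __name__ == "__main__":
    print(valid_signer(STATUS) == FPR)
    print(document_matches(DOC, "order.xml", MANIFEST))
    print(document_matches(DOC.replace(b"2", b"9"), "order.xml", MANIFEST))
```

The fingerprint returned by `gpg_signer` should be compared with the provider's fingerprint obtained through a separate channel, since gpg accepts a good signature from any key in the keyring.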



