Multiple signatures on a single file
btober at seaworthysys.com
Mon Sep 5 13:41:19 CEST 2005
>-----BEGIN PGP SIGNED MESSAGE-----
>Berend Tober wrote:
>>Is it possible to have multiple persons sign a single file? If so, how
>>is this done?
>>The particular scenario is currently this: Employees submit expense
>>reports for business travel using a spread sheet. Current practise is
>>the the employee fills out spread sheet via computer (or optionally
>>prints blank spread sheet template and writes by hand with a pen),
>>physically signs using pen and ink, physically delivers signed hardcopy
>>to supervisor for supervisor pen-and-ink signature prior to payment
>>Desired practise is to eliminate both producing hard copy and
>>pen-and-ink signatures, and then re-work the process using gpg
>>electronic signatures. Thus, employee would enter data into expense
>>report spread sheet, save, gpg sign, mail to supervisor, supervisor
>>would (presumably) open and review spread sheet, close without changing,
>>gpg sign, and then return to employee or forward to accounting dept.
>>Sounds straightforward, but I didn't spot in the various
>>manuals/guides/how-to's for gnupg how a second individual could add
>>their signature after me.
>Use detached signatures? Generate a key to sign the document with, and
>have that key signed by the supervisor?
What I don't like about doing that explicitly is that every additional
signature, at least in the default operational mode, appends an
additional ".sig" file extension. Further more, the signatures are
wrapped withing one another, so that to verification would require
serial verification of each preceding outer layer signature. What I've
been refining during the last couple days uses a command line script to
append additional detached signatures into a single signature file. This
approach models more directly the co-signature concept of legacy
contracts, i.e., think of buying a house -- you and you spouse are
co-signators rather than having one sign the contract and the other sign
the others signature. What you suggested models the concept of a notary
public witnessing a signature, but that we already have by signing
public keys in the trust model.
More information about the Gnupg-users