There are several parts to using signatures effectively. To see why let's just think about paper signatures.
Suppose you get a document claiming to be from someone. It might have a signature on it. Does the signature prove anything? Of course not by itself. But do you have their signature on file? Then you can check it, it becomes worth something.
It's the same with digital signatures. The signed document alone is UTTERLY WORTHLESS. When you make the signature you get a "public certificate". You can share this, perhaps send it to key people, and confirm by telephone that the signature is real. Then, when they later get a signed document from you, software can compare with the public certificate and check it's real. (Using the public certificate you can't make a fake signature, that needs something else, the "private certificate" that you must keep safe and secure).
So, this works for a handful of motivated people. It breaks down very quickly with many people (many is probably somewhere around five). In this case we go for a different scheme, called a "certificate repository". Here, a central organisation issues the certificates, gives you a private certificate, and lets everyone check the public certificates. The organisation arranges automatic trusting of their repository.
In the wider world, there are global repositories.
Hope this makes sense of the underlying way it's used.
1
Reply
AdChoices