Digital signatures

A digital signature on an electronic document or other object is created by using a form of cryptography and is equivalent to a personal signature on a written document.

A digital signature provides proof of the object's origin and a means by which to verify the object's integrity. A digital certificate owner "signs" an object by using the private key that is associated with the certificate in a signature generation operation. The recipient of the object uses the public key that is contained within the certificate in a signature verification operation to verify the signature, which, in turn, verifies the integrity of the signed object and verifies the sender as the source.

A Certificate Authority (CA) signs certificates that it issues. This signature is a binary data string that is created by using the Certificate Authority's private key in a signature generation operation. Any user can then verify the signature on the certificate by using the Certificate Authority's public key in a signature verification operation.

A digital signature is an electronic signature that you or an application creates on an object by using a digital certificate's private key in a signature generation operation. The digital signature on an object provides a unique electronic binding of the identity of the signer (the owner of the signing key) to the origin of the object. When you access an object that contains a digital signature, you can verify the signature on the object to verify the source of the object as valid (for example, that an application you are downloading actually comes from an authorized source such as IBM®). This verification process also allows you to determine whether there have been any unauthorized changes to the object since it was signed.

An example of how a digital signature works

A software developer has created an IBM i application that he wants to distribute over the Internet as a convenient and cost-effective measure for his customers. However, he knows that customers are justifiably concerned about downloading programs over the Internet due to the increasing problem of objects that masquerade as legitimate programs but really contain harmful programs, such as viruses.

Consequently, he decides to digitally sign the application so that his customers can verify that his company is the legitimate source of the application. He uses the private key from a digital certificate that he has obtained from a well-known public Certificate Authority to sign the application. He then makes it available for his customers to download. As part of the download package he includes a copy of the digital certificate that he used to sign the object. When a customer downloads the application package, the customer can use the certificate's public key to verify the signature on the application. This process allows the customer to identify and verify the source of the application, as well as ensure that the contents of the application object have not been altered since it was signed.
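The two operations described on this page, signature generation with the certificate owner's private key and signature verification with the public key from the certificate, worked through end to end in Go as an added example. This is not code from IBM's documentation or from IBM i; it uses only the Go standard library and assumes ECDSA P-256 keys, a self-signed root CA standing in for the well-known public Certificate Authority, and a constructed byte string standing in for the application. The names `newIdentity`, `signObject`, `verifyObject` and `Demo` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity generates a key pair and issues an X.509 certificate for it. With
// parent == nil the certificate is self-signed (a root CA); otherwise signerKey
// must be the parent's key, so the issuing CA's signature lands on the new cert.
func newIdentity(name string, isCA bool, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA tracks serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, signerKey = tmpl, key // template as its own parent: self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signObject is the signature generation operation: hash the object and sign
// the digest with the certificate owner's private key.
func signObject(priv *ecdsa.PrivateKey, object []byte) ([]byte, error) {
	digest := sha256.Sum256(object)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyObject is the recipient's signature verification operation: confirm the
// signer's certificate was issued by the trusted CA, then check the signature
// on the object with the public key carried in that certificate.
func verifyObject(signerCert, caCert *x509.Certificate, object, sig []byte) error {
	if err := signerCert.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("signer certificate not issued by the trusted CA: %w", err)
	}
	if err := signerCert.CheckSignature(x509.ECDSAWithSHA256, object, sig); err != nil {
		return fmt.Errorf("signature does not match object (altered, or not signed by this key): %w", err)
	}
	return nil
}

// Demo plays out the scenario: CA issues the developer's certificate, developer
// signs the application, customer verifies a genuine, a tampered and a wrong-CA case.
func Demo() (genuineOK, tamperedOK, wrongCAOK bool, err error) {
	caKey, caCert, err := newIdentity("Example Root CA (constructed)", true, nil, nil)
	if err != nil {
		return
	}
	devKey, devCert, err := newIdentity("Example Developer (constructed)", false, caCert, caKey)
	if err != nil {
		return
	}
	_, otherCA, err := newIdentity("Unrelated CA (constructed)", true, nil, nil)
	if err != nil {
		return
	}
	application := []byte("constructed sample application payload v1.0") // stand-in for the distributed object
	sig, err := signObject(devKey, application)
	if err != nil {
		return
	}
	genuineOK = verifyObject(devCert, caCert, application, sig) == nil
	// A single byte altered after signing must be detected.
	tampered := append([]byte(nil), application...)
	tampered[len(tampered)-1] = '9'
	tamperedOK = verifyObject(devCert, caCert, tampered, sig) == nil
	// The same valid signature is rejected when the certificate does not chain to the CA the customer trusts.
	wrongCAOK = verifyObject(devCert, otherCA, application, sig) == nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `true false false <nil>`: the genuine download verifies, the altered copy fails, and the same signature is also rejected when the bundled certificate does not chain to a CA the customer trusts. That last check is the reason the verifier validates the certificate's own signature before using the public key inside it: a public key taken from an unverified certificate would let anyone ship a self-made certificate alongside their own signature.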