Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Business-Suitable Document Authentication System?

timothy posted more than 4 years ago | from the sign-each-pigeon-as-it-flies-by dept.

Businesses 130

ram.loss writes "The company I work for has decided to go paperless for all memos and internal correspondence. In addition to the central administration, the company has three more or less autonomous, physically separated divisions; that means we do not have a common IT infrastructure across all of them. Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software). My initial thought was to use a document management system like Plone (this is the system I'm familiar with); from what I have read, that would take care of the management part, but what about authentication? We need each document to be signed, and a fully auditable system that keeps track of who signed what document, who received it and when. It also must take into account the handling of external correspondence in the future, where a recipient outside the company must have the means to return an authenticated document as a response. I'm aware that I'm leaving out a lot of details, like how the documents will be signed, the legal implications, etc., but for the time being I'm only interested in the experiences of the Slashdot crowd with such systems, and hopefully finding out enough information to hand over the matter to (or hiring) somebody more qualified, once I know what to look for. Has anybody out there used a similar system? Am I in way over my head?"

Sorry! There are no comments related to the filter you selected.

In Soviet Russia... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31548804)

Papers authenticate you.

SharePoint (3, Informative)

Anonymous Coward | more than 4 years ago | (#31548826)

Microsoft SharePoint can handle most of what you need out of box, and you can configure and customize what you need for the rest, I believe.

Re:SharePoint (2, Insightful)

moderators_are_w*nke (571920) | more than 4 years ago | (#31548864)

Only if you're standardised on MS Office. They do not have a common IT infrastructure.

Re:SharePoint (1)

Anpheus (908711) | more than 4 years ago | (#31551024)

Sharepoint doesn't require Microsoft Office, it only requires Windows Server.

If you have a relatively unused server running Windows 2008/2008 R2, install Sharepoint Foundation 2010 Beta [microsoft.com] and give it a try. It's OK, and it doesn't require IE to access the site.

Re:SharePoint (4, Insightful)

klubar (591384) | more than 4 years ago | (#31548982)

SharePoint is underrated-- it really has gotten pretty goood. Although you say that the firm doesn't have a common infrastructure, it's likely that you've standardized on Microsoft Office. If you're using (or can upgrade to) Office 2007 (or 2010), sharepoint plays extremely well with Office. SharePoint will handle all your office documents. If you need a comprehensive solution for scanned paper or integration with other applications, I'd look at some of the commercial document management solutioms (Documentum).

Don't cheap out and try to put together some homebrew solution. Remember as Click and Clack the Tappit Brothers [cartalk.com] say, it's the cheap man/women who spends the most.

Re:SharePoint (5, Informative)

YrWrstNtmr (564987) | more than 4 years ago | (#31549044)

One of the main issues with SharePoint (aside from the whole MS ecosystem) is that it is a large complex beast. Once you move beyond the base SharePoint Services and into SharePoint Server, the maintenance will drown you. Especially if you are only one deep.
And I say this as a SharePoint admin/developer for a large US govt organization.

But yes, the base SharePoint Services 3.0 and upcoming SP Foundation(2010) will do pretty much everything he's asking for. And it's free (beer), if you are already running Server2003 or Server2008.

Also, FAR more requirements gathering is needed. What do the bosses really want?

Re:SharePoint (1)

gbjbaanb (229885) | more than 4 years ago | (#31549708)

. It also must take into account the handling of external correspondence in the future, where a recipient outside the company must have the means to return an authenticated document as a response

this sounds like the hardest part - 3rd party person will not be in the AD, so cannot be authenticated or managed with a certificate associated with the userid. Obviously if the 3rd party doesn't modify the document you can prove its not modified (but that's easy). If they do.. how do they expect whatever they send in to be an 'authenticated' document.

Personally, I'd put everything in subversion - version control every document 'published' (ie committed) to the repository, you can then see the diffs and the user who did the commit. But that's just an idea based on the relatively vague requirements we've been given.

Re:SharePoint (1)

TheLink (130905) | more than 4 years ago | (#31550572)

Problem is subversion (and the other oss version control stuff I'm aware of) isn't "business document" aware for many of the popular business document formats (including openoffice).

So you can't really see the diffs. All you know is something is changed, which often isn't very useful.

And often all that has changed is someone printed the document (which can also cause fields to be updated), or say in the case of Excel there are often changes to the file even if they aren't really visible/material to the user, they could occur just because the user opened the document or viewed a different worksheet in a workbook.

I'd be interested to know of any OSS version control software that can produce human readable diffs of openoffice or MS Office docs.

I've tried using version control for such docs and I've also had cases where I want to pull out the older version without overwriting the newer version (this is partly because of the useless diff results).

Another thing is I often do want to change the names of the documents as well - especially to include the version so that the recipients of the document can more easily see what version it is without having to open it. Some version control software don't handle renames very well.

And I doubt any are able to handle merges of openoffice/msoffice docs - say you sent a doc to someone, and do changes to your copy, and the other person works on the doc you sent, and then sends it back to you, how do you merge the changes?

Re:SharePoint (1)

gbjbaanb (229885) | more than 4 years ago | (#31550770)

it varies on the version of the Word format - 97, 2003, docx etc, but when I view diffs of a Word doc in Tortoise, it fires up a side-by-side viewer that shows things crossed out, added in colours. Somewhat like the 'track revision' feature in Word.

You can change the difference tool for different types of document, so you can do PDFs too.

Obviously some do a better job than others, and none are as good as diffs of a text document, even Word's track revisions feature can be a pain to read.

Re:SharePoint (0)

Anonymous Coward | more than 4 years ago | (#31551538)

even Word's track revisions feature can be a pain to read.

install Word 2007 along tortoise svn, it's truly impressive.

Re:SharePoint (0)

Anonymous Coward | more than 4 years ago | (#31549064)

Just be aware, that Sharepoint is a trojan horse [zdnet.com] and Microsoft will suck you dry at some point for choosing it. If you are fine with that (likely because you intend to have a new job by then), go for it.

Re:SharePoint (1)

LordThyGod (1465887) | more than 4 years ago | (#31549124)

And every time you buy a MS product, you feed the beast. And before long just about everybody will be using that stuff, and thinkin' its the only game in town. Best to just say "no".

Re:SharePoint (0, Troll)

TheReaperD (937405) | more than 4 years ago | (#31549084)

SharePoint? I doubt the OP wants to spend $50,000 in dedicated server equipment and software licenses to run this solution in search of a problem called SharePoint. Several other posters here have offered solutions that will do the job much better and cheaper than SharePoint could ever hope to live up to.

I hope one day, some good will come out of SharePoint. There does need to be more integration between different applications. But, like many Microsoft server solutions, they take 10x the hardware and money to do that same job as other solutions. I bang my head against it almost every day as I work in an "all Microsoft shop". What a waste of time and money.

Re:SharePoint (3, Insightful)

Kaboom13 (235759) | more than 4 years ago | (#31549550)

Please, enlighten me why sharepoint costs $50,000? I have several customers who run it on a single server, that also has other duties (unless you have a very large number of users, sharepoint server uses little resources). You will need licensing of Office and Windows for every employee, but the majority of offices in the real world already have that. At the end of the day, sharepoint is just a web server, it does not need anything special from the hardware. So lets say 2 redundant servers, about 2.5k each. Licenses for server 2008, iirc around $700 each. If they are a Windows shop already (and if not, then sharepoint is a bad idea_ they already have CALs and office licenses for all their users, so that's not an issue. Lets say $1k for some sort of backup solution. So before labor, and there's a ton of competition in the sharepoint world so labor is fairly cheap, we are at what, $7400 in "dedicated hardware and licenses" for a solution that could probably serve a few thousand users quite well depending on the nature of how they use it. I'm assuming of course the actual documents are stored on a separate file server/SAN hardware already. Seeing how his whole division has no real IT staff, I doubt they even have that many users.

There's a lot of things not to like about Sharepoint, it's a proprietary solution with the usual problems proprietary solutions have. But it integrates quite well with Office and is easy enough to use and customize the secretary can figure it out. To be honest, I would probably not recommend Sharepoint for his situation simply because when amateurs try to maintain a Sharepoint installation things tend to go horribly wrong, mostly because the patches and upgrades can be a bit of a clusterfuck if you don't carefully follow the steps to prepare for them. Where you came up with $50,000, especially without even knowing the number of end users, is a mystery to me.

Re:SharePoint (1, Informative)

owlstead (636356) | more than 4 years ago | (#31549644)

SharePoint is underrated???? Oh, my god. It's vastly overrated. It's Microsofts proprietary, not well thought of solution on how to do distributed, eh, things with Office document. I've had horrible problems even when doing any kind of version control on documents. I mean, isn't that the whole point of SharePoint? I can delete a document, upload a new one with the same name and it will *revert back* to the old version! Oh, yeah, you can do it online, if you use IE *and* know how to do it.

Recently I've been using the discussion board of SharePoint to distribute programming tips. I've never had a program refuse *those* particular (perfectly valid) HTML tags - without any warning whatsoever of course. I've made a howto on how to read the posts on the discussion board - never mind posting your own. You ask: what's that got to do with it? Well, the whole implementation of SharePoint lets any apt programmer scream Nooooooooooohhhhhhhhh from behind it's terminal. It's simply *that* bad.

I mean, I cannot even find anything using the software. I created the discussion board, and I could not get it to the front page, neither could the administrator. It's just a horrible mess. I mean, this is software that refuses to put a PDF icon in front of PDF files! Oh, yee gods, I hate that piece of crap.

As for the signing and verifying - the request of the Ask SlashDot: do you say that there is a good method of doing just that? Because I haven't seen it, but that might be because it is there and I refused to RTFM - if only to skip reading the EULA that's undoubtedly put right in front of it.

Re:SharePoint (1)

obarthelemy (160321) | more than 4 years ago | (#31551124)

What would you recommend then ?

Re:SharePoint (1)

owlstead (636356) | more than 4 years ago | (#31551386)

Sorry, I've got no recommendations. But I don't doubt that there are many good ones that get modded up, I've already mailed a few of them to my work mail address to see if we can put an OS solution instead of the thing that is SharePoint. I have to work with SharePoint since my company does not let me use anything else and it has left some deep scars. Unfortunately I'm not the one making the choices (or fortunately, evaluating this kind of software aint my thing).

Re:SharePoint (1)

dyerto (1750266) | more than 4 years ago | (#31549006)

SharePoint is not the most elegant or user-friendly system ever made. I have used it now at work for a few years, and it is used a lot, and does a lot, but nothing is fast or simple to use. New and current users require a lot of training. It doesn't seem to do anything very well, simply because it tries to do too much. It will integrate with Microsoft Office and you can embed InfoPath forms etc, but it never seems quite as integrated as the documentation suggests.

Re:SharePoint (1)

drjzzz (150299) | more than 4 years ago | (#31549076)

Well-under-stated, dyerto, I agree from my perspective as a user and Sharepoint site organizer (low-privilege admin). Either there is no unifying approach or else it is extremely obscure. By chance I sat next to an IT guy on a plane and complained about Sharepoint; he was returning from a week-long course on Sharepoint and he pulls out a huge tome.... that is so wrong. All I wanted was a wiki and to share some docs. Also, editing practically requires Windows, which is a problem with academic scientists, many of whom use Macs.

Re:SharePoint (1)

jonwil (467024) | more than 4 years ago | (#31549130)

The #1 problem with SharePoint is idiots who try and use SharePoint for things it was NOT designed to be used for.

Re:SharePoint (1)

YrWrstNtmr (564987) | more than 4 years ago | (#31549162)

Seconded. The requests we get weekly for someone wanting to do X, or 'can we make the OK button do something else?' is just insane.

Re:SharePoint (1)

pasamio (737659) | more than 4 years ago | (#31549176)

Like document management, lists, wiki's and information sharing...wait

Business suitable? (1)

hey! (33014) | more than 4 years ago | (#31548832)

How about iButton crypto cufflinks?

Try Knowledgetree (5, Informative)

PdbAqB (1534237) | more than 4 years ago | (#31548842)

Try Knowledgetree - It's open source, has workflow and it is fully audited: http://www.knowledgetree.com/solutions/industry-solutions [knowledgetree.com] We use it in our law firm (I manage it - we are relatively small http://1p.com.au/ [1p.com.au] and it runs without any specific expertise. I have previously tried other solutions without success. We also really appreciate knowledgetree's ability to interact seamlessly with MSOffice etc. Good luck

Memos and Correspondence.... (1)

omnichad (1198475) | more than 4 years ago | (#31548852)

Am I crazy for suggesting email? It's trivial to lock it down to a LAN if needed, and if some documents need signed and passing out to the real world, that sounds like PDF to me. You know, because PDF is portable.
 
Yes, I know you need a "history." And there are so many email archiving systems out there, that one of them must be good for actually going through that data.

Re:Memos and Correspondence.... (2, Insightful)

julesh (229690) | more than 4 years ago | (#31548898)

Am I crazy for suggesting email?

Yes. Email is great for certain document-management applications, particularly where you need everything time ordered, but it has a few key drawbacks:

* very poorly searchable (particularly if stuff is in PDF or images, as it's likely to be if it's correspondence coming from outside), which is a huge issue for some applications.
* no support for automatic workflow management.

Plone and the other suggestions here are all much better at these two than any system built on e-mail.

Doesn't mention searchability or workflow (1)

Colin Smith (2679) | more than 4 years ago | (#31549334)

Plone and the other suggestions here are all much better at these two than any system built on e-mail.

The requirements are uselessly fuzzy. Neither searchability nor workflow are specifically mentioned, though searchability is implied in "management".

It sounds to me like even MS Exchange with public folders (and therefore just about any IMAP server) could handle the requirements as
specified. Signing, authentication, tracking, indexed searching are all bog standard features of any modern email system.

You typically won't get it all in one box with OSS (but could assemble your own) but Microsoft (exchange), IBM (Notes) and a host of others have prepackaged groupware systems based round a core of email. 99% of users never use the encryption, key management, signing, tracking features, but there you go.

The primary benefit is the network effect. Email works everywhere.

Re:Memos and Correspondence.... (1)

AlXtreme (223728) | more than 4 years ago | (#31548914)

Or use email in combination with company-wide smartcards/PGP. That should take care of the signing part.

What? Are you trying to do? (4, Insightful)

Manip (656104) | more than 4 years ago | (#31548862)

Sounds like you have serious requirement overload. You need to go back and ask them what they ACTUALLY want.

For example, what is a "document?" Who is signing it? How long should the audit trail be? How many millions are you investing in this needlessly complex internal system?

What you're after simply doesn't exist and likely never will. Even if it did implementing it would be hugely expensive and time consuming.

What I don't understand is how this can replacing a paper system? Paper systems lack almost all of the features you requested... So clearly do do not NEED this stuff and thus we came around full circle to requirement overload.
 

Re:What? Are you trying to do? (4, Insightful)

twisteddk (201366) | more than 4 years ago | (#31548938)

I couldn't agree more. As a comp.sci. major, you should be able to ask the questions of: What, why, where and who (and today probably also, how much).

You need to get a decent requirement spec going, and from then on choose the system you want. There's no need to spend more money and time on features or systems that wont be used. Buying a fully fledged EDHS would be nuts if you can make due with a common fileserver and an intranet bulletin board system. Also, you might want to look at the business you're supporting, maybe there's an industry standard that might be handy to keep up with if you suddenly need to cooperate with, buy or be bought by someone else in the industry.

Also, you'd want to mimic the current working processes as closely as possible. There's nothing more deadly to a project than employees unwilling to adapt to new systems. So make the system cater to their needs instead of making them having to do things differently. Include key personel in the implementation or descision process, so that they feel that their needs are being heard and met, so they will welcome the new system. Social engineering isn't just a skill for politicians, it's one for developers too ;)

Re:What? Are you trying to do? (0)

Anonymous Coward | more than 4 years ago | (#31549018)

You need to get a decent requirement spec going

The summary has a pretty clear one. Search for "We need" and start reading from there.

Re:What? Are you trying to do? (1)

Hognoxious (631665) | more than 4 years ago | (#31550080)

Actually it doesn't at all. One, what users say they "need" is very often either what they want (not the same thing at all, if it was all systems would have a pony in them), or their attempt at a solution.

Two, it doesn't even state what industry it is, what type of documents they are, where they're coming from & going to etc etc. Take authentication - what does that mean? That you can see internally who it came from, that you can show to a third party, or that you can prove it?

Re:What? Are you trying to do? (0)

Anonymous Coward | more than 4 years ago | (#31550558)

Yeah it's always fun to separate the real needs from the fantasy wishes, but what makes you think the poster hasn't already gone through that process?

what type of documents they are

Why not be general and assume that documents can be any sequence of bytes?

Listen, the submitter asked for experiences with similar systems. If you don't have any similar experience, then shut up, and stop pretending that you would help out if only you were given a 20-page detailed explanation.

Re:What? Are you trying to do? (0)

Anonymous Coward | more than 4 years ago | (#31549962)

As a comp.sci. major, you should be able to ask the questions of: What, why, where and who (and today probably also, how much).

Unless he's Indian. They never ask questions of specs because it's showing weakness and/or criticising a superior.

Re:What? Are you trying to do? (1)

truetorment (919200) | more than 4 years ago | (#31550488)

It does indeed sound like a law firm, or at least something similar to it, with the idea of several autonomous practicing groups. If he's looking for industry standards, most of the firms use Interwoven's Worksite [interwoven.com] for a DMS. It would do most of what he's looking for, except for the external document signing portion, I believe (although I can't say for sure on the latest version, or if such a feature is built in or not--the firms I've worked at had no interest in external signing). And honestly, I don't know that there's a solution out there besides PGP signing that would allow a company to have external documents signed before receipt, without some sort of third-party product in use by the external party as well. Either way, I agree with the parent & GP here: it sounds like requirement creep, where everything under the sun is being thrown in, when (from personal experience with document management systems) you'll struggle to get staff to use even half of the features correctly even years after the transition to electronic documentation.

Re:What? Are you trying to do? (1)

value_added (719364) | more than 4 years ago | (#31549036)

Paper systems lack almost all of the features you requested... So clearly do do not NEED this stuff and thus we came around full circle to requirement overload.

It's entirely possible that most of the features requested will never be used and is someone's idea of an ideal scenario. What's being described sounds, at least to me, like the functioning of a court or parts of a large law firm. The legal field has traditionally relied on paper (lots of it, along with multiple copies for everyone), but I'm sure even they've moved on to computerised record keeping. Maybe someone else an chime in.

Me, I've alway liked carbon paper. ;-)

Re:What? Are you trying to do? (4, Informative)

ram.loss (151102) | more than 4 years ago | (#31550594)

Hi, original poster here.

Yes, I am aware there are too many details left hanging, that's why I need to hear from someone that has worked with a similar system to at least have an idea what kind of project are we dealing with. From listening to the managers, we need some serious talking to do before a formal proposal is made.

For starters, there's not much money available for the hypothetical system, so that will probably be a showstopper. When i say "documents" I mean anything that when printed on paper has to have a signature (as in "written with a pen") that identifies who wrote it/approved it, most likely a PDF file when talking about an electronic document.

I share your bafflement about the purpose of all this, presumably they want to eliminate all the time needed to move paper around four different locations, and it can't be done by e-mail due to the signature requirements (internal rules, legal implications among other things, lets not delve too much into that just now). But I think they really have not thought through all the added costs.

Re:What? Are you trying to do? (3, Insightful)

obarthelemy (160321) | more than 4 years ago | (#31551222)

This is a trap.

What your bosses want to do (go fully paperless, including all correspondence, contracts, worksheets...) is a very big project, that requires much thought, planning, management support, time, and money.

By asking you to do it on the cheap, your bosses show that they really don't understand what this is about, and when the whole thing blows, it will of course be your fault.

The one vital thing you must do is findexamples of companies of a comparable size / business that did it, with a broad idea of what it took it terms of money, time, manpower, glitches... Don't even touch the technical side, products... until you have those case studies. Pass them on to your bosses, and see if they want to go ahead.

As for getting a hold of such examples, try classmates, business partners, ask the bosses where they got the idea from, ask slashdot that question (instead of the technical one), ask potential providers for references (if you're an MS shop, MS may help)...

How big is the company (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31548866)

If this is a large company, don't cheap out there. Budget the right amount of money and buy what's available and implement it properly. That means baking it in seamlessly with the business process

It's okay to do that y'know. Sometimes saving money costs the company too much money.

Bulletin board or PDM software and Acrobat (1)

larwe (858929) | more than 4 years ago | (#31548868)

For the internal case, a bulletin board style web-based system's PM facility will provide you with delivery and confirmation of receipt. Or you could go the whole hog and install PDM software like Agile... but I doubt you want to do that ;) For the external case, I suggest using fillable PDF documents, with a secure signature generated by the addressee (this is instant and free in Adobe Reader).

Lotus NotesDomino (5, Informative)

kirthn (64001) | more than 4 years ago | (#31548886)

Lotus Notes/Domino by IBM takes care of all that...including external branches, ditigital signatures, track of who has been reading it, who where the previous readers etc etc... etc...we have been using it extensively and provides everything you just described.....

Re:Lotus NotesDomino (2, Insightful)

pasamio (737659) | more than 4 years ago | (#31549194)

Yes, notes immediately popped into mind because you can track when and where a document was as well as who did what to it. The problem with notes is that the domino management is yet another thing to learn and if you're not using it for email its another chunky client on the desktop.

Re:Lotus NotesDomino (0)

Anonymous Coward | more than 4 years ago | (#31549308)

Yes, notes immediately popped into mind...

I had the same reaction, then I remembered that Lotus Notes is freaking TERRIBLE.

http://www.ihatelotusnotes.com/

Re:Lotus NotesDomino (2, Informative)

kirthn (64001) | more than 4 years ago | (#31550138)

it's because Lotus notes is not being used well....the outsiders think it's an e-mail system, while in fact that aspect is only 10% of its capabilities...

it's a basically a high-security databse system with unique features...like replication and deep built-in security and encryption....just like that out of the box...

don't use a hammer as a screwdriver ;)

Re:Lotus NotesDomino (2, Insightful)

ajm (9538) | more than 4 years ago | (#31550840)

I think the famous last words ought to be "but then he'd be using Lotus Notes". Having to use Lotus Notes is not a pleasant experience for anyone and I don't think you should increase the amount of misery in the world, which is what you'd be doing if they switched to notes.

Re:Lotus NotesDomino (1)

kirthn (64001) | more than 4 years ago | (#31551146)

I do agree it's not the best experience when using as an e-mail client....not as best as for example using "Mail" or Eudora

as a document, approval,tracking and knowledge system it's unmatched...

and available for multiple platforms additionally....server runs on Linux as well by the way....clients for Mac/Windows (linux i believe?) and webbased clients....

clustering, replication and security together, it's unmatched....

Re:Lotus NotesDomino (1)

kirthn (64001) | more than 4 years ago | (#31551202)

additionally it's a 15 year or more proven technology, with a lot of programming and developping possibilities...from C to Java to LotusScript with already from long time a ago a range of protocols from X500 to LDAP to XML (already from year 2000 included)....

No other product has that track record ;) (and no, I don't work in a IT-related job/environmet/sales or business related) ;)

PGP + really any collaboration software (3, Interesting)

DarkOx (621550) | more than 4 years ago | (#31548906)

Give every a copy of PGP or gnupg and use your favorite collaboration program to store and version the documents. I would consider just signing the docs and not encrypting them when they are not sensitive, encryption just adds risk that you could lose data more easily. Its really important to know that it really was the comptroller who authorized the PO for that new delivery van but its not a secret the company purchased a new truck.

This should also give you some flexibility going forward. If you don't like the work flow solution you don't have to change the authentication solution or the other way around.

EPM (3, Informative)

hkabbaj (468528) | more than 4 years ago | (#31548926)

Look at https://www.uspsepm.com/ [uspsepm.com] document integrity and authentication. https://my.inscrybe.com/ [inscrybe.com] supports workflow and multiple signings and incorporates the epm.

Maybe I'm not understanding the question... (1)

Em Emalb (452530) | more than 4 years ago | (#31548952)

But couldn't something like Postini do the trick for you?

OpenOffice.org supports digital signatures (1)

Anonymous Coward | more than 4 years ago | (#31548960)

OpenOffice.org directly supports digital signatures:
Digital Signing of documents [openoffice.org]

Try the LOPSA mailing list (3, Informative)

Saint Aardvark (159009) | more than 4 years ago | (#31548986)

Try posting this on the LOPSA [lopsa.org] mailing list. It's an excellent resource, with lots of sysadmins in different environments hanging out. If you're not a member [lopsa.org] , email me (aardvark atsign saintaardvarkthecarpeted dot com) if you'd like me to post to the list on your behalf. You might also want to try the IRC channel #lopsa on Freenode.

Membership [lopsa.org] is only $50/year, and access to the mailing list alone is worth every penny. I'm a member, and it's saved my butt on occasion. Even if you're not a sysadmin, this is definitely a sysadmin-type question, and I think you'd benefit from being able to ask questions on the list.

Re:Try the LOPSA mailing list (0)

Anonymous Coward | more than 4 years ago | (#31549180)

Wow! ONLY $50 a year! For a mailing list! OMG! That dollar sign means your list must be the BESTEST!!!

Re:Try the LOPSA mailing list (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31549690)

> email me (aardvark atsign saintaardvarkthecarpeted dot com)

Why don't you write it out properly - aardvark@saintaardvarkthecarpeted.com?

Re:Try the LOPSA mailing list (0)

Anonymous Coward | more than 4 years ago | (#31549920)

I'm sure Saint Aardvark will want to thank you for the spam.

Re:Try the LOPSA mailing list (1)

Onymous Coward (97719) | more than 4 years ago | (#31550760)

A wee bit of regex contemplation gets you:

(\w+)\s*(?:@|at|atsign)\s*(\w+)\s*(?:\.|dot|period)+\s*(com|net|org)

I think address munging has to be a little more sophisticated than this example to materially reduce harvesting.

Re:Try the LOPSA mailing list (1)

ram.loss (151102) | more than 4 years ago | (#31550950)

Thank you for your kind offer. I think I will hold it until I have a more specific request to make, or at least until I know exactly what kind of system will adopt.

I am afraid...I see trouble ahead (3, Insightful)

bogaboga (793279) | more than 4 years ago | (#31548992)

Since I am the only resemblance we have to an IT department at my division, I have been commissioned with evaluating the available technology to manage and authenticate all correspondence, although it is not my area of expertise (I have a CompSci degree, but for many years have specialized in transportation modeling software).

From what you say, I can conclude that your company's staffing is anaemic in the IT department. Because of this, I suggest that you abandon this project for the time being as you build up man power and expertise in IT. Hire more folks so that they can get to know the business logic and flow of information at your company then kick start this project.

Take a clue from Munich with its Linux migration efforts.

Bottom line: A drastic change in the way you work will create lots of headache for you given that as you say, "...Since I am the only resemblance we have to an IT department at my division...".

I worried for you, but wish you the best at the same time.

Re:I am afraid...I see trouble ahead (1)

ram.loss (151102) | more than 4 years ago | (#31550696)

Yeah, worry was my initial reaction. But still I need to describe the size and implications of such an undertaking if I am to convince the managers that it is not practical to implement this system at this time. Or who knows, maybe talking things through with all the divisions we can reach more specific requirements and bring the project down to a practical size.

Possibly Lotus Domino; Need more info (4, Informative)

thebiss (164488) | more than 4 years ago | (#31549016)

You'll need to elaborate on two things to get good answers:
  - What is a document? Rich text, or scanned paper, physical paper, or something else?
  - What is authentication? Tracking electronic versions from creation, through revisions, to finalization, or something different like confirming that physical document "A" is the same as physical document "B"?

I know of solutions for the case where documents are soft copy rich text with images and and attached scanned documents. A Lotus Notes database can be easily created to track such documents, prevent over-writes, track revision histories, etc. I work for a pretty big consulting firm, and we use Domino-based systems for things like this all the time.

Some caveats -
- Domino's is easily setup, but requires product knowledge to perform well and scale. How big is your firm?
- Users will need to have Notes IDs to work with the system, as ID (certificate) + password based PKI is the foundation of Domino's authentication mechanism.

Some benefits -
- Depending upon the setup, users will be able to work with documents via your corporate intranet.
- Depending upon the setup, replication (think synchronization) can enable users to keep local copies of this data, for access while they are outside of the intranet.

Access for outsiders is more complex.
- If the outsiders are trusted (e.g. auditors,) the solution may be to give them Notes IDs and grant them access to the intranet and this system.
- If the outsiders are end-users (e.g. E&Y clients submitting their 2010 US tax forms,) then you may be into custom application space. I'll skip the plug for my company.

Re:Possibly Lotus Domino; Need more info (1)

ram.loss (151102) | more than 4 years ago | (#31550900)

I want to thank all the answers so far, in spite of the blurry account of the problem I have. I now have better understanding of what kind of project I'm facing.

As I have mentioned in a previous post; currently, a "document" is a printed paper that has a signature written with a pen on it. Oversimplifying, the proposal boils down to converting these to (probably) pdf files with an equivalent method of "signing" them and confirming to auditors that the stored files have not been tampered with after signing.

I think Domino is a good option, specially because there are some people within the company (not me) that have some experience with it. But there is still the matter of costs and personnel and even before that the question of how much it is an improvement over the current situation.

alfresco (1)

bmsleight (710084) | more than 4 years ago | (#31549030)

I have been looking at http://www.alfresco.com./ [www.alfresco.com] Looks like it will be included in Ubuntu soon.

Re:alfresco (2, Interesting)

profdeadmeat (1771780) | more than 4 years ago | (#31549586)

I would second the idea of looking into alfresco. I have not used it.
However, what it will do for you is that it will make sure that you can be using a common file system with revision control. So what would happen is that you would allow your users to network mount the alfresco filesystem across the firm. Users would read and save files to this filesystem. Anytime, it is saved, versions are created.

Alfresco Documents [alfresco.com]

Also, it does handle signatures with the plugin from http://www.viafirma.org/ [viafirma.org] (note, that is in spanish but works fine with google translate) http://viafirma.googlecode.com/svn/ [googlecode.com]

Those saying stop working on this and hire people are thinking that you have a large firm. That is not really a great option.
What I would recommend is that you do setup single signon if you can.
The first start is to have an LDAP server.
ActiveDirectory does provide that. If you want to provide kerberos/active directory and ldap there are open source solutions.

alfresco and sharepoint (1, Informative)

Anonymous Coward | more than 4 years ago | (#31549052)

I second the "Alfresco" suggestion. It has Records Management capabilities that satisfy the Government Records keeping requirements (5015.2). SharePoint is another option that has similar record keeping functionality that can be added.

All Good Suggestions For the Most Part... (3, Insightful)

DarkKnightRadick (268025) | more than 4 years ago | (#31549056)

...but everyone is ignoring the pink elephant in the room.

No common IT infrastructure? I'd tell them to attack that before implementing anything new company wide. Without a common IT infrastructure you'd have to get a poll for exactly what each division has (does each division have a common infrastructure, I hope so) and pray that each division has standardized on something whether it be *Nix, Windows, Mac or whatever. Once you have that, getting an electronic document handling system will be much easier as you'll have only to worry about file formats from one office suite (and possibly PDFs).

As for signing of documents, PDF is the only format that handles that internally, though I guess you could get people to get their own PGP keys, though I think the hassle would not be welcome.

To summarize:
1. Get company to implement standard IT infrastructure company wide
2. Get IT department to implement EDHS
3. ???
4. Profit! --- very important to companies, apparently less so to /.ers :p

Re:All Good Suggestions For the Most Part... (1)

ronoholiv (1216262) | more than 4 years ago | (#31549208)

Agreed. No common IT infrastructure means months of headaches in implementation, especially if one of the divisions has a much higher security than the others.

HQ and the three "autonomous" divisions need to pool their IT resources together first and make sure that whatever solution(s) they come up with is really usable across every organization. There needs to be a commonality across what is supported both internally and externally before even thinking about what the best solution is. Then you've got security across the four entities to consider, any and all legal implications, disagreements between the IT departments...ugh.

This is a huge undertaking, and I feel bad for you. Good luck anyway.

Re:All Good Suggestions For the Most Part... (2, Interesting)

sphealey (2855) | more than 4 years ago | (#31549322)

> No common IT infrastructure? I'd tell them to attack that before implementing anything
> new company wide. Without a common IT infrastructure you'd have to get a poll for
> exactly what each division has (does each division have a common infrastructure, I
> hope so) and pray that each division has standardized on something whether it
> be *Nix, Windows, Mac or whatever. Once you have that, getting an electronic document
> handling system will be much easier as you'll have only to worry about file
> formats from one office suite (and possibly PDFs).

Well, that's one school of thought. And one which has been on the ascendancy for the last ten years, in part because there are philosophical arguments for it and in part because it fits very well with the business/sales model of the large consulting/outsourcing firms. And of course if "standardized" means "standardized on Microsoft" then MS is in favor too ;-)

However, there are other theories of business organization, and I have worked for quite large organizations which reject the concept of company-wide standardization. In their view, such efforts lead directly to lack of flexibility, growth of "preventer of IT services" bureaucracies (or any other service, not just IT), and rapidly inflating costs. So don't assume that the OP's executives _want_ a nice tidy "architecture" for their firm.

sPh

Re:All Good Suggestions For the Most Part... (0)

Anonymous Coward | more than 4 years ago | (#31549522)

As for signing of documents, PDF is the only format that handles that internally, though I guess you could get people to get their own PGP keys, though I think the hassle would not be welcome.

Well, ODF 1.2 will standardize signing too. OpenOffice.org already implements it in a easy to use way for some time.

Voltage Secure-stuff? (1)

Bazman (4849) | more than 4 years ago | (#31549062)

I recently got some data from a health agency, and they sent it using Voltage SecureMail.

Not sure of the exact specifics, but it seems that when they send an email with a secure attachment the file is stripped, stuffed on a repository, then I get a link. I have to register and sign in, then I can download the attachment. Personally I'd rather all attachments worked this way rather than people sending individual multi-megabyte files over SMTP to multiple recipients, most of which wont bother reading them... But I digress.

  So I had a look at the Voltage web site and it seems they may be a solution provider who can synergise your workflow experience management:

http://www.voltage.com/products/ [voltage.com]

  I'm sure they'll love to hear from you.

 

Re:Voltage Secure-stuff? (1)

peragrin (659227) | more than 4 years ago | (#31549198)

I don't. we mail multi page PDF's and excell sheets back and forth where I work. Having to log into a separate website and download pdf's 10-50 times a day would be more annoying.

What is needed is for email to move into the 21st century. redesigned to handle all the things that it is asked to do.

Re:Voltage Secure-stuff? (0)

Anonymous Coward | more than 4 years ago | (#31551610)

I don't. we mail multi page PDF's and excell sheets back and forth where I work. Having to log into a separate website and download pdf's 10-50 times a day would be more annoying.

Starting with outlook 2003 (and maybe earlier) you can have attachments automagically go into a sharepoint repository. The recipient doesn't need a separate login, they just click on the attachment like any other. Works pretty well.

Sense/net, SharePoint, OpenText, Interwoven (1)

charnov (183495) | more than 4 years ago | (#31549118)

Sense/net, SharePoint, OpenText, Interwoven ordered by cost. My personal favorite is Interwoven TeamSite as it hooks directly into Office.
Documentum is awesome but so is the price...

The are multiple document management solutions (1)

Omnifarious (11933) | more than 4 years ago | (#31549220)

But no real authentication systems that accomplish the goals you lay out. Even PGP (if you can convince people to use it and educate people on how it works) only accomplishes signing. It will not track these documents in the manner you describe.

And PGP has significant problems. People understand what passwords are. They do not have a clue what a 'private key' is, or what it means to use one. This requires significant education effort. And unfortunately the user interfaces surrounding products that use PGP do little to help this educational process. Most of them seem to be designed by crypto-geeks who assume that everybody already knows these things and just wants a convenient way to manage them.

And, unfortunately, PGP is not widely supported in email clients outside of the GNU/Linux sphere. Even Thunderbird requires a plugin for adequate support. Everybody else seems to have assumed that the bletcherous, ugly, stupid mess that is an X.509 certificate is what people will use, if they use anything at all.

In my opinion, this state of affairs is ripe for some kind of solution. It was one of the problems I meant to address when I started CAKE [cakem.net] years ago. But that project has stalled out because of time and a the general fact that unless I'm being paid, I tend to drop things as soon as I prove to myself that they work.

Re:The are multiple document management solutions (0)

Anonymous Coward | more than 4 years ago | (#31551380)

In my opinion, this state of affairs is ripe for some kind of solution. It was one of the problems I meant to address when I started CAKE [cakem.net] years ago. But that project has stalled out because of time and a the general fact that unless I'm being paid, I tend to drop things as soon as I prove to myself that they work.

NSFW! Don't click it! the cake is a lie!

You are on the right path... (1)

medea (38161) | more than 4 years ago | (#31549266)

...but I assume in your case you should probably have a look at something backed by a commercial company which will take the hassle to certify the system and your workflows. Have a look at Alfresco (alfresco.com) which already has some certifications (e.g. http://www.alfresco.com/media/releases/2009/10/records-management/ [alfresco.com] ).

Alfresco rocks (0)

Anonymous Coward | more than 4 years ago | (#31549296)

Alfresco can be a pain to get setup the first time, (though they have improved it a lot) it has user and group based access that can reference Active directory using NTLM, Kerberos or LDAP and single sign on is an option (so it pickups desktop credentials so you never use a username and password). you can have windows file shares through CIFS/SMP that you transparently sign on to from windows.

it even has the SharePoint protocol support so you dont have to download a document to edit it....you can edit online.

it also has document conversions, workflows, rules, can receive and file documents via email, and has a robust api

the "who recieved it when bit" is not built in but you could easily extend it its functionality. it will though keep track of any modifications. It does have auditing that i have never explored and may keep greater track of things than i am aware

YUO` FAIL IT (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31549386)

hav3 somebody just to 4ave regular

depends on what you mean by 'signing' (1)

BuffPustule (519330) | more than 4 years ago | (#31549396)

The question I have is what you mean by 'signing' a document.

If you mean that a piece of paper has been physically signed by someone and then scanned and an image retained, then you need a document imaging system.

If you mean to go paperless and can get people to fill out online forms, you can make the case that they are doing the electronic equivalent of signing when they log into the system with their own username and password AND they click on a given button (eg. "Submit" or "Apply Signature") and perhaps type in their initials into a small text field.

There are at least two ways you can handle online forms with Plone: PloneFormGen or custom content types via Archetypes. If you use custom content types, the History tab shows you changes to the content item (who, when), and if you have a workflow assigned to it, the workflow history is retained as well, showing when the item was transitioned to, say, the "signed" state and by whom. If you use PloneFormGen, simply include in the form two hidden and/or non-user-editable fields (datetime with default value the current date/time, and username with default value the currently logged in user).

Try http://indorse-tech.com/ (0)

Anonymous Coward | more than 4 years ago | (#31549428)

http://indorse-tech.com/ [indorse-tech.com] -- the have a software product that signs your documents and can track when people open and view them via a "Call Home" technology. Runs on top of sharepoint or stand alone, iirc. Tracks Microsoft Office, PDF, etc...

Ask the other divisions? (3, Interesting)

BitZtream (692029) | more than 4 years ago | (#31549438)

I realize your company may not make it easy to do so, or the other departments may not help but ...

Have you considered, since you're the only one in your portion that asking them for help may useful?

I'm making a lot of assumptions about an ideal situation that may not apply to you, I realize that, so it may not be possible for you.

If it were though, you might find that you can save yourself a lot of time just by working with the other groups.

You could also very well create a new position for yourself, pull all 3 divisions together and save some money in IT and you might end up in charge of all of them. (if you want to do that, personally I still prefer to be in the trenches).

Either way, you may find that they've already done this research and found something that didn't work for them, but might work for you, OR might work for everyone if you all got together to do it, versus not being cost effective for one group to do it.

A company I worked for was bought out a long time ago, we basically continued to operate as 2 companies under one name for a long time. Then our IT department started pushing to integrate, taking the best parts of both companies and merging into a better structure overall. We ended up saving a lot of money.

Interestingly enough, our IT was killed off and released shortly after we suggested that moving the web servers that had a window view of wall street to somewhere that we could run them for 10 years for the same cost as single day in their current data center ... So you may want to be careful what you suggest.

Another interesting twist was that shortly after we got 'released', the company was bought once again, by a company near Atlanta, which promptly closed all the offices on Manhattan, including the one that was chosen over us. Senior management from our original company passed along the word that the new buyers made it clear that stupid choices like killing our data center and keeping one in Manhattan is exactly why they were now going to be looking for new jobs themselves.

We were vindicated, but some of us were still unemployed unfortunately. Either way, it may still be worth your while to try.

Re:Ask the other divisions? (0)

Anonymous Coward | more than 4 years ago | (#31551446)

Someone call a bwaaaaahmbulance.

Re:Ask the other divisions? (1)

ram.loss (151102) | more than 4 years ago | (#31551678)

Yes, there will be talks with representatives of all divisions. We're just in the process of gathering the necessary information to at least have something concrete to talk about.
Another factor to consider is the fact that the IT department at the central offices is not as undermanned, although they have their hands full. So I need to cooperate with them if a solution is eventually adopted.

Oracle? (0)

Anonymous Coward | more than 4 years ago | (#31549462)

If you're looking for a paid-for solution, you might go talk to Oracle. They have some interesting options in content management. Not sure if it's the right fit for your case though.

Pharmaready DMS (1)

Gushi (210940) | more than 4 years ago | (#31549516)

PharmaReady [pharmaready.com] has a DMS system that should be able to do what you ask provided you have the webserver available outside your intranet. Instead of passing documents via email, authorized users would upload them themselves and then pass a link. The system is designed with FDA regulations in mind and keeps an audit trail of all activities and has well defined users and user permissions.

Open Text FirstClass & Social Media (1)

kannontech (1771804) | more than 4 years ago | (#31549546)

Open Text FirstClass & Social Media are easy to manage secure messaging, document management, and online communication and collaboration solutions that can do what you need without large IT infrastructure.

Validated systems (1)

Attila Dimedici (1036002) | more than 4 years ago | (#31549710)

What you are looking for is similar to what is used in GLP/GMP validation. You are in over your head. There is software that does what you need, but in order to get it set up so that it is legally binding requires a specialized knowledge set.
It is not that it would be impossible, or even ridiculously difficult, for you to set this up. However, if your company wants to do this in any sort of reasonable time frame (less than a year), you will need to work on this as your primary task. You will, also, need the authority to demand responses from a lot of different people in the company. If you don't have somebody who has the authority to fire anybody in the company backing it (by backing it, I mean insisting on updates every so often and leaning on whoever you are waiting for a response from) , it won't happen. Basically, the story is, this is something that requires company-wide buy in.

Re:Validated systems (0)

Anonymous Coward | more than 4 years ago | (#31549840)

Sorry to disagree but GLP/GMP is just an overcomplicated way of saying what processes you use for development. support, maintenance of software etc. I think you may be confusing those regs with CFR 21 PART 11, which is all about legally non-reputable source data using electronic signatures, digital signatures etc. http://en.wikipedia.org/wiki/Title_21_CFR_Part_11

ECM (1)

ArhcAngel (247594) | more than 4 years ago | (#31549846)

Perhaps I am misunderstanding the inquiry but it sound like you are asking about enterprise content management [google.com] .

Sendside may be perfect (1)

pyite69 (463042) | more than 4 years ago | (#31549890)

https://www.sendside.com

Secure document management, electronic signatures, and many other features, using a SaaS model like Salesforce

NetDocuments (1)

bradvoy (686502) | more than 4 years ago | (#31549906)

Take a look at NetDocuments [netdocuments.com] . It's SaaS, so you don't have to maintain servers, and sharing documents between multiple offices is trivial. It includes digital signature functionality.

NextDocs/Sharepoint (1)

SemperUbi (673908) | more than 4 years ago | (#31549956)

We found that Sharepoint didn't offer the level of document authentication that we needed for the FDA-inspected laboratory in our organization. NextDocs is a 'bolt-on' to Sharepoint that offers an electronic signature feature. We're rolling that out now and it seems pretty useful. So if you go the Sharepoint route and it isn't enough, this is worth checking out. Also, you get to say 'bolt-on' in conversation, with maybe an accidental 'strap-on' now and then.

yes I am a human (1)

adaviel (1189751) | more than 4 years ago | (#31549978)

what's this "You failed to confirm you are a human. Please start from the beginning and try again. If you are a human, we apologize for the inconvenience" thing ?

Adobe Acrobat has cross-platform support (1)

adaviel (1189751) | more than 4 years ago | (#31549986)

Adobe Acrobat will do some of this, if not all. It does not require a central document repository and works across platforms - at least, as I recall, documents can be signed and verified on Linux though must at present be created in Distiller on Windows. As PDF is a somewhat open standard there is at least the possibility of other tools supporting the digital signatures.
A document may have multiple signatures placed in the document body in a natural way - i.e. where you might have an ink signature box. You need a certificate authority of your own to issue certificates to signers - after all, anyone can get a Verisign certificate, and who's to say that Joe Bloggs, even he is the real Joe with passport to prove it, can sign off on your reactor design ?
There are some options to set when the document is created that control whether it can be signed by the free cross-platform reader or only by the paid-for Distiller.
Drawbacks vs. GPG digital signatures - only works on PDF files, must be created on Windows.
Advantages - natural signing/verification mechanism built into the reader.

More info needed (1)

ulski (1173329) | more than 4 years ago | (#31550968)

English is not my native language but I’ll do my best. I agree with the people here that told you to find out more about what the company really needs, and maybe your company should think about getting a common IT infrastructure first. In general it would be a good idea to try to document your processes (what is supposed to happen when we receive this and that type of document? and what will you need to do with these documents? Just store them? or are the documents meant to be edited by multiple sub contractors? For some companies it makes sense to have systems that functions as both crm and document control system. It might also be nice to be link to other types of systems and that is why you would be better off if you have a common it infrastructure. There are many big vendors - some are "general purpose" systems and some focus on specific industries. In the plant/ oil and gas industry contractors and oil companies use systems which can handle documents in ways required be local government. You should check out if your company needs to follow state rules regarding how to handle documentation. Some systems are really good at handling cad files - the best of them got support for reference drawings and revisions as well as functionally needed for controlling documents linked to each other per project. They might also have support for setting up the cad application to follow a drawing standard per project (a type of super template). People here mentioned Documentum and Sharepoint, and there are of course many more and I can add 2 to the list: Bentley Systems (Projectwise) and Software Innovation (Proarc).

Have a look at Lotus Forms (1)

NotesSensei (997996) | more than 4 years ago | (#31550986)

Lotus Forms (not to be confused with Lotus Notes or LotusLive Forms Turbo) is a XForms implementation that has an XML extension for pixel perfect form rendering (there's an add-on that even allows you to scan your empty paper forms for conversion. It can run off a forms server or even without a connection using a forms client. It allows for overlapping digital signatures (you sign your stuff, I cross sign, so you can't change your mind) including signing of attachments. Two aspects are remarkable: Since the form is kept in every file you always will see the original as filled in (so both form and data is signed). Since data is stored in an XForms instance extraction of data is easy using XPath. Disclaimer: I work for IBM.

RUNA, nuxeo (1)

WetCat (558132) | more than 4 years ago | (#31551020)

You can try to make a solution for your problem by using Runa-WFE http://wf.runa.ru/About [wf.runa.ru]
It's free software, and, as far as I know, can handle your tasks.
Also you can try to look to http://www.nuxeo.org/xwiki/bin/view/Main/ [nuxeo.org]
Both products are based on Jboss

Consider XAdES (1)

fritsd (924429) | more than 4 years ago | (#31551516)

I must admit I'm not terribly familiar with the problem, but consider XAdES [w3.org] (XML Advanced Electronic Signatures) wikipedia [wikipedia.org] ) as requirement of signing your documents, because it seems a reasonably well backed standard if ETSI standardized it since 2002 and the EU encourages it [telecomforum.eu] for intergovernmental correspondence. It also seems future-proof if it has the signing algorithm as a parameter instead of predefined.
Also, the upcoming ODF 1.2 supports it (see ODF spec part 3 chapter 4).

Try Nextlabs (0)

Anonymous Coward | more than 4 years ago | (#31551680)

Sounds like you're looking for an Information Compliance solution. Take a look at http://www.nextlabs.com

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?