Alphax wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Berend Tober wrote:
Is it possible to have multiple persons sign a single file? If so, how
is this done?

The particular scenario is currently this: Employees submit expense
reports for business travel using a spread sheet. Current practise is
the the employee fills out spread sheet via computer (or optionally
prints blank spread sheet template and writes by hand with a pen),
physically signs using pen and ink, physically delivers signed hardcopy
to supervisor for supervisor pen-and-ink signature prior to payment
processing.

Desired practise is to eliminate both producing hard copy and
pen-and-ink signatures, and then re-work the process using gpg
electronic signatures. Thus, employee would enter data into expense
report spread sheet, save, gpg sign, mail to supervisor, supervisor
would (presumably) open and review spread sheet, close without changing,
gpg sign, and then return to employee or forward to accounting dept.

Sounds straightforward, but I didn't spot in the various
manuals/guides/how-to's for gnupg how a second individual could add
their signature after me.


Use detached signatures? Generate a key to sign the document with, and
have that key signed by the supervisor?
What I don't like about doing that explicitly is that every additional signature, at least in the default operational mode, appends an additional ".sig" file extension. Further more, the signatures are wrapped withing one another, so that to verification would require serial verification of each preceding outer layer signature. What I've been refining during the last couple days uses a command line script to append additional detached signatures into a single signature file. This approach models more directly the co-signature concept of legacy contracts, i.e., think of buying a house -- you and you spouse are co-signators rather than having one sign the contract and the other sign the others signature. What you suggested models the concept of a notary public witnessing a signature, but that we already have by signing public keys in the trust model.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to