What good, standard digital signature / timestamp verification clients are widely or easily deployed?

Clients? That rather misses the point. It's really about file formats and protocols.

x509 is a cornerstone of encryption implementations. Although it's just a starting point for implementing software on, it should probably be your starting point for looking for software.

About 10 years ago, I needed to implement a PKI for my then employers. The route I took was to set up a root Certification Authority using openSSL. At that time x509 verification for email required plugins for MSOutlook Express and Eudora (but not for the Bat!). IIRC, these are now built-in as standard. Wincrypt (file encryption) was available as a free download and Stunnel had just been ported to MSWindows.

Certainly 10 years is a long time in encryption circles - but the nice thing about x509 is it accommodates different algorithms / key sizes. It also builds on the same basis as LDAP.

More recently there have been many more tools implemented using SSL type encryption - e.g. Gnu Anubis (OK, it doesn't actually add the sigs - but provides hooks for calling openssl), smart cards


One option would be to digitally sign a message with the XML attachment with S/MIME. Use an online page on which users can enter their email address to which a copy will be sent.

Another option would be to use a signed PDF. The PDF standard allows PDF documents to be digitally signed and supports attached documents. The XML can be attached to the PDF as an attachment. The complete PDF including the attachments will be signed.

If you want to make it easier for end-users to check the signature, you should make sure that you use a universally trusted x.509 certificate or use your own certificate and publish the thumbprint of the certificate somewhere.

Martijn Brinkers


Signatures which adhere to an open standard, can be validated on [...] Mac [...]

On the Mac, there's a Certificate, Key and Trust service which is built in all over the place. That means that you could send them S/MIME data and they'd be able to inspect the certificate and its trust path in the mail client. On the other hand, the UI just looks like a little tick or cross in a bar above the message. That's also the problem with using TLS - it works, but it works silently, and in some situations it fails silently too. Everything in between needs special knowledge to comprehend.

There is a third-party plugin for GPG in Apple Mail, but as you observed in your question registration and subsequent correct use of OpenPGP is hard.