Digital Signatures in Office 2010


Hello, my name is Shelley Gu and I am a Program Manager on the Trustworthy Computing Security team. I’d like to introduce some new features we have added to digital signatures in Office 2010. First I’ll briefly explain what digital signatures are and how to use them, and then I’ll dive into the details about how they work in Office 2010.

What are digital signatures?

More and more business transactions are being conducted electronically. Consequently, digital signatures are being used increasingly to legally bind relying parties to their transactions. A digital signature is used to verify the identity of the person who signed the document, and confirms that the content was not modified after the digital signature was applied to the document. Digital signatures provide security based on cryptographic technologies and help mitigate the risk associated with electronic business transactions. With improvements to digital signing, Office aims to meet the information security needs of enterprises and public sector entities worldwide.

To create a digital signature, you must have a digital certificate, which proves your identity to relying parties, and should be obtained from a reputable certificate authority (CA). If you do not have a digital certificate, Microsoft has partners that provide digital certificates as well as other advanced signature services that are integrated into Office at the Office Marketplace.

Inserting a digital signature

In Word, Excel and PowerPoint 2010, a digital signature can be added by going to the Office Backstage View:

[image: the Office Backstage View]

A signature line or signature stamp can be added in Word, Excel, and InfoPath by going to the Insert Tab:

[image: the Insert tab]

A signature line looks like this:

[image: a signature line]

A signature stamp (more commonly used in Eastern Asia) looks like this:

[image: a signature stamp]

How do signatures work in Office?

Office 2007, and later versions, use an open signing standard called XML-DSig that replaces the less advanced binary signatures from Office 2003 and earlier versions. XML-DSig represents a signature in a mostly human-readable XML format. For more information on XML-DSig, see http://www.w3.org/Signature.

Office 2010 digital signatures are able to use advanced algorithms (like the elliptic curve public key algorithm) supported by Windows Vista and later. All supported operating systems also allow the use of more robust hashing algorithms, like SHA-512.

The most immediate problem with digital signatures is that the certificate you use will expire – usually in as little as one year. After the certificate has expired, no one should trust the signature. If you want to be able to trust a signature over a longer period, then you must keep copies of the information needed to validate the certificate. You might also need to worry about the cryptography becoming obsolete.

Fortunately, a solution to these problems is available in an extension to the XML-DSig standard called XAdES.

What is XAdES?

XAdES (XML Advanced Electronic Signatures) is a set of tiered extensions to XML-DSig; each level builds on the previous one to provide a progressively more reliable digital signature.

By implementing XAdES, Office complies with the European Union Advanced Electronic Signature Criteria in Directive 1999/93/EC as well as a new Brazilian government directive which defines XAdES as the accepted standard for digital signing in Brazil.

Office 2010 can create different levels of XAdES signatures on top of XML-DSig signatures:

Table of the different digital signature levels (image). If you can't view the information in the image, please e-mail OffTeam@microsoft.com and simply request the text-based information backing the post. Thanks.

The Office 2010 Beta only creates up to and including XAdES-T signatures, but Office 2010 RTM will be able to create all the signatures in the above table.
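The level of an existing signature can be read off the XAdES qualifying properties it contains, since each tier adds specific elements (a signature timestamp for XAdES-T, certificate and revocation references for XAdES-C, a timestamp over those references for XAdES-X, the embedded certificate and revocation values for XAdES-X-L, an archive timestamp for XAdES-A). The following is an added example, not code from Office or from this post: it parses a signature with the Python standard library and reports the highest level whose elements are present and non-empty, so that an empty placeholder element does not count. The element names come from the XAdES v1.3.2 schema (ETSI TS 101 903); the sample signatures and their base64 values are constructed for the example and are not real signatures.

```python
# Added example, not Office's own code: determine which XAdES level a signature
# carries by checking which qualifying properties are present and non-empty.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"  # XAdES v1.3.2 schema namespace
NS = {"ds": DS, "xades": XADES}

SIGNED = "xades:SignedProperties/xades:SignedSignatureProperties/"
UNSIGNED = "xades:UnsignedProperties/xades:UnsignedSignatureProperties/"


def _present(elem, path):
    """True when the element exists and has content: an empty
    <xades:CompleteCertificateRefs/> does not make a signature XAdES-C."""
    found = elem.find(path, NS)
    return found is not None and (len(found) > 0 or (found.text or "").strip() != "")


def xades_level(xml_text):
    """Return the XAdES level name, 'XML-DSig' for a plain signature, or 'not signed'."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == "{%s}Signature" % DS else root.find(".//ds:Signature", NS)
    if sig is None:
        return "not signed"
    qp = sig.find(".//xades:QualifyingProperties", NS)
    if qp is None:
        return "XML-DSig"
    level = "XAdES-BES"
    if _present(qp, SIGNED + "xades:SignaturePolicyIdentifier"):
        level = "XAdES-EPES"
    if not _present(qp, UNSIGNED + "xades:SignatureTimeStamp"):
        return level
    level = "XAdES-T"
    if not (_present(qp, UNSIGNED + "xades:CompleteCertificateRefs")
            and _present(qp, UNSIGNED + "xades:CompleteRevocationRefs")):
        return level
    level = "XAdES-C"
    if not (_present(qp, UNSIGNED + "xades:SigAndRefsTimeStamp")
            or _present(qp, UNSIGNED + "xades:RefsOnlyTimeStamp")):
        return level
    level = "XAdES-X"
    if not (_present(qp, UNSIGNED + "xades:CertificateValues")
            and _present(qp, UNSIGNED + "xades:RevocationValues")):
        return level
    level = "XAdES-X-L"
    if _present(qp, UNSIGNED + "xades:ArchiveTimeStamp"):
        level = "XAdES-A"
    return level


def _sample(unsigned_props):
    """Constructed minimal signature around the given unsigned properties.
    The base64 values are placeholders, not real signatures or tokens."""
    return f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" Id="idPackageSignature">
  <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo>
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties Target="#idPackageSignature">
      <xades:SignedProperties Id="idSignedProperties">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2010-01-15T10:00:00Z</xades:SigningTime>
          <xades:SignaturePolicyIdentifier><xades:SignaturePolicyImplied/></xades:SignaturePolicyIdentifier>
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
      <xades:UnsignedProperties>
        <xades:UnsignedSignatureProperties>{unsigned_props}</xades:UnsignedSignatureProperties>
      </xades:UnsignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""


TS = ("<xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>dG9rZW4="
      "</xades:EncapsulatedTimeStamp></xades:SignatureTimeStamp>")
REFS = ("<xades:CompleteCertificateRefs><xades:CertRefs><xades:Cert/></xades:CertRefs>"
        "</xades:CompleteCertificateRefs><xades:CompleteRevocationRefs><xades:CRLRefs/>"
        "</xades:CompleteRevocationRefs>")
REFS_TS = ("<xades:SigAndRefsTimeStamp><xades:EncapsulatedTimeStamp>dG9rZW4="
           "</xades:EncapsulatedTimeStamp></xades:SigAndRefsTimeStamp>")
VALUES = ("<xades:CertificateValues><xades:EncapsulatedX509Certificate>Y2VydA=="
          "</xades:EncapsulatedX509Certificate></xades:CertificateValues>"
          "<xades:RevocationValues><xades:CRLValues><xades:EncapsulatedCRLValue>Y3Js"
          "</xades:EncapsulatedCRLValue></xades:CRLValues></xades:RevocationValues>")

# A timestamped signature whose reference elements were written but left empty: XAdES-T, not C.
SAMPLE_T_EMPTY_REFS = _sample(TS + "<xades:CompleteCertificateRefs/><xades:CompleteRevocationRefs/>")
# A signature carrying every element up to and including the embedded values: XAdES-X-L.
SAMPLE_XL = _sample(TS + REFS + REFS_TS + VALUES)

if __name__ == "__main__":
    print(xades_level(SAMPLE_T_EMPTY_REFS))  # XAdES-T
    print(xades_level(SAMPLE_XL))            # XAdES-X-L
```

Feed it the `_xmlsignatures/sig1.xml` part from a signed Office package (after unzipping the .docx/.xlsx/.pptx) to see which level the file actually carries; this only classifies the structure and does not verify the signature or the timestamp token.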

Time stamping and XAdES-T signatures

Time stamping digital signatures (XAdES-T signatures) is an important scenario we focused on in Office 2010. In order to create a time stamped signature, you’ll need to:

  • Set up a timestamp server that complies with RFC 3161.
  • Configure signature policy to let the client systems know where to locate the timestamp server. You’ll also need to add the timestamp server’s root certificate to the root certificate store.

Once everything is configured, you can just create signatures like you normally would. A timestamp from a trusted timestamp server extends the life of your signature, because even after the certificate expires, the timestamp proves that the certificate had not expired at the time of signing. As a result, time stamping protects against certificate expiration, and if the certificate was revoked after the signature was applied, the signature is still valid, because the timestamp shows that the signature predates the revocation.
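The difference a trusted timestamp makes is easiest to see as a small validation decision. The following is an added example (not Office's validation code, which is not described here): without a timestamp the verifier can only check the signer's certificate as of the current time, because the SigningTime inside the signature is signer-supplied data; with a timestamp from a TSA whose root is in the trusted store, the certificate is checked as of the timestamp time instead. The certificate dates, revocation dates and verification time are constructed for the example, and the scenarios cover the edge cases the paragraph mentions: expiry after signing, revocation after signing, revocation before signing, and a timestamp from an untrusted TSA.

```python
# Added example, not Office's own validation code: how a trusted RFC 3161
# timestamp changes the answer to "is this signature still valid?".
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class SignerCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from the CRL/OCSP response; None if never revoked


def cert_valid_at(cert, when):
    """The certificate was usable at `when`: inside its validity period and not yet revoked."""
    if not cert.not_before <= when <= cert.not_after:
        return False
    return cert.revoked_at is None or when < cert.revoked_at


def signature_trusted(cert, now, timestamp_time=None, tsa_trusted=True):
    """Decide at time `now` whether to trust a signature made with `cert`.

    Without a timestamp the verifier has nothing proving *when* the signature was
    made, so it must check the certificate as of `now`.  With a timestamp from a
    TSA whose root certificate is trusted, the TSA vouches that the signature
    existed at `timestamp_time`, so the certificate is checked as of that moment.
    A timestamp from an untrusted TSA is ignored, which brings you back to `now`.
    """
    if timestamp_time is not None and tsa_trusted:
        return cert_valid_at(cert, timestamp_time)
    return cert_valid_at(cert, now)


# Constructed scenario: a one-year certificate, a document signed and timestamped
# in March 2010, and a verifier looking at it in mid-2012.
CERT = SignerCert(not_before=utc(2010, 1, 1), not_after=utc(2011, 1, 1))
SIGNED_AT = utc(2010, 3, 1)
LATER = utc(2012, 6, 1)


def scenarios():
    """Map each scenario to the verifier's decision (True = trusted)."""
    revoked_after = SignerCert(CERT.not_before, CERT.not_after, revoked_at=utc(2010, 9, 1))
    revoked_before = SignerCert(CERT.not_before, CERT.not_after, revoked_at=utc(2010, 2, 1))
    return {
        "no timestamp, cert expired": signature_trusted(CERT, LATER),
        "timestamp, cert expired": signature_trusted(CERT, LATER, SIGNED_AT),
        "timestamp from untrusted TSA": signature_trusted(CERT, LATER, SIGNED_AT, tsa_trusted=False),
        "revoked after timestamp": signature_trusted(revoked_after, LATER, SIGNED_AT),
        "revoked before timestamp": signature_trusted(revoked_before, LATER, SIGNED_AT),
        "timestamp after expiry": signature_trusted(CERT, LATER, utc(2011, 3, 1)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30} -> {'trusted' if ok else 'NOT trusted'}")
```

The "revoked before timestamp" case is why XAdES-C and above capture the revocation information as well: the timestamp alone says when the signature existed, and the verifier still needs to know the certificate's status at that moment.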

Creating XAdES signatures in Office 2010 RTM

By default, Office 2010 creates XAdES-EPES signatures. Registry settings are used to specify the level of signatures to create. There are two registry settings to control the type of signature Office creates, XAdESLevel and MinXAdESLevel.

Table describing the XAdESLevel registry setting (image).

Table describing the MinXAdESLevel registry setting (image).

The MinXAdESLevel setting allows you to ensure that created signatures meet your required XAdES level. A XAdES-T or higher signature will fail if the timestamp server isn’t available, and a XAdES-C or higher signature will fail if revocation information isn’t available. Having a minimum setting allows scenarios where you could attempt a XAdES-X-L signature, but fall back to XAdES-EPES if the timestamp server is down.

To create XAdES-T signatures and above you will need to provide Office with a time stamp server to query for time stamps:

Table describing the TSALocation registry setting (image).

Recommendations for XAdES signatures

If you want to create XAdES signatures, we recommend using one of three levels:

  • XAdES-EPES – This setting is the default, because it has no additional requirements beyond what is needed to create an ordinary XML-DSig signature.
  • XAdES-T – This requires that a timestamp server be available that complies with RFC 3161, and that Office be configured to use the server. If you have a timestamp server, XAdES-T should be your default.
  • XAdES-X-L – If you have a timestamp server, and have a need for signatures that include full revocation and certificate chain information, use this setting.

Example:

Sam wants to create XAdES-X-L signatures. If this is not possible, he is willing to accept any signature that is at least a XAdES-T signature. He sets:

  • XAdESLevel = 5 (he’s requesting XAdES-X-L)
  • MinXAdESLevel = 2 (his minimum accepted type of signature is a XAdES-T signature)

In this case, Office attempts to create a signature up to the XAdES-X-L level. If Office is unable to create a XAdES-X-L signature, Office falls back to the last XAdES level it did complete, provided that level is not lower than MinXAdESLevel. So here, XAdES-T, XAdES-C, and XAdES-X signatures would all be acceptable if Office is unable to create a XAdES-X-L signature. Otherwise, Office does not add a signature.
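The fallback rule can be simulated to check what a given pair of settings yields when the timestamp server or the revocation information is unavailable. The following is an added example, not Office's own logic: it walks the levels in order, stops at the first step whose prerequisite is missing, and keeps the last level that completed if it meets the minimum. The numeric values 2 (XAdES-T) and 5 (XAdES-X-L) are the ones the post gives; 1 for EPES, 3 for C and 4 for X are my assumption from the order of the levels, as is the mapping of which step needs the timestamp server and which needs revocation data.

```python
# Added example (not Office's own logic): simulate how XAdESLevel and
# MinXAdESLevel decide which signature Office ends up creating.
LEVEL_NAMES = {1: "XAdES-EPES", 2: "XAdES-T", 3: "XAdES-C", 4: "XAdES-X", 5: "XAdES-X-L"}
# 2 = XAdES-T and 5 = XAdES-X-L are the values the post gives; 1, 3 and 4 are an
# assumption from the order EPES < T < C < X < X-L.


def step_succeeds(level, tsa_available, revocation_available):
    """Can the build step that raises a signature to `level` complete?
    Which step needs which resource is an assumption based on what each level adds."""
    needs = {
        1: (),                  # EPES: nothing beyond a plain XML-DSig signature
        2: ("tsa",),            # T: timestamp over the signature value
        3: ("revocation",),     # C: references to the certificate chain and its CRL/OCSP data
        4: ("tsa",),            # X: timestamp over those references
        5: ("revocation",),     # X-L: embed the full certificate and revocation values
    }[level]
    have = {"tsa": tsa_available, "revocation": revocation_available}
    return all(have[n] for n in needs)


def resulting_level(xades_level, min_xades_level, tsa_available, revocation_available):
    """Return the numeric level of the signature Office adds, or None if it adds none."""
    if not 1 <= min_xades_level <= xades_level <= 5:
        raise ValueError("levels must satisfy 1 <= MinXAdESLevel <= XAdESLevel <= 5")
    achieved = 0
    for level in range(1, xades_level + 1):
        if not step_succeeds(level, tsa_available, revocation_available):
            break  # stop at the first failing step and keep the last good level
        achieved = level
    return achieved if achieved >= min_xades_level else None


def describe(result):
    return LEVEL_NAMES[result] if result else "no signature added"


if __name__ == "__main__":
    # Sam's configuration from the post: XAdESLevel = 5, MinXAdESLevel = 2
    for tsa, rev in [(True, True), (True, False), (False, True)]:
        r = resulting_level(5, 2, tsa_available=tsa, revocation_available=rev)
        print(f"TSA reachable={tsa!s:5} revocation info={rev!s:5} -> {describe(r)}")
```

With Sam's settings the simulation gives XAdES-X-L when both resources are available, XAdES-T when only the timestamp server is, and no signature at all when the timestamp server is down, because XAdES-EPES is below his minimum of 2.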

Creating XAdES Signatures in Office 2010 Beta

As mentioned previously, Office 2010 Beta is only able to create up to XAdES-T signatures because we added the rest of the XAdES work after the Beta. The XAdESLevel registry setting we explained above still applies, but the maximum level is 2 (XAdES-T). The MinXAdESLevel setting isn't present in the Beta; since you can only create two types of XAdES signatures there, with and without a timestamp, the choice is controlled instead by the TimestampRequired setting (which isn't present in the RTM version).

Table describing the XAdESLevel registry setting in Office 2010 Beta (image).

To create a XAdES-T signature, you will additionally need to set TimestampRequired (below) and TSALocation (see explanation above):

Table describing the TimestampRequired registry setting (image).

The XAdES feature is one of many security enhancements we have made to Office 2010. Thanks for reading, and we look forward to hearing your feedback!


Comments (34)

  1. Anonymous says:

    The error happens as soon as I insert the digital signature in a document. I receive the message “Microsoft Word has stopped working”, which gives me two options: “Check online for a solution” or just “Close the program”.

    I’ve recorded the steps, but I don’t know how to send you the zipped file.

    Best regards

  2. Anonymous says:

    I’ve read in Word 2010 help that “Notarization” is one of the assurances that a signature helps establish in Office 2010. Would you please clarify this point? I don’t understand it.

    Thanks in advance

  3. Anonymous says:

    Me too. I have the same problem that smukerji faces.

  4. Anonymous says:

    Will OneNote 2010 support digital signatures? OneNote would be perfect for an electronic laboratory notebook if only it supported digital signatures for intellectual property purposes.

  5. Anonymous says:

    Word 2010 is crashing when I try to digitally sign a word document. I’ve tried reinstalling Office 2010, with no success.

  6. Anonymous says:

    Thanks Peter!  Great catch and thanks for the comment.  We’ve fixed it up.

  7. John Tarbox says:

    I think it is great that Microsoft is improving support for digital signatures in Office! If everyone would use digital signatures spam email would be virtually eliminated.

    Is there any chance Microsoft could start using digital signatures on email being sent to customers? Often I get emails claiming to be from Microsoft, but I have no way currently to know if they are genuine or phishing emails.

    Any chance for more posts on using digital signatures? For example can one sign a blog post using Windows Live Writer?

  8. Anne Enge says:

    Good product

  9. Peter Hazlehurst says:

    Hiya, the title of the story has a typo “Signatures” not “Signitures”.

    tx

    P

  10. Daniel Anthony says:

    This seems a lot like the digital signatures already present in Adobe Reader. Will Office 2010 be compatible with PDF documents signed via Adobe Reader or other software? (Maybe through XAdES?)

    Thanks,

    Daniel

  11. Minmin says:

    Hey, it’s called Signatures not Signitures. Check your title first. :)

  12. Julián Inza says:

    These are excellent news. We are a Microsoft partner in Spain, highly specialized in electronic signature. Probably we can help each other testing signatures. We have been participating in several ETSI XAdES Plugtests.

  13. Andrew Brandt says:

    If you need to authenticate a document past one year, why not just mail the signed piece of paper?

  14. orta says:

    Very good

  15. Curious says:

    Are you looking into providing Xades signature capabilities also via .NET API that support dealing with OPC packages (System.IO.Packaging)?

    It would be great if creation of Xades-* signatures and their validation capabilities would be available in .NET platform as well.

  16. Jason Dossett says:

    Just curious, have there been any advances to support some common requirements for regulated industries to do things like a just-in-time reauthentication request?

  17. Trudy Hutzler says:

    We currently have our own certificate manager running on Server 2008.  We use these certificates to create digital signatures for our Adobe forms.

    Can we use the users existing certificates from the certificate server to create their digital signatures in Office 2010?

  18. Marko says:

    Great news, also it would be great to have API for .NET, I guess that will be the case.

    Would it be ‘qualified’ digital signature in European union?

    ‘qualified’ – meaning to be in accordance with EU laws

  19. BJorne says:

    What about support for encrypted ODF documents that’s been missing in 2007? And 64-bit XP support please.

  20. Shelley [MSFT] says:

    Thanks for all the comments!

    @John Tarbox – It is really up to the sender to digitally sign their emails, and there is little incentive for spammers to do this. Just make sure you keep good spam filters. :) Also, right now there are no plans for more posts on digital signatures, but this could always change!

    @Daniel Anthony – Office 2010 is not able to timestamp PDF documents. PDF signatures in Acrobat are handled by Adobe.  

    @Andrew Brandt – When you digitally sign a document, the idea is that you do not need any hard copies of the document and signature. Everything is electronic.

    @Curious – As of this time, we don’t have XAdES digital signature APIs in .NET, but this is a great idea! I will follow up with the .NET team.

    @Jason Dossett – We do not currently support the ability to timestamp a signature right before its cert expires (if this is what you mean).

    @Trudy Hutzler – Office is able to use any valid X.509 certificate to create signatures, so yes, your users should be able to use their existing X.509 certificates to create Office digital signatures.

    @Marko – The EU supports Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES). XAdES signatures are classified as AES and are legally binding in the EU.

  21. m says:

    Thank you

  22. MM says:

    Q1. What will happen if I try to verify a doc signed in 2010 in Office 2007/Office 2007?

  23. Mihail Romanov says:

    Shelley, how can I use national algorithms, e.g. GOST (national standard in Russia), for digital signatures in Office 2010?

  24. Patrick says:

    I have the same problem as Office User and smukerji when trying to digitally sign the document it crashes.

    Interesting no response or patch from MS!

  25. Shelley Gu [MSFT] says:

    smukerji, Office User, and Patrick:

    Could you give a little more detail about what your workflow was leading up to the crash? What type of signature are you trying to create, etc.? If you would like us to follow up offline, please email the blog with your email address. Thanks.

  26. Hikmer says:

    Digital signatures are a nice idea but in reality a huge headache….how can we be sure everyone is using Office 2007 or better?  When trying to email from within Office, you get an error saying it will break the signature…none of this is acceptable.  There doesn’t seem to be any standardization so no one can reliably send documents to each other and ensure they can view them….what F$cking good is that?

  27. Sergey Lipin says:

    It looks like Office 2010 Beta doesn’t support certificates with private keys stored in third-party CSPs on Windows 7 and Vista. Word, Excel, PowerPoint fail to sign documents with such certificates. The CAPI2 event log shows a failure in CryptAcquireCertificatePrivateKey that is being called with CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG, which means that it doesn’t try to use legacy CryptoAPI.

    Is this the intended behavior or is it going to be fixed by the release? Thanks.

  28. Nacho says:

    Great news, just one question: where do you set-up the signature policies?

  29. Nick Pope says:

    Great to see XAdES being adopted in Office 2010.

    Disappointed though that looking at the signature produced, the content of most of the elements of the XAdES object in the _xmlsignatures\sig1.xml were empty.

    Is there a beta available with the completed XAdES object?

  30. Dragan Spasic says:

    Thanks for information, with delay. Questions:

    1. Will Office 2010 support XAdES-A form (Archival electronic signatures)?

    2. I cannot find signature policy in Office 2010 XAdES-EPES form (Explicit policy Electronic Signature). Where is signature policy (ETSI TR 102 038)?

    3. I can find in the sig1.xml: "uri.etsi.org/…/v1.3.2". But the latest version is V1.4.1 since 2009-06 (ETSI TS 101 903). Will you change this?

    4. When I open Office 2003 signed document in Office 2010, message is: "Invalid Signature". Why?

  31. Dragan Spasic says:

    Hello. I have additional questions:

    5. I can create Word 2010 XAdES-T (and higher) signature on the Windows 7 computer, but cannot on the Windows XP SP3 computer. Message is: "Signing cannot be completed due to problems applying the required timestamp. Check your network connection.". My configuration is:

    "XAdESLevel"=dword:00000005

    "TSALocation"="http://…"

    "MinXAdESLevel"=dword:00000002

    My network connection is good, because I can timestamp PDF documents.

    Do you have experience with XAdES-T signatures on the Windows XP?

    6. I expected to find button "View Timestamp certificate" and status information of Timestamp certificate (valid, revoked, expired,…) on the form "Signature Details" or "Additional Information". Will you add this button in the next release?

    7. If the Timestamp server requires client authentication with username/password or client digital certificate, can I configure my username/password or client certificate within Office 2010?

    Note: Company (where I am working) will build public Time-Stamping Authority (TSA), with mandatory client authentication (username/password or client digital certificate).

    8. [Shelley Gu] Configure signature policy to let the client systems know where to locate the timestamp server.

    Where can I enter "TSA Policy Id" for the time-stamping request (RFC 3161) within Office 2010?

  32. Steve Wise says:

    When I receive a forwarded email with emails as attachments Outlook crashes immediately upon clicking on the email.  Sometimes I can open emails with embedded email attachments.  Is this a digital signature issue?  Or is it a PST issue?  I created a new PST and this did not help.  There has to be a setting somewhere that I don't know about.  I am tired of this annoying problem and can't find a fix short of reformatting the hard drive.

  33. Anonymous says:

    Pingback from Plan digital signature settings for Office 2010/2013 « Aloaha Software
