How to tell if a digital signature is trustworthy

Digital signatures play a central role in software security. This article explains what a digital signature is, and how you can check to make sure that a digital signature is trustworthy.In this article

bookmark link What is a digital signature?

bookmark link View a digital signature in a signed document

bookmark link View a digital signature in a signed e-mail message

bookmark link View a digital signature for a signed macro

bookmark link How to tell if a digital signature is trustworthy

What is a digital signature?

A digital signature is used to authenticate digital information - such as documents, e-mail messages, and macros - by using computer cryptography. Digital signatures help to establish the following assurances:

Authenticity The digital signature helps to assure that the signer is who they claim to be.
Integrity The digital signature helps to assure that the content has not been changed or tampered with since it was digitally signed.
Non-repudiation The digital signature helps to prove to all parties the origin of the signed content. "Repudiation" refers to the act of a signer's denying any association with the signed content.

To make these assurances, the content must be digitally signed by the content creator, using a signature that satisfies the following criteria:

The digital signature is valid .
The certificate associated with the digital signature is current (not expired).
The signing person or organization, known as the publisher, is trusted .
The certificate associated with the digital signature is issued to the signing publisher by a reputable certificate authority (CA) .

The Microsoft Office system programs detect these criteria for you, and alert you if there is a problem with the digital signature. For details, see the last section in this article, How to tell if a digital signature is trustworthy.

View a digital signature in a signed document

This section applies to the following Microsoft Office system programs: Excel, Word, and PowerPoint.

When you review any signed content, you should look at the attached signature details and the certificate used to create that signature to find out whether there are any potential problems.

With the document open, click the Microsoft Office Button , and then click Prepare.
Click View Signatures.
Tip You can also click the signatures button at the bottom of your screen.
In the Signatures pane, click the signature that you want to view, click the arrow next to the signature name, and then click Signature Details.
In the Signature Details dialog box, click View.

Evaluating the digital signature is covered in the last section in this article, How to tell if a digital signature is trustworthy.

View a digital signature in a signed e-mail message

Open the digitally signed message.
Look at the Signed By status line and note the e-mail address of the person who signed the message.

Important It is not enough to check the e-mail address in the From line, because it is necessary to verify who actually signed the message, and not just who sent it. If the e-mail address in the From line does not match the e-mail address in the Signed By status line, the Signed by line is the one to use in identifying who actually sent the message.
Check to see whether the signature is valid or invalid.
- If the button on the Signed By status line appears similar to the following Signature button , the signature is valid. For more information about the status of the signature, click the button.
- If a red underline appears under the Signed By status line and if the button appears as an exclamation mark, the signature is invalid. For more information about the status of the signature, click the button.
To see more information about why there is a problem with the digital signature, such as the certificate being invalid, click Details.
In the next security dialog box that appears, click View Details to see information about the certificate used in the digital signature.

View a digital signature for a signed macro

When you open a document that contains a signed macro project and there is a problem with the signature, the macro is disabled by default and the Message Bar appears to notify you of a potentially unsafe macro. However, this does not occur if you are opening the document from a trusted location.

If the macros have been signed, you can view the certificates for the files by doing the following:

On the Message Bar, click Options.
If the macros are signed, you see in the security dialog box a Signature area that looks similar to the following illustration.
Click Show Signature Details.

How to tell if a digital signature is trustworthy

This section describes what you should look for when you evaluate the trustworthiness of a digital signature.

The digital signature is OK

A valid digital signature is identified by a message at the top of the Digital Signature Details dialog box, confirming that the digital signature is OK. You should also note the timestamp details under Countersignatures. The timestamp details indicate that the certificate authority - in this example, VeriSign - has verified and approved the digital signature.

The date for the time stamp - in this case, August 7, 2003 - should be within the Valid from date range in the certificate. To see the date range in the digital signature, click View Certificate.

The publisher - in this case, Microsoft Corporation - should be a trusted publisher by default on computers running the Microsoft Windows operating system. Certificates for Microsoft are located in the Trusted Root Certification Authorities store. If the publisher is not trusted by default, you must explicitly trust the publisher. Otherwise, the content signed by that publisher does not pass the security software checks.

Checking for the red X

A digital signature that presents problems shows the image with a red X.

The red X can appear for the following reasons:

The digital signature is invalid for some reason. (For example, the content has been altered since it was signed.)
This digital signature is expired.
The certificate associated with the digital signature was not issued by a certificate authority (CA) . For example, it might be a self-signed certificate created by using Selfcert.exe.
The publisher is not trusted.

What you should you do if there is a problem with a signature

When there is a problem with a digital signature, then depending upon your situation, you can do any of the following:

You can contact the source of the signed content, and let them know that there is a problem with the signature.
Contact the IT administrator in charge of your organization's security infrastructure.
If you feel that the macro or other active content associated with the document is trustworthy, you can save the document to a trusted location. Documents in trusted locations are allowed to run without being checked by the Trust Center security system. Using trusted locations is a better option than lowering your security level settings for all macros.
You can explicitly trust the publisher.