
Digital Signing of Microsoft® 2007 Office System Documents

August 2007
Table of Contents
Introduction ..........................................................................2
What is a Digital Signature? ..........................................................4
What Digital Signatures Accomplish ....................................................4
Requirements for Digital Signatures ...................................................5
Digital Signatures in the Business Environment ........................................5
Compatibility Issues ..................................................................6
Using Digital Signatures ..............................................................7
Transparent or Invisible Digital Signatures ...........................................7
How to Add an Invisible Signature .....................................................7
Add a Signature Line .................................................................13
Digital Certificates .................................................................19
Summary ..............................................................................21

i
www.microsoft.com/office
Introduction
2007 Microsoft Office is a complete suite of productivity and database software that will
help you save time and stay organized. Powerful contact management features help you
manage customer and prospect information in one place. You can develop professional
marketing materials for print, e-mail, and the Web, and produce effective marketing
campaigns in-house. You can create dynamic business documents, spreadsheets, and
presentations, and build databases with little experience or technical staff.
You will learn new features rapidly using the new Microsoft® Office Fluent™ user
interface that presents the right tools when you need them. New task-based menus and
toolbars automatically display the commands and options you can use, making it faster
and easier to find the software features you need. And the new Live Preview feature
makes it easy to sample your changes before you apply them. The new tools help you
work faster and create more professional documents, spreadsheets, and presentations.
These tools help you quickly accomplish routine tasks so you can spend more time with
your customers and building your business. But in today’s business world, getting the
work done quickly and accurately is not enough. It’s also important to protect your
Microsoft 2007 Office system documents against unauthorized access and tampering.
In addition to the robust productivity enhancements included with the Microsoft 2007
Office system are new security advances. The Microsoft 2007 Office system was built with
security in mind, using Microsoft’s new Security Development Lifecycle approach for
software development which provides a comprehensive framework of design, production,
and testing methods and tools to ensure that software meets and exceeds current and
anticipated security demands. The Microsoft 2007 Office system represents the most
secure version of Office yet.
Security encompasses many factors, and Microsoft uses a number of technologies to help
secure your Office documents. Digital document signing is one of the ways you can help
protect information in your Microsoft 2007 Office system documents. When you sign a
document, you confirm that you are the originator of the document and that you vouch
for the contents of the document. If the document is changed in any way, the digital
signature is invalidated. Digital signatures on Microsoft 2007 Office system documents
help ensure that no changes to a document are made as the document moves through a
“chain of custody.”

What is a Digital Signature?
You can digitally sign a document for many of the same reasons you might place a
handwritten signature on a paper document. A digital signature is used to help
authenticate the identity of the creator of digital information, such as documents,
e-mail messages, and macros, by using cryptographic algorithms. (Authenticate: the
process of verifying that people and products are who and what they claim to be. For
example, confirming the source and integrity of a software publisher’s code by verifying
the digital signature used to sign the code.)
Digital signatures are based on digital certificates. Digital certificates are verifiers of
identity issued by a trusted third party, called a certification authority or CA. This works
similarly to the use of standard identity documents in the non-electronic world. For
example, a trusted third party such as a government entity or employer issues identity
documents such as driver’s licenses, passports and employee ID cards on which others
rely to verify that a person is whom he/she claims to be.
Digital certificates can be issued by CAs within an organization, such as a Windows®
Server 2003 server running Windows Certificate Services, or a public CA such as VeriSign
or Thawte.

What Digital Signatures Accomplish


Digital signatures help to establish the following authentication measures:
• Authenticity: The digital signature helps to assure that the signer is whom he or she
claims to be. This helps prevent others from pretending to be the originator of a
particular document (the equivalent of forgery on a printed document).
• Integrity: The digital signature helps to assure that the content has not been
changed or tampered with since it was digitally signed. This helps prevent documents
from being intercepted and changed without knowledge of the originator of the
document.
• Non-repudiation: The digital signature helps to prove to all parties the origin of the
signed content. "Repudiation" refers to the act of a signer's denying any association
with the signed content. This helps prove that the originator of the document is the
true originator and not someone else, regardless of the claims of the signer. A signer
cannot repudiate the signature on that document without repudiating his or her digital
key, and thus other documents signed with that key.
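As an added illustration that is not part of this white paper, the following Python script shows the hash-then-sign mechanism behind the three properties above, using a deliberately tiny textbook RSA key. The primes, the sample document text and the forged value are constructed for the example; Office itself stores XMLDSig signatures backed by certificate keys with proper padding, not this toy. Any change to the signed bytes, and any signature value produced without the private exponent, fails verification:

```python
import hashlib

# Toy RSA parameters for illustration only: two Mersenne primes, far too small
# for real use. A certificate-backed key would be 2048 bits or more.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Hash the document and reduce it into the modulus range.
    (Simplification of the padding a real RSA signature scheme applies.)"""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exponent: int = D) -> int:
    """Signer: apply the private key to the document digest."""
    return pow(digest(document), private_exponent, N)


def verify(document: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient: undo the signature with the public key and compare digests."""
    return pow(signature, public_exponent, N) == digest(document)


def demo() -> dict:
    """Three checks a recipient relies on: the untouched document verifies,
    a tampered copy does not, and a value made without the private key does not."""
    original = b"Expense report Q3: total 1,250.00"      # constructed sample
    sig = sign(original)
    tampered = original.replace(b"1,250.00", b"9,250.00")
    forged = pow(digest(original), 3, N)                  # guess without D
    return {
        "original_valid": verify(original, sig),
        "tampered_valid": verify(tampered, sig),
        "forged_valid": verify(original, forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The integrity property is what the Signatures task pane reports when a signed document is edited: the stored signature still decrypts to the old digest, which no longer matches the document, so the signature is shown as invalid.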

Requirements for Digital Signatures


To establish these conditions, the content creator must digitally sign the content by using
a signature that satisfies the following criteria:
• The digital signature is valid. A certification authority that is trusted by the operating
system must sign the digital certificate on which the digital signature is based.
• The certificate associated with the digital signature has not expired.
• The signing person or organization (known as the publisher) is trusted by the
recipient.
• The certificate associated with the digital signature is issued to the signing publisher
by a reputable certification authority (CA).
Microsoft Office Word 2007, Office Excel 2007 and Office PowerPoint 2007 detect these
criteria for you and alert you if there appears to be a problem with the digital signature.
Information about problematic certificates is easily viewed in a certificate task pane that
appears within the Microsoft 2007 Office System program. Microsoft 2007 Office System
applications allow you to add multiple digital signatures to the same document.

Digital Signatures in the Business Environment


The following scenario illustrates how digital signing of documents can be used in a
business environment:
1. An employee uses an Excel spreadsheet to create an expense report. The employee
then creates three signature lines: one for herself, one for her manager and one for
accounting. These lines are used to identify that the employee is the originator of the
document, that no changes will take place in the document as it moves to the
manager and the accounting division, and that there is proof that both the manager
and accounting department have received and reviewed the document.
2. The manager receives the document and adds her digital signature to the document,
confirming that she has reviewed and approved it. She then forwards it to the
accounting department for payment.
3. A representative in the accounting department receives the document and signs it,
confirming receipt of the document.
This example demonstrates the ability to add multiple signatures to a single Microsoft
Office document. In addition to the digital signature, the signer of the document can add
a graphic of her actual signature, or use a tablet PC to actually write a signature into the
signature line in the document. There is also a “rubber stamp” feature that can be used
by departments, indicating that a member of a specific department received the
document.

Compatibility Issues
2007 Microsoft Office, unlike its predecessors, uses the XMLDSig format for digital
signatures. It is important to note that digital signatures are not compatible across
Microsoft Office platforms. For example, if a document is signed using Microsoft 2007
Office system and opened in a Microsoft Office 2003 application with the Office
Compatibility Pack installed, the user will be informed that the document was signed by a
newer version of Microsoft Office and the digital signature will be lost, as seen in Figure 1.

Figure 1: Warning that the digital signature is removed when opened in an earlier version of Office
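The signature an Office 2007 application stores is an XMLDSig part inside the OPC zip container of a .docx, .xlsx or .pptx file; when the Compatibility Pack re-saves the document, that part is gone. The following added example (not code from the white paper or from Microsoft) builds a minimal constructed package with and without a signature part and inspects it: it lists the signature parts declared in [Content_Types].xml, which package parts each signature's manifest covers, and whether any covered part is missing. The signature XML, part names and content types are constructed after the OPC package-signature layout (_xmlsignatures/sig1.xml, the idPackageObject manifest); digest and signature values are placeholders, and cryptographic verification of the signature is not attempted here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
SIG_CONTENT_TYPE = ("application/vnd.openxmlformats-package."
                    "digital-signature-xmlsignature+xml")

# Constructed signature part, shaped after an OPC package signature. A real
# Office signature also carries KeyInfo (the signer's certificate) and real
# digest/signature values; here those values are placeholders.
SAMPLE_SIGNATURE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature">
  <SignedInfo>
    <Reference URI="#idPackageObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
      <DigestValue>PLACEHOLDER</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>PLACEHOLDER</SignatureValue>
  <Object Id="idPackageObject">
    <Manifest>
      <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </Manifest>
  </Object>
</Signature>
"""

# Constructed minimal document body (a real .docx has many more parts).
DOCUMENT_PARTS = {
    "word/document.xml": b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
                         b'wordprocessingml/2006/main"><w:body/></w:document>',
}


def build_package(parts, signed):
    """Build a minimal OPC zip container; with signed=True, add the signature
    origin and one signature part and declare that part in [Content_Types].xml."""
    parts = dict(parts)
    overrides = ""
    if signed:
        parts["_xmlsignatures/origin.sigs"] = b""
        parts["_xmlsignatures/sig1.xml"] = SAMPLE_SIGNATURE_XML.encode()
        overrides = ('<Override PartName="/_xmlsignatures/sig1.xml" '
                     f'ContentType="{SIG_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def signature_parts(zf):
    """Signature parts are the overrides carrying the XMLDSig content type."""
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    return [o.get("PartName").lstrip("/")
            for o in root.iter(CT_NS + "Override")
            if o.get("ContentType") == SIG_CONTENT_TYPE]


def inspect_package(package):
    """Report whether the package is signed, what each signature covers, and
    which covered parts are no longer present (an edited or stripped package)."""
    result = {"signed": False, "signatures": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = set(zf.namelist())
        for part in signature_parts(zf):
            sig = ET.fromstring(zf.read(part))
            covered = []
            for ref in sig.iter(DSIG + "Reference"):
                uri = ref.get("URI", "")
                if uri.startswith("#"):   # points inside the signature itself
                    continue
                # Manifest URIs carry the part's content type as a query string.
                covered.append(uri.split("?", 1)[0].lstrip("/"))
            result["signatures"].append({
                "part": part,
                "covers": covered,
                "missing": [p for p in covered if p not in names],
            })
    result["signed"] = bool(result["signatures"])
    return result


if __name__ == "__main__":
    for label, pkg in (("unsigned", build_package(DOCUMENT_PARTS, False)),
                       ("signed", build_package(DOCUMENT_PARTS, True))):
        print(label, inspect_package(pkg))
```

A check like this is useful on the receiving side of a document workflow, for instance to flag an expense report that arrives without any signature part after passing through an older Office installation; deciding whether the signature is actually valid still requires the digest and signature verification that the Office application performs.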

Using Digital Signatures
There are two ways you can apply a digital signature to a Microsoft 2007 Office system
document, spreadsheet or presentation:
• Add a transparent or invisible digital signature
• Add one or more digital signature lines
In the following sections you will see examples of both methods of adding digital
signatures to Microsoft Office documents.

Transparent or Invisible Digital Signatures


If you do not need to insert visible signature lines into a document, but you still want to
provide assurance as to the authenticity, integrity, and origin of a document, you can add
an invisible digital signature to the document. You can add invisible digital signatures to
Word documents, Excel workbooks, and PowerPoint presentations.
Unlike an Office signature line, an invisible digital signature cannot be seen within the
contents of the document itself, but recipients of the document can determine that the
document has been digitally signed by viewing the document's digital signature or by
looking for the Signatures button on the status bar at the bottom of the screen.
After a document has been digitally signed, it becomes read-only to prevent
modifications.

How to Add an Invisible Signature


Perform the following steps to add a transparent digital signature to a Microsoft 2007
Office system document:
1. Click the Office Button, point to Prepare and click Add a Digital Signature.
2. You will see a Microsoft Office dialog box that provides you with information about
adding digital signatures. Read this information and then put a checkmark in the
Don’t show this message again checkbox. Click OK. Note that this dialog box also
contains an option to obtain signature services from the Office Marketplace online.

Figure 2: Office dialog box providing information about digital signatures

3. A Microsoft Office dialog box appears informing you that before you can add a
signature, you have to save the document in a format that supports digital
signatures. You can save the file in the new Office formats (.docx, .xlsx and .pptx) or
the old ones (.doc, .xls and .ppt). Click Yes and the document will be saved in the
format you’ve set as the default for the Office application.

Figure 3: Office dialog box providing information about document type required for signing

4. In the Save As dialog box, select a location to save the document and give the
document a name. Make sure that you save the document in the .doc or .docx
format. Click Save.

Figure 4: Selecting a location to save the document

5. In the Sign dialog box, you can enter a reason for signing the document in the
Purpose for signing this document text box. You can also leave this field blank if
you want. Note that there is a default user entered in the Signing as section. You
can change the signer of the document by clicking the Change button.

Figure 5: Providing a reason for the digital signature

6. The Select Certificate dialog box appears after clicking the Change button in the
Sign dialog box. If you have multiple user certificates, you can select one from this
box. This is most useful when you are using a shared computer. Before selecting one,
you can view details about the certificates, including issuer, expiration dates, the
certificate path and whether the certificate is trusted.
7. Click Cancel, then click Sign in the Sign dialog box.

Figure 6: Option for selecting an alternate certificate

8. The Signature Confirmation dialog box appears, informing you that the signature
was saved with the document and that if the document is changed, the signature will
become invalid. Click OK to dismiss the dialog box.

Figure 7: Confirming that the document was signed

9. A Signatures task pane appears on the right side of the application window. In this
example there appears to be a problem with the signature, as indicated by the
Certificate issues warning icon.

Figure 8: The Signatures task pane informs about certificate issues

10. Click on the problematic signature and then click the pull down arrow. Click
Signature details to discover the problem with the signature.

Figure 9: Investigating problems with the digital certificate

11. In the Signature Details dialog box, there is information indicating that the problem
with the signature is that it is not trusted. The signature used in this example is a
self-signed certificate created by Microsoft 2007 Office system. This type of certificate
would typically be used in small and medium sized businesses that do not have a
public key infrastructure (PKI) in place. In the enterprise environment where there is
an established PKI, this problem would indicate that the machine this document is
being read on does not trust the CA that signed the user’s digital certificate. In this
example, we can choose to trust the user’s certificate by clicking the Click here to
trust this user’s identity link.

Figure 10: Assessing issues with a digital certificate

12. After clicking Click here to trust this user’s identity, the Signature Details dialog
box indicates that the signature is valid. If you wish, you can see additional signing
information by clicking the See the additional signing information that was
collected link.

Figure 11: Verifying the valid signature

13. In the Additional Information dialog box, you can see information about what the
signature signs, the system date/time, the version of Windows, the version of
Microsoft Office, the version of the Office application signing the document, the
number of monitors on the machine, and the resolution of the primary monitor. Click
OK to dismiss this dialog box and then click Close in the Signature Details dialog
box.

Figure 12: Viewing additional information about the signed document

14. If there are no problems with the certificate, the certificate task pane will not appear.
However, if you want to view details of the signers and their certificates, you can click
the red “ribbon” icon in the status bar of the Office application. This will enable the
Signatures task pane.

Figure 13: Digital signature indicator and enabling the Signature task pane

Add a Signature Line


Another way to add a digital signature to a document is to add one or more digital
signature lines. The following procedures describe how to create a digital signature line:
1. Click the Insert tab and then click the Signature Line button. The Signature Setup
dialog box appears. Enter information about the Suggested signer, Suggested
signer’s title, and Suggested signer’s e-mail address. Put a checkmark in the
Allow the signer to add comments to the Sign dialog if you want the signer to
add additional information into the signature line, and put a checkmark in the Show
sign date in signature line checkbox to add the date the document was signed in
the text box. Click OK.

Figure 14: Signature setup

2. A digital signature line now appears in the document. Double click the signature line
to provide more information.

Figure 15: The digital signature line

3. In the Sign dialog box you can type your name or, if you have a tablet PC, you can
write your name into the text box. If you don’t have a tablet PC, but would like an
image of your actual signature to be included in the signature line, you can click the
Select Image link and insert a graphic file containing your handwritten signature. In
this example we will click the Select Image link to insert a graphic of an actual
signature.

Figure 16: Inserting the digital signature

4. In the Select Signature Image dialog box, select the image of your signature and
click the Select button.

Figure 17: Selecting the digital signature graphic

5. The image appears in the Sign dialog box. Before signing the document, you can
enter a reason for signing the document in the Purpose for signing this document
text box. Click Sign to digitally sign the document.

Figure 18: Entering the purpose for digitally signing the document

6. The Signature Confirmation dialog box appears informing you that the digital
signature has been applied to the document.

Figure 19: Confirming the digital certificate was applied

7. Note in this example that an Invalid signature warning appears in the
signature line box. Click Invalid signature to investigate the reasons why the signature
is invalid.

Figure 20: Warning that the signature may not be valid

8. In the Signature Details dialog box you will see that the certificate is not trusted.
You can choose to trust the certificate by clicking the Click here to trust this user’s
identity link.

Figure 21: Trusting the digital identity

9. After choosing to trust the signature, the Signature Details dialog box will confirm
that the signature is valid. Click Close.

Figure 22: Signature details confirms that the signature is trusted

10. The signature line no longer shows a problem with the certificate and the date the
document was signed now appears above the signature line.

Figure 23: Signature line now reflects a trusted digital identity

Digital Certificates
In the above examples we used self-signed certificates. These are certificates that are
created by the Microsoft 2007 Office system and can be used to digitally sign and
encrypt Microsoft 2007 Office system documents. Self-signed certificates are typically
used by individuals and small businesses who do not wish to set up a public key
infrastructure for their organizations and do not want to purchase a commercial
certificate.
The primary drawback of using self-signed certificates is that they are only useful if you
exchange documents with those who know you personally and are confident that you are
the actual originator of the document. With self-signed certificates, there is no third-party
that validates the authenticity of your certificate. Each person that receives your signed
document will need to decide on her own whether or not to trust your certificate.
Larger organizations have two other options that scale much better than self-signed
certificates. These are:
• Certificates created by a corporate public key infrastructure (PKI)
• Commercial certificates
Organizations have the option to create their own PKI. In this scenario, the company sets
up one or more certification authorities which can create digital certificates for machines
and users throughout the company. When combined with Microsoft Active Directory, a
company can create a complete PKI solution so that all corporate managed machines
have the corporate certificate authority chain installed and both users and machines are
automatically assigned digital certificates for document signing and encryption. For more
information on using a Microsoft PKI, please see the Public Key Infrastructure for
Windows Server 2003 page at
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
Another option is to use commercial certificates. A commercial certificate is one that is
purchased from a company whose line of business is to sell digital certificates. The main
advantage of using commercial certificates is that the commercial certificate vendor’s
root CA certificate is automatically installed on Windows operating systems, which
enables these machines to automatically trust these certificate authorities. Unlike the
corporate PKI solution, commercial certificates enable you to share your signed
documents with users who do not belong to your organization.
There are three types of commercial certificates:
• Class 1: Class 1 certificates are issued to individuals with valid e-mail addresses.
Class 1 certificates are appropriate for digital signatures, encryption, and electronic
access control for non-commercial transactions where proof of identity is not required.
• Class 2: Class 2 individual certificates are appropriate for digital signatures,
encryption, and electronic access control in transactions where proof of identity based
on information in the validating database is sufficient. Class 2 device certificates are
appropriate for device authentication; message, software, and content integrity; and
confidentiality encryption.
• Class 3: Class 3 certificates are issued to individuals, organizations, servers,
devices, and administrators for CAs and RAs. Class 3 individual certificates are
appropriate for digital signatures, encryption, and access control in transactions
requiring a high assurance about the subscriber's identity. Class 3 server certificates
are appropriate for server authentication; message, software, and content integrity;
and confidentiality encryption.
For more information on commercial certificates, please visit the Microsoft Office
Marketplace at http://office.microsoft.com/en-us/marketplace/EY010504841033.aspx
Companies that are interested in signing documents that are only shared among other
employees in the organization will prefer a corporate PKI to reduce costs. For companies
that wish to share signed documents with people outside their organization, a commercial
certificate may fit their needs best.
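The criteria listed under "Requirements for Digital Signatures" and the three trust models described in this section come down to one question on the reader's machine: does the signer's certificate chain end at something that machine already trusts, and is every certificate on the way still valid? The following added example (not code from the white paper or from Microsoft) models that check over constructed certificate records: a self-signed certificate is trusted only once the reader adds it explicitly (the "Click here to trust this user's identity" step), a corporate certificate is trusted when the corporate root CA is in the reader's store (what Active Directory distributes), and a commercial certificate is trusted because the vendor's root ships with Windows. The names and dates, and the simplification that "the publisher is trusted by the recipient" is represented by the same trust store, are assumptions of this example.

```python
from datetime import date

# Constructed certificate records keyed by subject. A certificate whose issuer
# equals its subject is self-signed; Office creates such a certificate when no
# PKI is available. Names and dates are invented for this example.
CERTS = {
    "CN=Alice (self-signed)": {"issuer": "CN=Alice (self-signed)", "not_after": date(2008, 8, 1)},
    "CN=Bob":                 {"issuer": "CN=Contoso Issuing CA",  "not_after": date(2008, 8, 1)},
    "CN=Contoso Issuing CA":  {"issuer": "CN=Contoso Root CA",     "not_after": date(2010, 8, 1)},
    "CN=Contoso Root CA":     {"issuer": "CN=Contoso Root CA",     "not_after": date(2020, 8, 1)},
    "CN=Carol":               {"issuer": "CN=Public CA Root",      "not_after": date(2006, 8, 1)},
    "CN=Public CA Root":      {"issuer": "CN=Public CA Root",      "not_after": date(2030, 8, 1)},
}
TODAY = date(2007, 8, 1)   # constructed evaluation date


def evaluate_signer(signer, certs, trust_store, today):
    """Walk the chain from the signer's certificate toward a root and return the
    problems a reader's machine would report; an empty list means the signature's
    certificate satisfies the criteria (trusted chain, nothing expired)."""
    problems = []
    subject = signer
    seen = set()
    while True:
        cert = certs.get(subject)
        if cert is None:
            problems.append(f"chain incomplete: no certificate for {subject}")
            break
        if cert["not_after"] < today:
            problems.append(f"{subject} expired on {cert['not_after'].isoformat()}")
        if subject in trust_store:
            break                       # chain ends at something this reader trusts
        if cert["issuer"] == subject:   # self-signed and not explicitly trusted
            problems.append(f"chain ends at untrusted root {subject}")
            break
        seen.add(subject)
        subject = cert["issuer"]
        if subject in seen:
            problems.append("chain loops")
            break
    return problems


def scenarios():
    """The three models from the text, plus the expiry criterion."""
    windows_roots = {"CN=Public CA Root"}               # commercial root, preinstalled
    return {
        # small business: self-signed, before and after the reader clicks "trust"
        "self_signed_untrusted": evaluate_signer(
            "CN=Alice (self-signed)", CERTS, windows_roots, TODAY),
        "self_signed_trusted": evaluate_signer(
            "CN=Alice (self-signed)", CERTS, windows_roots | {"CN=Alice (self-signed)"}, TODAY),
        # corporate PKI: trusted on a domain machine, not on an outside machine
        "corporate_inside": evaluate_signer(
            "CN=Bob", CERTS, windows_roots | {"CN=Contoso Root CA"}, TODAY),
        "corporate_outside": evaluate_signer("CN=Bob", CERTS, windows_roots, TODAY),
        # commercial certificate whose chain is fine but which has expired
        "commercial_expired": evaluate_signer("CN=Carol", CERTS, windows_roots, TODAY),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name}: {problems or 'valid'}")
```

The "corporate_outside" case is the enterprise situation described in step 11 of the invisible-signature procedure: the document and its signature are intact, but the reading machine does not have the corporate CA chain installed, so the Signatures task pane reports the certificate as not trusted.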

Summary
Microsoft 2007 Office system provides many security improvements over its
predecessors. One of the improvements is in the area of digital document signing. By
digitally signing a document, you can confirm that you are the originator of the document
and help prove that the document has not changed since the time you signed it. Digital
signatures depend on digital certificates. Smaller organizations can use “self-signed”
certificates, while larger organizations will prefer to use a corporate public key
infrastructure. Microsoft 2007 Office system documents can have invisible signatures or
signature lines added to them. When used together with other Microsoft 2007 Office
system security technologies and the security technologies included in the Microsoft Office
Servers and Windows operating system, digital signatures provide another significant
component of a strong defense in depth approach to securing data stored in Microsoft
2007 Office system documents, workbooks and presentations.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part
of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO
THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not
give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

