-
Notifications
You must be signed in to change notification settings - Fork 816
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: building documenso part 2 #1083
Conversation
ElTimuro
commented
Apr 6, 2024
•
edited
edited
- blog article "building documenso part 2"
WalkthroughThe updates aim to deepen the comprehension of digital signatures within Documenso's ecosystem. The changes begin by highlighting the pivotal role of signing certificates. Subsequently, a detailed exploration of signature validity delves into the complexities of eIDAS-compliant electronic signatures, emphasizing certificate levels, trusted lists, and the challenges associated with maintaining highly compliant digital signature solutions. Changes
Recent Review StatusConfiguration used: CodeRabbit UI Files selected for processing (1)
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Thank you for following the naming conventions for pull request titles! 💚🚀 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 9
Actionable comments outside the diff hunks (7)
apps/marketing/content/blog/building-documenso-pt1.mdx (7)
Line range hint
28-28
: Consider revising "on the topic of" to a more concise form for clarity.- on the topic of signature validity + on signature validity
Line range hint
44-44
: "In many cases" could be replaced with a less frequent alternative for variety.- legally acceptable in many cases + legally acceptable in numerous instances
Line range hint
56-56
: The term "endeavour" is British English; consider aligning with one variant of English throughout the document.- incredibly complex endeavour + incredibly complex endeavor
Line range hint
62-62
: Mixing "organisation" and "organization" within a single text can be confusing. Stick to one spelling variant for consistency.- Advanced Personal Certificates for Companies/Organisations + Advanced Personal Certificates for Companies/Organizations
Line range hint
77-77
: The repetition of "While" at the beginning of successive sentences can be rephrased for better flow.- While this is our setup, for now, we have a bigger plan for this topic. While globally trusted SSL Certificates have been available for free, courtesy of Let’s Encrypt, for a while now, there is no such thing as document signing. + This is our current setup, but we have a bigger plan for this topic. Globally trusted SSL Certificates have been available for free, courtesy of Let’s Encrypt, for a while now, yet there is no such thing as free document signing.
Line range hint
79-79
: Consider adding "please" for a more polite request.- As always, let me know in the comments + As always, please let me know in the comments
Line range hint
88-88
: The informal phrase "talk about" could be replaced with a more professional alternative.- here we talk about a document + here we discuss a document
|
||
1. **Simple Electronic Signatures (Level 1/ SES):** This is just a visual signature or even a checkbox on a document. | ||
|
||
2. **Advanded Electronic Signatures (Level 2/ AES)**: An actual crypographic signature (not just a seal on the whole document, but a specific signature), using a certificate linked to the identification data of the signer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct the spelling mistake in "Advanded" to "Advanced".
- Advanded Electronic Signatures
+ Advanced Electronic Signatures
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
2. **Advanded Electronic Signatures (Level 2/ AES)**: An actual crypographic signature (not just a seal on the whole document, but a specific signature), using a certificate linked to the identification data of the signer. | |
2. **Advanced Electronic Signatures (Level 2/ AES)**: An actual crypographic signature (not just a seal on the whole document, but a specific signature), using a certificate linked to the identification data of the signer. |
Correct the spelling mistake in "crypographic" to "cryptographic".
- An actual crypographic signature
+ An actual cryptographic signature
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
2. **Advanded Electronic Signatures (Level 2/ AES)**: An actual crypographic signature (not just a seal on the whole document, but a specific signature), using a certificate linked to the identification data of the signer. | |
2. **Advanded Electronic Signatures (Level 2/ AES)**: An actual cryptographic signature (not just a seal on the whole document, but a specific signature), using a certificate linked to the identification data of the signer. |
|
||
A: No, it means the provider (Wisekey) is not on a list maintained by the EU. The cryptographic signature is just as strong as any other | ||
|
||
For someone who does not deal with this stuff daily, this can be hard to comprehend. Whether you use a certificate you generated yourself, one generated by a certificate authority (CA) like Wisekey, or one by another on the EU trust list (e.g., Bundesdruckerei), the cryptographic security guaranteeing that the document has not been tampered with is always the same. Many providers like Documenso, DocuSign, PandaDoc, and Digisigner all use this method for their regular plans. That means if you were to run a document signed by them through the validator above, the result would be the same[1]. The interesting question is why? Why do it like this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider using a synonym to avoid repetition and enhance the writing style.
- this can be hard to comprehend
+ this can be difficult to understand
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
For someone who does not deal with this stuff daily, this can be hard to comprehend. Whether you use a certificate you generated yourself, one generated by a certificate authority (CA) like Wisekey, or one by another on the EU trust list (e.g., Bundesdruckerei), the cryptographic security guaranteeing that the document has not been tampered with is always the same. Many providers like Documenso, DocuSign, PandaDoc, and Digisigner all use this method for their regular plans. That means if you were to run a document signed by them through the validator above, the result would be the same[1]. The interesting question is why? Why do it like this? | |
For someone who does not deal with this stuff daily, this can be difficult to understand. Whether you use a certificate you generated yourself, one generated by a certificate authority (CA) like Wisekey, or one by another on the EU trust list (e.g., Bundesdruckerei), the cryptographic security guaranteeing that the document has not been tampered with is always the same. Many providers like Documenso, DocuSign, PandaDoc, and Digisigner all use this method for their regular plans. That means if you were to run a document signed by them through the validator above, the result would be the same[1]. The interesting question is why? Why do it like this? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 3
/> | ||
|
||
<figcaption className="text-center"> | ||
If a tree does not comply with the EU trust list, does it make a sound when validating?r |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider correcting the typo in "validating?r" to "validating?".
- If a tree does not comply with the EU trust list, does it make a sound when validating?r
+ If a tree does not comply with the EU trust list, does it make a sound when validating?
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
If a tree does not comply with the EU trust list, does it make a sound when validating?r | |
If a tree does not comply with the EU trust list, does it make a sound when validating? |
|
||
While there are some actual expenses involved in providing AES and QES, the blunt reality is that it's just good business to charge for them per signature, making it unsuitable for the "standard offerings"; almost no one has the resources to set this up themselves. While this initial process of becoming a QES-certified entity is really expensive, selling the certificates afterward is very lucrative. This leads to less innovation in the space and only big players providing these high-compliance services. Even certificates only used to seal documents without being QES certified are sold for a large range of prices, and they cost almost nothing to produce. | ||
|
||
## Why Though? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove the comma after "Why Though?" for correct punctuation in headings.
- ## Why Though?,
+ ## Why Though?
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
## Why Though? | |
## Why Though? |
\ | ||
\ | ||
\ | ||
[1] The signature format (e.g. PKCS7-B) will vary. It's the format what the signature inserted into the document looks like. eIDAS itself does not specifically require any given format, but the PAdES defined by the EU is mostly used by european providers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Clarify the sentence to improve readability.
- It's the format what the signature inserted into the document looks like.
+ It's the format that determines what the inserted signature looks like in the document.
Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation.
[1] The signature format (e.g. PKCS7-B) will vary. It's the format what the signature inserted into the document looks like. eIDAS itself does not specifically require any given format, but the PAdES defined by the EU is mostly used by european providers. | |
[1] The signature format (e.g. PKCS7-B) will vary. It's the format that determines what the inserted signature looks like in the document. eIDAS itself does not specifically require any given format, but the PAdES defined by the EU is mostly used by european providers. |