The purpose of this policy is to provide guidance on when digital signatures are considered accepted means of validating the identity of a signer in CrowdFiber electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organization. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is trusted.

Digital Signatures

  • A digital signature is an acceptable substitute for a wet signature on any intra-organization document or correspondence, with the exception of those noted in the employee handbook.
  • CrowdFiber will maintain an organization-wide list of the types of documents and correspondence that are not covered by this policy.
  • Digital signatures must apply to individuals only. Digital signatures for roles, positions, or titles (e.g. the CFO) are not considered valid.

Responsibilities

Digital signature acceptance requires specific action on both the part of the employee signing the document or correspondence (hereafter the signer), and the employee receiving/reading the document or correspondence (hereafter the recipient).

Signer Responsibilities

  • Signers must obtain a signing key pair from the CTO. This key pair will be generated using CrowdFiber’s Public Key Infrastructure (PKI) and the public key will be signed by CrowdFiber’s Certificate Authority (CA).
  • A commercial document signing tool approved by the IT Department may be used in place of CrowdFiber’s Public Key Infrastructure (PKI) when required by business needs. CrowdFiber’s Public Key Infrastructure (PKI) must be used to authenticate all documents within the company.
  • Signers must sign documents and correspondence using software approved by CrowdFiber’s IT organization.
  • Signers must protect their private key and keep it secret.
  • If a signer believes that the signer’s private key was stolen or otherwise compromised, the signer must contact CrowdFiber’s Identity Management Group immediately to have the signer’s digital key pair revoked.

Recipient Responsibilities

  • Recipients must read documents and correspondence using software approved by CrowdFiber’s IT department.
  • Recipients must verify that the signer’s public key was signed by CrowdFiber’s Certificate Authority (CA), by viewing the details about the signed key using the software they are using to read the document or correspondence.
  • If the signer’s digital signature does not appear valid, the recipient must not trust the source of the document or correspondence.
  • If a recipient believes that a digital signature has been abused, the recipient must report the recipient’s concern to CrowdFiber’s Identity Management Group.