On Thu, 02 Jan 2014 10:29:26 +0000, Carlos E. R. wrote:
>> I understand the issue is real for you and not a joke, but at the same
>> time, I wonder why one would do business with someone who’s not honest
>> enough to provide correct invoices.
>
> As signed PDFs are a legally binding documentation in Spain, everybody
> is using them. That Linux does not support those is of no consequence to
> people, as Windows is the de facto standard. It is my fault for using
> experimental and unfinished and unprofessional software such as Linux.
>
> That’s what they say, obviously, not me. But they have a point.
>
> I have no choice, in any case.
Certainly there’s the legal point, but there are a few things that work
in your favor, since it’s about verifying the signature and not you being
able to sign a PDF.
Do the people sending you invoices know that you use Linux and thus can’t
validate the signature? If they don’t, then it seems reasonable to think
that if they send you something, the signature is going to be valid.
If the invoice seems “wrong,” you can ask for further documentation for
what the invoice is for. If it were a MITM attack, the originator would
be able to confirm that the invoice is valid.
> No, the source would not falsify the documentation. I’m thinking of a
> man in the middle type of attack. And the fact that the legal validity
> of documentation is broken on my end.
You’re not a lawyer, though - and it’s not the validity that’s “broken” -
legally (bearing in mind IANAL), the signature either is or isn’t valid.
Whether you can verify that isn’t important from a legal standpoint.
Whether it can be validated in a court of law, should legal action be
taken based on the document - that’s what’s important.
So:
-
You receive an invoice. You know the alleged source, but the amounts
seem wrong or it seems to be for something you didn’t receive. So you e-
mail them or pick up the phone and call them and ask “What’s this for? I
have no record of receiving this item/performing this service.” The
signature isn’t going to prove anything in that regard, and you’re just
asking them for clarification on the invoice. -
Their response is going to be either: a) “Yes, we did issue that
invoice for that amount, and we show a delivery confirmation for the item/
other proof of services rendered,” or b) “No, we didn’t send that to
you. Can you send a copy to us along with the headers from the original
e-mail containing the attachment so we can figure out who’s pretending to
be us?”
Digital signatures don’t play into that at all.
>> I mean, if it’s a potential for someone to send you a fake invoice to
>> be paid under someone else’s name, it seems trivial to get in touch
>> with a representative of the organization that’s named on the invoice
>> to get verification and documentation based on the invoice number.
>
> In theory, yes
>
> In reality, I just boot up Windows and check the document there.
That works as well. Inconvenient, sure, but you get what you need.
> See, there are several proprietary and very used software pieces that
> are abandoning the Linux camp. Why? Flash, Acroread… Are they an
> attempt to force stop collaboration between the Windows and Free camps,
> limited as it were?
Both are Adobe products in this instance, so ask Adobe. (I seem to
remember saying that before somewhere… )
Jim
Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C