Originally published at: Texas A&M president resigns amid scandal over college withdrawing job offer to Black professor | Boing Boing
…
It’s definitely not the biggest part of the story; but that makes me wonder how they are messing up electronic signatures. You don’t just modify a signed payload without breaking the signature.
Yeah, that’d be me.
That works if you’re assuming it was digitally signed in the cryptography sense. In most of these cases the digital signature in question is just a scanned image of a physical signature pasted into a word document.
That does seem most likely; either an image cut and paste or a window ink object(if there are surface/tablet users around) is all too common for ‘digital signature’(and, realistically, those aren’t more broken than traditional signatures; just more obvious about it, and less irksome than the print/sign-with-pen/scan cycle). That said, it looks like Texas A&M has some sort of site license with DocuSign (switching to Adobe Sign at the end of October); and those guys are in the business of ‘digital signatures’ that combine both the unreadable cursive that soothes old people and the cryptographic signatures that actually secure documents; so it strikes me as a bit surprising(though not shocking, given the amount of apparent irregularity in this hiring process) that something like an offer letter would have been done through some janky ad-hoc workflow if that’s an established resource.
I realize that I’m getting into the weeds of the story because it’s the part that I have some familiarity with; but I’d be curious to know if, despite the availability of the tools, it’s normal for fairly high profile documents to be handled outside the lines; whether it’s absolutely not normal but easy enough to pull the original offer letter out of the usual workflow and do some janky copy/paste edits; or whether there might be some skullduggery by which the signature was obtained(especially with ‘managed’ signing services making off with the signing key is generally difficult; but getting signed in such that the service will let you use the signing key is often less so; especially if you are the university president and can lean on an IT minion).
Absolutely damning regardless of implementation, of course.
This topic was automatically closed after 5 days. New replies are no longer allowed.