Intelligent Enterprise featuring Transform

February 2001

Sign on the (Digital) Dotted Line

by Jim Minihan

When President Clinton signed the "Electronic Signatures in Global and National Commerce Act" last June, he signed it twice. His first signature was done in the traditional pen-and-ink method to legitimize what he would do next. Using the password "Buddy" (his dog's name), the president then used a smart card encoded with a numerical string that was his digital signature. In doing so, the United States took a major step forward in the use of digital signatures for completing transactions in a fully electronic environment.

Reader Resources

Silanis Technology
Montreal
514-337-5255
www.silanis.com

PenOp
Redwood Shores, CA
650-802-7888
www.penop.com

Anonymous Data
Las Vegas
702-933-3713
www.adcx.com

Entrust Technologies
Plano, TX
972-943-7300
www.entrust.com

UserTrust
Salt Lake City
801-363-9748
www.usertrust.com

Verisign
Mountain View, CA
650-961-7500
www.verisign.com

The federal legislation largely puts to rest the issue of the acceptance of electronic documents, but just what are the technologies that will make electronic transactions real? In fact, electronic and digital signatures are actually two separate technologies, and they are deployed and applied in very different ways.

The term "electronic signature" is a general reference to technologies that allow a person (or machine) to mark a document. In doing so, the document gains some level of authentication while its content is locked down at the same time. In some cases, the document can also be encrypted to prevent its being compromised.

There are many forms of electronic signatures. According to Benjamin Wright, noted e-commerce attorney and co-author of "Law of Electronic Commerce," "how, where and when electronic signatures are used require the same care and common sense one would apply to the use of pen-and-ink signatures." Wright cautions that there is no single technical approach that dominates the field at this point.

A digital signature ensures that the content of a document has not been altered and prevents the sender from repudiating the fact that he or she signed and sent the document. Digital signature solutions rely on the mathematically complex world of asymmetric cryptography.

According to the American Bar Association, in its "Technical Guidelines on Digital Signatures," a signature is not part of the substance of a transaction, but rather of its representation or form. A signature serves the general purposes that follow, among others.

Evidence. A signature authenticates a writing by identifying the signer with the document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.

Ceremony. The act of signing a document calls to the signer's attention the legal significance of the signer's act, and thereby helps prevent inconsiderate engagements.

Approval. In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention of legal effect.

Efficiency and logistics. A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, to change hands with ease, rapidity and minimal interruption.

Deterrence. To discourage transactions of doubtful utility.

To achieve these characteristics in the electronic world, a mark must be associated with the signer. Therein lies the potential for problems. Control of a signature is the obligation of the owner. When a signature exists on a rubber stamp, the owner has an obligation to safeguard the stamp.

Similarly, electronic signatures must be safeguarded. The technologies and processes associated with such applications are meant to do just that. In fact, some approaches go a step further by providing encryption once the signature is applied to prevent document tampering.

There are several types of solutions, and although each is intended to stand alone, most organizations will likely find that a combination of technologies is needed.

Electronic Signatures

The most basic approach to electronic signatures displays a bitmapped image of a personal signature within the document to illustrate approval of its contents and to identify the signer. This locks down the document, and any change would void the signature. Approve It, from Silanis Technology, Montreal, manages a complete approval process for a document by allowing multiple signatures.

One concern often voiced is "control" of the signature. Some electronic signature solutions require nothing more than a password to apply the signature. If a user's password and PC are readily available (like that rubber stamp signature left in an unlocked drawer), the signature can be applied fraudulently. For this reason, some companies take the "biometric" approach, which uses the physical characteristics of a signature (such as stroke speed, pressure and character formation) to verify the signer's identity. The document is locked along with a digital record of the signature characteristics in the event the signature is later challenged.

Sign-it, from PenOp, Redwood Shores, CA, offers such a product. Other biometric approaches use scans of fingerprints, facial recognition, voice recognition or even an eye's iris. Anonymous Data Corp., Las Vegas, offers products that rely on either iris or fingerprint identification.

Most electronic signature solutions require application software to be available on both the signer's and the recipient's PC. While this works well within an organization, it may not be practical to use between otherwise unrelated individuals and organizations.

Digital Signatures

A digital signature is not a picture. It marks a document with one half of a key pair and requires the second half to authenticate the signer. This is commonly known as "Public Key Infrastructure" or PKI.

In practice, a user installs one key on a PC or portable device such as a smart card. This is a private key (signature) and must be safeguarded. The matching key is public. It is a mathematical derivative of the private key, but it is computationally infeasible to derive the private key from the public key. This public key is available to anyone who needs to authenticate a received signature.

Signing a document with the private key produces an encrypted "hash" value of the document. If the document is altered, its hash value no longer corresponds to the original value. This invalidates both the document and the virtual signature.

PKI systems comprise five elements. Two elements are the entities applying the signature and the entities relying on the signature's authenticity. The three remaining elements are:

- The Certification Authority (CA), which provides the key pairs.

- The Registration Authority (RA), which is responsible for the "vetting" process that establishes an identity to the satisfaction of the participants. Once satisfied, the RA authorizes the issuance of a key pair.

- The Certificate Repository (CR), which keeps information about public keys and the identity behind them. Users go here to authenticate a message or signature.
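The sign, hash and verify flow described above, together with the repository lookup a relying party performs, as an added example that is not part of the original article. It uses textbook RSA over SHA-256 with constructed, deliberately small demo primes (no padding, not suitable for real signatures); the identities, document text, class and function names are hypothetical.

```python
import hashlib

# Constructed demo primes (two Mersenne primes). Textbook RSA with no padding
# and a ~234-bit modulus: for illustration only, never for real signatures.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537

def make_key_pair():
    """CA role in the article: provide the key pair."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
    return (n, d), (n, E)              # (private key, public key)

def digest(document: bytes, n: int) -> int:
    """Hash the document and map it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(document: bytes, private_key) -> int:
    n, d = private_key
    return pow(digest(document, n), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(document, n)

class CertificateRepository:
    """CR role: maps a vetted identity to its public key."""
    def __init__(self):
        self._keys = {}
    def publish(self, identity, public_key):
        self._keys[identity] = public_key
    def lookup(self, identity):
        return self._keys.get(identity)

def rely_on(repo, identity, document, signature) -> str:
    """Relying party: fetch the signer's public key, then check the signature."""
    public_key = repo.lookup(identity)
    if public_key is None:
        return "unknown signer"
    return "valid" if verify(document, signature, public_key) else "invalid"

if __name__ == "__main__":
    private_key, public_key = make_key_pair()
    repo = CertificateRepository()
    repo.publish("alice@example.com", public_key)   # constructed identity
    contract = b"Pay 100 dollars to Bob"            # constructed document
    sig = sign(contract, private_key)
    print(rely_on(repo, "alice@example.com", contract, sig))
    print(rely_on(repo, "alice@example.com", b"Pay 900 dollars to Bob", sig))
    print(rely_on(repo, "mallory@example.com", contract, sig))
```

The relying party never sees the private key: it needs only the document, the signature and the public key it fetched from the repository.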

PKI can be very complex, especially since it is also used to provide message encryption in digital certificate implementations. Fortunately, it is very simple for the end user to apply the signature in day-to-day use.

Digital signature software and service providers include Entrust, Plano, TX; and UserTrust, Salt Lake City, both of which provide commercial CA services. Large organizations may also consider Verisign, Mountain View, CA. Be advised that building a PKI is an enormous undertaking, especially if unrelated third parties will rely on the signatures.

Time will tell how quickly acceptance of electronic documents will take hold. Electronic and digital signature solutions may bring legally acceptable authentication to electronic documents, but the technology may take time to reach widespread market acceptance.

Jim Minihan--Based in Warrenton, VA, Minihan is a partner with Imerge Consulting. He specializes in digital signatures, workflow and process management. Contact 540-937-9970 or jim@imergeconsult.com.

 




A Publication of the Network Computing Enterprise Architecture Group
Brought to you by CMP Media LLC, Copyright © 2005