Electronic signature technologies: a tutorial. (Cover Story)

AT THE CORE
THIS ARTICLE EXAMINES:
* acceptance, security, integrity, and authentication issues in electronic signature technologies
* what qualifies an electronic signature as authentic
* the role of public key infrastructure (PKI)

A step forward in one area of technology occasionally results in a leap forward in another. Just as the keystone in an arch allows the arch to carry the load of a bridge without having to build an entire supporting wall, one technology can bring others to finally complete an otherwise incomplete infrastructure. Electronic signature technology could well be such a keystone, as it addresses the limited acceptance of electronic document and content management systems.

For several years, electronic document management systems have struggled to reach broad market acceptance as necessary infrastructure. While some of the blame for this lack of acceptance can be placed on the fact that many products lack one important component or another, the real reasons are rarely discussed. Clearly, there is little sense in investing so heavily in computers and networks merely to pay lip service to an ability to create, distribute, use, and manage our documents in a purely digital environment -- and never achieve that result. Why have so many spent so much to put in place a digital potential that still requires much of our work product to be printed? Even if we don't want to have to print it!

The real issues are acceptance, security, integrity, and authentication. These have proved to be the four horsemen of the digital document apocalypse.

Acceptance: No one wants to be the first to have a contract denied effect or a court defense smashed because they relied on the electronic version of an all-important document that never saw a printer or the inside of a file cabinet. This most heinous horseman exists because of his cohorts.

Security: In the digital world, the perception is that information can too easily be compromised. Consequently, the really important documents must be converted to paper, where they can be entrusted to the rock-solid security of file cabinets for storage and the postal service -- or better yet, commercial express mail carriers -- for transport.

Integrity: How does one know that the message or information that was sent was exactly what was received? We rest assured that no one could ever possibly manipulate paper-based information.

Authentication: We can sign printed documents to establish them as authentic and add ceremony to the fact that we agree with the contents. The important act of signing a document is well established in English common law. Even with the best of fine-tip pens, we would have a hard time scribbling our names on electrons.
The irony here suggests that paper documents were never immune from any of these demons. Nevertheless, the acceptance of electronic documents has been thoroughly hobbled by their existence -- real or imagined. Happily, the forces of change are gathering strength.

Relevant Legislation

On June 30, 2000, former U.S. President Bill Clinton, mere feet away from the location where the Constitution of the United States was signed in Philadelphia, signed the Electronic Signatures in Global and National Commerce Act. His first signature was done by the traditional pen and ink method, since the law that would be signed was necessary to legitimize what he would do next. Using the password "Buddy" (his dog's name), the president then used a smart card encoded with a numerical string that was his digital signature. By this action, a major step forward was taken to advance the use of electronic signatures to complete transactions in a fully electronic environment. With the stroke of both pen and digital device, the keystone was set. This allows a new bridge to be built between a history of pen and paper as the exclusive safe harbor for official documents and our digital future, where paper is a convenient viewer but no longer the only legally accepted medium for document-based information.

This federal legislation is not the only change pushing electronic documents and signatures forward. The National Council of Commissioners for Uniform Law has seen growing acceptance of the Uniform Electronic Transactions Act (UETA). Many state legislatures around the United States have already approved this legislation, and the rest are likely to follow. Simply put, UETA says that an electronic document or transaction cannot be denied legal effect merely because it is electronic. At least one state, Kansas, went even further by combining its electronic signature law with UETA, so electronic documents and signatures clearly have the same status in law as paper and ink for most purposes. As a practical matter, the legal cloud surrounding electronic documents and signatures to support most transactions is gone.

Electronic Signatures

Electronic signature generally refers to a number of technologies that allow a person (or machine) to electronically "mark" a document.
In doing so, the document is provided some level of authentication by "locking down" the document's content at the time it is signed. In some cases, the document can also be encrypted to prevent its being compromised or viewed by unauthorized parties.

Technical neutrality on the use of electronic signatures seems to be a hallmark of most of the legislation in effect at this time. This is done to prevent legislative obsolescence in the face of new technologies, but also because more than one technology is available today and a comprehensive solution could make use of combinations of them. There are many forms of electronic signatures. According to Benjamin Wright, noted e-commerce attorney and co-author of Law of Electronic Commerce, "How, where and when electronic signatures are used requires the same care and common sense that one would apply to the use of pen and ink signatures." Wright also cautions that there is no single technical approach that dominates the field at this point. Most approaches, however, are targeted at providing the same or greater confidence in the signed (digital) document as would be available to its paper, pen, and ink counterpart.

Historically, a signature is any mark made by persons with the intent that it be their signature. English common law (on which much of Western law is based) has defined what a signature is as well as the purpose it serves. According to the American Bar Association's "Technical Guidelines on Digital Signatures," a signature is not part of the substance of a transaction but rather of its representation. Signing a document serves the following abbreviated list of general purposes:

Evidence: A signature authenticates a written document by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.

Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act and thereby helps prevent poorly considered engagements.

Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing's content or the signer's intent that it have legal effect and force.

Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.

Deterrence: To discourage transactions of doubtful utility.

To achieve these characteristics in the electronic world, our "mark" must somehow be associated with us. Therein lies the potential for problems. Control of one's signature is the obligation of the owner. If our signatures existed on a rubber stamp because we sign many documents, there would be an obligation to safeguard the stamp. Similarly, electronic signatures must be protected.
The technologies and processes associated with such applications are meant to do just that.

Is It Authentic?

What qualifies as an electronic signature can come about through how a transaction is interpreted within an organization or through deliberate use of special applications. An example of a signature-by-interpretation can be found in the use of passwords, in originating an e-mail, or in simply typing one's name into an electronic document. In these instances the implication that someone has "signed" something is defined by the organization and their relationship to it. For example, an insurance claims adjuster approving a claim electronically after logging onto the system using a password is capable of making such a transaction by delegation of authority. Signatures can be approvals of actions such as this, and if supervisors challenge the transaction, they would know who made it and be hard pressed to recover the payment that would have been made. Many do not realize that when they send an e-mail it is considered a signed document. If it were used to make a transaction, repudiating it would be difficult without first establishing a reasonable case for who else had access to one's e-mail. The writing is considered theirs, and they would have to defend their claim to the contrary.

An increasingly familiar way to sign a document is by direct capture of a bitmap of the signature. Examples of this technology can be found in many retail environments where a stylus is used to sign a pad to authorize a credit card transaction. This captures the actual signature at the time of the card's use. This technology minimizes repudiation and the merchant's need to save paper receipts. An example of this approach is Approve It from Silanis Technology (www.silanis.com). This product allows the merchant to affix a bitmap of a customer's signature to a document. In doing so, encryption techniques "lock" the document so that it cannot be tampered with without losing the signature. This technology also allows the user to manage a complete approval process for a document by allowing multiple signatures.

Some electronic signature solutions require nothing more than a password to apply the signature. If the individual's password and PC are both readily available (much like leaving a rubber stamp signature in an unlocked drawer), a signature can be applied without the signer's knowledge. A more deliberate method of signing electronically comes in a variety of applications that tie the signer to the act of signing by using some physical attribute of the signer. Biometric applications identify or confirm identity by using fingerprint or handprint, retinal pattern, face pattern, or voice characteristics. Biometric applications help address concerns over control of the password.
By coupling what the signer knows (the password) with what the signer has (physical characteristics), biometric applications enable electronic signatures by addressing authentication and non-repudiation. Anonymous Data Corporation (www.adcx.com) is an example of a company that offers a product that uses either iris or fingerprint identification. At least one product provides a hybrid solution by combining biometrics with the act of signing itself. Communication Intelligence Corporation's (www.cic.com) Sign-it product uses the physical characteristics of a signature (stroke speed, pressure, character formation) to validate the signer as genuine. The document is locked with a file of those characteristics in the event the signature is later challenged; it requires that a digital signature pad be available to the user.

Adoption of one approach over another is determined by the importance of the documents the organization wants to authenticate and secure. Often the document is just as effective without a signature. An example of this fact is an office memo about when the restrooms will be closed for repair. There was a time when this memo would have been initialed by the sender. Today, such a memo is distributed by e-mail. A surprise to many is the fact that this e-mail can be interpreted as "signed" simply because the author sent it and by the simple existence of their name on it. As long as the document is not repudiated, the document is the presumed author's writing.

Most e-signature solutions require the software application to be available on both the signer's and the document recipient's computers.
While this approach works well within an organization, it may not be in wide use between otherwise unrelated individuals and organizations. Attempting to fill this larger need in digital signatures is public key infrastructure (PKI).

Digital Signatures

A digital signature is a method of signing electronic documents that provides the recipient with a way to verify the sender's identity and the authority of the sender. Additionally, it can determine that the content of the document has not been altered since it was signed and thus prevent senders from repudiating the fact that they signed and sent the document. A digital signature relies on the mathematically complex world of asymmetric cryptography. In use for many years to provide encryption of messages for security, the same technology is used to create a virtual signature. A digital signature, however, is not a picture of a signature in any sense. It is a means of marking a document with one half of a key pair in such a way as to require the second half of the key pair to authenticate the signer.

On receipt of the key pair, one of the keys is installed on the signer's PC or some portable device, such as a smart card. This is the private key (one's signature); it must be handled with care. The other part of the key pair is the public key. It is a mathematical derivative of the private key, but it is computationally infeasible to derive the private key from the public key. This public key is available to anyone who would want to authenticate a signature. When one "signs" a document, the private key is applied to a "hash value" (a fixed-length digest) of the document. If the document is tampered with, the hash value no longer corresponds to the original value, thereby invalidating the document and the virtual signature.
PKI is comprised of a number of elements that may be controlled within a single organization or in a service delivery environment using multiple organizations. Typically, there are five elements. Two of them are the entities using (applying) the signature or relying on the signature's authenticity. The other elements, which carry out the infrastructure, are:

* Certification authority (CA): The organization that provides the key pairs.
* Registration authority (RA): Responsible for the "vetting" process, where the signer establishes his identity to the satisfaction of the participants in the environment. This could be as routine as providing your name and address over the Web or as complex as appearing at a physical site with multiple forms of identification. Once satisfied, the RA authorizes the issuance of the key pair.
* Certificate repository (CR): The keeper of information about public keys and the identity behind them. This is where a person would go to authenticate a message or signature.

PKI can be very complex to understand, especially since it is also used to provide message encryption when used in a digital certificate implementation. Fortunately, in day-to-day use it is simple for the end user to apply the signature. The cornerstone characteristics of PKI are its ability to scale to vast numbers of users and to be implemented within a group of unrelated users. In the most rigorous environments, obtaining a key pair can require proof of identification provided in person, as for a passport or notarization of a document.
The registration authority that checks and validates the individual's identification begins a "chain of trust" that can be used by any number of relying parties who trust the registration authority to have performed its duty sufficiently. This also makes the registration authority and the certificate authority parties to the use of the signature. When a relying party wishes to validate the identity of the signer, all the information used to establish the authenticity of the signer is called upon as evidence of that identity.

There are a number of software and service providers that can provide digital signatures and certificates. Baltimore Technology (www.baltimore.com) provides commercial certificate authority services, as do Entrust (www.entrust.com) and USERTrust (www.usertrust.com). Larger organizations that wish to control the entire environment can purchase the software solution. Although it also offers services, Verisign (www.verisign.com) sells the software with which an organization can establish its own PKI. Building a PKI is an enormous undertaking, however.

Digital signatures (certificates) and PKI are already in broad use. Secure Sockets Layer (SSL), a technology that uses digital certificates, is found in hundreds of Web sites providing security for electronic transactions. The federal government has so many agencies establishing their own PKI that it has had to establish the Federal Bridge Management Authority. This organization sets U.S. standards to act as a gateway or clearinghouse for the individual certificate policies that stand behind the various levels of keys in use by each agency. The U.S. Department of Defense and NASA both use digital signatures for a number of internal transactions and transactions with commercial suppliers. The United States Patent and Trademark Office (USPTO) is working on implementing a PKI that would recognize and be recognized by other countries and the United Nations to enable international patent and trademark filings.

Time will tell if the enhanced stature of electronic documents will bring renewed interest to document management tools. Electronic signatures are bringing a newfound acceptance and authentication to digital documents. Ability and action, however, are very different things. So, a final question remains: How long will we continue converting digital content to paper solely to manage its credibility and authenticity? Those who do can no longer point to the need for a wet-ink signature.

Paper/Pen/Ink Issues
* Authenticity
* Authorization
* Identity
* Confidentiality
* Auditability

Digital Document Concerns
* Interception
* Tampering
* Deception
* Non-repudiation
* Authenticity

Paper/Pen/Ink Solutions
* Notary public
* Power of attorney
* Identification (e.g., driver's license)
* Certified mail
* Return receipt

Digital Document Solutions
* Secure Sockets Layer (SSL)
* "Hash" (encryption)
* Digital certificate
* Legal digital signature
* Vetting

ABOUT THE AUTHOR: Jim Minihan is a Partner and President of IMERGE Consulting in Warrenton, Virginia. He is an Information Management Specialist in the areas of workflow and process management and is an author and instructor on advanced management practices, technology evaluation, and acquisition and implementation strategies. He has recently consulted with organizations in the use of digital signature and public key infrastructure. The author may be reached at jim@imergeconsult.com

REFERENCES
Digital Signature Guidelines. Chicago: American Bar Association, 1996.
Wright, Benjamin. Law of Electronic Commerce: EDI, Fax, and E-Mail: Technology, Proof, and Liability. Boston: Little, Brown, 1991.