Electronic signature technologies: a tutorial. (Cover Story).
THIS ARTICLE EXAMINES:
* acceptance, security, integrity, and authentication issues in electronic signature technologies
* what qualifies an electronic signature as authentic
* the role of public key infrastructure (PKI)
A step forward in one area of technology occasionally results in a leap forward in another. Just as the keystone in an arch allows the arch to carry the load of a bridge without having to build an entire supporting wall, one technology can bring others to finally complete an otherwise incomplete infrastructure. Electronic signature technology could well be such a keystone as it addresses the limited acceptance of electronic document and content management systems.
For several years, electronic document management systems have struggled to reach broad market acceptance as necessary infrastructure. While some of the blame for this lack of acceptance can be placed on the fact that many products lack one important component or another, the real reasons are rarely discussed. Clearly, there is little sense in investing so heavily in computers and networks merely to pay lip service to an ability to create, distribute, use, and manage our documents in a purely digital environment -- and never achieve that result. Why have so many spent so much to put in place a digital potential that still requires much of our work product to be printed? Even if we don't want to have to print it!
The real issues are acceptance, security, integrity, and authentication. These have proved to be the four horseman of the digital document apocalypse.
Acceptance: No one wants to be the first to have a contract denied effect or a court defense smashed because they relied on the electronic version of an all-important document that never saw a printer or the inside of a file cabinet. This most heinous horseman exists because of his cohorts.
Security: In the digital world, the perception is that information can too easily be compromised. Consequently, the really important documents must be converted to paper where they can be entrusted to the rock-solid security of file cabinets for storage and the postal service -- or better yet, commercial express mail carriers -- for transport.
Integrity: How does one know that the message or information that was sent was exactly what was received? We rest assured that no one could ever possibly manipulate paper-based information.
Authentication: We can sign printed documents to establish them as authentic and add ceremony to the fact that we agree with the contents. The important act of signing a document is well established in English common law. Even with the best of fine-tip pens, we would have a hard time scribbling our names on electrons.
The irony here suggests that paper documents were never immune from any of these demons. Nevertheless, the acceptance of electronic documents has been thoroughly hobbled by their existence -- real or imagined. Happily, the forces of change are gathering strength.
On June 30, 2000, former U.S. President Bill Clinton, mere feet away from the location where the Constitution of the United States was signed in Philadelphia, signed the Electronic Signatures in Global and National Commerce Act. His first signature was done by the traditional pen and ink method since the law that would be signed was necessary to legitimize what he would do next. Using the password "Buddy" (his dog's name) the president then used a smart card encoded with a numerical string that was his digital signature. By this action, a major step forward was taken to advance the use of electronic signatures to complete transactions in a fully electronic environment. With the stroke of both pen and digital device, the keystone was set. This allows a new bridge to be built between a history of pen and paper as the exclusive safe harbor for official documents and our digital future where paper is a convenient viewer but no longer the only legally accepted medium for document-based information.
This federal legislation is not the only change pushing electronic documents and signatures forward. The National Council of Commissioners for Uniform Law has had growing acceptance of the Uniform Electronic Transactions Act (UETA). Many state legislatures around the United States have already approved this legislation, and the rest are likely to follow. Simply put, UETA says that an electronic document or transaction cannot be denied legal effect merely because it is electronic. At least one state, Kansas, went even further by combining their electronic signature law with UETA and so electronic documents and signatures clearly have the same status in law as paper and ink for most purposes. As a practical matter, the legal cloud surrounding electronic documents and signatures to support most transactions is gone.
Electronic signature generally refers to a number of technologies that allow a person (or machine) to electronically "mark" a document. In doing so, the document is provided some level of authentication by "locking down" the document's content at the time it is signed. In some cases, the document can also be encrypted to prevent its being compromised or viewed by unauthorized parties.
Technical neutrality on the use of electronic signature seems to be a hallmark of most of the legislation in effect at this time. This is done to prevent legislative obsolescence in the face of new technologies but also because more than one technology is available today and a comprehensive solution could make use of combinations of them.
There are many forms of electronic signatures. According to Benjamin Wright, noted e-commerce attorney and co-author of Law of Electronic Commerce, "How, where and when electronic signatures are used requires the same care and common sense that one would apply to the use of pen and ink signatures." Wright also cautions that there is no single technical approach that dominates the field at this point. Most approaches, however, are targeted at providing the same or greater confidence in the signed (digital) document as would be available to its paper, pen, and ink counterpart.
Historically, a signature is any mark made by persons with the intent that it be their signature. English common law (on which much of Western law is based) has defined what a signature is as well as the purpose it serves. According to the American Bar Association's "Technical Guidelines on Digital Signatures," a signature is not part of the substance of a transaction but rather of its representation. Signing a document serves the following abbreviated list of general purposes:
Evidence: A signature authenticates a written document by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
Ceremony: The act of signing a document calls to the signer's attention the legal significance of the signer's act and thereby helps prevent poorly considered engagements.
Approval: In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing's content or the signer's intent that it have legal effect and force.
Efficiency and logistics: A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. Negotiable instruments, for example, rely upon formal requirements, including a signature, for their ability to change hands with ease, rapidity, and minimal interruption.
Deterrence: To discourage transactions of doubtful utility.
To achieve these characteristics in the electronic world, our "mark" must somehow be associated with us. Therein lies the potential for problems. Control of one's signature is the obligation of the owner. If our signatures existed on a rubber stamp because we sign many documents, there is an obligation to safeguard the stamp. Similarly, electronic signatures must be protected. The technologies and processes associated with such applications are meant to do just that.
Is It Authentic?
What qualifies as an electronic signature can come about through how a transaction is interpreted within an organization or can do so by deliberate use of special applications. An example of a signature-by-interpretation can be found in the use of passwords, by originating an e-mail, or by simply typing one's name into an electronic document.
In these instances the implication that someone has "signed" something is defined by the organization and their relationship to it. For example, an insurance claims adjuster approving a claim electronically after logging onto the system using a password is capable of making such a transaction by delegation of authority. Signatures can be approvals of actions such as this, and if supervisors challenge the transaction, they would know who made it and be hard pressed to recover the payment that would have been made.
Many do not realize that when they send an e-mail it is considered a signed document. If it were used to make a transaction, repudiating it would be difficult without first establishing a reasonable case for whom else had access to one's e-mail. The writing is considered theirs, and they would have to defend their claim to the contrary.
An increasingly familiar way to sign a document is by use of direct-capture bitmap of the signature. Examples of this technology can be found in many retail environments where a stylus is used to sign a pad to authorize a credit card transaction. This captures the actual signature at the time of the card's use. This technology minimizes repudiation and the merchant's need to save paper receipts. An example of this approach is Approve It from Silanis Technology (www.silanis.com). This product allows the merchant to affix a bit map of a customer's signature to a document. In doing so, encryption techniques "lock" the document so that it cannot be tampered with without losing the signature. This technology also allows the user to manage a complete approval process for a document by allowing multiple signatures.
Some electronic signature solutions require nothing more than a password to apply the signature. If the individual's password and one's PC are both readily available (much like leaving a rubber stamp signature in an unlocked drawer) a signature can be applied without the signer's knowledge.
A more deliberate method of signing electronically comes in a variety of applications that tie the signer together with the act of signing by using some physical attribute of the signer. Biometric applications identify or confirm identity by using fingerprint or handprint, retinal pattern, face pattern, or voice characteristics. Biometric applications help address concerns over control of the password. By coupling what the signer knows (the password) with what the signer has (physical characteristics), biometric applications enable electronic signatures by addressing authentication and non-repudiation. Anonymous Data Corporation (www.adcx.com) is an example of a company that offers a product that uses either iris or fingerprint identification.
At least one product provides a hybrid solution by combining biometrics with the act of signing itself. Communication Intelligence Corporation's (www.cic.com) Sign-it product uses the physical characteristics of a signature (stroke speed, pressure, character formation) to validate the signer as genuine. The document is locked with a file of those characteristics in the event the signature is later challenged; it requires that a digital signature pad be available to the user.
Adoption of one approach over another is determined by the importance of the documents the organization wants to authenticate and secure. Often the document is just as effective without a signature. An example of this fact is an office memo about when the restrooms will be closed for repair. There was a time when this memo would have been initialed by the sender. Today, such a memo is distributed by e-mail. A surprise to many is the fact that this e-mail can be interpreted as "signed" simply because the author sent it and by the simple existence of their name on it. As long as the document is not repudiated, the document is the presumed author's writing.
Most e-signature solutions require the software application to be available on both the signer's and the document recipient's computers. While this approach works well within an organization, it may not be in wide use between otherwise unrelated individuals and organizations. Attempting to fill this larger need in digital signatures is public key infrastructure (PKI).
A digital signature is a method of signing electronic documents that provides the recipient with a way to verify the sender's identity and the authority of the sender. Additionally, it can determine that the content of the document has not been altered since it was signed and thus prevent senders from repudiating the fact that they signed and sent the document.
A digital signature relies on the mathematically complex world of asymmetric cryptography. In use for many years to provide encryption of messages for security, the same technology is used to create a virtual signature. A digital signature, however, is not a picture of a signature in any sense. It is a means of marking a document with one-half of a key pair in such a way as to require the second half of the key pair to authenticate the signer. On receipt of the key pair, one of the keys is installed on the signer's PC or some portable device, such as a smart card. This is the private key (one's signature); it must be handled with care. The other part of the key pair is the public key. It is a mathematical derivative of the private key, but it is computationally infeasible to derive the private key from the public key. This public key is available to anyone that would want to authenticate a signature. When one "signs" a document, the key is used to create a "hash value" of the document. If the document is tampered with, the hash value no longer corresponds to the original value, thereby invalidating the document and the virtual signature.
PKI is comprised of a number of elements that may be controlled within a single organization or in a service delivery environment using multiple organizations. Typically, there are five elements. Two of them are the entities using (applying) the signature or relying on the signature's authenticity. The other elements, which carry out the infrastructure, are
* Certification authority (CA): The organization that provides the key pairs
* Registration authority (RA): Responsible for the "vetting" process where the signer establishes his identity to the satisfaction of the participants in the environment. This could be as routine as providing your name and address over the Web or as complex as appearing at a physical site with multiple forms of identification. Once satisfied, the RA authorizes the issuance of the key pair.
* Certificate repository (CR): The keeper of information about public keys and the identity behind them. This is where a person would go to authenticate a message or signature.
PKI can be very complex to understand, especially since it is also used to provide message encryption when used in a digital certificate implementation. Fortunately, in day-to-day use it is simple for the end user to apply the signature.
The cornerstone characteristics of PKI are its ability to scale to vast numbers of users and be implemented within a group of unrelated users. In the most rigorous environments, obtaining a key pair can require proof of identification provided in person, as for a passport or notarization of a document. The registration authority that checks and validates the individual's identification begins a "chain of trust" that can be used by any number of relying parties who trust the registration authority to have performed its duty sufficiently. This also makes the registration authority and the certificate authority parties to the use of the signature. When a relying party wishes to validate the identity of the signer, all the information used to establish the authenticity of the signer is called upon as evidence of that identity.
There are a number of software and service providers that can provide digital signatures and certificates. Baltimore Technology (www.baltimore.com) provides commercial certificate authority services as does Entrust (www.entrust.com) and USERTrust (www.usertrust.com). Larger organizations that wish to control the entire environment can purchase the software solution. Although it also offers services, Verisign (www.verisign.com) sells the software with which an organization can establish its own PKI. Building a PKI is an enormous undertaking, however.
Digital signature (certificates) and PKI are already in broad use. Secured socket layer (SSL), a technology that uses digital certificates, is found in hundreds of Web sites providing security for electronic transactions. The federal government has so many agencies establishing their own PKI that they have had to establish the Federal Bridge Management Authority. This organization sets U.S. standards to act as a gateway or a clearinghouse for the individual certificate policies that stand behind the various levels of keys in use by each agency. The U.S. Department of Defense and NASA both use digital signatures for a number of internal transactions and transactions with commercial suppliers. The United States Patent and Trademark Office (USPTO) is working on implementing a PKI that would recognize and be recognized by other countries and the United Nations to enable international patent and trademark filings.
Time will tell if the enhanced stature of electronic documents will bring renewed interest to document management tools. Electronic signatures are bringing a newfound acceptance and authentication to digital documents. Ability and action, however, are very different things. So, a final question remains: How long will we continue converting digital content to paper solely to manage its credibility and authenticity? Those who do can no longer point to the need for wet-ink signature.
Digital Document Concerns
* Notary public
* Power of attorney
* Identification (e.g., driver's license)
* Certified mail
* Return receipt
Digital Document Solutions
* Secure socket layer (SSL)
* "Hash" (encryption)
* Digital certificate
* Legal digital signature
ABOUT THE AUTHOR: Jim Minihan is a Partner and President of IMERGE Consulting in Warrenton, Virginia. He is an Information Management Specialist in the areas of workflow and process management and is an author and instructor on advanced management practices, technology evaluation, and acquisition and implementation strategies. He has recently consulted with organizations in the use of digital signature and public key infrastructure. The author may be reached at firstname.lastname@example.org
Digital Signature Guidelines. Chicago: American Bar Association, 1996.
Wright, Benjamin. Law of Electronic Commerce: Edi, Fax, and e-Mail: Technology, Proof, and Liability. Boston: Liffle, Brown, 1991.
|Printer friendly Cite/link Email Feedback|
|Publication:||Information Management Journal|
|Date:||Oct 1, 2001|
|Previous Article:||Moving forward. (From The Editors).|
|Next Article:||Legal issues in documenting: e-commerce transactions. (Cover Story).|