27 August 2002: W3C is pleased to announce the advancement of XML-Signature XPath Filter 2.0 to Proposed Recommendation. Comments are welcome through 24 September. The specification defines a means to digitally sign a document subset using XPath, the language for addressing parts of an XML document. Visit the XML Signature home page.

This press release got my attention. It has been two years since the federal E-SIGN Bill became law (October 1, 2000). You remember all the hype. There was also a model law individual states could adopt, UETA (the Uniform Electronic Transactions Act). This legislation was designed to give electronic signatures and contracts the same legal weight as their paper counterparts. It was supposed to revolutionize financial services, banking, and insurance. It made it possible for legally complex business transactions to be completed instantly using the Internet. The popular press (and presumably Congress) expected this bill to transform the way we do business. It hasn't happened yet. Maybe it was a lot of sound and fury signifying nothing.

The insurance industry lives on paper. We have forms for every possible situation and claim. We have long and sometimes complex contracts, all of which must be signed and authenticated before a policy can go into effect or a claim settled. The ability to process all these documents electronically would certainly streamline our process flow. (The industry obviously does process much paperwork electronically; some insurance companies are virtually paperless. In this article, I am focusing on digital signatures, not computerized forms and documents.) Elimination of human touch points results in increased efficiency and reduced costs. Given that, why aren't we doing business electronically, and specifically, why aren't we all using digital signatures? The single biggest delay in completing any contract (once the terms have been agreed upon) is in the delivery, signing, and witnessing of paper documents. I suggest this is another example where we have expected computers to solve problems that transcend their ability. Let's take a high-level look at electronic signatures.

What Is a Signature?

What significance is attached to signing a document? I realize there are formal legal definitions associated with a signature, but let's just stick with a common-sense approach. My mark or signature on a document signifies that:

I am associated with the document.

I approve the document.

I am who I represent myself to be.

I cannot deny the above.

When I sign a contract, I am asserting I agree with the contract and I am intentionally stating my agreement by attaching my signature. We often initial each page of an important document to further ensure we have examined and approved those specific pages. Very important documents require my signature be witnessed by one or more individuals who affirm I am in fact whom I say I am and I am making that signature.

What Is an Electronic Signature?

The E-SIGN bill defines an electronic signature as "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." The legislation does not define what constitutes an electronic signature, nor does it specify how that signature can be securely delivered or authenticated. At National Underwriter Co., we use a click-through license agreement for publications and products we deliver online. If you purchase a book at Amazon, that final "click here to place your order" is a valid electronic signature according to the federal legislation. What do you think your legal department would do if you made final acceptance of a multimillion-dollar Business Continuance Policy contingent upon a "click here to accept" button? I think they would get someone to help you clean out your office.

What Can We Do?

What can we, as the technology leaders of our firm, do to provide a digital environment in which the promises of E-SIGN become reality? Not all that much, I am thinking, because we are dealing with issues that cannot really be solved by technology at the present time.

Let's take a hypothetical document ABC that when executed will constitute a legally binding contract between XYZ Insurance and BIG Corporation. Our goal is to provide a means for both parties to examine the document in a secure manner; to make modifications to the document; and to digitally sign the document signifying their acceptance of the contract.

We already have a reasonably secure method of examining the document online. The SSL (Secure Sockets Layer) protocol is generally considered secure enough for online credit card transactions. In fact, it is probably overkill. People going after credit card numbers are not going to waste their time sniffing millions of packets. They are going to attack the server where all the data is stored or probably something even easier. Most credit card fraud is the result of people disclosing information, not systems being hacked.

PKI

Fine, let's get back to the problem. An extremely reliable secure system already exists that will allow us to encrypt a document, to verify it hasn't been tampered with, and then to digitally sign it: public key encryption, generally referred to as PKI (Public Key Infrastructure).

Public key cryptography or asymmetric cryptography uses two keys: a public key and a private key. A user generates a public-private key pair. The public key is used to encrypt the message and the private key to decrypt the message. Suppose XYZ Insurance wishes to send BIG Corporation a contract that is encrypted and can only be read by BIG. BIG generates a public-private key pair and then freely distributes the public key to anyone who wants to send it an encrypted message. XYZ encrypts the contract using BIG's public key. The resulting encrypted message can be decrypted only using BIG's private key. This is very secure; the encrypted object can only be decrypted if the private key is available. The best known and most widely used public key cryptography algorithm is RSA (the algorithm was developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman; see http://www.rsa.com). The ability to encrypt electronic documents securely is not unique to PKI. In fact, symmetric or private-key encryption can accomplish exactly the same thing. One of the unique features of public-key encryption is the ability to authenticate the sender and verify the integrity of the document.

The relationship between the public-private key pairs is a two-way street. Earlier we encrypted a message using the public half of the key pair and decrypted it with the private half. Now we go the other way. XYZ encrypts a signature using its private key. That signature can only be decrypted using its public key. When I correctly decrypt the signature using XYZ's public key, I will know the message had to originate from XYZ. What about document integrity?

The digital signature is actually a two-step process. The encrypted message is transformed by an algorithm that creates a hash or digest of the message. This is a one-way process; it is not possible to change a message digest back into the original message. It is possible, however, to use the hash to verify document integrity by running the hash algorithm on the receiving end and comparing the results. The message digest or hash is now encrypted using the sender's private key, and this is attached as the digital signature for this document.

BIG Corporation receives that document and decrypts it using XYZ's public key, transforming it back into a message digest. This ensures the message is from XYZ because only XYZ has the private key that is linked to the public key. The hashing algorithm is applied to the message, and the result is compared with the decrypted digest. If they are identical, then BIG can be ensured the message was not tampered with during transmission. The message body is now decrypted using XYZ's public key.

Let's add one more level of authentication. We need to be certain the public key we are using is actually associated with the party we expect. Couldn't anyone represent himself as BIG Corporation and present us with a public key? Sure. That's why we have Certification Authorities (CA). A CA is a trusted third party who will issue a certificate asserting this public key is actually the key for BIG Corporation.

So What?

This is all very cool and very secure and very sophisticated. But at the end of the day, what do I really have? I know the document I have is probably secure from decryption; I know it hasn't been altered; I know that it has a digital signature that matches the public key I have; and I know the CA vouches that the public key really is whose it claims to be. What I don't know is who really has possession of that private key. This is where all our sophisticated electronic security is useless. In most cases, the private key is really just associated with a computer. If you can get my password and log on to my computer, you can impersonate me and digitally sign anything and everything. If my private key is on a so-called smart card (President Clinton signed the E-SIGN bill with a pen and a smart card), all you need is my card and password and you are in business with my signature. There is no way to be certain the human user of the system is the intended user. And there is no way around that dilemma. User names and passwords are easily stolen or spoofed or discovered. In the future, I suspect that biometric devices will actually be used to provide real user authentication.

There are, of course, other considerations to take into account before using an electronic signature system.

There is currently no standard for digital signatures that is or will be universally accepted. The PKI solution is just one of many and may end up being the Betamax of the lot. Maybe the W3C initiative mentioned in the opening press release will set the standard. That organization has certainly proven its value in setting standards.

Someone is going to have to pay for all this. Implementation of sophisticated technology is not cheap. Real signatures may slow down the process, but they don't add a lot of expense, either.

The wet signature, the pen, is still universally accepted and will continue to be for the foreseeable future.

Like so many things associated with technology and security, the weak link is always human. There is no adequately secure way to ensure the person operating the smart card or the computer is really whom they claim to be. The electronic systems we discussed here fail to provide adequately for the four requirements of a signature listed earlier. I am afraid until we are all willing to have DNA verifiable biochips implanted in our bodies, a digital signature will never replace the real thing. I hope we never see that day. There are already too many ways to track us and our actions. I don't like to give out my Social Security number. What's the big deal about signatures anyway? My own real signature is so illegible and unidentifiable it has no apparent relationship to me anyway.

© Touchpoint Markets, All Rights Reserved.