The Federal Electronic Signatures in Global and National Commerce Act (signed by President Bill Clinton on June 30th, 2000) formally recognized the validity of contracts that have been electronically endorsed and made them legally enforceable.
Its definition of "electronic signature" is very broad, allowing the parties to the agreement(s) to choose their preferred technological method for such signature. The text of the law only states that an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a contract." Even the process of clicking the mouse on a link may now generate a legal relationship: for example, it would give legal weight to website product disclaimers and copyright notices.
The law has no security requirement. For example, there is no cryptographic authentication mandate of the sort used by the commercial provider VeriSign or the generally-released PGP(R) (Pretty Good Privacy) software.
the ability to establish not only that the individual is agreeing to conduct the transaction electronically, but also that the individual actually is who they say they are; that is, the ability to guarantee the authenticity of the documents to which the digital signature is attached;
the ability to conceal the contents of a transaction from all but those to whom the transaction is specifically directed.
Digital IDs are one type of authentication. Also referred to as "digital certificates," they enable Web surfers to establish their own identities as well as to authenticate everything from documents they send to the Web sites they visit. Using a digital ID, a user can create an electronic signature and then safely encrypt the document before sending it over the Internet.
VeriSign, a Mountain View-based company that strongly supported the new law, already makes digital IDs available to consumers, though its main market is businesses. For $14.95 individuals can download a digital certificate from the VeriSign Web site.
To make a message tamper-proof requires another step: encryption. While this may sound complicated, the technology behind digital IDs makes it happen with a keystroke. It works by encrypting computer files in such a way that they can only be opened with a special code or "key," like a person securely locking a document in a box that will be opened by someone else. Because the recipient must be able to open the box without the sender handing over their own key, two keys are needed: a "private" key to lock the box and a "public" key to open it. (In some instances, the sequence of keys is reversed.)
Dubbed "public key infrastructure" or PKI, this process was and remains virtually impregnable to code crackers. At first, its developers failed to find a widespread commercial application for the process, but in the late 1990s businesses began going online in large numbers and quickly discovered a need for secure communications that could not be readily repudiated. The official United States distribution site of the PGP PKI software is the MIT Distribution Site, and the international distribution site is The International PGP Home Page. Commercial distributors are PGP, Inc. and Network Associates (a previous vendor, ViaCrypt, was absorbed by PGP, Inc.). A related technology is known as Secure Socket Layer, or SSL, which uses an algorithm based on public key cryptography.
At its most basic, PKI involves publishing one's "public key" to the world and encoding documents with one's private key. The two keys of a pair are mathematically bound to each other: only documents encoded with the private key may be decoded with the public key, and the public key will only decode documents encoded with the private key.
For more on PKI encryption, see Public Key Encryption.
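The following Python program is an added illustration of the two-key mechanism described above; it is not code from the original page, nor from VeriSign or PGP. It assumes a constructed toy key pair (two Mersenne primes as factors, far too small for real use) and shows both sequences the text mentions: encoding a document's hash with the private key so anyone with the public key can check it (a digital signature), and the reversed sequence, encoding with the public key so that only the private-key holder can read the result. It also shows that a signature made over one contract is rejected when even a single figure in the contract is altered.

```python
import hashlib

# Constructed toy key pair for illustration only (an assumption of this
# example, not a VeriSign or PGP key). The factors are Mersenne primes so the
# modulus is wide enough that two documents will not share a reduced hash;
# real digital IDs use keys of 2048 bits or more together with padding.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                       # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                       # public exponent
D = pow(E, -1, PHI)             # private exponent (needs Python 3.8+)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def _digest(document: bytes) -> int:
    """SHA-256 the document and reduce it below the modulus so it fits the key."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_key=PRIVATE_KEY) -> int:
    """Lock the box with the private key: encode the document's hash."""
    d, n = private_key
    return pow(_digest(document), d, n)


def verify(document: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Open the box with the public key: the recovered hash must match the document."""
    e, n = public_key
    return pow(signature, e, n) == _digest(document)


def encrypt(plaintext: bytes, public_key=PUBLIC_KEY) -> list:
    """The reversed sequence: encode each byte with the public key so only the
    private-key holder can read it (byte-at-a-time textbook RSA, toy only)."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(ciphertext: list, private_key=PRIVATE_KEY) -> bytes:
    """Decode with the private key."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def demo() -> dict:
    """Sign a constructed contract, then show that a changed price is rejected."""
    contract = b"Buyer agrees to pay $14.95 for one digital certificate."  # constructed
    signature = sign(contract)
    tampered = contract.replace(b"$14.95", b"$1.95")
    return {
        "original_verifies": verify(contract, signature),                 # True
        "tampered_verifies": verify(tampered, signature),                 # False
        "encrypted_roundtrip": decrypt(encrypt(contract)) == contract,    # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note which key does which job: in the example it is the signature check, made with the public key, that detects the altered contract, while the reversed sequence (public key to encode, private key to decode) is what keeps the contents from being read by anyone but the intended recipient. A real digital ID binds the public key to an identity through a certificate; the toy keys here carry no such binding.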
There are a number of different types of digital signatures. One is the interactive use of the "digital certificate" mentioned above. Other options, which may control access to specific programs, include the following:
Sometimes a physical signature needs to be printed on a form or an encoded signature needs to be affixed to an electronic document. Before this can happen, some software requires the user to enter a user-id and a password, which then enables the document to be printed with the signature or, as noted above with digital certificates, an electronic document to be transmitted with an encoded digital signature.
Biometric technology, which captures some physical element of the user. Two examples include the following:
Signature-capture software, which captures the signature as a graphic image; however, it also has a "muscle memory" that can recall the order in which a signature's elements are made (i.e., when a "t" or "f" is crossed, when an "i" or "j" is dotted). If all elements of the signature do not match (the shape as well as the process of making the signature), the software will reject the signature. This type of software is being used in some credit card applications (see, for example, Cyber SIGN).
Retinal-scanning software, which scans the user's retina and compares it with a permanent record of the retina. If the scans do not match, the user is rejected as the authorized user. Other scans may be of the iris, a finger, or the hand of the user (see, for example, International Biometric Group).
Any of these may be combined with digital certificates to authenticate the person using the system. For example, a computer may hold an access code to a digital certificate on its hard disk. The computer requires a user-id and a password before a user can log on and reach that access code, and it may additionally be protected by software that requires a thumb scan for access.