Originally published November 30, 2000 on searchSecurity.com

It’s a matter of trust: Digital certificates and e-signatures

Fred Avolio, Avolio Consulting, Inc.

On October 1, 2000, the US Electronic Signatures in Global and National Commerce Act went into effect. The so-called e-signature law allows for electronic signatures to be as legally binding as handwritten signatures.

Digital Certificates

To understand digital signatures, we must first understand digital certificates. A digital certificate binds an entity (person, computer, or organization) to a public key. Public keys — large, unique, integer numbers — are used in encryption for confidentiality. They also allow a recipient of some data to know who created or sent the data in a way that the creator of the data cannot deny it.

A digital certificate shares some characteristics with a passport. A passport has identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. Digital certificates also have identifying information, are secured against forgery through the use of cryptography and should have a certification authority standing behind it.

Digital signatures uniquely and unequivocally tie an entity (person, router, etc.) to a piece of data (file, disk image, e-mail message, word processing document, etc.) People do not have digital signatures. A digital signature is not a bitmap image of your handwritten signature (called a “wet” signature, when discussing types of signatures). Yet an individual may digitally sign an e-document. The act of signing — applying a digital certificate with a public key to digital data — establishes that the data being signed was in that exact form and in the possession of the person signing it. Any modification of the data, in effect, breaks the signature. Anyone can tell it has been tampered with.

The Promise

Electronic mail is very easy to forge. Electronic documents are easily modified. Digital signatures and the associated legislation allow customers and companies to conduct business online that was previously limited to paper with handwritten signatures.

But wait! Haven’t we been doing that for years? Well, yes. But e-commerce without e-signatures falls into two categories, credit card transactions and transactions we don’t care that much about. With the former, the credit card company protects both sides of the transaction in various ways. The latter are the common e-mail transactions that we authenticate by their content. We kind of can tell it’s from Aunt Ida because of what she writes and the subject matter. And who’d pretend to be her anyway?

What e-signatures enable are those transactions that are protected by contract law. For example, you’d be wise not to pack your family and belongings and move out of your house based on an e-mailed promise to buy it. But now, if that e-mailed offer and contract was digitally signed, it could be treated no differently than if you had a hard-copy contract in hand.

What Are We Waiting For?

The technology to digitally sign documents, e-mail, etc. has existed for 30 years. We also can issue digital certificates to individuals. What’s not there is “a certification authority standing behind” them. Companies want to provide this service. Companies already provide this service. Anyone who has bought something over an SSL connection on the web (the little lock icon is locked) has used digital certificates (rather your browser has). And companies your browser says are trusted issued the certificates. In IE, View Internet Options, select Content, and click on Authorities. Using Netscape Navigator, pull down on Communicator, then Tools, then Security Info and select Signers. You trust any certificate issued by those companies. I know, you’ve not heard of some of them. But, trust me, you trust them. But who says they are trusted? Netscape and Microsoft.

Another problem is that digital signatures, as we might use them today, require a connection between the individual and the data — usually a computer. When I sign a piece of paper with a pen I am holding the paper in my hands and acting on it. When I use a computer I am pushing a mouse button and trusting that the data I am signing matches the representation of that data I am viewing on the screen or the file name in a directory. I am trusting that the calculations made by the software are correctly implemented. It is possible for me to argue in court that while the e-document does appear to be e-signed by me, I never signed it. And it would be impossible to prove otherwise.

Is there nothing to do? No, there are many uses for digital certificates as implemented today. The evidence is in your web browser. Go ahead and edit or remove the entries for those certificate authorities and make an on-line purchase and see what happens. But for now… well, if someone sends you a digitally signed offer for your house, get it in writing before moving out.