Some consider these laws breakthroughs for e-commerce and online financial services while others point out their potential pitfalls. The question everyone is struggling to answer is this: what can we really expect from digital signatures?
Evaluating the impact of these regulations requires an understanding of how digital signatures work, which in turn requires a basic understanding of public-key cryptography concepts. A number of good tutorials are available on the Internet.
The most important points are that:
- a public key and the corresponding private key have a special relationship: things encrypted by one key can be decrypted only by the other key, and
- your private key is bound to your identity by a digital certificate (root certificate) issued and signed by a trusted certificate authority (CA).
A digital signature is the result of computations involving the message to be signed and the signer's private key. First, the signer's software applies a hash function is to the message, producing a message digest (a fixed-size representation of the message unique to that particular message). Then the software applies the signer's private key to encrypt the digest, and transmits the result along with the message and the signer's digital certificate to the intended recipient. The recipient's software generates a message digest (using the same hash function) for the received message, and uses the signer's public key to decrypt the digest generated by the signer. The recipient's software may be configured to validate the signer's certificate to ensure that a trusted CA issued it and that the CA has not revoked it. If the two digests are the same, the recipient has successfully verified the digital signature.
A verified digital signature assures the recipient that a) the message wasn't modified, and b) the message came from the signer. The latter forms the basis of the concept of non-repudiation with proof of origin - cryptographic non-repudiation.
This is a sticking point. More accurately, a verified digital signature assures the recipient that the message wasn't modified and that the message was signed using the signer's private key. The possibility of fraud exists. Desktop computers, left untended, could be used to digitally sign contracts without the private keyholder's knowledge. With the growing popularity of 'always on' Internet connections like cable modems and DSL, the opportunities for hackers to access private keys multiply. Consumers are vulnerable.
And another frightening scenario exists: using fraud as an argument, legitimately signed contracts might be legally repudiated by signers who simply want out of their signed contracts. Businesses are vulnerable.
Reasonable people and institutions must be aware of these risks. Most businesses and people understand that they can't eliminate all risk all the time. Rather than completely avoiding risk, they focus on reducing their exposure.
Consumers with 'always on' Internet connections can minimize their risk by turning their computers off after use and by using reliable personal firewall software to deter hacker intrusion. Alternatively, they can use smartcards to store their private keys, locking the card in a drawer between uses.
Businesses consider a 'risk continuum,' taking steps to mitigate risk. Digital signatures can reduce risk. At present, the most common way to purchase goods at an e-commerce site is to send your credit card number, your name, billing address and a shipping address to the e-business's server via a secure connection. How does that business know that you personally entered the information and that your credit card is being used with your authorization? A digital signature provides greater assurance that you authorized the transaction than businesses have had in the past. By allowing digitally signed credit card transactions, web merchants can move down the risk continuum by shifting charge-back liability from themselves to the card-issuing banks.
If you think about it, digital signatures are no worse than handwritten signatures in a court of law. If O.J. Simpson's own DNA wasn't enough to prove that blood found at the crime scene was his, despite expert witness testimony that there was only a 1 in 170 million chance that the blood was someone else's, why would a case involving someone's hand signature be any different? This possibility doesn't stop handwritten signatures from being trusted and used. If digital signatures are at least as strong as handwritten signatures, why not use them where it makes sense?
The benefits of digital signatures, while sometimes exaggerated, are undeniable. Consider the following examples.
Digital signatures can expedite dispute resolution. Resending a digitally signed purchase order to a purchaser confirming his order is much easier than faxing a purchase order he hand-signed and misplaced. In reality, not all disputes result in lawsuits; instead, corporate lawyers wrangle with each other for hours to come to a menial resolution. If a company official signed the order and the recipient has a digital signature as proof, there's not much to argue about.
Digital signatures complement automation, bringing benefits that include faster, more efficient processing and reduced error rates and administrative costs. While digital signatures aren't necessary for automation, using them may net incremental benefits.
Digital signatures are well suited for wireless Internet-enabled devices, which people tend to keep close to them. When consumers push the "buy" button from these devices, they are consciously saying, "yes, I am buying this." In the wired world, people leave their desktop computers unattended at work, increasing the chances that someone might fraudulently use their private key to sign on their behalf.
Wired customers complain that client-side digital signing is still clunky on desktops, and that the certificate registration process is confusing. Considering the long forms and all the warning messages involved (e.g. when trusting a new root certificate), they have a point. By contrast, application developers for wireless devices are striving to make the registration process transparent to the user, saving time and improving the user experience. They have learned from the pitfalls of the wired world.
What can businesses and consumers expect? Businesses involved in high-value transactions, such as the banking and financial sectors, will embrace the technology first - some companies in these industries are already using them. Both desktop and wireless platforms will be supported, since consumers require on-the-go convenience for making such transactions.
Because of the issues surrounding the lack of standardization of digital signature solutions, broader acceptance of digital signatures will lag somewhat. They will be embraced in inter-and intra-business transactions first, particularly in large corporations where network security infrastructures already exist.
The obvious advantages of digital signatures on wireless devices will lead to their acceptance for e-commerce transactions. Since the whole wireless industry is working on digital signature support for these devices, they may be widely used for digital signatures before desktop computers begin to catch up.
As digital signature technology matures and solutions providing cross-platform interoperability are generally available, digital signatures will be ubiquitous - as natural as a handwritten signature. Ordinary people will reap the benefits of digital signatures. This evolution will take a few years, but it will happen.
Rett Summerville is product manager trust services for Certicom (www.certicom.com).