E-Signature Act may drive demand for authentication technology

From...

by Jenny Oh

(IDG) -- Some deals are still done with a signature on the dotted line, even with the advent of the Net. Take leases for heavy machinery or office furniture. San Francisco-based LeaseExchange can process a rental request in less than a minute, but it can take days to execute the leases – that is, getting everyone to sign the paperwork. CEO Aaron Ross admits it's "a very inefficient process right now." He's eager to see whether authentication technologies will speed things up without harming customer relationships.

Relief is on the way, although it's likely to present a host of new complexities. On Oct. 1, the Electronic Signatures in Global and National Commerce Act, or E-Sign, will take effect, giving electronic signatures the same legal standing as their paper-and-pen counterparts.

This expansive federal legislation considers facsimiles of an original signature and recorded agreements over the telephone as forms of electronic signatures. However, it doesn't dictate whether an electronic signature needs to be secured, nor does it specify a type of technology. To further complicate matters, the law also lets each state regulate its own authentication technology.

The easiest and least expensive kind of electronic signature is an unsecured fax, but businesses aren't likely to rely on them since they can be an open invitation for fraud. Digital signatures – the online equivalent of a wax seal on an envelope – offer a basic level of security for transmitting a signature over a public network, such as the Internet. But these scrambled John Hancocks only make sure the signature was not tampered with when sent; the systems don't verify the the signer's identity.

That's where digital certificates come in handy. This form of secure identification can be stored on personal computers, portable devices and even smartcards. Large corporations and banks have been using them for several years to confirm the identities of parties doing business online. The current use of digital certificates is limited to corporations and governmental agencies primarily because of cost concerns. A typical in-house setup can cost millions of dollars when you factor in staff. Nevertheless, the number of global companies using digital certificates will surge from 30 percent today to 98 percent by 2003, according to the Aberdeen Group, a Boston-based research firm.

The figures for consumers are not so clear, though. For example, Wells Fargo is evaluating vendors that could help it issue digital certificates, using what's known as a public key infrastructure. And even if one is built, digital certificates "won't completely replace the physical signature," says Debra Rossi, executive VP of business Internet services at the San Francisco bank, because customers might not feel comfortable with the technology.

MORE COMPUTING INTELLIGENCE

IDG.net home page

The Standard.com

TechInformer: The Thinking Internaut's Guide to the Tech Industry

Wireless tracking of shipments readied

Standards issue mars e-signatures

Reviews & in-depth info at IDG.net

E-BusinessWorld

Industry Standard email newsletters

Questions about computers? Let IDG.net's editors help you

Industry Standard daily Media Grok

Search IDG.net in 12 languages

News Radio

Fusion audio primers

Computerworld Minute

A more budget-conscious option is electronic-signature software. Montreal-based Silanis, for example, offers a $149-per-user package that can transfer a scanned or stylus-written signature into a digital file. Although the company says its standalone technology meets the basic requirements of E-Sign, Mary Ellen Power, Silanis' VP of marketing, admits that certain businesses will want to add security to it.

Identity Crisis

The ambiguous language of E-Sign lets companies try different tiers of signature security. But with all this wiggle room, it appears that companies with large value transactions are going for additional security above and beyond a scanned signature. For instance, Chase Manhattan, with more than $400 billion in assets, began using digital certificates in 1998 for managing fund transfers with its deep-pocketed corporate-banking customers. The bank needed to verify the identity of any person initiating large transactions, according to Joseph Calaceto, Chase's VP of security strategy and infrastructure. So it decided to set up a PKI for issuing digital certificates.

The main component of a PKI is a certificate authority, which issues the certificate, keeps a repository of valid certificates and manages a protocol for registering, revoking or verifying them. The certificate itself contains the issuer's name (for example, Chase Manhattan), a serial number, a signature algorithm ID, an expiration date, an employee's public key and unique identifiers for both the issuer and the employee. The certificates are generated by a third-party vendor like Entrust Technologies. Chase pays a software licensing fee to Entrust to generate its certificates, which are stored and retrieved from a server.

Although Calaceto declined to disclose how much Chase invested in its PKI, he says the costs have decreased dramatically since the bank started researching secure signatures in 1996. Indeed, in 1998 Aberdeen concluded that Entrust was the most expensive digital-certificate supplier, compared with VeriSign and Netscape. The research group calculated the total cost of ownership for 5,000 users over a three-year period was nearly $1 million, or approximately $198 per user.

Based on recent quotes by Entrust, however, the price is now $7 per user. But that doesn't reflect the cost of internally managing and staffing a certificate authority, which usually is the most expensive component in a PKI.

Calling the management of an in-house PKI "quite burdensome," Calaceto notes some of the costs Chase incurs come from issuing its own certificates to customers. For instance, before the bank issues a certificate, the bank snail-mails a document containing unique information the customer must use to activate the digital certificate.

The trustworthiness of a digital certificate ultimately depends on how the issuer has safeguarded their digital ID. Banks by their very nature are familiar with stringent security processes. Their customers, either individuals or corporations, assume their financial institutions are trustworthy in sensitive services like digital certificates.

That trust is essential, with or without E-Sign – a law so broad it's making companies read between the legislation's lines and model their own approaches. "At the end of the day," says Aberdeen analyst Jim Hurley, "what a customer using digital certificates asks is, Can I really count on the receivables on this piece of paper?"

Sign Language

A brief glossary of key terms in secure electronic signatures.

Certificate authority (CA): A trusted third party that issues digital certificates (digital IDs) and makes its public keys widely available to intended audiences.

Cryptography: The conversion of data into a secret code (known as encryption) for transmission over a public network. The encryption algorithm uses a key, which is a binary number that is typically from 40 to 128 bits in length. The greater the number of bits in the key (cipher strength), the more possible the key combinations and the longer it would take to break the code. The data is encrypted, or locked, by combining the bits in the key mathematically with the data bits. At the receiving end, the key is used to unlock the code and restore the original data.

Digital signature: A digital guarantee that a document has not been altered, as if it were carried in an electronically sealed envelope. The "signature" is an encrypted digest of the text that is sent with the text message.

Digital certificate: The digital equivalent of an ID card used in conjunction with a public key encryption system. Also called "digital IDs," digital certificates are issued by trusted third parties known as certificate authorities after verifying that a public key belongs to a certain owner. The certification process varies depending on the CA and the level of certification.

Public key encryption: The published part of a two-part, public key cryptography system. The private part is known only to the owner.

Private key encryption: The private part of a two-part, public key cryptography system. The private key is kept secret and never transmitted over a network.

Public key infrastructure (PKI): The policies and procedures for establishing a secure method for exchanging information. It includes the use of certification authorities and digital signatures, as well as all the hardware and software used to manage them. Signature dynamics relies on a handwriting analysis of two signatures to verify identity.

RSA: A highly secure cryptography method created by RSA Data Security of Redwood City, Calif. It uses a two-part key: The private key is kept by the owner; the public key is published. Data is encrypted by using the recipient's public key, which can be decrypted only by the recipient's private key.

Digital signatures create market potential
July 31, 2000
Clinton signs e-signature bill into law
June 30, 2000
Senate sends e-signature bill to president's desk
June 16, 2000
U.S. government moves to electronic transactions
July 25, 2000
CNNdotCOM Tools: Paperless bill-paying
July 14, 2000

Digital signatures create market potential
(InfoWorld)
ABA to offer online authentication
(Computerworld)
President Clinton signs digital signature bill
(IDG.net)
Digital signature bill enables e-commerce
(InfoWorld)
Wireless tracking of shipments readied
(InfoWorld)
Digital signatures now legally admissible in U.K.
(IDG.net)
German Cabinet approves digital signature bill
(IDG.net)
Standards issue mars e-signatures
(Computerworld)

LeaseExchange
Wells Fargo

Note: Pages will open in a new browser window

External sites are not endorsed by CNN Interactive.