DEFINITION: Digital signatures are special cryptographic codes attached to an electronic message. The codes let the recipient know that the person sending the message really is who he claims to be. They are one of the most promising ways of ensuring authenticity and establishing trust within e-commerce marketplaces. But there's still a lot of disagreement about what forms of encryption work best and how to set up digital signature networks.
Webster's defines a signature as "the name of a person written with his own hand."
OK. But how can you be sure a signature in cyberspace is the real thing?
The challenge in e-commerce is to eliminate the risk of false identity, says Paul Donfried, a vice president at Identrus LLC in New York. Identrus was formed by 12 of the world's largest banks to provide a global framework for trusted business-to-business commerce.
Right now, digital signatures hold the most promise of helping electronic businesses sort through the complex issues of identity risk and liability in cyberspace.
A digital signature binds a person's identity to an asymmetric key pair. The private key is issued to only one bearer and is used to digitally sign (and, if needed, encrypt) a communication. The recipient then checks the signature with the matching public key.
Digital signature systems are all established within a public-key infrastructure (PKI), which is maintained by a certificate authority. The certificate authority is responsible for assigning keys and ensuring the validity of certificates.
The ground rules for each digital signature network must be carefully spelled out. For instance, what type of encryption method will be used? And who will serve as the certificate authority?
Already, 50 states have enacted legislation to define electronic signatures, each state with different terms, definitions and amendments (for a full list, visit www.mbc.com/ecommerce/legis/table01.html). And that's not to mention recently passed federal legislation and international laws.
Businesses can try to interpret this confusing mishmash of legislation. Or they can bind the digital signature with a prenegotiated contract that sets the terms and conditions of liability and recourse for any form of electronic transaction.
Old World Contracts
Ironically, the most trusted systems for spelling out the terms of a digital signature network are traditional paper agreements that are physically signed by all parties.
"If the member stays within the framework of the contract, the actions will give legal force and effect," says Ted Barassi, co-founder of Phlair Inc., a business-to-business consumer application company in New York. Phlair helped develop digital signature guidelines for the American Bar Association in 1995.
"It's a clean, clear-cut way of promulgating those requirements without resorting to wholesale changes to domestic law relating to the use of digital signatures as legally binding signatures," Barassi says.
Lately, certain vertical industries - mainly banking, automotive and medical - have begun rolling out PKI trading networks that bind their digital signatures around paper contracts.
For example, in the Identrus pilot, two or more parties on each end of the transaction enter into legally binding contracts to use the digital signatures within the specified framework. Under those conditions, the banks themselves act as the certificate authority, manage the risk and accept liability, much like Visa International Inc. or MasterCard International Inc. assumes liability for lost or stolen credit cards among their member networks.
In the case of business-to-consumer transactions, there are no such contractual guarantees . . . yet.
In fact, online consumers have no way to contractually relinquish obligation on the part of a company the way that they can with Visa, MasterCard or American Express Co., says Ann Friedman Simmons, vice chairwoman of the Internet Council. The Council is sponsored by the National Association of Clearing Houses in Washington.
Rob Stuhlmuller, product manager at ActivCard Europe SA in Paris, says it's only a matter of time before credit-card-issuing banks will assume liability for online transactions.
"Banks, who right now are already the trusted entity, are well-poised to become third-party trusts and PKIs," Stuhlmuller says. "When that happens, you'll see this triangle effect, where three people are involved in online transactions - the bank, you and the online merchant."
Interoperability Difficulties
Visa and others have been testing such technology since 1995. But interoperability problems are holding up any global, contract-based business-to-consumer models.
While most PKI vendors claim high standards of interoperability (X.509), analysts say it's still very difficult to certify digital signature bearers in a PKI when there's a mix of vendor products and certificate authorities involved.
"This is one of the big issues we're dealing with. Unless all parties in our external trading network use the same certificate authority, you have to worry about cross-certification," says John McGraw, security analyst at a professional services firm in Texas.
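The mechanics described earlier (a private key held by one bearer signs, the matching public key verifies, and a certificate authority binds identity to the key) and the cross-certification problem McGraw raises can be seen in a small program. The following is an added example written for this page in Go's standard library; it is not code from Computerworld, Identrus, or any vendor named above. It builds a toy PKI with two bank-run certificate authorities, enrolls a buyer under Bank B, signs a purchase order, and shows that a merchant trusting only Bank A rejects the buyer's certificate until Bank A cross-certifies Bank B's CA key. The bank and buyer names, the order text, and the choice of ECDSA P-256 are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial hands out unique certificate serial numbers for this toy PKI (constructed).
var serial int64

// certTemplate builds a minimal X.509 template; isCA marks a certificate that
// may itself sign other certificates (i.e. a certificate authority).
func certTemplate(name string, isCA bool) *x509.Certificate {
	serial++
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
}

// issue has the holder of signerKey (whose certificate is parent) sign a
// certificate for pub. For a self-signed root, parent is the template itself.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root: the certificate authority for a network.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(name, true)
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// Enroll generates a fresh key pair for a bearer and has the CA certify it,
// binding the bearer's name to the public key. Only the bearer holds the private key.
func Enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, bearer string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert, err := issue(certTemplate(bearer, false), ca, &key.PublicKey, caKey)
	return cert, key, err
}

// CrossCertify has CA `issuer` vouch for another CA's public key, so that
// certificates issued by the other CA chain back to issuer's root.
func CrossCertify(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, other *x509.Certificate) (*x509.Certificate, error) {
	tmpl := certTemplate(other.Subject.CommonName, true)
	return issue(tmpl, issuer, other.PublicKey.(*ecdsa.PublicKey), issuerKey)
}

// Sign produces the digital signature: a SHA-256 digest of msg signed with the bearer's private key.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyMessage is the recipient's check. roots holds the CAs the recipient trusts and
// intermediates any cross-certificates it has been given. It returns nil only if the
// sender's certificate chains to a trusted root AND sig matches msg under that key.
func VerifyMessage(roots, intermediates *x509.CertPool, cert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("identity not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match message")
	}
	return nil
}

func main() {
	bankA, bankAKey, _ := NewCA("Bank A CA")
	bankB, bankBKey, _ := NewCA("Bank B CA")
	buyerCert, buyerKey, _ := Enroll(bankB, bankBKey, "Buyer certified by Bank B")
	order := []byte("purchase order 1234: 500 units at $10") // constructed message
	sig, _ := Sign(buyerKey, order)

	trusted := x509.NewCertPool() // the merchant trusts only Bank A
	trusted.AddCert(bankA)
	fmt.Println("1) valid signature, issuer unknown to merchant:", VerifyMessage(trusted, nil, buyerCert, order, sig))

	cross, _ := CrossCertify(bankA, bankAKey, bankB) // Bank A vouches for Bank B
	inter := x509.NewCertPool()
	inter.AddCert(cross)
	fmt.Println("2) after cross-certification:", VerifyMessage(trusted, inter, buyerCert, order, sig))

	tampered := []byte("purchase order 1234: 5000 units at $10")
	fmt.Println("3) tampered message:", VerifyMessage(trusted, inter, buyerCert, tampered, sig))
}
```

Case 1 fails with Go's "certificate signed by unknown authority" even though the signature itself is valid: the merchant has no way to tie the buyer's key to anyone it trusts, which is exactly why a shared certificate authority (or a cross-certificate placed in the intermediates pool, case 2) is needed. Case 3 shows the second half of the check: once the message changes, the signature no longer verifies under the certified public key.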
This lack of consumer contractual protections is indirectly costing merchants and buyers the most important intangible commodity in cyberspace: trust.
"There has been no case law challenging whether a digital signature is legally binding," says Larry Zanger, chairman of McBride Baker & Coles, a Chicago-based IT and e-commerce law firm. "Everybody's fear is that some piece of the puzzle would lead some party in the deal to get stuck with a transaction that doesn't have money on the other side."
Radcliff is a contributing writer in Northern California. She can be reached at DeRad@aol.com.