Digital signatures come into focus

Agencies find right approach to meet paper reduction goals

Most government workers are aware of the benefits of electronic communications. In many agencies, the Internet, intranets, Web portals and e-mail enable collaborators to send document drafts back and forth in the blink of an eye. But when a document must be legally binding, the workflow slows to a snail's pace because someone has to sign the document. And that requirement engenders a whole series of inefficient manual operations, including printing, mailing, filing and creating a system for retrieving the document.

To cut down on paperwork, the Government Paperwork Elimination Act of 1998 requires agencies to give the public, businesses and other agencies the option of submitting information electronically. It also mandates the use and acceptance of electronic signatures to bind such transactions.

Digital signature technology encompasses a range of tools of varying cost and complexity for verifying that the people signing documents are who they say they are. To choose the right technology, agencies must consider how important authentication and nonrepudiation (meaning that a document's validity cannot be denied) are for the particular document or process.

"If you're about to receive a document from a co-worker who just called you and told you to expect the document, the security level for the digital signature can be relatively low," said Sarah Rosenbaum, director of Acrobat product management at Adobe Systems Inc. "But if the document is something you might end up in court about at some point, the security needs are much greater."

Adobe Acrobat 5.0 includes a "self-sign" feature that enables users to sign and lock a document but does not authenticate the sender. For more stringent e-signing requirements, Adobe allows third-party digital signature vendors, such as Entrust Inc. and VeriSign Inc., to plug into Acrobat.

The highest level of authentication is a public-key infrastructure, which uses digital certificate technology. The Labor Department's Office of Labor-Management Standards is using PKI with labor organization annual reports from union officers because of its high level of nonrepudiation.

"These forms are legal documents and could very well end up as part of a court case," said Sheila Farrell, the office's senior manager for electronic filing.

The Office of Labor-Management Standards created a CD-ROM-based program that enables users to fill out these forms electronically. They have the option of printing, signing and mailing the form, or transmitting it electronically. To sign a form electronically, union officials must first apply for a digital certificate from the government's Access Certificates for Electronic Services (ACES) program.

Digital Signature Trust, a Salt Lake City-based subsidiary of Identrus LLC, acts as a certificate authority within the ACES program. Via the Web, the company collects personal information from an applicant, such as name, address, and driver's license and credit card numbers. The system checks the data's accuracy against a public records database and then sends a digital certificate — a public key with an accompanying private encryption key — to the user.

Next, the company mails an authorization code to the user. The code enables the user to electronically sign a form, which involves clicking a button and entering the authorization code. Under the hood, however, it involves encrypting the message via a private key and sending it to the recipient with the associated public key, which decrypts the digital signature.
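The signing and verification steps described above, as an added example that is not part of the original article: the private key is applied to a hash of the form, so any change to the form after signing makes verification with the public key fail. The key is a toy built from two well-known Mersenne primes with no padding scheme, and the function names and sample form are assumptions made for illustration.

```python
import hashlib
from math import gcd

# Toy RSA key (constructed for illustration): the primes are small, publicly
# known Mersenne primes and there is no padding, so this is not usable in
# production. Real deployments use a vetted library and a CA-issued certificate.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q                      # public modulus
E = 65537                      # public exponent, published with the certificate
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent, held only by the signer

# Constructed sample form contents.
FORM = b"Annual report (constructed sample); total receipts: 120000"


def digest_as_int(document: bytes) -> int:
    """SHA-256 of the document, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Signer side: apply the private key to the document's digest."""
    return pow(digest_as_int(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Recipient side: recover the digest with the public key and compare it
    with a digest computed independently from the received document."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_as_int(document)


if __name__ == "__main__":
    sig = sign(FORM)
    print("original form verifies:", verify(FORM, sig))
    print("altered form verifies: ", verify(FORM + b" (amended)", sig))
    print("altered signature verifies:", verify(FORM, (sig + 1) % N))
```

Because only the holder of the private exponent can produce a value that verifies, a valid signature ties the signer to the exact bytes of the form, which is the nonrepudiation property the agencies are paying for.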

Keren Cummins, Digital Signature Trust's vice president of government services, said that the ACES authorization process, including mailing the authorization code, is a bit onerous and time-consuming. But users only have to go through the certification process once every two years. "The more agencies that people use it with, the less bothersome it will seem," she said.

The Securities and Exchange Commission also uses a PKI program, with VeriSign of Mountain View, Calif., as the certificate authority and PureEdge Solutions Inc. of Victoria, British Columbia, creating the electronic disclosure forms. In this case, the entire authorization process is accomplished online. "We're very concerned about filer burden," said Rick Heroux, manager of the SEC's Electronic Data Gathering, Analysis and Retrieval system. However, the SEC requires some initial authentication in-house before it allows someone to sign up for a VeriSign digital certificate.

At the other end of the user-convenience spectrum is the personal identification number method. Although a PIN does not authenticate the user at the time the password is assigned or chosen, it has the advantage of being less expensive and more user-friendly. For example, the Education Department enables students to electronically sign their student loan applications using only a PIN. One advantage is that a PIN-based program was already in place at the department to allow students to view loan information such as balances and recent payments.

As a result, the e-signing system, called the Student Authentication Network, developed by NCS Pearson Inc. of Bloomington, Minn., was relatively easy to deploy. "It wasn't a very large step either in terms of technology or user acceptance from [using a PIN for] data access to legal transactions," said Neil Sattler, project director for innovations and e-commerce at Education.

But Sattler acknowledged that the PIN method would not be appropriate for all e-signing applications.

"Built into our system are a lot of levels of authentication apart from the PIN," he said. "The school knows who the student is. If there's a local lender, they know the student. PKI would have been overkill for us."

One way to enhance the authentication level of a PIN is to add a token, such as a smart card, or a biometric identifier, such as a fingerprint. The Air Force recently added a digital signature element to the Standard Asset Tracking System (SATS) developed by Gemplus Corp. of Redwood City, Calif.

Delivery personnel carry a bar code/smart card reader, which is used to scan the smart card of the recipient. The screen displays the cardholder's name, rank and identification number, which the delivery person checks against the recipient's ID card. The deliverer then scans the bar code on the shipment. The screen displays whether the person receiving the shipment is authorized to do so. If the delivery is authorized, the recipient enters a PIN, which serves as the digital signature, into the reader.

Pete Ramirez, SATS project manager, said the Air Force opted for a smart card instead of a card with a bar code or magnetic strip because it can hold more data and can be rewritten if, for example, someone's rank or authorization changes. "It gives us a lot of flexibility," he said.

Fortunately, the Government Paperwork Elimination Act's 2003 deadline comes at a point when there are many options for e-signing. To choose the right method, agencies must determine the level of trust they require and balance that against the cost and convenience levels of the various options.

Stevens is a freelance journalist who has written about information technology since 1982.