

									Jen YAN                                       Anthony LI
Remy MAGNIER            12/03/00       Nargiz UMAYEVA



Professor      Anil KUMAR



INTRODUCTION

1. SIGNATURES AND THE LAW
  1.1. THE GENERAL PURPOSES OF SIGNING WRITINGS
  1.2. THE REQUIRED ATTRIBUTES OF A SIGNATURE
  2.1. THE ASYMMETRIC CRYPTOSYSTEM (PRIVATE-PUBLIC KEY)
  2.2. THE HASH FUNCTION
  2.3. DIGITAL SIGNATURE CREATION AND VERIFICATION
  2.4. THE LEGAL PURPOSES OF DIGITAL SIGNATURE
  2.5. PUBLIC KEY CERTIFICATES
  2.6. SUMMARY OF DIGITAL SIGNATURES’ MECHANISM
  3.1. OTHER TYPES OF DIGITAL SIGNATURES
  3.2. ADVANTAGES AND DISADVANTAGES
4. CHALLENGES AND OPPORTUNITIES
  4.1. IMPACT ON THE BUSINESS WORLD
  4.2. INTERNATIONAL OVERVIEW
  4.3. THE COSTS OF DIGITAL SIGNATURES
  4.4. THE PROMISING SOLUTIONS
  4.5. TODAY’S E-SIGNATURE PLAYERS
  4.6. SOONER THAN LATER
REFERENCES



Your signature is a personal thing, a unique notation that indicates your stamp of
approval on a document. You sign a petition to voice your agreement with an issue. You
sign a check to indicate that you authorize payment. You sign a loan agreement to
indicate that you will repay the money. In these transactions, your signature represents
you, and only you. Signatures accompany most of the financial and legal transactions in
our world today. Now imagine that you're about to conduct some business via email.
You want to hire someone to design a Web page for you. You email back and forth,
agreeing on a price and the amount of work to be done. You have email records of the
entire agreement, some even contain formal contract language, but you do not have a
piece of paper with handwritten signatures. Are these emails sufficient legal proof of the
agreement? Is this person really who he says he is?

Digital signatures are one solution to these types of problems. Digital signatures are the
"electronic fingerprints" of transactions in a digital world. An electronic signature is a
method of identification that is used with the intent to be bound to an electronic
document. A digital signature is an electronic signature that is irrefutable, unique and
impossible to copy or transfer -- and these signatures are immune to forgery, fraud and
denial. Affixed to an electronic document, a digital signature conveys the same meaning
of approval and personal identity as a handwritten signature. Digital signatures also
address several other problem areas such as document integrity and protection from
unauthorized access.

Already, 50 states in the US have enacted legislation to define electronic signatures, each
state with different terms, definitions and amendments. And that's not to mention
recently passed federal legislation and international laws.

In today's commercial environment, establishing a framework for the authentication of
computer-based information requires a familiarity with concepts and professional skills
from both the legal and computer security fields. Combining these two disciplines is not
an easy task. Concepts from the information security field often correspond weakly to
concepts from the legal field, even in situations where the terminology is similar. For
example, from the information security point of view, "digital signature" means the result
of applying certain specific technical processes described below to specific information.
The historical legal concept of "signature" is broader. It recognizes any mark made with
the intention of authenticating the marked document. In a digital setting, today's broad
legal concept of "signature" may well include markings as diverse as digitized images of
paper signatures, typed notations such as "/s/ John Smith," or even addressing
notations, such as electronic mail origination headers.

From an information security viewpoint, these simple "electronic signatures" are distinct
from the "digital signatures" described in this report and in the technical literature,
although "digital signature" is sometimes used to mean any form of computer-based
signature. This report defines "digital signature" only as it is used in information security
terminology, as meaning the result of applying the technical processes described here.
To explain the value of digital signatures in legal applications, this report begins with an
overview of the legal significance of signatures. It then sets forth the basics of digital
signature technology, and examines how, with some legal and institutional
infrastructure, digital signature technology can be applied as a robust computer-based
alternative to traditional signatures.

When first invented in the 1970s, digital signatures made an amazing promise: better
than a handwritten signature -- unforgeable and uncopyable -- on a document. Today,
they are a fundamental component of business in cyberspace. And numerous laws,
state and now federal, have codified digital signatures into law.


   1.1. The general purposes of signing writings
A signature is not part of the substance of a transaction, but rather of its representation
or form. Signing writings serves the following general purposes:

• Evidence
A signature authenticates a writing by identifying the signer with the signed document.
When the signer makes a mark in a distinctive manner, the writing becomes attributable
to the signer.

• Ceremony
The act of signing a document calls to the signer's attention the legal significance of the
signer's act, and thereby helps prevent "inconsiderate engagements", for example those
that take advantage of mentally challenged people.

• Approval
In certain contexts defined by law or custom, a signature expresses the signer's
approval or authorization of the writing, or the signer's intention that it have legal effect.

• Efficiency and logistics
A signature on a written document often imparts a sense of clarity and finality to the
transaction and may lessen the subsequent need to inquire beyond the face of a
document. Negotiable instruments, for example, rely upon formal requirements,
including a signature, for their ability to change hands with ease, rapidity, and minimal

The formal requirements for legal transactions, including the need for signatures, vary in
different legal systems, and also vary with the passage of time. There is also variance in
the legal consequences of failure to cast the transaction in a required form. The statute
of frauds of the common law tradition, for example, does not render a transaction invalid
for lack of a "writing signed by the party to be charged," but rather makes it
unenforceable in court, a distinction which has caused the practical application of the
statute to be greatly limited in case law.

   1.2. The required attributes of a signature
During this century, most legal systems have reduced formal requirements, or at least
have minimized the consequences of failure to satisfy formal requirements.
Nevertheless, sound practice still calls for transactions to be formalized in a manner
which assures the parties of their validity and enforceability. In current practice,
formalization usually involves documenting the transaction on paper and signing or
authenticating the paper. Traditional methods, however, are undergoing fundamental
change. Documents continue to be written on paper, but sometimes merely to satisfy
the need for a legally recognized form. In many instances, the information exchanged to
effect a transaction never takes paper form. Computer-based information can also be
utilized differently than its paper counterpart. For example, computers can "read" digital
information and transform the information or take programmable actions based on the
information. Information stored as bits rather than as atoms of ink and paper can travel
near the speed of light, may be duplicated without limit and with insignificant cost.
Although the basic nature of transactions has not changed, the law has only begun to
adapt to advances in technology. The legal and business communities must develop
rules and practices which use new technology to achieve and surpass the effects
historically expected from paper forms.

To achieve the basic purposes of signatures outlined above, a signature must have the
following attributes:

• Signer authentication
A signature should indicate who signed a document, message or record, and should be
difficult for another person to produce without authorization.

• Document authentication
A signature should identify what is signed, making it impracticable to falsify or alter
either the signed matter or the signature without detection.

Signer authentication and document authentication are tools used to exclude
impersonators and forgers and are essential ingredients of what is often called a
"nonrepudiation service" in the terminology of the information security profession. A
nonrepudiation service provides assurance of the origin or delivery of data in order to
protect the sender against false denial by the recipient that the data has been received,
or to protect the recipient against false denial by the sender that the data has been sent.
Thus, a nonrepudiation service provides evidence to prevent a person from unilaterally
modifying or terminating legal obligations arising out of a transaction effected by
computer-based means.

• Affirmative act
The affixing of the signature should be an affirmative act which serves the ceremonial
and approval functions of a signature and establishes the sense of having legally
consummated a transaction.

• Efficiency
Optimally, a signature and its creation and verification processes should provide the
greatest possible assurance of both signer authenticity and document authenticity, with
the least possible expenditure of resources.

Digital signature technology generally surpasses paper technology in all these
attributes. To understand why, one must first understand how digital signature
technology works.


   2.1. The asymmetric cryptosystem (private-public key)
Digital signatures are created and verified by cryptography, the branch of applied
mathematics that concerns itself with transforming messages into seemingly
unintelligible forms and back again. Digital signatures use what is known as "public key
cryptography," which employs an algorithm using two different but mathematically
related "keys"; one for creating a digital signature or transforming data into a seemingly
unintelligible form, and another key for verifying a digital signature or returning the
message to its original form. Computer equipment and software utilizing two such keys
are often collectively termed an "asymmetric cryptosystem."

The complementary keys of an asymmetric cryptosystem for digital signatures are
arbitrarily termed the private key, which is known only to the signer and used to create
the digital signature, and the public key, which is ordinarily more widely known and is
used by a relying party to verify the digital signature. If many people need to verify the
signer's digital signatures, the public key must be available or distributed to all of them,
perhaps by publication in an on-line repository or directory where it is easily accessible.
Although the keys of the pair are mathematically related, if the asymmetric cryptosystem
has been designed and implemented securely it is "computationally infeasible" to derive
the private key from knowledge of the public key. Thus, although many people may
know the public key of a given signer and use it to verify that signer's signatures, they
cannot discover that signer's private key and use it to forge digital signatures. This is
sometimes referred to as the principle of "irreversibility."

   2.2. The hash function
Another fundamental process, termed a "hash function," is used in both creating and
verifying a digital signature. A hash function is an algorithm which creates a digital
representation or "fingerprint" in the form of a "hash value" or "hash result" of a standard
length which is usually much smaller than the message but nevertheless substantially
unique to it. Any change to the message invariably produces a different hash result
when the same hash function is used. In the case of a secure hash function, sometimes
termed a "one-way hash function," it is computationally infeasible to derive the original
message from knowledge of its hash value. Hash functions therefore enable the
software for creating digital signatures to operate on smaller and predictable amounts of
data, while still providing robust evidentiary correlation to the original message content,
thereby efficiently providing assurance that there has been no modification of the
message since it was digitally signed.

   2.3. Digital Signature Creation and Verification
Thus, use of digital signatures usually involves two processes, one performed by the
signer and the other by the receiver of the digital signature:

• Digital signature creation
It uses a hash result derived from and unique to both the signed message and a given
private key. For the hash result to be secure, there must be only a negligible possibility
that the same digital signature could be created by the combination of any other
message or private key.

• Digital signature verification
This is the process of checking the digital signature by reference to the original
message and a given public key, thereby determining whether the digital signature was
created for that same message using the private key that corresponds to the referenced
public key.

To sign a document or any other item of information, the signer first delimits precisely
the borders of what is to be signed. The delimited information to be signed is termed the
"message" in this report. Then a hash function in the signer's software computes a hash
result unique (for all practical purposes) to the message. The signer's software then
transforms the hash result into a digital signature using the signer's private key. The
resulting digital signature is thus unique to both the message and the private key used
to create it.

Typically, a digital signature (a digitally signed hash result of the message) is attached
to its message and stored or transmitted with its message. However, it may also be sent
or stored as a separate data element, so long as it maintains a reliable association with
its message. Since a digital signature is unique to its message, it is useless if wholly
disassociated from its message.

Verification of a digital signature is accomplished by computing a new hash result of the
original message by means of the same hash function used to create the digital
signature. Then, using the public key and the new hash result, the verifier checks: (1)
whether the digital signature was created using the corresponding private key; and (2)
whether the newly computed hash result matches the original hash result which was
transformed into the digital signature during the signing process. The verification
software will confirm the digital signature as "verified" if: (1) the signer's private key was
used to digitally sign the message, which is known to be the case if the signer's public
key was used to verify the signature because the signer's public key will verify only a
digital signature created with the signer's private key; and (2) the message was
unaltered, which is known to be the case if the hash result computed by the verifier is
identical to the hash result extracted from the digital signature during the verification

Various asymmetric cryptosystems create and verify digital signatures using different
algorithms and procedures, but share this overall operational pattern.


   2.4. The legal purposes of digital signature
The processes of creating a digital signature and verifying it accomplish the essential
effects desired of a signature for many legal purposes:

• Signer authentication
If a public and private key pair is associated with an identified signer, the digital
signature attributes the message to the signer. The digital signature cannot be forged,
unless the signer loses control of the private key (a "compromise" of the private key),
such as by divulging it or losing the media or device in which it is contained.

• Message authentication
The digital signature also identifies the signed message, typically with far greater
certainty and precision than paper signatures. Verification reveals any tampering, since
the comparison of the hash results (one made at signing and the other made at
verifying) shows whether the message is the same as when signed.

• Affirmative act
Creating a digital signature requires the signer to use the signer's private key. This act
can perform the "ceremonial" function of alerting the signer to the fact that the signer is
consummating a transaction with legal consequences.

• Efficiency
The processes of creating and verifying a digital signature provide a high level of
assurance that the digital signature is genuinely the signer's. As with the case of
modern electronic data interchange ("EDI"), the creation and verification processes are
capable of complete automation (sometimes referred to as "machinable"), with human
interaction required on an exception basis only. Compared to paper methods such as
checking specimen signature cards -- methods so tedious and labor-intensive that they
are rarely actually used in practice -- digital signatures yield a high degree of assurance
without adding greatly to the resources required for processing.

The processes used for digital signatures have undergone thorough technological peer
review for over a decade. Digital signatures have been accepted in several national and
international standards developed in cooperation with and accepted by many
corporations, banks, and government agencies. The likelihood of malfunction or a
security problem in a digital signature cryptosystem designed and implemented as
prescribed in the industry standards is extremely remote, and is far less than the risk of
undetected forgery or alteration on paper or of using other less secure electronic
signature techniques.

   2.5. Public Key Certificates
• Who is represented by the key pair?
To verify a digital signature, the verifier must have access to the signer's public key and
have assurance that it corresponds to the signer's private key. However, a public and
private key pair has no intrinsic association with any person; it is simply a pair of
numbers. Some convincing strategy is necessary to reliably associate a particular
person or entity to the key pair.

In a transaction involving only two parties, each party can simply communicate (by a
relatively secure "out-of-band" channel such as a courier or a secure voice telephone)
the public key of the key pair each party will use. Such an identification strategy is no
small task, especially when the parties are geographically distant from each other,
normally conduct communication over a convenient but insecure channel such as the
Internet, are not natural persons but rather corporations or similar artificial entities, and
act through agents whose authority must be ascertained. As electronic commerce
increasingly moves from a bilateral setting to the many-on-many architecture of the
World Wide Web on the Internet, where significant transactions will occur among
strangers who have no prior contractual relationship and will never deal with each other
again, the problem of authentication/nonrepudiation becomes not merely one of
efficiency, but also of reliability. An open system of communication such as the Internet
needs a system of identity authentication to handle this scenario.

To that end, a prospective signer might issue a public statement, such as: "Signatures
verifiable by the following public key are mine." However, others doing business with the
signer may for good reason be unwilling to accept the statement, especially where there
is no prior contract establishing the legal effect of that published statement with
certainty. A party relying upon such an unsupported published statement in an open
system would run a great risk of trusting a phantom or an imposter, or of attempting to
disprove a false denial of a digital signature ("nonrepudiation") if a transaction should
turn out to prove disadvantageous for the purported signer.

• The need of a third party
The solution to these problems is the use of one or more trusted third parties to
associate an identified signer with a specific public key. That trusted third party is
referred to as a "certification authority" in most technical standards and in this report.

To associate a key pair with a prospective signer, a certification authority issues a
certificate, an electronic record which lists a public key as the "subject" of the certificate,
and confirms that the prospective signer identified in the certificate holds the
corresponding private key. The prospective signer is termed the "subscriber." A
certificate's principal function is to bind a key pair with a particular subscriber. A
"recipient" of the certificate desiring to rely upon a digital signature created by the
subscriber named in the certificate (whereupon the recipient becomes a "relying party")
can use the public key listed in the certificate to verify that the digital signature was
created with the corresponding private key. If such verification is successful, this chain
of reasoning provides assurance that the corresponding private key is held by the
subscriber named in the certificate, and that the digital signature was created by that
particular subscriber.

To assure both message and identity authenticity of the certificate, the certification
authority digitally signs it. The issuing certification authority's digital signature on the
certificate can be verified by using the public key of the certification authority listed in
another certificate by another certificate authority (which may but need not be on a
higher level in a hierarchy), and that other certificate can in turn be authenticated by the
public key listed in yet another certificate, and so on, until the person relying on the
digital signature is adequately assured of its genuineness. In each case, the issuing
certification authority must digitally sign its own certificate during the operational period
of the other certificate used to verify the certification authority's digital signature.

A digital signature, whether created by a subscriber to authenticate a message or by a
certification authority to authenticate its certificate (in effect a specialized message)
should be reliably time-stamped to allow the verifier to determine reliably whether the
digital signature was created during the "operational period" stated in the certificate,
which is a condition upon verifiability of a digital signature under this report.

To make a public key and its identification with a specific subscriber readily available for
use in verification, the certificate may be published in a repository or made available by
other means. Repositories are on-line databases of certificates and other information
available for retrieval and use in verifying digital signatures. Retrieval can be
accomplished automatically by having the verification program directly inquire of the
repository to obtain certificates as needed.

Once issued, a certificate may prove to be unreliable, such as in situations where the
subscriber misrepresents his identity to the certification authority. In other situations, a
certificate may be reliable enough when issued but come to be unreliable sometime
thereafter. If the subscriber loses control of the private key ("compromise" of the private
key), the certificate has become unreliable, and the certification authority (either with or
without the subscriber's request depending on the circumstances) may suspend
(temporarily invalidate) or revoke (permanently invalidate) the certificate. Immediately
upon suspending or revoking a certificate, the certification authority must publish notice
of the revocation or suspension or notify persons who inquire or who are known to have
received a digital signature verifiable by reference to the unreliable certificate.

   2.6. Summary of digital signatures’ mechanism
Assume you were going to send the draft of a will to your lawyer in another town. You
want to give your lawyer the assurance that it was unchanged from what you sent and
that it is really from you.

1. You copy-and-paste the will (it's a short one!) into an e-mail note.
2. Using special software, you obtain a message hashing (mathematical summary) of
   the will.
3. You then use a private key that you have previously obtained from a public-private
   key authority to encrypt the hash.
4. The encrypted hash becomes your digital signature of the message (Note that it will
   be different each time you send a message).

At the other end, your lawyer receives the message.

1. To make sure it's intact and from you, your lawyer makes a hash of the received
2. Your lawyer then uses your public key to decrypt the message hash or summary.
3. If the hashes match, the received message is unaltered and valid.
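
The signing and verification steps of sections 2.3 and 2.6, together with the certificate check of section 2.5, as an added example that is not part of the original report. It uses textbook RSA over a SHA-256 hash with a simplified padding; the key pairs are built from publicly known Mersenne primes and are therefore insecure by construction, and every function name, certificate field, date and the sample will text are assumptions made for the illustration.

```python
import hashlib
import json

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Build a textbook RSA key pair from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


# Constructed demo keys from well-known Mersenne primes: NOT secret and NOT
# secure, chosen only so the example is deterministic and runs offline.
SUB_PUBLIC, SUB_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)    # subscriber
CA_PUBLIC, CA_PRIVATE = make_keypair(2**1279 - 1, 2**2203 - 1)    # certification authority


def encode_hash(message, n):
    """Compute the hash result and pad it to the modulus length.

    Simplified layout (assumption): real PKCS#1 v1.5 also embeds an
    algorithm identifier in front of the digest.
    """
    digest = hashlib.sha256(message).digest()
    k = (n.bit_length() + 7) // 8
    padded = b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest
    return int.from_bytes(padded, "big")


def sign(message, private):
    """Signer: transform the hash result with the private key."""
    return pow(encode_hash(message, private["n"]), private["d"], private["n"])


def verify(message, signature, public):
    """Verifier: recompute the hash and compare it with the value
    recovered from the signature using the public key."""
    if not 0 < signature < public["n"]:
        return False
    recovered = pow(signature, public["e"], public["n"])
    return recovered == encode_hash(message, public["n"])


def cert_bytes(body):
    """Canonical byte form of a certificate body, so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, public, not_before, not_after, serial, ca_private):
    """CA: bind a subscriber name to a public key and sign the binding."""
    body = {"subject": subject, "public_key": public, "serial": serial,
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "ca_signature": sign(cert_bytes(body), ca_private)}


def check_signed_message(message, signature, signed_at, cert, ca_public, revoked):
    """Relying party: check the certificate first, then the message signature.

    signed_at is assumed to come from a reliable time stamp (ISO date string);
    revoked is the set of serial numbers the CA has published as revoked.
    """
    body = cert["body"]
    if not verify(cert_bytes(body), cert["ca_signature"], ca_public):
        return "certificate not issued by this CA"
    if body["serial"] in revoked:
        return "certificate revoked"
    if not body["not_before"] <= signed_at <= body["not_after"]:
        return "signed outside operational period"
    if not verify(message, signature, body["public_key"]):
        return "signature does not match message"
    return "verified"


if __name__ == "__main__":
    will = b"I leave my estate to my two children in equal shares."  # constructed sample
    sig = sign(will, SUB_PRIVATE)
    cert = issue_certificate("Alice Example", SUB_PUBLIC,
                             "2000-01-01", "2000-12-31", 1001, CA_PRIVATE)
    print(check_signed_message(will, sig, "2000-12-03", cert, CA_PUBLIC, set()))
    print(check_signed_message(will.replace(b"two", b"ten"), sig,
                               "2000-12-03", cert, CA_PUBLIC, set()))
    print(check_signed_message(will, sig, "2000-12-03", cert, CA_PUBLIC, {1001}))
```

The order of checks in `check_signed_message` matters: the public key inside the certificate is only trusted after the CA's signature on the certificate, its revocation status and its operational period have been checked.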


   3.1. Other types of digital signatures
Other types of digital signature use biometric technology. Biometrics involves the
identification of a person using measurements of inherent biological characteristics
(such as fingerprints or eye patterns) or acquired personal characteristics (such as
speech or handwriting). For example, a biometric digital signature can contain a
handwritten signature that is captured electronically and linked to a document. You may
have already had personal experience with this type of technology when signing credit
card receipts.

While biometric digital signatures have certain obvious advantages (such as the same
visual appearance as traditional handwritten signatures), they also have their
drawbacks. Extra peripheral devices are needed to support the technology, and
biometric systems have not received the same level of support that the DSS has
enjoyed from the federal government and large institutions. This may change, however.

   3.2. Advantages and Disadvantages
• Advantages
Whatever the technical system used to create them, all digital signatures give rise to
many of the same issues and problems. Digital signatures have three main roles:

     ▪ Ensure that no one other than intended recipients have access to the data
     ▪ Ensure that the data have not been altered
     ▪ Ensure that a particular sender did indeed send the message

Digital signatures can provide several advantages over traditional handwritten

     ▪ First is data integrity. Digital signatures provide proof that the document or
       message has not been altered or tampered with.
     ▪ Second is authentication of identities. Digital signatures make it easier to verify
       the identity of senders and recipients, which is important as transactions
       increasingly occur over great distances between persons who have never met.
     ▪ A third advantage is the concept of non-repudiation. This means that neither the
       sender nor the recipient can deny having sent or received the document.
     ▪ Fourth, digital signatures can include an automatic date and time stamp, which is
       critical in business transactions.
     ▪ Fifth, digital signatures can increase the speed and accuracy of transactions. For
       example, a bank could verify thousands of digital signatures much faster than it
       could the same number of handwritten signatures.
     ▪ And finally, confidentiality is improved with digital signatures through the use of

The advantages of digital signatures are further magnified when considered alongside
the problems associated with handwritten signatures. There is no "standard method" for
a person's handwritten signature, which can vary from one day to the next. This makes
signature verification a difficult and subjective activity. Also, handwritten signatures can
be easily forged or copied. Finally, on multiple page documents, it can be difficult to
determine whether the signature applies to all pages or whether pages have been
added/deleted since the signing. Digital signatures mitigate these problems and excel
where handwritten signatures fall behind.

But there's still a lot of disagreement about what forms of encryption work best and how
to set up digital signature networks. While digital signatures make it easier for important
transactions to be conducted electronically, there are standards issues, security
problems, and confusing and counterproductive legal concerns that seem to be keeping
the technology from breaking into the mainstream.

• Disadvantages
The disadvantages of digital signatures fall into several categories: technological
compatibility, security concerns, and legal issues.

      • Technological compatibility
Technological compatibility refers to standards and the ability of one digital signature
system to "talk" to another. Currently, both the recipient and sender must be using the
same signature program in order for the process to work. Ideally, different systems
should be compatible, but that involves agreement on standards of communication. It is
difficult to develop standards across a wide user base. Any digital signature standards
would have to be developed globally. Some groups, including UNCITRAL (United
Nations Commission On International Trade Law) and OECD (Organization for
Economic Cooperation and Development), are currently working on international
agreements related to digital signatures.

      • Security concerns
As with any computer technology, digital signatures require a constant struggle to
maintain secure transactions. These efforts are perpetually hampered by lost or
borrowed passwords, theft and tampering, and vulnerable storage and backup facilities.
Also, technological weakness is always a security issue. Hackers are constantly finding
loopholes or cracking codes. The public/private keys used in digital signatures used to
be 40 bits long, but that key length can now be easily broken or decoded. Current key
standards are typically 128 bits. Soon, that standard will be obsolete, too.

      • Legal issues
The legal issues associated with digital signatures are complex. There is clear
consensus that digital signatures should be legally acceptable. However, many
questions remain unanswered in the legal arena.
Almost every U.S. state has enacted or considered some form of legislation allowing the
use of digital signatures, but each state has a different approach. Some states have
"thick" laws, meaning that they have detailed regulations about the definition of digital
signature, the types of acceptable technologies, and/or provisions for licensing
certificate authorities. Other states have "thin" laws, where they simply state that
electronic signatures in whatever form are acceptable as legal signatures. Since
technology changes so quickly, it is important for legislation to be flexible enough to
allow for technological improvements.

Sometimes, problems arise when digital signatures are used for state-to-state
transactions. Jurisdiction over Internet transactions at the local level is unclear since
the Internet is unregulated. To solve this problem, some digital signature advocates
believe that regulations are needed at the federal level. However, digital signatures are
really a global issue and need to be addressed at that level.
Liability is another concern. There is little guidance for certificate authorities in
understanding their liability for problems arising from erroneous, falsified, or altered
digital IDs. How far should certificate authorities go to verify someone's identity? Many
digital IDs today aren't much better than library cards for proving identity.
A related issue is the legal hurdles facing encryption, an integral component of digital
signature technology. The U.S. government restricts the export of sophisticated
encryption technology to other countries, claiming it's a matter of national security. This
has enormous implications for digital signature technology, and it is a hotly contested


   4.1. Impact on the business world
The adoption of digital signatures by the state is important to businesses as it creates
an environment that facilitates electronic commerce and private communications. This
means not only creating an environment safe from Internet robbery and fraud, but a place
where business agreements can be transacted under accepted legal standards.

A major opportunity for business process improvement exists in the application of digital
signature technology to electronic document management systems. Digital signature
technology can provide greater cost savings and increased performance for these
systems by allowing the complete automation of many processes normally left to
manual procedures. This includes assigning handwritten signatures to "official"
documents. However, for such technologies to be implemented in a successful manner,
adequate policies and guidance must be developed. There is a need for government
agencies, private enterprise and records management professionals to contribute to the
development of issues on security, privacy, keys, certification, and the legal and
business ramifications of using digital signature technology. The government still must
establish a Digital Signature Service infrastructure to craft uniform policies, propose
necessary law changes, and promote interoperability among agencies and the private
sector. The appropriate role of government in this area is a topic of much debate.

Legend for Chart:   Benefits

Industry                          Customer expectations

Banking and financial services    Reduced paperwork; faster approvals
                                  Increased velocity of fund transfers
                                  New business opportunities to act as certification authorities
                                  Support for the many different trading partners that may be
                                  involved in a financial transaction

                                  Automation of time-consuming and costly processes
                                  Cost of adoption
                                  Speed with which digital signature technology can be

Health care                       Automation of claims and payments
                                  Integration with insurance companies and provider networks
                                  Secure access to patient records
                                  Cost of adoption
                                  Speed with which digital signature technology can be

Insurance                         Resolving claims online
                                  Processing policy applications online
                                  State-to-state differences in insurance regulations
                                  Integrating digital signature technologies into well-established
                                  and heavily regulated processes

                                  Supply-chain automation
                                  Supporting the many different trading partners that may be
                                  involved in a supply chain
                                  Establishing standards

Pharmaceutical                    Faster approvals for new drug applications
                                  Integrating digital signature technologies into well-established
                                  and heavily regulated processes

Services                          Automate contract processes
                                  Integrating digital signature technologies into existing contract
                                  management and accounting systems


   4.2. International Overview
• US
In the US, the Electronic Signatures in Global and National Commerce (E-Sign) Act is
hailed by supporters as a major step that will spur the growth of business-to-business
and business-to-consumer e-commerce. It also brought the U.S. into step with
many of its individual states and several other countries that have already implemented
digital signature legislation.

While U.S. states that have implemented digital signature bills gave validity to intrastate
online transactions, the new U.S. law signed by President Clinton on June 3rd, 2000
updates federal statutes so that transactions with the federal government and interstate
transactions are covered. However, the issue remains unresolved, as differences between
state and federal laws might hinder the evolution of e-commerce. Other countries also
have updated their laws to make it easier to conduct business online.

• Asia
In Asia, the move toward digital signatures is being spearheaded by the commercial
sector, which is eager to cut out a lot of the paperwork that now dogs intra-regional
trade. Almost coinciding with the U.S., Taiwan's first legally binding digital contract was
signed on Sept. 25 between a local company and one in Japan.
At the intergovernmental level, APEC (Asia Pacific Economic Cooperation) is working
on several initiatives to promote the use of digital signatures, but some of the leading
economies in the region have either already given them force of law or are well on their
way to adopting new laws.

Among the nations that already have digital signature laws in place are Malaysia, South
Korea and Singapore. In India, the Department of Electronics has issued the draft
Information Technology Act 1998, which contains provisions on digital signatures.
Malaysia enacted a Digital Signature Act in 1997. South Korea also passed
e-commerce legislation in January this year. For example, Malaysia’s Digital Signature
Act 1997 provides that a digital signature in compliance with the Act is as legally binding
as a “handwritten signature, an affixed thumbprint or any other mark.” Article 62 of the
Act provides that the digital signature must be verified through a valid certificate issued
by a licensed certification authority and must be affixed by the signer with the
intention of signing the message.

Singapore announced that it had set up a digital certification authority, known as
Netrust, described as the "first Certification Authority in South East Asia". Netrust is a
joint venture between the Singapore National Computer Board (NCB) and Network for
Electronic Transfers (Singapore) Pte Ltd (NETS) and provides business and
government departments in Singapore a complete online identification and security
infrastructure to enable secure electronic commerce and other online transactions
across the Internet. Malaysia, though the first to pass a Digital Signature Act in ASEAN
and even in Asia, has not yet set up any digital certification authorities.

In Japan, where corporate seals, rather than signatures, are most commonly used, the
government is expected to submit a bill to parliament during the current or next session
aimed at giving digital signatures full legal force by the end of 2001.
In Hong Kong, following the United Nations e-business model law, the law gives
electronic records and digital signatures the same legal status as that of their paper-
based counterparts. The Ordinance also guarantees that electronic records can be used
to draw up contracts and that such records can be admissible as evidence in court.

• Europe
The European Union's directive on electronic signatures went into force on Jan. 19,
2000. Thus far, three states have implemented it, and most of the rest are expected to
implement it by the end of this year. Unlike in the United States, where each state has
its own regulation, the EU regulation states that any form of digital signature is to be
accepted within the union, which reinforces one of the major rights in the
community: free circulation of products and services. At the same time, the law seeks
standardization by accepting digital signatures from non-member states through a
certification authority. This set of rules should help all countries move towards a global
standard, allowing digital signatures to expand in the international business world.

As digital signatures become a commodity, certification authorities will play a critical
role. They will act as real agents for evidence and will be responsible for keeping
track of a digital signature and its unique owner. However, no rule has been defined
concerning certification authorities in the European law. Each member state is
responsible for controlling its certification authorities and, if necessary, will have to
make specific modifications to its laws by Jan. 19, 2001. The need for a third
party in the process of using digital signatures not only creates a promising new market
and produces legal disagreements internationally; the sociological consequences also
have to be taken into account. The traditional signature loses its personal character,
which is given up to a third party. People are going to give up the right to identify
themselves in a transaction. For example, in France, the social security system is to be
upgraded to function with digital signatures, but at the same time patients will lose control
of their reimbursement as technology and third-party authorities become involved in the process.

Today in most of the industrialized countries digital signature enjoys a strong legal base.
Within 3 years legislators managed to formulate laws flexible enough to adapt to
technological change. The main issue now is to reach an international standard both
legally and technologically. All countries agree on the fact that the purpose of digital
signature is to further improve the development of e-commerce. Nevertheless, given this
dynamic, it will be difficult to find a general consensus. As each country or group
of countries implements its solution and enforces its laws, a logical scenario for digital
signatures would be a 3-step process to reach a long-term goal:
o domestically each country will be able to expand the use of digital signature thanks
    to the flexibility given by regulations at a higher level (EU, United States and APEC)
o regulations at a higher level such as the European Directive and the federal law in
    the United States become commonly accepted among countries within their range
    of action
o a convergence of both technology and regulations through business practice on a
  worldwide basis

    4.3. The costs of digital signatures
The prospect of fully implementing digital signatures in general commerce presents both
benefits and costs. The costs consist mainly of:

• Institutional overhead
The cost of establishing and utilizing certification authorities, repositories, and other
important services, as well as assuring quality in the performance of their functions.

• Subscriber and Relying Party Costs
A digital signer will require software, and will probably have to pay a certification
authority some price to issue a certificate. Hardware to secure the subscriber's private
key may also be advisable. Persons relying on digital signatures will incur expenses for
verification software and perhaps for access to certificates and certificate revocation
lists (CRL) in a repository.

    4.4. The promising solutions
On the plus side, the principal advantage to be gained is more reliable authentication of
messages. Digital signatures, if properly implemented and utilized, offer promising
solutions to the problems of:

• Imposters
By minimizing the risk of dealing with imposters or persons who attempt to escape
responsibility by claiming to have been impersonated.

• Message integrity
By minimizing the risk of undetected message tampering and forgery, and of false
claims that a message was altered after it was sent.

• Formal legal requirements
By strengthening the view that legal requirements of form, such as writing, signature,
and an original document, are satisfied, since digital signatures are functionally on a par
with, or superior to paper forms.

• Open systems
By retaining a high degree of information security, even for information sent over open,
insecure, but inexpensive and widely used channels.

    4.5. Today’s e-signature players
Here's a rundown of who is making and selling digital-signature technology, some of
which works independently or in concert with others.

• Ilumin
Calls its technology the "digital handshake." It creates a secure environment with all the
tools necessary to review, edit, sign and store documents.

• SignOnline
A silicon startup, will issue its own signatures to customers to use, marrying
authenticated digital certificates with secure e-documents. Once signed, documents at
SignOnline also go into a secure electronic cabinet.

• Litronic
Also a maker of smart cards, is developing technology that treats a user's eye as a
fingerprint. A camera scans the user's iris and matches it up with one on record.

• Interlink Electronics
Sells its ePad, which records more than just the shape of your name. It records the date
and time of the signing, and your signature is cryptographically linked to the document
and biometrically associated to you.

Much of the heavy lifting in the days ahead will be done by companies such as VeriSign
and Entrust Technologies, which have already laid strong foundations in developing the
public key infrastructure that is the basis of most digital signatures.

   4.6. Sooner than later
Thanks to a measure approved by Congress and headed to President Clinton's desk for
his signature, Web surfers and e-mail users will soon be able to put a legally binding
digital version of their John Hancocks on virtually any document or transaction. No
surprise, really. With the volume of e-commerce and business-to-business transactions
skyrocketing, the acceptance of digital signatures was more a question of when rather
than if. In fact, many companies have been using proprietary digital signature
technology for decades as part of electronic data interchanges.
The effect, businesses pledge, is a new world of e-commerce that is faster, cheaper and
less vulnerable to fraud.
"It's truly a watershed event," said Guido DiGregorio, president and chief executive of
the Communication Intelligence Corporation of Redwood Shores, Calif., which
developed the system for Schwab. "I can do transactions at the speed of the Internet,
cut costs 50 percent and I'm more secure than I was before."
The Electronic Signatures in Global Commerce Act did not dictate that any particular
technology be used, leaving those choices to the marketplace. That means consumers
can expect a proliferation of competing mechanisms for bringing signatures into the
digital age, from encryption-based "digital signature" systems (essentially software that
uses scrambled numbers to identify a particular person) from companies like Entrust
Technologies Inc. and VeriSign Inc., to the simple signing mechanism at Schwab, which
updates ancient and familiar practices.
Bryan Keene, an analyst at Prudential Securities, estimates that electronic and digital
signatures will lead to 80 percent of all financial transactions being completely
automated in the next five years.

Digital signatures are already in use around the world today. However, it remains to be
seen if the technology's advancement can effectively confound the devious talents of
hackers and, at the same time, slow down long enough to let legislation catch up with it.
While the advantages are obvious--healthcare, finance, and education are only some of
the potential beneficiaries--current stumbling blocks seem to be preventing widespread
use at a consumer level. Though with a truly global marketplace and the accompanying
benefits of e-commerce, online transactions are multiplying at a furious rate. It's
probably safe to assume that digital signature technology will keep the pace. In the
meantime, keep a pen handy.

