Digital signatures: Use with care, if at all


Robert Scheier
02.20.2002


With fears of anthrax-contaminated letters still fresh in the public mind, and with federal legislation authorizing digital signatures on the books, you might think the time has finally come for digital signatures.

Don't bet on it. Widespread adoption of digital signatures will be slow for at least the next few years, due to the cost and complexity of the public key infrastructures (PKI) required for them, and a legal muddle over what constitutes a binding digital signature. During that time, analysts recommend implementing digital signatures only for less sensitive applications, outsourcing your PKI needs if you can't afford to implement PKI yourself, and choosing technology vendors who can survive any coming shakeouts and whose products support (or will support) PKI if and when you need it.

First, some vocabulary. According to Gartner Inc., "e-signature" is a generic term covering any electronic signing of a document. The less robust form of an "e-signature" is an electronic signature, which may include the digital capture of an actual signature, clicking on "yes" or "I agree" buttons to "sign" a document, or checking biometric characteristics such as a fingerprint or an iris scan. (See Scheier's Security Roundup on biometric technologies.)

A digital signature, by contrast, uses a pair of mathematically related signing keys to verify the identity of the sender and to verify that the content of the signed document has not changed while in transit. Digital signatures also provide for "nonrepudiation," which means neither the sender nor the recipient can later claim the transaction didn't take place. This is vital not only when dealing with contracts but also for online sales of digital goods such as music.
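The sign-and-verify cycle described above, as an added example that is not part of the original article: a signer produces a signature with the private half of the key pair, and the recipient checks it with a public key it already trusts, so that both a tampered document and a signature from a different sender are rejected. The document text and the "claimed signer" field are constructed for illustration; Ed25519 stands in for whatever algorithm a given PKI issues certificates for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDocument is what travels from sender to recipient: the content, the
// signature over it, and the key the sender claims to hold. The claimed key is
// only a hint; the recipient must decide trust on its own (that is the PKI's job).
type SignedDocument struct {
	Content       []byte
	Signature     []byte
	ClaimedSigner ed25519.PublicKey
}

// Sign binds content to the holder of priv. Any later change to Content
// invalidates the signature, which is the integrity property the article names.
func Sign(priv ed25519.PrivateKey, content []byte) SignedDocument {
	return SignedDocument{
		Content:       content,
		Signature:     ed25519.Sign(priv, content),
		ClaimedSigner: priv.Public().(ed25519.PublicKey),
	}
}

// Verify checks the signature against trustedSigner, the public key the
// recipient has independently tied to the sender's identity. Deliberately
// ignoring doc.ClaimedSigner is what prevents a forger from simply shipping
// their own key along with a forged document.
func Verify(doc SignedDocument, trustedSigner ed25519.PublicKey) bool {
	if len(trustedSigner) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(trustedSigner, doc.Content, doc.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := Sign(priv, []byte("I agree to the terms of order #1001")) // constructed sample
	fmt.Println("original verifies:    ", Verify(doc, pub))
	tampered := doc
	tampered.Content = []byte("I agree to the terms of order #9999") // altered in transit
	fmt.Println("tampered verifies:    ", Verify(tampered, pub))
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a different sender's key
	fmt.Println("wrong signer verifies:", Verify(doc, otherPub))
}
```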

Obstacles

However, the federal E-Sign Act of 2000 failed to make such distinctions, defining an electronic signature only as "an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record." Companies are eager to implement digital signatures so they can save money by moving paperwork-intensive transactions online, says analyst Jan Sundgren of Giga Information Group. However, he says, "They're probably getting some serious pushback from their legal counsel" because of a lack of case law defining exactly what types of digital, or electronic, signatures are legally binding.

PKI must come first

"You can't really do digital signatures without a PKI," says Phil Schacter, vice president of The Burton Group, a consulting and research firm in Midvale, Utah, but PKI is still too expensive and complex for most companies to implement. Before PKI use becomes common, he says, it must become easier to mix and match PKI tools from different vendors, to "cross-certify" digital certificates issued by different certificate authorities, and to create trusted intermediaries who can vouch for the accuracy of digital certificates.

While larger companies may have some form of PKI in house already, he says, smaller firms may want to buy PKI services from vendors such as Baltimore Technologies, Entrust Inc. or Digital Signature Trust Co.

Other companies are rolling out intriguing approaches to the electronic, or digital, signature challenge. Silanis Technology Inc. is getting a lot of attention, says Sundgren, with its ApproveIt line of electronic signature software that allows a customer to electronically "sign" documents by clicking on a series of "I agree" buttons. (Silanis also offers a version that works with a signature pad to electronically capture an image of the consumer's signature.) Silanis claims to have 900 customers in the government, pharmaceutical and financial services industries.

PureEdge Solutions Inc.'s Internet Commerce System uses XML-based forms to capture a series of questions and answers. This provides non-repudiation, the company says, "by storing the form template, data and internal logic in a single file that can be authorized and secured with a digital signature." PureEdge says its customers include FedEx, GE Aircraft Engines and numerous government agencies.

While vendors struggle to demystify PKI and courts grapple with legal definitions, technical committees are hammering out standards to make digital signature adoption easier. The most crucial underlying standard, according to Burton Group Senior Analyst James Kobielus, is xmldsig, which defines how to digitally sign documents using XML syntax. The xmldsig specification, in turn, is being used to develop other key standards such as XKMS (the XML Key Management Specification to define the XML protocols and formats for managing public and private keys) as well as SAML (the Security Assertion Markup Language) designed to give users single sign-on capability across applications and Web servers from different vendors, he says.

New uses?

These standards point to new, and maybe unexpected, applications for digital signatures, which are far different from applying for a mortgage online. Among the areas where digital signatures are taking off first, says Kobielus, are secure person-to-person messaging, secure application-to-application middleware for Web services and digital rights management. In "digital rights management," sellers of content such as music use the non-repudiation capabilities of digital signatures to prove the customer got the song or the albums they ordered and then bill them for the music.

Which -- if any -- of these will be the "killer app" for digital signatures? It depends on your technology environment and your business needs. That's why Schacter recommends deploying digital signatures only "where they will give you tactical business advantage today," choosing your vendors carefully to ensure they'll survive any shakeouts as the industry matures, and making sure any tools you deploy will support PKI when and if you need it.

In other words, look carefully before signing on the (digital) dotted line.

About the author
Robert L. Scheier is a freelance writer and editorial consultant in Boylston, Mass. He can be reached at rscheier@charter.net