message is the same as when signed;
• Non-Repudiation: Creating a digital signature requires the signer to use the
signer's private key. This act can alert the signer to the fact that they are
consummating a transaction with legal consequences;
• Integrity: The processes of creating and verifying a digital signature provide a high
level of assurance that the digital signature is genuinely the signer's. Compared
to paper methods, such as checking signature cards, methods that are tedious and
labor-intensive, digital signatures yield a high degree of assurance without adding
greatly to the resources required for processing.


Copyright © 2005, Idea Group Inc. Copying or distributing in print or electronic forms without written
permission of Idea Group Inc. is prohibited.
Electronic Signature 123


Current Legislation and E-Signature Infrastructure
It is difficult to compare national approaches to electronic authentication legislation
because so few countries have conceived of the purpose of such legislation in quite the
same way. Some countries focused only on the technical standards for the operation of
one technology - Public Key Infrastructure. Others have spanned the entire range of
issues associated with the legal effect of electronic signatures, the legal framework for
the operation of a Public Key Infrastructure, and the establishment of a regulatory
apparatus to oversee Certification Authorities. In practice, there are several legislative
models, each of which confronts the tension between Technological
Neutrality and Legal Specificity. Any legislative approach to electronic authentication
must accommodate the inherent tension between the goal of technological neutrality and
the goal of prescribing specific legal consequences for the use of electronic authentication
systems. To the extent that legislation seeks to enable the use of diverse electronic
authentication techniques, including some that are not yet even conceived, it becomes
progressively more difficult to accord specific and meaningful legal consequences to
their use. The reason for this inverse relationship is fairly straightforward: legislators'
confidence in the security and reliability of known electronic authentication mechanisms
allows them to grant greater legal benefits and presumptions to the use of those
techniques. They may be less willing to grant the same level of legal benefits to as yet
unknown techniques or to technologies that bear no imprimatur beyond recognition and
acceptance in the marketplace. This conundrum is the inevitable consequence of
legislating against a backdrop of rapid technological change.
Prior legislative initiatives began to emerge worldwide, and the use of asymmetric
cryptography as a means of creating digital signatures was widely perceived as the
nearly-universal foundation for all electronic authentication. One of the most complicated
issues surrounding the creation of a Public Key Infrastructure is the extent to which
the law should define or limit the liabilities of the three main parties to a secure electronic
transaction, that is, the person who digitally signs a message, the person who receives
the message and who may rely on its validity, and the Certification Authority that
vouches for the identity or some other attribute of the sender. In a purely open networked
transaction - that is, one in which the parties have not previously defined their respective
rights and duties by contract - there are several major faults of liability. Most importantly,
the Certification Authority may be liable to the recipient of the message for any
inaccuracies or misrepresentations contained in the certificate, or for the failure of the
Certification Authority to revoke an invalid certificate.
More recently, however, there has been growing recognition that other means of
electronic authentication, including biometrics and dynamic signature analysis, will take
on equal or greater importance in the years ahead. In fact, some of these techniques - and
particularly those that are based on biometric features - may prove to be more reliable and
less susceptible to compromise than digital signatures based on Public Key Infrastructure.




124 Ruzic


Thus, no single technology will prevail as the sole means of electronic authentication.
Different technologies will likely be used in different settings and for different purposes.
This diversity of authentication techniques, while generally promoting the expansion of
electronic business, nonetheless poses a significant challenge for legislators, because
not all technologies necessarily require the same legal infrastructure or may be accorded
the same presumption of security and integrity. It is obvious that the widespread use of
Public Key Infrastructure-based digital signatures requires a legally established trust
infrastructure that defines the rights and obligations of the parties to an authenticated
transaction, including the potential liability of Certification Authorities to third parties.
Other technologies, such as voice authentication, may not require the same type of
legally-defined trust infrastructure, although it is very hard to predict how any of these
technologies will be used in widespread commercial practice and what their specific legal
requirements will be.
For those legislators and policymakers who believe that the continued expansion of
electronic business requires a known and reliable authentication mechanism with
established legal consequences, the preference is usually to enact legislation that
specifically addresses the use of digital signatures, and to save the issues raised by other
authentication techniques for another day. At the same time, legislators and policymakers
naturally fear that any attempt to codify a known authentication mechanism runs the risk
of stunting the development of other authentication mechanisms, or at least of giving
undue benefits to a technology that is itself only in the earliest stages of commercial use.
Apart from these concerns and the general desire to avoid the rapid obsolescence of new
legislation, there is also a concern among national legislators and policymakers that
premature endorsement of a particular technology will set the country outside of the
mainstream of technological and legislative developments internationally. For these
reasons, technological neutrality in electronic authentication legislation has become an
increasingly prevalent objective.
The manner in which legislators and policymakers have sought to accommodate the
conflicting concerns largely defines the typology of existing and proposed electronic
authentication legislation. Until the beginning of the first decade of the 21st century, the most
common approach was to ignore authentication mechanisms other than those based
on digital signatures. These legislative initiatives come from the countries whose
electronic signature legislation activities started before 2000. More recent initiatives,
whether in the form of proposed legislation or reports by national expert groups, have
increasingly focused on the need to accommodate emerging and even unforeseen
technologies.
The second approach to electronic authentication legislation accepts all or most
electronic authentication mechanisms on a technologically-neutral basis, and grants
these mechanisms a basic set of legal benefits. For example, technologies that are
accepted at the first level might satisfy writing and form requirements, but would not be
entitled to any presumptions concerning the signer's identity or intent. At the second
level, the legislation creates a class of approved technologies whose use is invested with
a broader array of legal benefits and obligations. The legislation may define these
technologies - sometimes referred to as secure or qualified technologies - by reference
to general criteria, by reference to the specific techniques of asymmetric cryptography,
or by reference to a schedule of technologies approved by statute or regulation.
Documents that are authenticated by one of these methods are typically entitled to a more
robust set of legal entitlements, for example, a presumption concerning the identity of
the signer and the integrity of the document's contents. At this second level, the
legislation also states requirements to address issues that are specifically associated
with the operation of a Public Key Infrastructure, such as the operational requirements
and liabilities of Certification Authorities.
This approach achieves the goal of technological neutrality by granting a minimum level
of legal recognition to all or most authentication techniques, mostly with regard to
satisfying form and writing requirements. At the same time, it affords greater legal
certainty and benefits to those authentication mechanisms whose security and reliability
permit greater confidence in their use. This approach also recognizes that some authentication
mechanisms, and particularly those that are used in open systems, require a
better-defined legal environment, while not depriving legal recognition to those authentication
mechanisms that do not require a significant external legal framework. The most
elemental objective of any electronic authentication legislation is to ensure that electronic
signatures are accorded appropriate legal recognition. Virtually every jurisdiction
has laws that require that certain types of documents be signed, or “in writing” or any
one of countless other formulations that could be construed to require a physical
document or hand-written signature.
The recent trend in legislation considering electronic signature utilization is for broad
enabling legislation. When dealing with a technology that is new, it seems premature to
draw up specific technology-related legislation. This could hamper innovation. Most
countries define both electronic and digital signatures, as follows:
• Electronic signature: Any letters, characters, or symbols manifested by electronic
or similar means, executed or adopted by a party with the intent to authenticate a
writing. A writing is electronically signed if an electronic signature is logically
associated with such writing;
• Digital signature: A type of electronic signature that transforms a message using
an asymmetric cryptosystem (public and private key capability) such that a person
having the initial message and the signer's public key can accurately determine
whether the transformation was created using the private key that corresponds to
the signer's public key, and whether the initial message has been altered since the
transformation was made.


A digital signature, which corresponds to the advanced electronic signature in the European
Union, is intended by the party using it to have the same force and effect as the use of
a manual signature, and it is unique to the party using it, with capability of verification
under the sole control of the party using it. It is also linked to data in such a manner that
it is invalidated if the data is changed, and it is in conformity with rules that state a
Certification Authority's obligations and functionality.
This notion provides that unless otherwise provided by law, an electronic signature may
be used to sign a writing and shall have the same force and effect as a written signature.
It also provides that electronic signatures will be given the same force and effect as
manual signatures, but also recognizes digital signatures. The validity of electronic
signatures is not dependent on a licensed Certification Authority or other regulator;
however, provision is made for licensure and regulation of certification authorities.
Most countries within the G4 (USA, Canada, Japan, and EU) have enacted legislation that
would legalize digital technology for both the private and public sector. Some of them
have restricted the technology to just state government business applications. One of
the primary goals of most states is to promote electronic business, electronic commerce
and online government and to ensure the security and reliability of electronic communications
and records. At the same time, many countries adopted Public Key Infrastructure
modeling schema and enacted legislation needed for the process of licensing
Certification Authorities that would be issuing qualified certificates for electronic signatures.
The formal requirements for legal transactions, including the need for signatures, vary
in different legal systems, and also vary with the passage of time. There is also variance
in the legal consequences of failure to cast the transaction in a required form. The statute
of frauds of the common law tradition, for example, does not render a transaction invalid
for lack of a writing signed by the party to be charged, but rather makes it unenforceable
in court. During the last decade, most legal systems have reduced formal requirements,
or at least have minimized the consequences of failure to satisfy formal requirements.
Nevertheless, sound practice still calls for transactions to be formalized in a manner
which assures the parties of their validity and enforceability. In current practice,
formalization usually involves documenting the transaction on paper and signing or
authenticating the paper.
Legislation in many countries is slowly, but evidently progressively, adopting
the general rule of validity of an electronic signature, which is recognized as the essential,
core category of digital economy legislation. The general rule of validity is that a
signature, contract, or other record related to any transaction in or affecting interstate
or foreign electronic business may not be denied legal effect, validity, or enforceability
solely because it is in electronic form.
When we sign a document, we become accountable. Our signature indicates our
agreement, acceptance and authorization to act and move forward. Our business
processes rely on the signatures of customers, managers, suppliers and business
partners to keep work flowing. Patients sign consent forms, judges approve warrants,
mortgage lenders need a signature for a loan, engineers stamp drawings, insurance
providers cannot proceed without a signature on an application. These acts of signing
are critical to an organization's operation and success.
E-Business needs uniformity of e-signature in electronic transactions. Despite E-Business
efforts to implement lawful e-signatures in electronic transactions, the worldwide
digital economy still suffers from a substantial lack of uniformity. This lack creates
substantial doubt in the minds of those wanting to sell goods and services over the
Internet and definitely impedes e-commerce. Non-uniformity also makes parties more
likely to specifically designate the law governing a transaction consummated electronically.
At the same time, the Internet allows remote parties to enter into and perform
contracts through systems that span multiple jurisdictions and may not depend on the
physical location of either party. Conflict-of-law principles that apply when the parties
fail to designate the governing law are complicated, archaic, and were certainly never
written with electronic transactions in mind. In light of such uncertainty, many online
brokerage firms and financial institutions are reluctant to open brokerage and bank
agreements with electronic signatures via the Internet.




Remarks for E-Business
Any testimonial law provides that a signature, contract, or other record relating to such
transaction may not be denied legal effect, validity, or enforceability solely because it
is in electronic form. Moreover, a contract may not be denied legal effect, validity or
enforceability solely because an electronic signature or electronic record was used in its
formation. These straightforward provisions outlaw discrimination against electronic
formats and provide the foundation for E-Business activities. To the extent that contracting
parties do not understand proposed electronic formats, they can just say “no” to
electronic agreements and signatures, but saying “no” to electronic
transactions can result in efficiency losses and missed opportunities to participate in
global electronic business.
With low-value items, merchants may be willing to ship goods with just credit card
information and without a legally binding contract. More sophisticated transactions,
however, require a contract to create an enforceable agreement, and the entire process
can take one to several days. By contrast, the acceptance of electronic signatures streamlines
the whole process. An E-Business firm can expedite and simplify the entire
process by having the consumer sign and return the contract electronically. Electronic
signatures greatly reduce the time to process the transaction, the consumer receives his
goods faster, and the E-Business firm is legally entitled to receive payment prior to the
shipment of goods.
Today, many organizations are interested in replacing paper-based systems with automated
electronic systems. One of the inhibitors to the increasing use of electronic
commercial transactions has been the concern for the risks of forgery over unsecured
networks. This focus has brought about the need for a reliable, cost-effective way to
replace a handwritten signature with an electronic signature. Like a handwritten signature,
an electronic signature can be used to identify and authenticate the originator of
the information. It can also be used to verify that information has not been altered after
it is signed. Electronic signatures play a key role in enabling electronic business by
helping to ensure that electronic documents are unaltered and have not been forged.
Companies considering the use of electronic signatures should evaluate their paper-based
processes to determine where the risks are acceptable. The assessment requires
a partnership between the Information Communications Technology people, the business
people and the company's attorneys to establish what's possible and what makes
sense according to the risk and capital investment propositions. In deciding which
documents and processes require which types of electronic signatures, companies have
to weigh the value of the underlying transaction and the confidentiality of the information.
Does anybody have a motive to change the document after it's been signed? It may
turn out that vacation requests that have always required a handwritten signature could
be handled without any type of signature, but a million-dollar purchase order would
clearly require strong authentication and signal of intent.
For any E-Business firm, there is a need to determine its overall business needs and timeframes.
It should establish focus groups to identify business processes that would be
enhanced or require the use of any electronic signature technology. The requirements
from these business processes should be determined. A working group should be
established to accomplish these goals. Both program staff and agency legal staff should
be included.
At the same time, there are numerous applications that the entire government and public
administration bodies (agencies) could use electronic signatures for, ranging from
driver's license applications, vendor contracts, bids, purchase orders, employee applications,
and voter registration to state employee time sheets. Again, when considering
business requirements, consider any document requiring a signature that could be
transmitted or filed electronically to be a candidate for the technology.
In the paper world, paper is the lowest common denominator, but in the digital world, there
is no one common file format. To make e-signatures useful to the overall business
community, the E-Business company shouldn't have to convert one format to a certain
representation just for the sake of signing.
Transacting business remotely means making sure the receiving party can interpret the
entire e-signature and trust the digital certificate behind it (Skrbek, 2003). Vendor
interoperability is a problem, although not necessarily a technological one since almost
all PKI certificates are based on the universal X.509 standard, so interoperability is more
a matter of business trust than of technology.
In the scope of e-signature standardization development, there is an open platform that
could solve most of the interoperability problems. This platform is known as the XML-Signature
Syntax and Processing standard (XML Signature), which is being incorporated
into new products and services dealing with e-signature utilization. XML Signature is
designed to work with existing XML (Extensible Markup Language) software, making it
easier for modern software developers to incorporate the signature verification technology
into new programs they develop. XML is the generation of Web-based software
designed to make publishing data on the Web more flexible and adaptable than the fixed
coding used in HTML, the programming language on which most Web sites are still
based. By virtue of using the structured data formatting of XML software, users can
apply their digital signature to distinct parts of an XML document. Most existing
electronic signatures treat documents as single indivisible documents.
This is important for electronic documents that pass through multiple intermediaries,
allowing the information to be open, read and then retransmitted while preserving the
validity of the electronic signature embedded in the information (Onieva, Zhou, Carbonell
& Lopez, 2003). Thus users may choose to sign portions of an electronic document but
leave other parts unauthorized. Commercial applications can be sent through a series of
intermediaries, with each party validating those portions of the document relevant to
them. A mortgage applicant could sign an electronic form and forward it to a broker who
would open it, process it, sign it and forward it on to a bank for final action. At the same
time, the standard can be used to verify the authenticity not simply of text, but also of
graphics and images stored in standard data compression formats such as “bitmaps” and
“jpegs” used to transmit data-intensive images and other digital media.
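The per-part signing described above can be sketched as follows. This is an added example, not code from the chapter or from the XML Signature standard: the sample document, section Ids and function names are constructed for illustration, Ed25519 is an assumed algorithm choice, and the digest is taken over raw inner XML rather than the canonicalized node that real XML Signature requires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed sample: one section per party plus an unsigned routing note.
const sampleDoc = `<LoanApplication>
  <Section Id="applicant"><Name>A. Example</Name><Amount>250000</Amount></Section>
  <Section Id="broker"><Fee>1200</Fee></Section>
  <Section Id="notes"><Text>routing: pending</Text></Section>
</LoanApplication>`

type section struct {
	ID    string `xml:"Id,attr"`
	Inner string `xml:",innerxml"` // raw XML inside the element
}
type document struct {
	Sections []section `xml:"Section"`
}

// PartSignature is a detached signature covering exactly one section.
type PartSignature struct {
	Ref    string            // Id of the signed section
	Signer ed25519.PublicKey // key the verifier already trusts for this party
	Sig    []byte
}

// partDigest hashes the section named by id (hypothetical helper). Real XML
// Signature canonicalizes the referenced node first; this hashes raw inner XML.
func partDigest(doc, id string) ([]byte, error) {
	var d document
	if err := xml.Unmarshal([]byte(doc), &d); err != nil {
		return nil, err
	}
	var matches []string
	for _, s := range d.Sections {
		if s.ID == id {
			matches = append(matches, s.Inner)
		}
	}
	if len(matches) != 1 { // missing or ambiguous reference: refuse, never guess
		return nil, fmt.Errorf("want exactly one section %q, found %d", id, len(matches))
	}
	// Bind the Id into the digest so a signature cannot be moved to another part.
	sum := sha256.Sum256([]byte(id + "\x00" + matches[0]))
	return sum[:], nil
}

// SignPart signs one section on behalf of the holder of priv.
func SignPart(doc, id string, priv ed25519.PrivateKey) (PartSignature, error) {
	dg, err := partDigest(doc, id)
	if err != nil {
		return PartSignature{}, err
	}
	return PartSignature{Ref: id, Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, dg)}, nil
}

// VerifyPart recomputes the digest of the referenced section and checks it.
func VerifyPart(doc string, ps PartSignature) bool {
	dg, err := partDigest(doc, ps.Ref)
	return err == nil && ed25519.Verify(ps.Signer, dg, ps.Sig)
}

// Demo signs two parts, then edits an unsigned part, a signed part, and a duplicated Id.
func Demo() (intact, notesEdited, amountEdited, dupID bool) {
	_, applicantKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, brokerKey, _ := ed25519.GenerateKey(nil)
	a, _ := SignPart(sampleDoc, "applicant", applicantKey)
	b, _ := SignPart(sampleDoc, "broker", brokerKey)
	intact = VerifyPart(sampleDoc, a) && VerifyPart(sampleDoc, b)
	notes := strings.Replace(sampleDoc, "pending", "sent to bank", 1)
	notesEdited = VerifyPart(notes, a) && VerifyPart(notes, b)
	amount := strings.Replace(sampleDoc, "250000", "950000", 1)
	amountEdited = VerifyPart(amount, a)
	dup := strings.Replace(sampleDoc, `Id="notes"`, `Id="applicant"`, 1)
	dupID = VerifyPart(dup, a)
	return
}

func main() { fmt.Println(Demo()) }
```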
For e-commerce to grow, businesses must implement the use of electronic signatures
correctly and legally. Electronic commerce has changed the way we buy books, sell, and
pay bills. Now, with the advent of electronic signatures, e-commerce is changing the way
we sign and store documents. Eventually, any business that wants to succeed in e-commerce
must deal with electronic signatures. Thus, any E-Business manager needs to
understand:
• what a signature is legally, and when it is needed,
• the various electronic-signature standards,
• current electronic-signature legislation, and
• some basics about electronic-signature technology.


Although the commercial world bases its need for “signed” documents on pre-Internet
legal principles, this need is even more important today with remote buyers and sellers
agreeing to exchange consideration for goods or services. Web sites that embrace
electronic signatures and incorporate new document preparation and signature technologies
will decrease transaction processing time and transaction non-fulfillment. More
importantly, buyers and sellers using those Web sites will have more certainty of
transaction fulfillment, creating participant loyalty to those Web sites, which in turn will
create more usage and a more defensible market-share position.
According to the most commonly found statement, the electronic purchase of goods of
greater value cannot be enforced in the absence of a signed contract. In contrast, with
low-value items merchants are willing to ship goods with just credit card information and
without a legally binding contract. More sophisticated transactions, however, require a
contract to create an enforceable agreement. For example, Dell Financial Services requires
a user to print an agreement, physically sign it, and return it by fax to Dell Financial
Services when a consumer finances the purchase of a Dell computer or leases a Dell
computer. This entire process can take two or three days. The acceptance of electronic
signatures streamlines the whole process. A Web site operator can expedite and simplify
the entire process by having the consumer sign and return the contract electronically.
Electronic signatures greatly reduce the time to process the transaction, the consumer
receives his goods faster, and the Web site operator is legally entitled to receive payment
prior to the shipment of goods.
First-generation e-signature solutions are focused on platform- and application-specific
solutions. Since then, many second-generation e-signature solutions are being implemented
using open standards. These second-generation products and services will
better integrate with corporate databases and security mechanisms, including biometrics.
This is a perfect time to assess current business processes that require signatures.
No industry is immune from the e-signature challenge. There are some big paybacks for
implementing e-signature technology - especially for big-ticket transactions in the
consumer market place and in business-to-business processes. In particular, there is the
idea of using an e-signature to simplify auto and home loan processes and to speed up
supply-chain operations.
Yet, you will now have to determine what changes you'll need to make to support e-signatures.
More important, carefully examine available e-signature solutions and watch
where they are going. Choose solutions and services that are platform and application
agnostic. And look for those that will best integrate with the rest of your data and your
security strategy.
E-signatures require businesses to obtain consent before sending information electronically,
and to confirm that consumers can access the electronic form to be used. (For
example, if a document were sent as a PDF, an end-user would need software with which
to open it, such as Adobe Acrobat.) Anecdotal evidence suggests this provision can be
a deterrent to e-commerce. Even if someone opens a trading account with an online broker
at a storefront office, and asks for electronic account statements, that individual would
also need to confirm the request electronically. The consumer consent provision can
create headaches for companies if they change their electronic formats for users. A
company using PDFs may decide to switch to a different format in a couple years, but
when that happens they must receive new confirmations from all consumers to ensure
they have access. Otherwise, the company can no longer send the information electronically.
As advice to E-Business, it is practical to start by applying electronic signatures to low-value
transactions, and gradually work your way up to higher security. As businesses
work up to more important and secure processes and documents, it is preferable to make
sure you have the flexibility to migrate to a more secure solution such as Public Key
Infrastructure combined with smart cards. It is slowly but surely becoming possible to
conduct secure, legally binding transactions online. Forward-thinking companies are
finding ways to make electronic signatures easy for customers to use and simple for the
company to manage. Each business process has its own unique challenges, so there are
