Electronic signature
From Free net encyclopedia
In recent years, the terms electronic signature and digital signature have come into widespread, and somewhat confused, use. Electronic signature is often used to mean either a signature imputed to a text via one or more of several electronic means, or cryptographic means to add non-repudiation and message integrity features to a document. Digital signature usually refers specifically to a cryptographic signature, either on a document, or on a lower-level data structure. The confusion in terminology is unsatisfactory in many respects, and will remain so until usage, especially in statutes and regulations, becomes more standardized.
Contents |
Legal use of electronic signatures
Various laws have been passed internationally to facilitate the use of electronic records and signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts entered into electronically.
- U.S. - Electronic Signatures in Global and National Commerce Act
- UK - s.7 Electronic Communications Act 2000
In law, if a signature on a contract or other document is contested, the signature must meet certain tests to be upheld by a court. These requirements vary by jurisdiction, but various sorts of signatures, some entirely electronical Telex addresses (for example, ABC Company sends a Telex to XYZ Company making an offer at a particular price. The offer was held to be binding when the 'signature' was challenged.), telegrams (for example, "I ACCEPT, SMITH" even though Smith never actually touched the telegraph key), and faxes of documents, even in some cases where the original was not signed by the sender.
Typical process steps required for an electronic signature in the United States include:
- Provide consumer disclosures regarding the legality of electronic signatures, hardware and software requirements, signing alternatives, and if any fees apply
- Authenticate the party to match business risk tolerance and needs
- Present the completed document for review (the user may also enter data on the form before reviewing)
- Have the party take willful action to indicate their desire to sign the document
- Ensure that the agreed upon document has not been changed once signed
- Provide all parties an independent, legal original for their own records
A central question in such cases is forgery and spoofing of assent, and in these decisions, courts have held that forgery and spoofing can be in practice ruled out. Nevertheless, it is easily possible, for many electronic methods of signature, or imputed signature, to forge or spoof assent. The rapidly rising problem of identity theft illustrates the ease of such forgeries.
Often, busineses rely on other means to ensure an electronic signature is valid, including talking with the person directly or over the phone before electronically signing, having an ongoing business relationship, and receiving payment or other indications of intent to do business that do not rely solely on a signed document. This is good business practice even in the paper world, as forgeries are also common in the paper world. Fraud is a common issue for both traditional signatures and electronic signatures, and neither type of signature provides better anti-fraud protections.
None of the electronic signatures in these examples are digital signatures in that there is no cryptographic assurance of the sender's identity and no integrity check on the text received, but all are electronic signatures, and all have been found legally binding in some circumstances.
Pseudo-legal use of imputed electronic signatures
Some web pages (notably pornographic ones) and software EULAs claim that various electronic actions are legally binding signatures, and so are an instance of electronic signature. For example, a web page might announce that, by accessing the site at all, you have agreed to a certain set of terms and conditions. A software product might assert, in its packaging or on an early installation screen, that by using it you have agreed to licensing terms. These may or may not have been discernable prior to sale, and may or may not be completely displayed even at installation. Such licenses often include such restrictions as a prohibition of reviewing the product for publication (electronic or otherwise) without prior permission of the publisher/distributor, or prohibition on studying the product (ie, reverse engineering) for an otherwise lawful purpose such as producing data files in a compatible format. Some such claims would appear to be contrary to patent law (which requires public disclosure as a condition of granting a patent) or of copyright law which does the same for works available to the public. Only if all such covered matters are trade secrets would such clauses appear sustainable, but even so a condition of trade secrecy is maintenance of the secret by the holder. This would not appear to be have been met in the case of a widely distributed product offered for sale to anyone.
The legal status of such claims is uncertain. In the US, only two states have adopted a new revision of the Uniform Commercial Code which authorize such licensing restrictions and disclosure after purchase. The validity of such terms remains uncertain, despite the views of many EULA authors. Analogies to the physical world in which contracts and signatures are written, signed, and stored in tangible form suggest that analogous terms would not be acceptable. In the UK, Regulation 9 of the Electronic-Commerce (EC Directive) Regulations 2002 (SI 2002/2013) requires that a purchaser is able to determine in advance “the different technical steps to follow to conclude the contract.”
Cryptographic signatures
An electronic signature may incorporate a digital signature if it uses cryptographic methods to assure both message integrity and authenticity. For example, a proposed contract accepted by a vendor and returned via email to the purchaser after being digitally signed. In fact, in modern practice, a digital signature of some text is always electronically processed in some sense for the cryptographic mechanisms are impracticable without computers. In theory however, this is not required. Because of the use of message integrity mechanisms, any changes to a digitally signed document will be readily detectable if tested for, and the attached signature cannot be taken as valid.
It is important to understand the cryptographic signatures are much more than an error checking technique akin to checksum algorithms, or even high reliability error detection and correction algorithms such as Reed-Solomon. These can offer no assurance that the text has not been tampered with, as all can be regenerated as needed by a tamperer. In addition, no message integrity protocols include error correction, for to do so would destroy the tampering detection feature.
Popular electronic signature standards include the OpenPGP standard supported by PGP and GnuPG, and some of the S/MIME standards (available in Microsoft Outlook). All current cryptographic digital signature schemes require that the recipient have a way to obtain the sender's public key with assurances of some kind that the public key and sender identity belong together, and message integrity measures (also digital signatures) which assure that neither the attestation nor the value of the public key can be surreptitously changed. A secure channel is not required.
A digitally signed text may also be encrypted for protection during transmission, but this is not required when the digital signature has been properly carried out. Confidentiality requirements will be the guiding consideration.
External links
- Introduction to cryptography from the PGP international website
- OpenOffice Electronic Signatures and Security specification (OpenOffice format), also in pdf format. Incorporates standards for document format and XML Digital Signatures. Includes a comparison of document signature software and features from Adobe (Acrobat), Microsoft (Word) and Mozilla.ja:電子署名