On Sunday, October 1, 2000, the Electronic Signatures in Global and National Commerce Act (ESIGN) S. 761 Act officially went into effect, stating that electronic signatures, which encompass digital signatures, retinal scans (think Mission: Impossible) and digitized signatures are as valid and legal as handwritten ones. The enaction of this legislation forever changed the way business is done for individuals, businesses of any size, organizations and government agencies. Internet users are now able to sit at a computer and sign a lease, a loan, a contract, a purchase order or any other document that requires a legal signature.
The market for secure online transactions is growing rapidly, buoyed by thriving e-commerce and a push for paperless systems. However, legally binding methods acceptable across multiple platforms have been difficult to delineate and secure due to a wide variety of e-signature solutions now flooding the market. Still, a recent survey by eMarketer reported that 58 percent of those conducting online business fear cyber fraud and issues of privacy and confidentiality.
A digital signature allows customers to electronically send and receive information that is uniquely signed by the sender. This information is not physically signed with ink, but electronically marked in a way that ensures the message came from you and only you, has not been altered by anyone else and can be read and verified by all recipients.
Executives at Telenisus, a managed service provider specializing in Internet infrastructure services for businesses, recently released recommendations for those interested in using digital signatures. Weston Nicolls, manager of professional services group, assumes national responsibility for developing encryption/PKI (Public Key Infrastructure) practices and e-commerce architecture consulting services for Telenisus. Ron Hale, vice president of professional services for Telenisus, has more than 15 years of experience in Internet security and privacy. The following are their recommendations.
- Companies interested in digital signing need to understand the business risk associated with deployment of Public Key Systems and take the necessary security precautions to protect these systems.
- Digital signatures need to be supported by a policy and practices statement that describes the degree of trust that can be associated with a signature.
- Users of digital signatures need to understand the significance of signing and the need to protect their signing key.
- Remember that when you invest in digital signature technology, you are investing in an infrastructure that can solve many information protection problems. Leverage the investment to gain the greatest business advantage.
Facts About Digital Signatures
- Digital signatures are extra data appended to a message that identify and authenticate the sender and message data using public-key cryptography.
- To verify, the verifier must have access to the signers digital certificate and a means to check if the digital certificate has been revoked.
- The Certification Authority that issued the digital certificate provides assurance that the private key corresponds to the signers private key.
- Using the public key and the hash result, the verification software checks (1) whether the digital signature was created using the corresponding private key and (2) whether the newly computed hash result matches the original transformed into the digital signature during the signing process.
What does all of that mean?
- Cryptography: The practice of using mathematics to render information unreadable by unauthorized users.
- Public Key Cryptography: Using a public key and a private key, each persons public key is published while the private key is kept secret. Messages are transformed or signed using the intended recipients public key and can only be decrypted using his private key.
- Public key cryptography employs an algorithm using two different but mathematically related keys; one for creating a digital signature or transforming data into a seemingly unintelligible form, and another key for verifying a digital signature or returning the message to its original form. (ABA digital signature guidelines)