Electronic and Digital Signatures Richard Warner

Post on 23-Dec-2015



What Is An Electronic Signature?

An “electronic signature” consists of some string of symbols or characters manifested by electronic means, executed by a party with an intent to authenticate a writing. Examples: the sender’s name typed at the end of an e-mail message, a digital image of a handwritten signature attached to an electronic document, a PIN number, and so on.

The expression ‘digital signature’ is usually used to refer to a special kind of electronic signature.

The Need to Sign Electronically

There are good reasons to have electronic documents signed in a way that allows them to serve the purposes of written documents.

Cost: it is a lot cheaper to use electronic documents. Checking example: It costs about $1.10 to process a paper check. It costs about $.10 to process an electronic transfer. There are billions to be saved.

The Need for Legal Clarification

There is legal uncertainty about the status of electronic signatures.

Illinois, for example, has 3000 statutory sections requiring a signed writing. Does an electronic record with an electronic signature satisfy these requirements?

What Is A Digital Signature?

A digital signature is an electronic signature that uses a special kind of encryption program. Here is a sample program.

The message: “The British are coming!”
The encryption instructions: replace every letter with the letter that follows it in the alphabet.
This yields: “Uif Csjujti bsf dpnjoh!”

Asymmetric Encryption

Digital signatures use a special kind of encryption called asymmetric encryption (or public key encryption).

A “key” is just a sequence of numbers. You add it to the message you want to encrypt; you then apply the encryption program to the message plus the key.

Example

Message + Key = Encrypted result (by application of the encryption program)
Same message + Different key = Different encrypted result

Private and Public Keys

Asymmetric encryption uses two keys. The sender uses one to encrypt; the recipient uses one to decrypt.

The keys are referred to as the private and public keys.
The private key is private in the sense that the key owner makes sure the public does not have access to it.
The public key is public in the sense that the owner makes it freely available to the public.

An example is helpful.

How Does A Digital Signature Work?

Suppose Alice wants to digitally sign an e-mail.

She runs a “hash function” on the message. This turns the message into a sequence of letters and numbers, called the message digest. Each message is associated with a unique message digest.

Asymmetric encryption is slow. It is not ideal for encrypting a whole message. So what you encrypt is the much shorter message digest. The point is not secrecy, but signature.

Signing the Message

Alice runs the encryption program on the combination of the private key and the message digest.

She attaches the result to the e-mail, and sends it to Bob. She may also attach the public key.

This is the signature. To see why it works like a signature, consider what Bob does.

Bob’s Response

Bob runs the encryption program on the combination of the public key and the message digest.

Doing so can only decrypt something encrypted with the private key, so, if decryption is successful, the recipient knows the message came from Alice—or, more exactly, someone in possession of Alice’s private key. We are assuming that Bob knows that the public key is Alice’s.

This is the sense in which the message is signed. Like a handwritten signature, the digital signature indicates the message is from the “undersigned.”

More Than A Signature

Bob then runs the hash function on the message itself. If the result matches the unencrypted message digest, Bob knows that the message was not altered in transmission.

This is better than a signature, which does not do anything to indicate that the message was not altered in transmission.
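
The sign-and-verify exchange between Alice and Bob described above, as an added example that is not part of the original slides. It assumes unpadded textbook RSA over SHA-256 with toy keys built from known Mersenne primes (chosen so the run is reproducible, not safe for real use); the function names and the second signer "Mallory" are illustrative.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Toy RSA key generation from two given primes (assumption: the
    caller supplies primes; special-form primes are NOT safe in practice)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent (Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)

def digest(message: bytes) -> int:
    """The message digest: the short value that actually gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Alice: apply the private key to the message digest."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Bob: recover the digest with the public key, hash the message he
    actually received, and compare the two values."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest(message)

# Constructed toy keys. Real systems use random primes and a padding
# scheme such as RSA-PSS instead of raw modular exponentiation.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)

def demo():
    msg = b"The British are coming!"
    sig = sign(msg, ALICE_PRIV)
    return {
        # Unaltered message, Alice's key: digests match.
        "genuine": verify(msg, sig, ALICE_PUB),
        # Message changed in transit: recomputed digest no longer matches.
        "altered": verify(b"The British are leaving!", sig, ALICE_PUB),
        # Signed with a different private key: Alice's public key rejects it.
        "wrong_signer": verify(msg, sign(msg, MALLORY_PRIV), ALICE_PUB),
    }

if __name__ == "__main__":
    print(demo())
```

The check only ties the message to whoever holds the private key matching the public key Bob used; it says nothing about whether that public key really belongs to Alice.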

Public Keys and Identity

We assumed that Bob knows that the public key he uses is Alice’s. How does he know this?

A certification authority verifies that the public key is Alice’s.

Alice has previously registered with the certification authority, at which time she provided proof of her identity.

Cost of Certification Authorities

Certification authorities add cost and complexity.

When are the cost and complexity justified? When the benefits exceed the costs. When is that?

Role of Handwritten Signatures

Why do we use handwritten signatures? To avoid fraud; to show that the signer at least saw the document; to secure a signature with recognized legal consequences.

Written documents ensure integrity (note: not a function of the signature).

Digital signatures make sense where they are needed: to avoid fraud; to ensure legal validity; to ensure message integrity.

Fraud

Where is there sufficient likelihood of fraud? Typically not in an established relationship or in the consumer use of the credit card system in online contracting.

Digital signatures have not proven popular in consumer online contracting.

You do see a significant use of digital signatures in large-value financial transactions and in electronic payment systems. But there they are used to establish identity, not to contract.

Digital Signature Risks

Inadequate revocation lists: In theory, CAs keep lists of revoked certificates; in practice they do not. In addition, technology is inadequate to allow real-time access to these lists.

Adequately protected private keys: Private keys are often stored on hard drives.

Statutory Treatment

There are three types of statute.

First: Any electronic symbol will do. Rhode Island: “‘Electronic signature’ means an electronic identifier, created by a computer, and intended by the party using it to have the same force and effect as the use of a manual signature.”

Similar approaches in: Colorado, Florida, Illinois, Indiana, Mississippi, New Hampshire, North Carolina, Texas, Virginia.

Statutory Treatment

Second: the California model of five requirements. A signature must be:
(1) unique to the person using it;
(2) capable of verification;
(3) under the sole control of the person using it;
(4) linked to the data in such a way that changes in the data invalidate the signature;
(5) in conformity with any other regulations adopted by the Secretary of State.

Statutory Treatment

Third: The Utah model. This approach refers explicitly to asymmetric encryption, sets up rules for certification authorities, and assigns risk in a variety of eventualities.

The E-Sign Statute

The Federal E-Sign statute governs some aspects of electronic signatures.

An “electronic sound, symbol, or process attached to or logically associated with a contract or other record, and executed or adopted by a person with the intent to sign the record.” 15 USC Section 7006(5)

Illinois Commerce Security Act

15 USC section 7002(a)(2)(A)(ii) preempts state laws that are not technology neutral.

Illinois’s Act favors public key encryption in sections 175/15 – 101 and 105 and is thus preempted.

Preexisting state legislation is clearly preempted under 15 USC 7002(a)(2)(B).

What Illinois May Still Do

It may still require public key encryption for state procurement, 15 USC 7002(b).

It may impose stricter state filing requirements than the Federal requirement; this may include requiring public key encryption, 15 USC 7004(a).

Effect of E-Sign

The effect may be a slower, more decentralized development of electronic signature infrastructure and business practices.

No Federal mandate for a particular technology, preemption of state mandates.

Business considerations may of course lead to a rapid development of a particular technology, but it looks like the opposite is happening.