Home  >  Publications  >  Title News Archive

The Skinny on Digital Signatures

July/August - Volume 81, Number 4

by Todd Hougaard

Many people think that electronic signatures are still a thing of the future, out there with flying cars and human cloning. But most of us have already become used to performing electronic acts that serve as signatures. For example, when we withdraw money from an automatic teller machine or when we use a pay-at-the-pump gas station, we are electronically signing these transactions by punching pass codes or swiping cards. We can also sign digital transactions from our personal computers, using a variety of methods to make our mark on a transaction. Electronic signatures allow us to bypass traditional pen and ink authorization, greatly increasing the speed at which we do business. The primary purpose of a signature is nonrepudiation: linking a specific person's actions and identity in such a way that the person can't easily deny performing the action. If a person claims that he or she didn't approve an electronic transaction, the method used for signing should provide a way to prove otherwise. There are several types of electronic signatures, ranging from a simple mouse click to encryption-based digital signatures. While each type has appropriate uses, important digital transactions require a level of protection that goes beyond a mouse click or typed name. The technology behind a digital signature is foreign to most people, and the fact that it doesn't involve penmanship might cause some discomfort. A close examination of the different kinds of electronic signatures, and the purpose of signatures in general, shows that digital signatures are a safe, effective tool for ensuring nonrepudiation and preventing fraud in digital documents.

Multipurpose Signatures
We take signatures for granted, often signing without really thinking about it. Most of our important documents require a signature to be valid. We also use signatures for seemingly insignificant transactions, like the check for the gas bill, a credit card charge at a restaurant, or renting a pair of bowling shoes. We sign our names to both business and personal correspondence and type our names at the bottom of e-mail messages. All these signatures allow us to make our mark on the world. Signatures serve four main functions:

• Approval: With few exceptions, we only sign things that meet our approval. By signing a document, we are saying that we approve of the terms of the words on the page.
• Ceremony: The simple act of signing a document serves as a ceremony that closes the deal. A person's heart beats much more quickly when signing closing papers on a 30-year home mortgage than when signing a 6-month apartment lease. The more important the transaction, the more ceremony it entails.
• Logistics: Signatures get things done. A contract represents a possibility that can only become reality when a signature is on the paper.
• Evidence: The whole point of signatures is that they are difficult to forge. With handwritten signatures a seemingly straightforward scribble is the combination of a signer's personality, education, and fine motor skills. These seemingly random qualities of a signature help protect a signer by reducing the possibility of fraud.

One way to help ensure a signature's legitimacy is to have the signature notarized. Notaries safeguard the parties involved in a written agreement by verifying a person's identity and then witnessing the act of signing. By signing in front of a notary, the signer acknowledges that he or she is authorized to sign the document and is signing voluntarily. After the signature is on the document, the notary puts their seal on the signature, reinforcing the document's validity.

Legislation and Electronic Signatures
Signatures have been in use for at least 4,000 years. But for most of that time, signatures were a convention rather than a legal requirement. From a historical perspective, the single most important legislation concerning signatures was the "Act for Prevention of Frauds and Perjuries," enacted in 1677 by the British parliament. This act stipulated that any contract for goods or services worth at least £500 must be executed as a "note or memorandum in writing" and that a contract must be "signed by the parties" to be valid. These basic principles have had a profound effect on the American legal system; echoes of the 1677 language can be found in the contract requirements of both U.S. federal and state legislation today. Slightly more recent signature law comes in the form of legal precedent established by the courts. After its invention in 1844, the telegraph became the first means of transmitting information using electricity. As the device became widely used, people began to telegraph entire contracts—complete with Morse-coded signatures—from one location to another. In 1869 a judge upheld a contract containing one of these electronically transmitted signatures by making the following statement: It makes no difference whether that operator writes the offer or the acceptance … with a steel pen an inch long attached to an ordinary penholder, or whether his pen be a copper wire a thousand miles long. …Nor does it make any difference that in one case common record ink is used, while in the other case a more subtle fluid, known as electricity, performs the same office. This decision comes more than 130 years before two modern laws regarding electronic signatures: the Uniform Electronic Transactions Act (UETA) and the Federal Electronic Signatures in Global and National Commerce Act (E-SIGN). Introduced in 1999 by the National Conference of Commissioners on Uniform State Laws, UETA provides states with ready-to-enact legislation to promote the use of electronic signatures in most business and government transactions. Some of UETA's more important provisions state:

• A record or signature may not be denied legal effect solely because it is in electronic form.
• With a few exceptions, any law that requires an agreement to be in writing will be satisfied by an electronic record.
• With a few exceptions, any law that requires a signature will be satisfied by an electronic signature.
• All involved parties must agree to using an electronic transaction; if even one party opts out, paper becomes the default.

As of May 2002, UETA had been adopted by 39 states, plus the District of Columbia. Seven additional states, plus the U.S. Virgin Islands, are in the process of adopting UETA legislation. In June 2000, President Bill Clinton signed the E-SIGN act—electronically. Using a digital key encoded on a "smart card," the President enacted legislation that enabled both businesses and government agencies to use electronic documents in lieu of paper. E-SIGN provides the following:

• Electronic signatures are valid for use in most interstate and international commerce.
• Allowable transactions and documents cannot be invalidated solely because they were accomplished using electronic means.
• Most laws that require written records and signatures are satisfied by electronic records and signatures.
• Multiple technologies and strategies for creating and signing electronic documents are accepted; no specific technology is endorsed or prohibited.

A Variety of Electronic Signatures
Neither E-SIGN nor UETA specifically endorses or prohibits a particular technology for use in creating or signing an electronic document. The language in E-SIGN says that a signature in an electronic agreement can be "an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record." An electronic signature doesn't necessarily have to involve the name (handwritten or otherwise) of the signer. Just as a stamp in sealing wax and an X on a line can function as a signature, an electronic signing action can take several different forms:

• Click signature: To buy something online, you fill in your personal information, enter a credit card number, and click a button to finalize the purchase. Clicking the button is equivalent to signing the register tape when you use a credit card at a brick- and-mortar store.
• Typed signature: Some online agreements are executed by having the signer type his or her name into a browser-based form. Alternatively, a typed name in a contract can function as a signature. Like a click signature, a typed signature relies on a simple overt act to indicate the signer's acceptance of the terms of an agreement.
• Digitized signature: This is what most people think of when they visualize an electronic signature—accepting a package by signing with a stylus on a digitizer strip. A similar process allows someone to sign on a computer screen using a light pen. Another type of digitized signature is created by signing on paper, then scanning the signature into an image file.
• Digital signature: The most technologically advanced type of electronic signature, digital signatures rely on encryption and other mathematical functions to allow a reviewer to verify a document's authenticity and a signer's identity. Once the digital signature is applied to a document, it renders the document virtually tamperproof.

The nature of most electronic signatures makes nonrepudiation difficult. Falsifying a clicked or typed signature is a simple matter, which is why these methods are only used for relatively low-impact transactions. Digitized signatures are also problematic. A signature created by a stylus or light pen lacks many of the fine details used by document examiners for authentication. In addition, the graphic nature of scanned signatures makes them perfectly suited for fraud, since a forger can easily copy a signature from one document and paste it into another. Digital-signature technology capitalizes on the fact that digital documents are (at their lowest level) just numbers, and mathematical operations can be performed on them. One such calculation is the hash function, which creates a numeric fingerprint of a document. Another important element is public-key encryption. This requires a signer to have two keys—one for signing, one for validation. A signer can be either a person or a computer, making this type of signature ideally suited for automated processes. Though digital signatures use encryption technology, they do not hide anything about a signed document. Instead, they provide a way to validate the identity of a person signing a document and the contents of the document itself.

Digitally Signing and Authenticating Documents
Creating a digital signature requires a digital certificate, which is issued by an agency called a certificate authority (CA). This method of signing also requires a pair of numeric keys. The first is the private key, which is known only to the signer and must be kept absolutely secret for the entire system to work. The second key, the public key, is freely available to anyone who wants it and is part of the public information in the signer's published digital certificate. Because of the mathematical nature of these two keys, only documents that are locked by one key can be unlocked by the other. The final requirement is a digital document, ready to be signed.
1.The document's numerical content is processed using a hash function. This creates a document fingerprint.
2. The signer's private key is used to encrypt the document fingerprint, resulting in a digital signature.
3. The digital signature is embedded within the original document, creating a digitally signed document.
Anyone who receives a digitally signed document will want to authenticate it before accepting it as real. Document validation ensures that a signature was created by the specified signer and that the document has not been tampered with in any way. The validation process goes as follows (see Diagram 2):
1. After separating the document and signature, the original document is processed using the hash function. This creates a second document fingerprint.
2. The signer's public key is obtained, either from the certificate authority's online certificate repository or from within the document itself.
3. The public key is used to decrypt the digital signature,releasing the first document fingerprint.
4. The two document fingerprints are electronically compared.
5. If the two fingerprints are not absolutely identical, the document is considered invalid. If they match, then the signature—and the document to which it is attached—is proved valid, and the signed document is accepted as legitimate.

The Future of Electronic Signatures
There has been a great deal of discussion in the mortgage industry regarding electronic signatures. Some believe that public-key digital signatures require too much of the consumer for them to catch on for everyday use. Others point out that digital signatures are the most effective tool available to "lock" signed documents and enable easy, automated detection of document fraud and tampering. The fact is, digital signatures are already being used extensively in court e-filings, in electronic commerce, and in the health care industry. The digital signature has been adopted by the Mortgage Banking Association of America as an approved method of protecting electronic mortgage transactions. Powerful encryption technology makes digital signatures the ideal option for nonrepudiation and automated authentication for digital documents in any market or industry. More than a century ago our legal system began coming to terms with the changes introduced by the advent of electronic information. The federal government and most states have approved the use of electronic signatures in many everyday transactions. Since the digital signature is the only type of electronic signature that can effectively protect both the signer and receiver of a document, it makes sense to use this safe, reliable technology as an integral part of mission-critical digital document systems.

Todd Hougaard is president of Ingeo, a leader in the electronic document industry. He can be reached at thougaard@ingeo.com or 435-755-9837. This article is an elaboration on his presentation at ALTA®'s 2002 Tech Forum.