The Esignature Post

Another area that is routinely conflated into the electronic signature/document processing stew is the topic of authentication. Authentication has many meanings, but in the context that it is usually used in the electronic document space it refers to “How do I know it is you signing this document?” This has obvious ramifications for non-repudiation.

Authentication then brings in the issue of trust. Do I trust your credentials/identification? Just as in real-world, potentially you could be an impersonator with a fake id. Peter Gutmann at the University of Auckland has an interesting (if slightly dated) discussion of issues around using electronic signatures, with a focus on signature laws and using PKI as an adequate proxy for trustworthy credentials. This presentation can be found here, Guttman on PKI and signatures. One area to note is the section on Trust beginning on page 23.

Mr. Gutmann discusses types of trust. His taxonomy includes (but is not limited to):

• Blind Trust, where we trust because we have to, or there are no significant repercussions for a breach of trust
• Swift Trust, which is hedged (limited liability) trust given to establish business relationships
• Knowledge Based Trust based on a history of interactions between the trusting parties
• Indirect Trust based on a trusted intermediary, such as a credit card

All of these forms of trust come into play in the world of electronic transactions. A business supports blind trust when it allows you to request a car insurance quotation online and emails you a link where you can access the web based applications. When a quotation is issued based upon your applying at the private link it has granted you swift trust. And when it issues you the insurance based upon you making your first payment with your American Express it employs indirect trust, American Express guarantees the payment!

In each step the business is increasing its confidence, or trust, that you are you. This is has been done through a web of interlocking identification factors: you own the email address, the car is registered in your name and you have provided a valid credit card which has the same billing address as your car registration. Each step has been hedged so that the insurance company (which assumes all liability if it is defrauded) has made a decision on the acceptable levels of business risk.

Peter Gutmann seems to believe, and I concur, that prescriptive digital signature laws do little to mitigate the risk of electronic transactions in an acceptable way. Furthermore, they may create more problems than they solve.

I would add to this that the general electronic signature laws (ESIGN/UETA in the US) provide all of the legislative framework that is necessary. With these laws, and a sensible approach to risk management through authentication and intermediaries, electronic transactions should have no more risk than the face to face transactions that we engage in every day.