...
A traditional holographic (hand-written) signature affixes a distinctive mark to the original document (the signature) that may be used as evidence of the identity of the signor, that the signing party approved, authorized, or adopted the document, and that the document has not been altered subsequent to the signature. An electronic signature calls for a similar outcome; some distinctive mark must be affixed to the original document as evidence of the electronic signature, binding the document to the signor's identity. An original signature on a document also provides evidence that the document has not been altered subsequent to the signature. Electronic signatures should provide similar confidence of document integrity. And finally, tangible paper documents with holographic signatures are amenable to a wide variety of evaluations to establish confidence in their authenticity. Because electronic documents are intangible and not amenable to evaluation of chemical composition, printing techniques, signature strokes, etc., it is important for an electronic signature system to provide audit trails to establish the chain of custody for e-signature transactions.
, indicating their approval or adoption, and providing evidence of the document's integrity. (These three elements, identity, adoption, and non-alteration, are known in computer security jargon as non-repudiation.)
Binding Document to Identity
Some distinctive mark must be affixed to the original document as evidence of the electronic signature. This outcome has been articulated in the NMFS policy directive 32-110 as "...tie the electronic transaction to the individual or entity in a legally-binding way." The policy also specifies that "implementation of an e-signature system must contain some form of technical non-repudiation services to protect the reliability, authenticity, integrity... of the electronically-signed information" and "...audit trails that ensure the chain of custody for the transaction." In e-signature literature, the issue of tying the electronic transaction to the individual or entity is often referred to as non-repudiation, that is, limiting the ability of the signer to repudiate, or deny responsibility, for the signature.
In an implementation, different technical mechanisms are employed to address "Binding Document to Identity", "Document Integrity", and "Audit Trails".
In evaluating alternative approaches to binding document to identity, it is sometimes helpful to distinguish two different concerns: non-repudiation and integrity. Non-repudiation refers to limiting the ability of the signer to repudiate, or deny responsibility, for the signature. In e-signature systems, the distinctive mark is going to be one or more data elements that have been associated with the individual or entity. A simplistic (but inadvisable) example would be to require the signing party to enter their social security number as part of the signing ceremony; the social security number could be considered a distinctive mark and stored in a database table with the document, the date and time of the e-signature, and other contextual data.
In practice a social security number should not be used directly for this purpose, but some other identifier could serve the same function. The requirements for the identifier are that it is distinctive and unique to the individual, and can be associated as necessary with other data pertaining to that individual.
The mechanisms for binding the identifier to the document provide more scope for variation. The simplistic example above writes the identifier (SSN), the document, and contextual data into a database as related items. This approach may be sufficient to mitigate business risk. A more rigorous approach would be to use a mathematical function that would imprint the identifier and contextual data on the document, and then store the resulting imprinted document along with the identifier and contextual data. An even more rigorous approach would be to submit the document, identifier and contextual data to the US Postal Service Electronic Postmark system. (The Electronic Postmark provides trusted proof of content as of a specific point in time.)
Document Integrity
Integrity refers to confidence that the signed document has not been altered subsequent to the signature.
Policy directive 32-110 specifies that "implementation of an e-signature system must contain some form of technical non-repudiation services to protect the reliability, authenticity, integrity... of the electronically-signed information" and "the technical non-repudiation... should tie the electronic transaction to the individual or entity in a legally-binding way." Depending on the business risk, it may be adequate to document system access controls and security procedures, and assert that these adequately protect electronic signature data from alteration. Higher levels of business risk might require higher levels of access controls, security procedures, and audit trails. The signed document, identifier, and contextual information could be pre-processed, using a mathematical function that would imprint the identifier and contextual data on the document, and then stored, so that any alteration would be detectable; i.e., the storage and retrieval would become tamper evident. Finally, the Electronic Postmark mentioned above could provide a very high level of confidence in the integrity of an electronically signed document.
Audit Trails
NMFS policy directive 32-110 specifies "...audit trails that ensure the chain of custody for the transaction."
A traditional holographic signature affixes a distinctive mark to the original document (the signature) that may be used as evidence that the signing party approved or authorized the document. An electronic signature calls for a similar outcome; some distinctive mark must be affixed to the original document as evidence of the electronic signature. This outcome has been articulated in the NMFS policy directive 32-110 as "...tie the electronic transaction to the individual or entity in a legally-binding way." In technical literature the process to achieve this outcome is frequently referred to as "Binding Document to Identity".
In this section we will discuss design alternatives
Binding Document to Identity
...
Document Integrity and Tamper-Evident Packaging
In evaluating alternative approaches to binding document to identity, it is sometimes helpful to distinguish two different concerns: non-repudiation and integrity. Non-repudiation refers to limiting the ability of the signer to repudiate, or deny responsibility, for the signature. Integrity refers to confidence that the signed document has not been altered subsequent to the signature.
To address non-repudiation concerns an association must be made between the electronic document and some distinctive item of data that identifies the signing party, in a way that makes the signature attributable to the signing party. To address integrity concerns the document and the association to the signing party must be stored and retrieved in such a way that any alteration in either would be detected; i.e., the storage and retrieval must be tamper evident.
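One way to realize the "mathematical function" imprint and the tamper-evident storage and retrieval described under Binding Document to Identity and Document Integrity, given here as an added example and not as code from the NMFS design. HMAC-SHA256 is an assumed choice of function; the key, the identifiers and the sample document are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real system would load a secret
# from a key store that only the signing service can read.
SERVER_KEY = b"constructed-demo-key"


def _canonical(document: bytes, signer_id: str, context: dict) -> bytes:
    """Serialize every bound field in one unambiguous, key-ordered form."""
    envelope = {
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "signer_id": signer_id,
        "context": context,
    }
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def imprint(document: bytes, signer_id: str, context: dict,
            key: bytes = SERVER_KEY) -> dict:
    """Build the record stored with the document at signing time."""
    tag = hmac.new(key, _canonical(document, signer_id, context),
                   hashlib.sha256).hexdigest()
    return {"signer_id": signer_id, "context": context, "imprint": tag}


def verify(document: bytes, record: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the imprint on retrieval; any altered field changes it."""
    expected = hmac.new(
        key, _canonical(document, record["signer_id"], record["context"]),
        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["imprint"])


if __name__ == "__main__":
    # Constructed sample document and signing context.
    doc = b"Constructed sample report: vessel 0001, 1200 lb landed"
    ctx = {"signed_at": "2024-05-01T12:00:00Z", "source_ip": "192.0.2.10"}
    rec = imprint(doc, "user-4711", ctx)
    print("intact record verifies:", verify(doc, rec))
    print("edited document verifies:", verify(doc.replace(b"1200", b"2100"), rec))
    print("swapped signer verifies:", verify(doc, dict(rec, signer_id="user-9999")))
```

Because the key is held by the system, this makes the stored document, identifier and context tamper evident to anyone without the key; it does not by itself prove the signer's act to a third party.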
...
These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS."
Depending on business risk, it may be adequate to store the originating computer's Internet Protocol address and time stamps in database tables. Higher levels of business risk might require Secure Sockets Layer (SSL) sessions, trusted time stamps, and comprehensive audit trails on the database tables involved.
To some extent, extra emphasis on database integrity might counterbalance an emphasis on audit trails. For example, if an Electronic Postmark were used as the guarantor of document integrity, audit trails on local database tables might be considered irrelevant.