...
- Ease-of-use consistent with typical commercial online transactions such as consumer banking or personal investor securities trading
- Portable eSignature capability, not tied to a particular Internet access device or particular type of access device (rules out an eSignature pad, fingerprint reader, etc.)
- Low-cost or no-cost to the end user, cost to agency appropriate for business value delivered
- Accountability appropriate to mitigate business risk - which is a function of confidence in the original identity assertion (was the registrant who they claimed to be?), the chain of custody of the identity credentials (did the registrant maintain sole custody of the secret key), the integrity of the signed document (is the document in evidence exactly the same document that was signed?), and the legal framework of the e-signature (is the signature legally binding?).
...
Design | Registration | Credential | Credential | Signing | Tamper |
| Ease-of-use | Portability | Cost | Accountability | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Theoretical PKI alternative | In-person proofing at USPO | PKI private key | In-person | Digital Signature: document hash is encrypted with private key. Requires some type of reader to input the key, and, client software to execute the hashing and encrypting | Store signed text of document and digital signature; this combination is tamper-evident by design |
| Fails Fail: complex and mysterious | Fails Fail: reader required | Fails Fail: cost of person-proofing and certificate issuance | Strong Pass: strong confidence in identity and credential, however, custody of credential not guaranteed | |||||||||||||||
Theoretical digitized signature alternative |
|
|
|
|
|
|
|
|
|
|
|
|
|
| FedEx-like digitized signature: holographic signature using stylus on a digitizing pad | Signature would not necessarily be electronically associated with the registrant | Image of a holographic signature | None required | Signatory signs a holographic signature on a digitizing pad while the digitizing pad is under the control of agency's e-signature software | Package signed document and image of holographic signature; requires external "seal" to make tamper-evident |
| Pass: familiar and understandable | Fail: stylus and digitizing pad required, custom software required at client device | Fail: cost of stylus and digitizing pad | Pass: characteristics similar to traditional signature |
RSA SecureID¿ | Configurable per business requirements; could be fully online using shared secrets | Choice of 5 hardware authenticators or software for cell phone or PDA | Hardware authenticators require physical delivery; software authenticators "seed" could be delivered electronically | Signatory signs with a "something you know" pin or password, and, a one-time use token code generated by their authenticator | Package signed document and authentication metadata; requires external "seal" to make tamper-evident |
|
|
|
|
|