| Alternative | Document Binding, Integrity, and Audit Trail Mechanisms | Confidence | Characteristics |
|---|---|---|---|
| Typical online system practices | Write the individual's identifier, the signed document, and contextual information into the database as a relation, with typical constraints, access controls, and security procedures. Audit trails (change logs) may be maintained in the application program or in the database layer. | Low | Fast and inexpensive to implement and maintain; security characteristics well understood. |
| Secure online system practices | Rigorous constraints, access controls, and security procedures, including audit trails in the database layer (in addition to any controls in the application layer), trusted time sources, logging of security events in the database layer and/or the system software layer, etc. Audit trails (change logs) should be maintained in both the application program and the database layer, so that a change made directly to the database, bypassing the application, is still recorded. | Moderate | Moderately expensive to implement and maintain; security characteristics well understood. |
| Package with a digital signature | Pre-process the document using a mathematical function that imprints the identifier and contextual data on the document, then store the resulting signed package along with the identifier and contextual data, which should include a trusted timestamp. It should be impossible to change a signed document, since the digital signature's tamper-evident packaging would show that a changed document is invalid; instead of allowing changes to signed documents, the system may support attaching signed amendments or annotations to a document, or some other mechanism that clearly preserves the original signed document while making some allowance for adding to the record in the future. | High | Expensive to implement and maintain; security characteristics are complex and unfamiliar. |
| USPS Electronic Postmark | Submit the document, identifier and contextual data to the US Postal Service Electronic Postmark (EPM) system and store the resulting confirmation code with the signed document. In this case the most relevant audit trail requirement is the one guaranteeing that the relationship between the document, identifier and contextual data on one side and the USPS EPM confirmation code on the other is robust. The agency would submit to the USPS EPM service enough of the customer's identifier and contextual data that it is always possible to correlate a transaction's data in the agency system with the corresponding data in the USPS EPM system. If an adequate selection of transaction data (including a trusted timestamp) were recorded in both systems, and effective audit trails within the USPS EPM program could be assumed, then the audit trail requirements on the agency side could be relaxed, because there would be no credible threat that could retroactively alter the record consistently in both systems. | Highest | Inexpensive to implement but expensive to maintain; security characteristics rest on trust in the institution of the USPS. |
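The "Package with a digital signature" row describes the mechanism only in prose. The Go program below is an added illustration written for this page; it is not code from the original document, from any agency system, or from the USPS. It builds a signed package that binds a document digest to the signer's identifier, contextual data and a timestamp; shows that any change to the document or to the imprinted data invalidates the signature; and attaches a signed amendment that references the original package by digest instead of altering it. The Ed25519 key, the field names, the sample document and the hard-coded timestamp (which a real system would obtain from a trusted time source) are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Body is what the signature covers: the document digest plus the identifier and
// contextual data the signature "imprints" on it. encoding/json writes struct fields
// in declaration order and sorts map keys, so Marshal(Body) is stable across calls.
type Body struct {
	SignerID  string            `json:"signer_id"`
	Context   map[string]string `json:"context"`
	Timestamp string            `json:"timestamp"`              // RFC 3339; trusted time source in a real system
	DocSHA256 string            `json:"doc_sha256"`
	Prior     string            `json:"prior_sha256,omitempty"` // amendments only: digest of the amended package
}

// Package is the stored record; the document bytes are kept alongside it, keyed by DocSHA256.
type Package struct {
	Body      Body   `json:"body"`
	Signature []byte `json:"signature"`
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// PackageDigest identifies a stored package so an amendment can be bound to it.
func PackageDigest(p Package) string {
	raw, _ := json.Marshal(p)
	return digestHex(raw)
}

// SignPackage imprints signerID, ctx and ts on doc and signs the result.
// prior is nil for an original document and points at the original for an amendment.
func SignPackage(priv ed25519.PrivateKey, signerID string, doc []byte,
	ctx map[string]string, ts time.Time, prior *Package) (Package, error) {
	body := Body{SignerID: signerID, Context: ctx,
		Timestamp: ts.UTC().Format(time.RFC3339), DocSHA256: digestHex(doc)}
	if prior != nil {
		body.Prior = PackageDigest(*prior)
	}
	raw, err := json.Marshal(body)
	if err != nil {
		return Package{}, err
	}
	return Package{Body: body, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyPackage re-derives the signed bytes from the stored body, checks the signature,
// and checks that the stored document still matches the digest the signature covers.
func VerifyPackage(pub ed25519.PublicKey, p Package, doc []byte) error {
	raw, err := json.Marshal(p.Body)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, raw, p.Signature) {
		return errors.New("signature invalid: body or signature was altered")
	}
	if digestHex(doc) != p.Body.DocSHA256 {
		return errors.New("document does not match the digest the signature covers")
	}
	return nil
}

// VerifyAmendment checks both packages and that the amendment names the exact original
// on file, so a substituted or edited original is detected.
func VerifyAmendment(pub ed25519.PublicKey, original Package, origDoc []byte,
	amendment Package, amendDoc []byte) error {
	if err := VerifyPackage(pub, original, origDoc); err != nil {
		return fmt.Errorf("original: %w", err)
	}
	if err := VerifyPackage(pub, amendment, amendDoc); err != nil {
		return fmt.Errorf("amendment: %w", err)
	}
	if amendment.Body.Prior != PackageDigest(original) {
		return errors.New("amendment is not bound to this original package")
	}
	return nil
}

func main() {
	// Constructed sample data: an applicant signs a form, then files a signed amendment.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ctx := map[string]string{"form": "Form-1234", "session": "abc"}
	ts := time.Date(2003, 5, 1, 14, 30, 0, 0, time.UTC) // stands in for a trusted timestamp
	doc := []byte("I certify the information above is correct.")
	orig, _ := SignPackage(priv, "user-42", doc, ctx, ts, nil)
	fmt.Println("original verifies:", VerifyPackage(pub, orig, doc) == nil)
	tampered := []byte("I certify the information above is incorrect.")
	fmt.Println("tampered copy verifies:", VerifyPackage(pub, orig, tampered) == nil)
	amendDoc := []byte("Correction: mailing address is 10 Main St.")
	amend, _ := SignPackage(priv, "user-42", amendDoc, ctx, ts.Add(time.Hour), &orig)
	fmt.Println("amendment chain verifies:", VerifyAmendment(pub, orig, doc, amend, amendDoc) == nil)
}
```

Because the signature covers the identifier, context and timestamp as well as the document digest, editing any of those stored fields after the fact fails verification just as editing the document does; the only supported way to add to the record is a new package whose `prior_sha256` names the original, which is the "signed amendments or annotations" approach the table describes.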