Alternative | Document Binding, Integrity, and Audit Trails Mechanisms | Confidence
| Characteristics |
|---|
Typical online system practices
| write the individual's identifier, the signed document, and contextual information into the database as a relation, with typical constraints, access controls, and security procedures
audit trails (change logs) may be maintained in the application program or the database layer
| low | fast implementation,
inexpensive to implement and maintain,
security characteristics well understood
|
Secure online system practices
| rigorous constraints, access controls, and security procedures, including audit trails in the database layer (in addition to any controls in the application layer), trusted time sources, logging of security events in the database layer and/or the system software layer, etc.
audit trails (change logs) should be maintained in both the application program and database layers
| moderate | moderately expensive to implement and maintain,
security characteristics well understood |
Package with a Digital Signature
| pre-process the document using a mathematical function that would imprint the identifier and contextual data on the document, and then store the resulting imprinted document along with the identifier and contextual data, which should include a trusted timestamp.
audit trails should be maintained in both the application program and database layers, although in this case the audit trails are solely to preserve confidence in the transaction context data. Confidence in the integrity of the signed document is preserved by the tamper-evident nature of a Digital Signature. Operationally it would be impossible to change a signed document without invalidating the signature; instead of allowing changes to signed documents, the system may need to support attaching signed amendments or annotations to a document, or some other mechanism that clearly preserves the original signed document but makes some allowance for additions to the record.
| high | expensive to implement and maintain, security characteristics are complex and unfamiliar |
USPS Electronic Postmark
| submit the document, identifier and contextual data to the US Postal Service Electronic Postmark system (EPM) and store the resulting confirmation code with the signed document
audit trails should be maintained in both the application program and database layers, although in this case the audit trails are solely to preserve confidence in the transaction context data. Confidence in the integrity of the signed document is preserved by the tamper-evident nature of the USPS EPM and by trust in the institution of the USPS. Operationally it would be impossible to change a signed document without invalidating the EPM; instead of allowing changes to signed documents, the system may need to support attaching signed amendments or annotations to a document, or some other mechanism that clearly preserves the original signed document but makes some allowance for additions to the record.
| highest | inexpensive to implement but expensive to maintain, security characteristics are based on trust in the institution of the USPS |