incomplete - characterizes alternative approaches to e-signatures.
Context for Analysis (Steve to provide)
Requirements
- Ease-of-use consistent with typical commercial online transactions such as consumer banking or personal investor securities trading
- Portable eSignature capability, not tied to a particular Internet access device or particular type of access device (rules out an eSignature pad, fingerprint reader, etc.)
- Low-cost or no-cost to the end user
- Accountability appropriate to mitigate business risk, which is a function of confidence in the original identity assertion (was the registrant who they claimed to be?), the chain of custody of the identity credentials (did the registrant maintain sole custody of the secret key?), the integrity of the signed document (is the document in evidence exactly the same document that was signed?), and the legal framework of the e-signature (is the signature legally binding?).
Design Alternatives
In the design of e-signature systems there are several independent components, each of which presents choices among technical alternatives, and these choices can be mapped to our requirements:
| Design | Registration | Credential | Credential | Signing | Tamper | | Ease-of-use | Portability | Cost | Accountability |
|---|---|---|---|---|---|---|---|---|---|---|
| Theoretical PKI alternative | In-person proofing at USPO | PKI private key | In-person | Digital Signature: document hash is encrypted with private key. Requires some type of reader to input the key, and client software to execute the hashing and encrypting | Store signed document and digital signature | | Fails: complex and mysterious | Fails: reader required | Fails: cost of person-proofing and certificate issuance | Strong confidence in identity and credential; however, custody of credential not guaranteed |
| Theoretical digitized signature alternative | | | | | | | | | | |