View Source

draft - characterizes alternative approaches to e-signatures.

Context for Analysis

Complying with OMB's guidance for e-authentication, as required by NMFS e-signature policy and procedural directive, requires agencies to work through an analytical process to evaluate e-signature alternatives to match e-signature tools to the e-government application being enabled.
Neither the OMB policy nor NIST e-authentication technical guidance specifies solutions that agencies must use.
The first step in the analytical process is to understand the range of e-signature alternatives available to agencies and agree upon criteria for evaluating the e-signature alternatives. (This is the subject of the August 20th meeting)
The second step is to evaluate a selected set of e-signature alternatives against some agreed-upon alternatives. (This is the subject of the August 27th meeting)
Subsequent meetings will help complete the analytical steps called for in the NMFS e-signature policy and procedural directive.

Proposed Evaluation Criteria

Usability: ease-of-use consistent with typical commercial online transactions such as consumer banking or personal investor securities trading; portable e-signature capability, not tied to a particular Internet access device or particular type of access device (rules out a signature digitizing pad, fingerprint reader, etc.)
Ease of Implementation: minimize modifications to agency business rules or technology infrastructure
Affordability: cost appropriate for business value delivered
Risk Mitigation: accountability appropriate to mitigate business risk - which is a function of confidence in the original identity assertion (are you sure enough that you have identified a specific individual?), the chain of custody of the identity credentials (did the registrant maintain sole custody of the secret?), the integrity of the signed document (is the document in evidence unaltered from when it was signed?), and the legal framework of the e-signature (is the signature legally binding?).

Representative Design Alternatives

As described in the design of e-signature systems, it can be useful to decompose these systems into component parts, each of which present clear choices among technical alternatives. (Like putting together a five-course meal from an a la-carte menu.) The resulting composite design can then be mapped back to our requirements. The table below illustrates this decomposition and analysis for some theoretical and existing e-signature systems.

Design Alternative	Registration	Credential	Credential Delivery	Signing Technology	Tamper Evident Packaging	Ease-of-use	Portability	Cost	Accountability
HMS Permits: no confirmation of identity	Online registration at http://www.hmspermits.gov/	Permit number	Online issuance of permit	Not called a signature, but does include "I am authorized" checkbox	Typical transactional database controls	Similar to common e-commerce transactions	Only "something you know" required	Clearly less expensive than the paper process	Low confidence in identity and custody, but may be adequate to mitigate low risk in the context of the full relationship between the parties
NPS e-signature	Online registration, identity validation via shared secrets including SSN	Username and password	Online issuance	Signatory signs with a "something you know" username and password. One-factor authentication.	Package consists of text of document and e-signature metadata; requires external "seal" to make tamper-evident	Similar to common e-commerce transactions	Only "something you know" required	Clearly less expensive than former paper process	Moderate confidence in identity, credential, and custody, but may be adequate to mitigate moderate risk
IRS e-signature	Transactions typically are complete stand-alone packages with registration, content, and e-signature submitted at the same time; registration for subsequent authentication is not an important concept in this context	Self-Select five-digit PIN with customer's prior year adjusted gross income, or prior year PIN	An identity credential is not an important concept in this context. The e-signed annual electronic transaction (filing a return) represents a small part of the relationship between the parties, and validation of identity is based on multiple factors from the full relationship.	Signatory signs with a "something you know" self-selected five-digit PIN. Transaction is authenticated by user providing prior year adjusted gross income. Might be considered two-factor, but likely one factor (prior year AGI).	Package consists of text of document and e-signature metadata; requires external "seal" to make tamper-evident. User recieves an electronic confirmation number from IRS acknowledging reciept and that also binds signature to transaction.	Similar to common e-commerce transactions	Only "something you know" required	Clearly less expensive than former paper process	Moderate confidence in identity, credential, and custody, but found to be adequate to mitigate risk in the context of the full relationship between the parties
myAlaska e-signature	Online registration, identity validation via shared secrets from two independent government-issued sources (Alaska Permanent Fund Dividend and driver license)	Username and password	Online issuance	Signatory signs with a "something you know" username and password. One factor authentication for user, but strenghened by server side encryption.	Package consists of text of document and e-signature metadata, and is then digitally signed by the myAlaska server to become tamper-evident	Significantly more complex than common e-commerce transactions, but wide adoption indicates that the complexity is acceptable	Only "something you know" required	Clearly less expensive than former paper process	Moderate confidence in identity, credential, and custody, but found to be adequate to mitigate moderate risk in the context of the full relationship between the parties
FedEx(R)-like digitized signature: holographic signature using stylus on a digitizing pad	Signature would not necessarily be electronically associated with the registrant	Image of a holographic signature	None required	Signatory signs a holographic signature on a digitizing pad while the digitizing pad is under the control of agency's e-signature software. One-factor authentication	Package consists of text of document, e-signature metadata, and image of holographic signature; requires external "seal" to make tamper-evident	Familiar and understandable	Requires digitizing pad, stylus, and custom software at client device	Significant cost of stylus and digitizing pad	Characteristics similar to traditional signature
USDA Level 2 Access	Create online profile, then appear in-person at USDA Service Center with government-issued photo ID to activate level 2 credentials	User ID and password	Customer specified credentials are electronically activated by USDA Service Center employee	tbd	tbd				Strong confidence in identity, however, custody of credential not guaranteed
RSA SecureID(TM)	Configurable per business requirements; could be fully online using shared secrets	Choice of 5 hardware authenticators or software for cell phone or PDA	Hardware authenticators require physical delivery; software authenticators "seed" could be delivered electronically	Signatory signs with a "something you know" pin or password, and, a one-time use token code generated by their authenticator	Package consists of signed document and authentication metadata; requires external "seal" to make tamper-evident	Dedicated devices mask deep complexity	Dedicated device must be present at signing	Significant cost of dedicated device and licensing	Strong confidence in identity and credential, good confidence in custody of credential
Theoretical highly rigorous public key infrastructure (PKI) alternative	In-person proofing at US Post Office or a financial institution.	PKI private key with password and biometric (three-factor: something you have, something you know, something you are)	User enables the use of a digital certificate by typing in a passode. The digital certificate would likely be on a storage device or may be stored on a computer. Many web browsers and e-mail clients will work with digital certificates.	Digital Signature: document hash and biometric and e-signature metadata are encrypted with private key. Requires some type of reader to input the key, a scanner for the biometric, and, PKI-aware and biometric-aware client software	Package consists of text of document, biometric and e-signature metadata, and digital signature; this combination is tamper-evident by design	Complex, mysterious, many ways to fail	Reader required (mag stripe, smartcard, usb, etc.), biometric scanner required	Significant cost of person-proofing and certificate issuance, significant cost of reader and biometric scanner	Strong confidence in identity, credential, and custody of credential