Document Binding, Integrity, and Audit Trails

Electronic Signature Implementation Requirements

(from policy directive 32-110)
1. The implementation of an e-signature system must contain some form of technical non-repudiation services to protect the reliability, authenticity, integrity, and usability, as well as the confidentiality and legitimate use of the electronically-signed information.
2. The technical non-repudiation services (required in number 1 above) should tie the electronic transaction to the individual or entity in a legally-binding way.
3. The electronic signature process should include, as part of its technical non-repudiation services, audit trails that ensure the chain of custody for the transaction. These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS.
...

Introduction

A traditional holographic (hand-written) signature affixes a distinctive mark (the signature) to the original document. That mark may be used as evidence of the identity of the signing party, of their approval, authorization, or adoption of the document, and of the fact that the document has not been altered subsequent to the signature. An electronic signature calls for a similar outcome: some distinctive mark must be affixed to the original document as evidence of the electronic signature, binding the document to the signing party's identity, indicating their approval or adoption, and providing evidence of the document's integrity. (Taken together, these three elements, identity, adoption, and non-alteration, are what computer security practitioners call non-repudiation: the signing party cannot later plausibly deny having signed that particular document in that form.)

Binding Document to Identity

Some distinctive mark must be affixed to the original document as evidence of the electronic signature. This outcome has been articulated in the NMFS policy directive 32-110 as "...tie the electronic transaction to the individual or entity in a legally-binding way." In e-signature systems the distinctive mark will be one or more data elements that have been associated with the individual or entity. A simplistic (but inadvisable) example would be to require the signing party to enter their social security number as part of the signing ceremony; the social security number could be considered a distinctive mark and stored in a database table with the document, the date and time of the e-signature, and other contextual data.

In practice a social security number should not be used directly for this purpose: it is sensitive personal data that must be protected wherever it is stored, and it is known to many third parties (employers, banks, and so on), so the ability to type it is weak evidence that the person at the keyboard is the individual it identifies. Some other identifier can serve the same function. The requirements for the identifier are that it is distinctive and unique to the individual, that it can be associated as necessary with other data pertaining to that individual, and that the signing ceremony authenticates the party supplying it by some means independent of the identifier itself (a login to an existing account, for example).

There are a variety of mechanisms for binding the identifier to the document. The simplistic example above writes the identifier (SSN), the document, and contextual data into a database as related items. This approach may be sufficient to mitigate low business risk, but its evidentiary value rests entirely on the access controls and procedures around the database: anyone who can update the table can change the association, and nothing in the stored data would reveal that it happened. A more rigorous approach would be to compute a cryptographic hash of the document together with the identifier and contextual data, or better a digital signature over all three under a key held outside the database, and then store the resulting hash or signature along with the document, identifier and contextual data; the signature is the "imprint" that ties the three together. An even more rigorous approach would be to submit the document, identifier and contextual data to the US Postal Service Electronic Postmark system. (The Electronic Postmark provides trusted proof of content as of a specific point in time.)

Document Integrity

Integrity refers to confidence that the signed document has not been altered subsequent to the signature. Depending on the business risk, it may be adequate to document system access controls and security procedures, and assert that these adequately protect electronic signature data from alteration. Higher levels of business risk might require higher levels of access controls, security procedures, and audit trails. The signed document, identifier, and contextual information could be hashed or digitally signed together, with the hash or signature stored alongside them, so that any alteration would be detectable; i.e., the storage and retrieval would become tamper evident. Note that a bare hash stored in the same database as the data it covers is tamper evident only against someone who cannot also rewrite the hash; an attacker with write access to the table can simply recompute it. A digital signature whose private key is held outside the database, or a hash deposited with an independent party, does not have this weakness. Finally, with the Electronic Postmark mentioned above, the institutional integrity of the USPS could provide a very high level of confidence in the integrity of an electronically signed document.
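The "imprint" discussed under Binding Document to Identity and again here is, in concrete terms, a digital signature over a canonical encoding of the document, the identifier and the context. The Go program below is an added example written for this page, not code from NMFS or from any e-signature product. It assumes an Ed25519 system key that is generated and held outside the database, a hypothetical registrant identifier and source address, a constructed sample document, and a fixed timestamp standing in for a trusted time source.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedPackage is the record the system stores: the original document, the
// identifier of the signing party, the transaction context, and the signature
// that binds all of them together.
type SignedPackage struct {
	Document   []byte
	SignerID   string    // hypothetical registrant identifier (not an SSN)
	SourceAddr string    // originating IP as observed; corroborating context only
	SignedAt   time.Time // should come from a trusted time source
	Signature  []byte    // Ed25519 signature over canonical(...)
}

// canonical encodes the bound fields as one unambiguous byte string. Every
// field is length-prefixed, so moving bytes between fields (for example from
// the identifier into the document) changes the encoding and so the signature.
func canonical(doc []byte, signerID, sourceAddr string, signedAt time.Time) []byte {
	var buf bytes.Buffer
	fields := [][]byte{
		doc,
		[]byte(signerID),
		[]byte(sourceAddr),
		[]byte(signedAt.UTC().Format(time.RFC3339Nano)),
	}
	for _, f := range fields {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		buf.Write(n[:])
		buf.Write(f)
	}
	return buf.Bytes()
}

// Sign binds document, identifier and context under the system's signing key.
// The private key must be held outside the database (an HSM or a separate key
// store); if it sat in the same table, whoever can edit a row could re-sign it.
func Sign(priv ed25519.PrivateKey, doc []byte, signerID, sourceAddr string, signedAt time.Time) SignedPackage {
	return SignedPackage{
		Document:   doc,
		SignerID:   signerID,
		SourceAddr: sourceAddr,
		SignedAt:   signedAt,
		Signature:  ed25519.Sign(priv, canonical(doc, signerID, sourceAddr, signedAt)),
	}
}

// Verify rebuilds the canonical encoding from the stored fields and checks the
// signature, so a change to any bound field (not just the document) fails.
func Verify(pub ed25519.PublicKey, p SignedPackage) bool {
	return ed25519.Verify(pub, canonical(p.Document, p.SignerID, p.SourceAddr, p.SignedAt), p.Signature)
}

// Digest is a stable reference to a signed package, for an amendment record or
// an audit-trail entry to cite without copying the document.
func Digest(p SignedPackage) string {
	sum := sha256.Sum256(canonical(p.Document, p.SignerID, p.SourceAddr, p.SignedAt))
	return hex.EncodeToString(sum[:])
}

// Demo signs a constructed sample submission, then shows that the unaltered
// package verifies while an altered document and a backdated timestamp do not.
func Demo() (original, alteredDoc, backdated bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample input for this example, not real data.
	doc := []byte("Vessel permit application: F/V EXAMPLE, permit class A")
	when := time.Date(2024, 3, 1, 14, 22, 5, 0, time.UTC)
	pkg := Sign(priv, doc, "registrant-00042", "198.51.100.7", when)
	original = Verify(pub, pkg)

	tampered := pkg // struct copy; the stored original is untouched
	tampered.Document = []byte("Vessel permit application: F/V EXAMPLE, permit class B")
	alteredDoc = Verify(pub, tampered)

	moved := pkg
	moved.SignedAt = when.Add(-24 * time.Hour)
	backdated = Verify(pub, moved)
	return original, alteredDoc, backdated
}

func main() {
	a, b, c := Demo()
	fmt.Printf("original verifies: %v, altered document: %v, backdated: %v\n", a, b, c)
}
```

Because the private key never enters the database, an actor who can update the table can change a row but cannot produce a signature over the changed row that verifies. An amendment is handled the same way: it is stored as a second signed package whose context carries the Digest of the original, rather than by editing the original row.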

Audit Trails

NMFS policy directive 32-110 specifies "...audit trails that ensure the chain of custody for the transaction. These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS."

Depending on business risk it may be adequate to store the originating computer's Internet Protocol address and time stamps in database tables. Higher levels of business risk might require TLS (formerly SSL) sessions, so that the connection between the submitter and NMFS cannot be read or altered in transit, trusted time stamps from an independent time-stamping authority (RFC 3161 is the usual protocol), and comprehensive audit trails on the database tables involved.

It should be noted that while the policy directive stipulates that audit trails "identify the sending location", in practice the sending location of an Internet transaction cannot be identified with a high degree of confidence. An IP address identifies a network endpoint, not a place or a person: it may belong to a proxy, a VPN exit, a Tor relay, or a shared corporate or carrier NAT, and a transacting party with motivation and modest technical competence can route a transaction through any of these. (An organization with the resources of the NSA or the FBI may be able to establish the origin of a transaction with high confidence; with ordinary resources it is not possible to detect these commonly available mechanisms for misrepresenting location.) The recorded address should therefore be treated as corroborating context, not as proof of location.

To some extent extra emphasis on document integrity might counterbalance an emphasis on audit trails. For example, if an Electronic Postmark were used as the guarantor of document integrity, audit trails on local database tables would no longer matter for the integrity of the document itself, although they would still be the only record of the transaction context (who submitted it, when, and from where) and would need to be protected for that reason.
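One way to give the audit trail the "chain of custody" property the directive asks for is to hash-chain the entries, so that editing, reordering or deleting any entry breaks the chain. The Go program below is an added example for this page, not NMFS code. The events, actors, addresses and document digest are constructed sample data, and the chain's "head" hash is assumed to be recorded somewhere a database administrator cannot reach (a separate system, or postmarked along with the document), since a hash chain on its own cannot detect removal of its newest entries.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is one chain-of-custody event. Each entry carries the hash of
// the entry before it, so the trail can be extended but not edited or
// shortened without the break being detectable.
type AuditEntry struct {
	Seq        int
	At         time.Time // from a trusted time source in production
	Event      string    // "received", "stored", "accessed", ...
	Actor      string    // submitter identifier or staff account
	SourceAddr string    // as observed on the connection; context, not proof of location
	DocDigest  string    // digest of the signed package this event concerns
	PrevHash   string    // hash of the preceding entry ("" for the first)
	Hash       string    // hash of this entry's other fields
}

// entryHash covers every field except Hash itself. %q quotes each string, so
// the encoding stays unambiguous even if a field contains the separator.
func entryHash(e AuditEntry) string {
	s := fmt.Sprintf("%d|%s|%q|%q|%q|%q|%s",
		e.Seq, e.At.UTC().Format(time.RFC3339Nano), e.Event, e.Actor,
		e.SourceAddr, e.DocDigest, e.PrevHash)
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// AuditTrail is an append-only sequence of entries; a database table in
// practice, an in-memory slice here.
type AuditTrail struct{ entries []AuditEntry }

// Append links a new event to the current head of the chain.
func (t *AuditTrail) Append(at time.Time, event, actor, sourceAddr, docDigest string) AuditEntry {
	e := AuditEntry{Seq: len(t.entries) + 1, At: at, Event: event, Actor: actor,
		SourceAddr: sourceAddr, DocDigest: docDigest, PrevHash: t.Head()}
	e.Hash = entryHash(e)
	t.entries = append(t.entries, e)
	return e
}

// Head is the hash of the latest entry. Record it outside the table so that
// truncation of the trail is detectable.
func (t *AuditTrail) Head() string {
	if len(t.entries) == 0 {
		return ""
	}
	return t.entries[len(t.entries)-1].Hash
}

// Entries returns a copy, as a reviewer reading the table would obtain.
func (t *AuditTrail) Entries() []AuditEntry {
	return append([]AuditEntry(nil), t.entries...)
}

// VerifyTrail walks the chain and reports the first entry whose contents or
// linkage do not check out. A chain that is internally consistent but does not
// end at the recorded head has been truncated; that is reported at position
// len(entries)+1. badSeq is 0 when the trail is intact.
func VerifyTrail(entries []AuditEntry, expectedHead string) (ok bool, badSeq int) {
	prev := ""
	for i, e := range entries {
		if e.Seq != i+1 || e.PrevHash != prev || entryHash(e) != e.Hash {
			return false, i + 1
		}
		prev = e.Hash
	}
	if prev != expectedHead {
		return false, len(entries) + 1
	}
	return true, 0
}

// Demo builds a three-event trail from constructed sample data, then shows
// that editing an entry and deleting the newest entry are both detected.
func Demo() (intact bool, editedSeq int, truncationDetected bool) {
	var trail AuditTrail
	base := time.Date(2024, 3, 1, 14, 22, 5, 0, time.UTC)
	digest := "constructed-digest-of-signed-package" // stands in for a real hex digest
	trail.Append(base, "received", "registrant-00042", "198.51.100.7", digest)
	trail.Append(base.Add(2*time.Second), "stored", "esig-service", "10.0.0.5", digest)
	trail.Append(base.Add(90*time.Minute), "accessed", "staff-jdoe", "10.0.4.19", digest)
	head := trail.Head() // assumed to be recorded outside the table at this point

	intact, _ = VerifyTrail(trail.Entries(), head)

	edited := trail.Entries()
	edited[1].Actor = "registrant-00099" // rewrite who submitted it
	_, editedSeq = VerifyTrail(edited, head)

	truncated := trail.Entries()[:2] // drop the "accessed" event
	ok, _ := VerifyTrail(truncated, head)
	truncationDetected = !ok
	return intact, editedSeq, truncationDetected
}

func main() {
	fmt.Println(Demo())
}
```

The chain makes the trail tamper evident to a reader who holds the head hash, but not tamper proof: an attacker who can rewrite the whole table and also replace the recorded head can fabricate a consistent history. That is why the head (or a periodic digest of the trail) belongs with an independent party, which is the role the Electronic Postmark plays for the document itself.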

Summary

Generally the alternatives that are least expensive, easiest to implement, and most convenient for the registrant are also the alternatives that provide the least confidence. The table below summarizes pertinent characteristics of some of the alternatives.

Each alternative is described by the mechanisms it uses for document binding, integrity, and audit trails, the confidence it provides, and its cost and security characteristics.

Alternative: Typical online system practices
Mechanisms: write the individual's identifier, the signed document, and contextual information into the database as a relation, with typical constraints, access controls, and security procedures. Audit trails (change logs) may be maintained in the application program or the database layer.
Confidence: low
Characteristics: fast implementation; inexpensive to implement and maintain; security characteristics well understood.

Alternative: Secure online system practices
Mechanisms: rigorous constraints, access controls, and security procedures, including audit trails in the database layer (in addition to any controls in the application layer), trusted time sources, logging of security events in the database layer and/or the system software layer, etc. Audit trails (change logs) should be maintained in both the application program and database layers.
Confidence: moderate
Characteristics: moderately expensive to implement and maintain; security characteristics well understood.

Alternative: Package with a Digital Signature
Mechanisms: compute a digital signature over the document together with the identifier and contextual data (which should include a trusted timestamp), and store the signature with the document, identifier and contextual data. Audit trails should be maintained in both the application program and database layers, although in this case the audit trails serve solely to preserve confidence in the transaction context data; confidence in the integrity of the signed document is preserved by the tamper-evident nature of the digital signature, provided the signing key is held outside the database and the verification key remains available to whoever must check the signature later. It is computationally infeasible to change a signed document without invalidating the signature; instead of allowing changes to signed documents, the system may need to support attaching signed amendments or annotations to a document, or some other mechanism that clearly preserves the original signed document while making some allowance for additions to the record.
Confidence: high
Characteristics: expensive to implement and maintain; security characteristics are complex and unfamiliar.

Alternative: USPS Electronic Postmark
Mechanisms: submit the document, identifier and contextual data to the US Postal Service Electronic Postmark system (EPM) and store the resulting confirmation code with the signed document. Audit trails should be maintained in both the application program and database layers, although in this case the audit trails serve solely to preserve confidence in the transaction context data; confidence in the integrity of the signed document is preserved by the tamper-evident nature of the USPS EPM and by trust in the institution of the USPS. A signed document cannot be changed without invalidating the EPM; instead of allowing changes to signed documents, the system may need to support attaching signed amendments or annotations to a document, or some other mechanism that clearly preserves the original signed document while making some allowance for additions to the record.
Confidence: highest
Characteristics: inexpensive to implement but expensive to maintain; security characteristics rest on trust in the institution of the USPS.