Signatures and Law

A signature is not part of the substance of a transaction, but rather of its representation or form. Signing writings serve general purposes as evidence, ceremony, and approval of the document.

A signature on a written document often imparts a sense of clarity and finality to the transaction and may lessen the subsequent need to inquire beyond the face of a document. The basic nature of transactions has not changed, the law has only begun to adapt to advances in technology. To achieve the basic purposes of signatures outlined above, a signature must have the following attributes:

Signer’s authentication: A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorisation.

Document authentication: A signature should identify what is signed, making it impracticable to falsify or alter either the signed matter or the signature without detection.

Affirmative act: The affixing of the signature should be an affirmative act, which serves the ceremonial, and approval functions of a signature and establishes the sense of having legally consummated a transaction.

Efficiency: Optimally, a signature and its creation and verification processes should provide the greatest possible assurance of both signer authenticity and document authenticy, with the least possible expenditure of resources.

How it works

Electronic signatures use a variety of methods and are created using different technologies. Although all electronic signatures are represented in digital or binary form, at base an electronic signature indicates who signed a document and, ideally, when that document was signed. An electronic signature can be the name in the body of an e-mail message, a digitised image of a handwritten signature attached to an electronic document or a unique biometric authentication, such as a fingerprint or a retinal scan. Note that biometric devices that use fingerprints show promise, but iris- and facial-recognition systems are drastically affected by lighting conditions and have not been thoroughly tested in the real world.

Creating digital signatures with public key (asymmetric) cryptography uses two different but mathematically related keys: A private key encrypts a message, and a public key decrypts it. The private key is known only to the signer and is used to create the digital signature. The public key is distributed widely or kept in an online repository and is used to verify the signature. If the system is designed properly, deriving the private key from the public key to forge a signature is very difficult. In fact, the risk of loss due to a fraudulent or invalid signature is inversely proportional to the number of bits used in the signing algorithm.

A hash function (algorithm) is used to create and verify digital signatures. The algorithm operates on a message to create a digital representation or a fixed-length hash value unique to a particular message. Then you sign the hash value with a private key using, for example, the DSA (Digital Signature Algorithm). The resulting signed hash becomes the digital signature.

The signature can be verified by referring to the size of the original message using the public key that corresponds to the private key. Any change in the message would produce a different hash result using the same algorithm. Although this ensures that a signature will match a certain message, an enterprise may still lack the confidence that the signature identifies the party to be bound to the message. For example, someone might be sitting at your computer with direct access to your private key. Using a Public key infrastructures (PKI) system with tokens can add the requisite assurance.

Digital signatures in a PKI system are created using a digital ID, a combination of public and private keys, and an associated digital certificate. A certificate is a document associated with the keys that contain an identity and with its public key signed or certified by a recognized CA (certificate authority).

Certificates are public documents that should always conform to the X.509 standard. They can be stored on a hard drive, in a browser or directory, or on a token. A token, such as a smart key or smart card can create a digital signature with a private key without revealing the private key. Digital signatures can be created on a computer without a token. However, this exposes the private key to potential theft by direct access to the computer or from a virus like the Love Bug, which was designed to compromise user credentials.

To get your digital signature you first need to apply to a certifying authority (CA). The company will then allocate a private key and a public key to you. These 'keys' are mathematically related and are used to encrypt and decrypt your digitally signed documents. This procedure is referred to as public key cryptography. You use your private key to digitally sign or encrypt a message and on the other end the recipient who already has your public key uses it to decrypt your message. Two things are essential — as the name suggests the private key should be known only to you and the public key to the recipient.

As with any new system the deployment of digital signatures too will requires some intuitional and financial overheads in terms of sever level and user level software. Experts also advise hardware-based solutions to secure a subscriber's private key. And last but not least a subscriber has to pay the certifying authority (CA) that issues the digital signature.