Guess how Clinton signed the Digital Signature bill?
2000-06-30
A major piece in the security jigsaw dropped into place at the end of last week, as US President Bill Clinton travelled to Philadelphia to sign a bill giving electronic signatures the same legal status as handwritten ones. Quite why he had to travel all that way in this wireless world is beyond us, but all the same the Signature signature (sic) represents a very important step indeed.
Anyone who has attended security conferences over the past few years will have realised that there is very little left for the technologists to do. Most of the major problems – authentication, non-repudiation, encryption and the like – were solved years ago and the biggest problem facing security vendors is now how to ensure the adoption of such technologies. One of the main blockers to this adoption process has been the legal basis of the digital signature itself.
Digital signatures employ a public key mechanism. Two keys are used: a private one, which is used to encrypt the message, and a public one, which can decrypt it. The rather clever effect of this pairing is that, if a message can be decrypted using a person’s public key, then it must have come from that person, as nobody else could have encrypted it. Hence we have the concept of non-repudiation – it becomes possible to guarantee the source of a message.
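The mechanism described above, as an added example that is not part of the original article: textbook RSA in which the private-key operation is applied to a SHA-256 digest of the message and anyone holding the public key can check the result. The key pairs (built from known Mersenne primes), the sample messages and all function names are constructed for illustration; the scheme is unpadded, where deployed systems use padded schemes such as RSA-PSS.

```python
import hashlib

def make_key(p: int, q: int, e: int = 65537):
    """Build a textbook RSA key pair from two primes: returns (n, e, d)."""
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return p * q, e, d

def digest_int(message: bytes) -> int:
    """SHA-256 digest of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int, n: int) -> int:
    """Private-key operation on the digest; only the key holder can do this."""
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Public-key operation: undo the signature and compare with the digest."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest_int(message)

# Constructed demo keys from known Mersenne primes. Assumption: illustration
# only; the scheme is unpadded and these primes are public knowledge.
SIGNER_N, SIGNER_E, SIGNER_D = make_key(2**521 - 1, 2**607 - 1)
OTHER_N, OTHER_E, OTHER_D = make_key(2**127 - 1, 2**521 - 1)

CONTRACT = b"I agree to the contract terms dated 30 June 2000."  # constructed
ALTERED = b"I agree to the contract terms dated 30 June 2001."   # constructed

def demo() -> dict:
    """Check one genuine signature and two that must be rejected."""
    sig = sign(CONTRACT, SIGNER_D, SIGNER_N)
    other_sig = sign(CONTRACT, OTHER_D, OTHER_N)  # made with a different key
    return {
        "genuine": verify(CONTRACT, sig, SIGNER_E, SIGNER_N),
        "altered_text": verify(ALTERED, sig, SIGNER_E, SIGNER_N),
        "wrong_signer": verify(CONTRACT, other_sig, SIGNER_E, SIGNER_N),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'rejected'}")
```

The check fails both when the text is changed after signing and when the signature was produced with any key other than the signer's, which is the property the non-repudiation argument rests on.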
Security facilities are built into email systems, transactional systems and vertical applications, but they have not been getting the use they deserve. For example, the only emails that we have seen using digital signatures have been those coming from security vendor companies. This lack of desire has been due in part to the all-or-nothing principle – if nobody is doing it, then nobody does it. It does, however, open up a weak link in the chain: it is possible to hold up an email as evidence of a commitment, but it does not provide a legal basis of its own. Also, items such as contracts still need to be signed and posted, or faxed, before they are acceptable: both options are slower and more onerous (and costly) than a purely electronic means. That is, until now.
Once again, of course, it will be necessary for countries other than the US to adopt the measure before it will really kick in. This will happen – it is only a matter of time. When it becomes possible for parties to agree contracts and other transactions electronically, the final nail will be hammered into the coffin of paper-based communications.
(First published 30 June 2000)