Digital dotted line

9:33am EDT July 22, 2002

Electronic signatures now have the same weight as documents signed with a pen. The only problem is, who do you trust?

Digital signatures are extremely secure, and, by the way, aren't necessarily actual signatures. Some programs or services only require you to acknowledge the terms of any contract, not actually scan in a signature and attach it to the document.

For the system of digital signatures to work, there has to be an agency or company that verifies people on the Net are who they claim to be by using a digital certificate -- a sort of virtual ID. The encryption process is complex, but one of the key elements is known as a public key.

"Something has to vouch for the authenticity of the public key," says Jonathon Chinitz, vice president and general manager of VASCO Data Security, a provider of secure business solutions. "If you go to some other country, and someone needs to know who you are, you pull out your passport. They check that the pictures match, the signatures match and the passport number is unique.

"The digital certificate is the digital equivalent of a passport."

A third party that has your information on file issues the certificate. When you digitally sign something, it is encrypted with a private key; the signed document can be unlocked for viewing, but cannot be changed. The digital certificate is tied to the public key, and verifies that the public key has not been altered -- if it had been, the information on the certificate and the public key would not match, because only the third-party issuer of the certificate and you have the proper codes to change the document.

For example, you are sent a contract to sign. You sign the contract, and it is encrypted using the private key portion of your software. When you send it back, a public key is included to allow the receiving party to unlock the document for viewing. A digital certificate is included to verify that the public key matches the information on file with the issuer of the certificate.

Thus a hacker might be able to somehow gain access to the file and try to change the numbers of the deal, but would not be able to pose as you because the certificate information would not match that of the public key.
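The recipient's check described above, as an added Go example (not from the article, VASCO or Verisign): a signed contract is accepted only if the signer's certificate chains to an issuer the recipient trusts and the signature verifies under the public key in that certificate. The names `party`, `Accept` and `Demo`, the issuer "Example Issuer", the signer "Alice" and the contract text are constructed for illustration; the signature here is a separate Ed25519 value computed over the contract, and the certificates are X.509 certificates built with the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// party makes a key pair and a certificate binding its public key to name (nil issuer: self-signed).
func party(name string, serial int64, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, kerr := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if issuer == nil {
		issuer, issuerKey, t.IsCA, t.BasicConstraintsValid, t.KeyUsage = t, key, true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey)
	cert, perr := x509.ParseCertificate(der)
	if kerr != nil || err != nil || perr != nil {
		panic(fmt.Sprint(kerr, err, perr))
	}
	return cert, key
}

// Accept: cert must chain to the trusted issuer, and sig must verify under cert's public key.
func Accept(doc, sig []byte, cert, issuer *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false
	}
	return cert.CheckSignature(x509.PureEd25519, doc, sig) == nil
}

// Demo runs three constructed cases: genuine, altered contract, impostor key.
func Demo() (genuine, altered, impostor bool) {
	ca, caKey := party("Example Issuer", 1, nil, nil)
	cert, key := party("Alice", 2, ca, caKey)
	fake, evilKey := party("Alice", 3, nil, nil) // attacker's self-made "Alice" certificate
	doc, forged := []byte("Price: $5 per unit"), []byte("Price: $1 per unit") // constructed contracts
	sig := ed25519.Sign(key, doc)
	return Accept(doc, sig, cert, ca), Accept(forged, sig, cert, ca),
		Accept(forged, ed25519.Sign(evilKey, forged), fake, ca)
}

func main() { fmt.Println(Demo()) }
```

Running it prints `true false false`: the genuine contract is accepted, the altered contract fails the signature check, and the re-signed contract fails because its certificate was not issued by the trusted issuer.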

The problem in all of this lies with who will issue the certificates.

"In order for us to use digital signatures as a regular course of business, the fundamental barrier is the infrastructure, not the encryption algorithm," says Chinitz. "Every browser is already capable of producing digital signatures. But where do I get the certificate and how many will I need?"

Right now, several private enterprises -- the best known is probably Verisign -- are vying to earn the public trust for this authority, as are several government entities. This is the equivalent of having 10 versions of a passport, all issued by different authorities.

Chinitz predicts that at first, this will be accepted, with certificates from many authorities -- or even a certificate from each retailer you do business with -- being stored in your browser.

"Eventually there will be a user revolt," says Chinitz. "Eventually, everyone will accept one type issued by X."

When the infrastructure catches up, the use of digital signatures will be seamless. A user working on a Word document will click on a button to encrypt and send it. The person receiving it will open it, receive verification of the authenticity, and move on without thinking twice about it.

How to reach: VASCO, www.vasco.com; Verisign, www.verisign.com

Todd Shryock (tshryock@sbnnet.com) is SBN's special reports editor.