Components of a Digital Signature

February 8, 2003—Draft 2 for URPERA

January 27, 2001—Draft 1

Introduction[1]

It is only recently, October 1, 2000 to be exact, that the federal legislation enabling the use of electronic signatures became the law of the land under Public Law 106-229, entitled “Electronic Signatures in Global and National Commerce Act,” and more affectionately known as “E-Sign.”

Section 102 of E-Sign defers to the model (and only the model) Uniform Electronic Transaction Act (UETA). Although UETA has been enacted in some form by about 36 states, many of the versions of UETA as enacted, such as the one in California, do not conform to the model act. Because of this disparity, E-Sign preempts the provisions of many of these state acts. In response, the states should consider replacing their current versions of UETA with something closer to the model act, such as S.B. 97 (2002) in California.

The following discussion is not a discussion of whether PKI technology is really secure. That issue is beyond the scope of what regular people can discuss. However, I can vouch personally for the fact that obtaining a digital signature can be a frustrating affair. In fact, when I last applied for one on the Digital Signature Trust web site, I found that the personal certificate agreement warranties were missing from the agreement because they were referenced by a web address that was a broken link!

In any event, the first rule that you need to apply to an understanding of digital signatures is that any assumption that a digital signature is easily equated to a wet signature is naive. For example, you can have hundreds of digital signatures, if you wish, not just one. In fact, you may need to have at least two if you want to sign both personal and business documents. Further, it is necessary for both the user of a digital signature and the party relying on a digital signature to be intimately aware of what each of the following components implies in order to determine whether the signature is even valid for the transaction being contemplated.

The Components of a Digital Signature

A digital signature is an electronic construct that purports to replace in an electronic world what are called wet or ink signatures in the paper world.

I have so far identified eight fundamental components of a digital signature:

  1. Provider
  2. Level of Authentication
  3. Portability
  4. Time Limitation
  5. Capacity Limitation
  6. Commitment Level Limitation
  7. Purpose/Use Limitation
  8. Non-Unique

I suspect that there are even more fundamental components to a digital signature, but it has been difficult even to uncover some of these eight because, as far as I can tell, nothing like this present article has been written.

1. Provider

You obtain a digital signature from a private company, sometimes called a Certification Authority, which provides it at a price. Companies that provide digital signatures include Veri-Sign and Digital Signature Trust.[2]

[There is no space here to discuss what may be in the up-to-120 pages of contract you need to agree to, or the “relying party” concept.]

2. Level of Authentication

Whatever you may have heard about the “authentication”[3] and “non-repudiation”[4] aspects of a digital signature is just not true. At least two of the providers of digital signatures provide three or four different levels of digital signature, what they call “Certification Classes.” The lowest class (Class 1) of digital signature has no authentication or non-repudiation characteristics at all; it is useful only to encrypt email. The second class (Class 2) provides some level of authentication, but it is a fine legal point whether this level of authentication is worth much. Class 3 is what you usually hear about when the techies talk the talk of authentication and non-repudiation. This class of digital signature meets requirements 1 and 4 of the fundamental principles of acknowledgment,[5] that is, the digital signature is issued only after personal appearance before a notary public during which identity is proven.[6]

3. Portability

Some digital signatures are attached to one of your computers or to your email address, while others, I am told, are portable, that is, the appropriate codes can be downloaded to a diskette or smart card so you can carry your signature with you. Unlike a credit card or your wet signature, you may not be able to leave home with it.

4. Time Limitation

You do not own your digital signature; you rent it. Your digital signature is good for a specified period of time. I am not clear whether you can renew a digital signature, or whether you need to obtain a new one at the end of each term. Nor am I clear about how that signature can be validated 20 years hence because I am told that the providers will clear old, outdated signature records from their files, maybe after seven (7) years.

5. Capacity Limitation

In personal matters, you sign for yourself. In business, you sign on behalf of an organization; for example, I sign documents in my capacity as CEO of Ernst Publishing Co., LLC. On a paper document, I can make an agreement with my company by signing the same name in two places, this way:

                                  Ernst Publishing Co., LLC

Signature here                    Signature here

Carl R. Ernst                     Carl R. Ernst, CEO

In the world of digital signatures, I believe it is necessary to have different digital signatures in these two capacities because, in the case of the right hand signature, the digital certificate needs to list the name of the company and my capacity within it.

6. Commitment Level Limitation

As CEO of my company, I might want to limit the amount that other officers of the company could commit to. For example, I could give one a limit of $50,000 per contract signed. This type of dollar limit could be included in the digital certificate.

7. Purpose/Use Limitation

You may want a digital signature to apply only to one transaction, or only to a particular type of transaction. You could specify that this digital signature is good only for the purchase of a television set.

8. Non-Unique

We think of our written signature as being unique. It is ours, and even though it may change over time as we age, the basic form of the signature will not change unless something bad happens to our writing hand or our mind. Granting that an “X” or a stamp may in law also have represented our signature in the paper world, our written signature is essentially our unique way of saying, “I agree to this” or “I did this.”

Not so in the electronic world. Given the other characteristics listed above, you can have many different and perfectly valid signatures, just as many as you wish to sign up for. You can sign one document with one and the next document with an entirely different one.

An Example

Let’s say you are looking for a new home. You are on the road seven (7) days a week. Your real estate agent, who is really bright and computer savvy, talks you into getting a digital signature so that you can participate in the offer-counteroffer process from anywhere in the country. She also says you will be able to use the digital signature to sign your mortgage and other papers. You agree, but you are leery of your signature being misappropriated. When you sign up for the digital signature, you specify that the following statement be placed in the digital certificate:

“This signature is valid only for personal transactions involved in my purchase of residential real estate, the price of which cannot exceed $250,000.”

In this example you can distinguish components 4 through 7, which all limit the validity of the signature, and it is up to those who rely on the signature

  (1) to read the certificate to ascertain whether the digital signature is valid with respect to any contract being signed, and

  (2) to read the “Certificate Policy” of the Certification Authority to ascertain the legal limitations that apply to use of the signature.

Representing a Digital Signature on a Document to Be Recorded

A certificate is attached to all digital signatures. The certificate, which I think uses a standard called X.509, includes four tabs:

General

Details

Certification Path

Trust

The Details tab contains a number of fields. Two of these fields contain data that identifies the signer with enough specificity for a reader of the image of the document to determine how to obtain verification of the signature from the certification authority. This information can be placed in the signature area of the image of a signed document, as follows:

(1) Serial Number—This set of ASCII characters represents the serial number of the certificate in the system of the certification authority.

(2) Issuer—This is the name of the company that issued the certificate.

(3) Valid from/Valid to—The dates between which the signature was valid.

(4) Subject—This field contains various data. I suggest the following components be represented:

Email address

Signer name

Class of Signature (Coded differently by Digital Signature Trust than by Veri-Sign)

For example, here is how my signature would look at the end of a representation of an XHTML deed (data highlighted):

Warranty Deed

Parcel Identification Number: 1121-09-07800

This warranty deed, made this 28th day of July, A.D. 2001 by Carl R. Ernst, herein called the grantor,

to Abel Ortiz, a married man, as tenants in common, whose address is 123 SW 8th Ave., Kissimmee, FL 35345, and Suzy Ng, whose address is 124 SW 8th Ave., Kissimmee, FL 35345, herein called grantees.

The grantor grants to grantees certain land situate in Trinity County, State of California, viz:

[Legal description here]

In witness whereof, grantors have signed and sealed these presents on the date given above.

This deed has been signed using the digital signature of the grantor and the notary public. The following information is taken from the digital certificate of the grantor:

Issued to: Carl R. Ernst

Issued by: Verisign Class 1 CA Individual Subscriber-Persona Not Validated

Valid from: 2/1/2001 to 2/1/2002

Serial Number: 1FCE 8EE1 5AA1 857A 9A04 7BF0 0C5E CA20

Email:

[Date and time signed]

State of California

County of Trinity

The foregoing was acknowledged before me on July 28, 2000 by Carl R. Ernst, who proved their identification to me:

[Digital Signature of Notary Here]

Official Notary Seal of
Rhoda Ronson
Notary Public, State of California
Commission #123456
Commission Expires April 3, 2001
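The certificate block printed in the deed above is read straight from X.509 fields, and a relying party's first check is the one component 4 (Time Limitation) calls for: that the document was signed inside the certificate's validity window. The following Go program is an added example, not part of this article or of any issuer's software; it constructs a hypothetical certificate in memory (the issuer name "Example Class 1 CA (constructed)", the key pair and the address signer@example.invalid are all made up) using Go's standard crypto/x509 package, renders the fields listed above, and checks the deed's signing date against the validity period.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed X.509 certificate in memory (hypothetical issuer, key and email).
func makeCert() (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Only the issuer's name is used; no chain building or revocation check is done here.
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Example Class 1 CA (constructed)"}}
	tmpl := &x509.Certificate{
		SerialNumber:   new(big.Int).SetBytes([]byte{0x1f, 0xce, 0x8e, 0xe1}),
		Subject:        pkix.Name{CommonName: "Carl R. Ernst"},
		EmailAddresses: []string{"signer@example.invalid"}, // SAN, where current certs carry email
		NotBefore:      time.Date(2001, 2, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:       time.Date(2002, 2, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse: read the fields as a relying party would
}

// signatureBlock renders the Details-tab fields the article proposes to print under the signature.
func signatureBlock(c *x509.Certificate) string {
	email := ""
	if len(c.EmailAddresses) > 0 {
		email = c.EmailAddresses[0]
	}
	return fmt.Sprintf("Issued to: %s\nIssued by: %s\nValid from: %s to %s\nSerial Number: %X\nEmail: %s",
		c.Subject.CommonName, c.Issuer.CommonName,
		c.NotBefore.Format("1/2/2006"), c.NotAfter.Format("1/2/2006"), c.SerialNumber, email)
}

// signedWithinValidity: relying-party check for component 4, signing time inside the validity window.
func signedWithinValidity(c *x509.Certificate, signedAt time.Time) bool {
	return !signedAt.Before(c.NotBefore) && !signedAt.After(c.NotAfter)
}
```

For the deed's date of July 28, 2001 the check passes; for a signing date after February 1, 2002 it fails, which is exactly the question a recorder or title examiner must be able to answer from the printed block years later.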

© 2001-2003 Carl. R. Ernst, Ernst Publishing Co., LLC

[1] As I begin to write about digital signatures, some will get the idea that I am some sort of Luddite who wants to stand in the way of progress. That is just the opposite of my position. I have been involved in automation since my days at IBM starting in 1965. Rather, with respect to digital signatures and related issues, I believe that there has not been a full and frank discussion, as the politicians would say, of the characteristics and limitations of electronic documents and digital signatures. As a consequence, I believe long-term changes in the underlying infrastructure of the land recording system in the United States should not be irretrievably committed to until that full and frank discussion has led to consensus within the governmental, legal, business, and consumer communities. In the meantime, I applaud the initiatives taken to try out the new technologies.

[2] I obtained a digital signature from the second in 2001 and 2003, and attempted in 2001 to obtain one from the first of these companies. It is an interesting experience.

[3] Authentication means you are who you purport to be.

[4] Non-repudiation means you can’t take back what you signed.

[5] See a version of that article at the end of this one.

[6] It is arguable that fundamental principle 2, that the acknowledgement is taken by a government official, does not take place when obtaining a Class 3 digital signature because the notary public is not acting on her own but as an employee of the issuer of the digital signature. Notaries public are by law supposed to act on their own behalf, not on behalf of a commercial entity.