Why Digital Signatures Aren’t Enough

Five years have passed since the E-Sign Act was enacted. Millions of dollars have been spent on PKI and other related security technologies. The deadline for meeting the Government Paperwork Elimination Act has come and gone. Yet the majority of agencies still fall back on paper each time a signature is required in a document.

The simple reason for this is that digital signatures aren’t enough. While the technology authenticates the origin and integrity of data, an application must be developed on top of it to make it usable in daily DoD signing processes and to ensure that it reproduces the same force and effect as its ink counterpart. Digital signatures, therefore, are only one part of a secure, electronic signing solution.

The more complex reason is that signing is only one part of an entire stream of activities that take place before and after a typical decision-making process. Understanding what those processes are in detail and what is required to support them in an electronic environment is key to a successful deployment.

The Building Blocks

To better illustrate why an application must be developed on top of digital signatures, one must first understand what signing is in the first place and the role that security technologies play when bringing signatures online.

Signing is the expression of the intent to approve, authenticate or agree to information. As such it requires a specific action on the part of the signer, such as adding a handwritten signature to a document or entering a private password.

For an electronic signing process to have the same force and effect as a handwritten signature, it has to reliably capture and reproduce that intent, while also ensuring that the process complies with applicable laws, regulations, standards and policies. This is what is known as an electronic signature.

Security, on the other hand, makes the electronic signature safe from tampering, forgery or misrepresentation. Security is applied at various points to: 1) protect the integrity of and access to signed documents, and personal or confidential information they may hold, and 2) authenticate the identity of the person involved in signing, receiving or accessing the documents.

Many security products use digital signature technology at their core, including PKI, smart cards, and off-the-shelf electronic signing applications. Based on public/private key cryptography, digital signature technology encrypts and decrypts data through the unique pairing of public and private keys. Private keys are kept secret and stored in a protected environment, such as on a smart card, PKI environment, or password-protected file on a PC, whereas public keys are housed in publicly accessible directories for use in decrypting messages.

Contrary to what its name may suggest, digital signature technology alone does not enable individuals to sign electronic documents with the same effect as a handwritten signature. However, when incorporated into a process that captures signing intent, it ensures that electronically signed documents are auditable and legally enforceable.

When it is used to authenticate users, such as with PKI and smart cards, it provides a high level of identity assurance. And when used with biometrics, it eliminates the need to remember passwords.

Making It Work

Replacing wet-ink signatures with their electronic equivalent, however, requires more than just capturing intent and authenticating users and data. Because signatures and documents touch every part of the DoD’s decision-making processes, an electronic solution must also manage and automate signatures as part of an entire authenticated business approval process. Understanding one’s workflow and technology requirements in detail is key.

Documents are created, routed, reviewed, corrected, signed, and archived. Often parallel orders are given, resulting in the generation of multiple documents that then need to be reviewed and signed by multiple task forces and users.

In addition, electronic documents and signatures are expected to work in a myriad of file formats and IT systems while providing features unavailable with paper, such as the secure automatic transfer of document data to other data management systems. This adds tremendous complexity to the process.

To add even more complexity, DoD processes are governed by laws and policies that agencies must comply with, regardless of whether the process is on paper or in the electronic world. (For example, a requisition over $10,000 requires approval from three authorized individuals in a particular sequence.) Not only do compliance requirements determine how documents are created, routed, presented, signed, delivered and stored, but agencies must also demonstrate their compliance through auditable and reliable business records.
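The three-approver rule above can be expressed as a check that sits on top of the signature primitive. The following Go code is an added example, not part of the original article or of any product it describes: each approver signs the document hash, an intent statement and the previous approver's signature, and a separate policy function enforces who must sign and in what order. The choice of Ed25519, the approver names, the intent wording and the requisition text are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

const Intent = "I have reviewed and approve this requisition" // constructed wording

// payload is what each approver signs: document hash, intent, previous signature.
func payload(doc []byte, prior [][]byte) []byte {
	d, prev := sha256.Sum256(doc), []byte(nil)
	if n := len(prior); n > 0 {
		prev = prior[n-1]
	}
	return append(append(d[:], Intent...), prev...)
}

// Approve countersigns the chain so far and appends the new signature.
func Approve(chain [][]byte, doc []byte, key ed25519.PrivateKey) [][]byte {
	return append(chain, ed25519.Sign(key, payload(doc, chain)))
}

// Check is the policy layer: chain[i] must be a valid signature by order[i].
func Check(doc []byte, chain [][]byte, order []string, keys map[string]ed25519.PublicKey) error {
	for i, who := range order {
		if pub := keys[who]; len(chain) != len(order) || len(pub) != ed25519.PublicKeySize ||
			!ed25519.Verify(pub, payload(doc, chain[:i]), chain[i]) {
			return fmt.Errorf("step %d: no valid approval from %s", i+1, who)
		}
	}
	return nil
}

// Demo checks an intact chain, a reordered one and an altered document (all constructed).
func Demo() (intact, reordered, altered error) {
	doc, order := []byte("requisition: $12,500"), []string{"requester", "supervisor", "comptroller"}
	keys, chain := map[string]ed25519.PublicKey{}, [][]byte{}
	for _, who := range order {
		pub, priv, _ := ed25519.GenerateKey(nil)
		keys[who], chain = pub, Approve(chain, doc, priv)
	}
	swapped := [][]byte{chain[1], chain[0], chain[2]}
	return Check(doc, chain, order, keys), Check(doc, swapped, order, keys),
		Check([]byte("requisition: $99,500"), chain, order, keys)
}

func main() { fmt.Println(Demo()) }
```

The reordered chain is rejected even though every signature in it is genuine, because each signature also covers the approval that preceded it.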

Simply looking at where the signature plugs into a document results in incomplete requirements and an underestimate of the cost, resources and timelines needed to properly implement a paperless process. Agencies then run the risk of not complying, with the ramifications that go with it.

A successful implementation, on the other hand, will consider all aspects of the process where documents, delivery and signing take place in order to achieve end-to-end automation.