Booz Allen Hamilton
Email This Page

Resource Center 

Electronic Signature Terminology

Approval:

The presence of signature on a record indicating that the signer approves or authorizes the record under the terms stated. For example, contracts, agreements or transactions cannot be effected until signed. Examples include signing a bill to law, endorsing a check, signing for delivery or signing a credit card receipt. (“The case of the invisible ink”, Meridien Research, 2000)

Authentication - Data:

Data authentication is the process of verifying the information contained in a signed document to ensure that it hasn’t changed since it was signed. In traditional business processes, this involves scanning or reading the document. In the electronic world, this is often done automatically upon opening the document. Some solutions will visibly invalidate the electronic signature(s) contained within the document if an unauthorized change to the content or the signer’s credentials is detected.

Authentication - User:

User authentication is the process of identifying an individual and ensuring that the person is who he or she claims to be. In traditional business processes, this involves verifying the person’s unique credentials, such as passport, driver’s license or social security number. In information security systems this entails verifying the person’s username and password, digital certificate or biometrics.

Biometrics:

Biometrics is a form of user authentication, consisting of unique physical characteristics, such as fingerprints, iris scans, retinal scans, digitally captured handwriting, speech, DNA, or any digital information that can be linked to a specific person’s biological information. (Gartner Research, 2003)

Business Process Automation (BPA):

A wide range of applications designed to automate, streamline and / or optimize one or more specific tasks which comprise a business process. This might be straightforward workflow or collaboration products with somewhat universal applicability (e.g. document creation). More often, these are applications designed around a specific vertical, such as FDA approval or mortgage origination. (Redwood Capital, 2005)

Business Process Management (BPM):

Software products which map, organize and orchestrate business activities by defining the processes used to achieve specific business objectives. The major difference between BPM and other types of enterprise software lies in defining the process at the heart of business activity. By its nature, BPM is concerned not only with defining and “templating” of processes across functional silos but also by the management of changes to those processes. (Redwood Capital, 2005)

Ceremony:

The act of signing considered symbolic of the legal impact of the record being signed. It makes legitimately signed records “official” where the signer is responsible for his or her role in the contract or agreement. For example, signing a document is the final act of the agreement and serves as proof that the agreement took place and was finalized. (“The case of the invisible ink”, Meridien Research, 2000)

Digital Certificates, PKI and Certificate Authorities:

When digital signature technology is used to authenticate a particular individual, that individual’s public key is digitally signed with another private key to secure his / her identity. This process produces what is known as a digital certificate, which can be issued and managed in two ways: it can be self-issued, or issued through a public key infrastructure (PKI).

A self-issued certificate, also known as a self-signed certificate, is produced when an individual signs his/her own certificate. The equivalent of a handwritten signature on paper, a self-signed certificate means the bearer alone can vouch for the authenticity of his / her identity. In these cases, verification of that identity occurs directly between the individual in question and the other parties involved in the transaction. Once approved, subsequent use of the individual’s digital certificate can be trusted.

While self-issued certificates are the easiest to implement and manage, digital certificates can also be issued and managed using a PKI consisting of servers, databases, cryptographic applications and policies. The PKI ensures that digital certificates are used under the sole control of an issuing organization, and can be revoked or suspended at a later date if an individual’s status changes. Digital certificates using PKI can be issued and managed by a central person or department within an organization, or by a trusted third party known as a Certificate Authority (CA) who assumes the liability of vouching for an individual’s identity.

Digital Signature:

Digital signature technology is the foundation of a variety of security, e-business and e-commerce products. Based on public/private key cryptography, digital signature technology is used in secure messaging, public key infrastructure (PKI), virtual private networks (VPN), web standards for secure transaction, and electronic signatures.

Public / private key cryptography encrypts and decrypts data through the unique pairing of public and private keys. Private keys are kept secret and stored in a protected environment, such as a smart card or in a password-protected file on a PC, whereas public keys are housed in publicly-accessible directories for use in decrypting messages. Digital signatures verify the origin of digitally signed data using a public key to confirm that the data was encrypted with a private key. When combined with a hashing algorithm, digital signatures can also verify the integrity of the data.

Contrary to what its name may suggest, digital signature technology alone does not enable individuals to sign electronic data with the same effect as a handwritten signature. For this to occur, digital signature technology must be incorporated into a process that reproduces the basic elements of a handwritten signature. Such elements include that the signature be unique, verifiable, and under the sole control of the signatory. The process must also be able to authenticate signed data and effectively capture a signer’s intention to agree to or be bound by the data that was signed.

Digital Signature Standard (DSS) in U.S. (1994):

In the U.S. the National Institute of Standards and Technology (NIST) defined the DSS for use by all federal departments and agencies to sign unclassified electronic documents. The digital signature algorithm (DSA) was originally proposed by NIST with a fixed 512-bit key size. After much criticism that this was not secure enough for long-term security, NIST revised DSS to allow key sizes up to 1,024 bits. DSA is used in ANSIX9 and, at present, remains the U.S. government standard. DSA and DSS are also used by some large multinational corporations based in the U.S. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

Digitized Signature:

A digitized signature is an image of a person’s handwritten signature saved as an electronic file. The signature image can be captured by signing an electronic pad or by scanning the signature from a paper document. A digitized signature alone is not considered secure because it is not in the sole possession of the person it belongs to. Just like any other type of image file, a digitized signature can be easily copied and pasted into other documents without the person’s consent.

Electronic Approval:

An electronic approval is a process built on top of electronic signature technology that enables complex, business processes to be replicated electronically.

In the electronic world, an electronic signing solution must provide more than signing and data authentication capabilities. It must also manage and automate signature approvals as part of an entire authenticated, business approval process.

Approval processes vary widely by industry as well as by company. Some processes are simpler than others and only require a single signature to approve a piece of information. Others require multiple signatures and a number of steps to review, modify, add, and individually approve information contained in one or more documents.

The nature of the documents can vary from a letter to a multi-part form, and from a folder containing various documents to a simple signature sheet. Some approval processes give specific signatories the authority to make changes to a previously-signed document, while others require that documents be signed using a signing hierarchy.

The complexity of these different approval processes is increased each time new signatures and data are added to the originally signed document. Electronic approval solutions maintain the authenticity of documents and data as they move through complex, business processes through support for advanced signing features.

Electronic Process Signature™

An Electronic Process Signature is a new form of electronic signature technology developed by Silanis for Web-based transactions and electronic document automation. It captures and stores the entire web sequence of events and content involved in a transaction including the review, signing, acceptance and delivery of documents. The resulting stored Electronic Evidence is linked to the final transaction documents that have signed and/or delivered by an electronic document automation system. The Electronic Evidence can then be used to reliably and accurately reproduce the transaction exactly as it occurred and demonstrate compliance in legal, regulatory or internal proceedings.

The Electronic Process Signature technology can be used with any form of electronic signature in a web-based application to create its Electronic Evidence. This includes Zero-client click-through, holographic signature capture devices, and digital certificates and credentials.

Electronic Signature:

An electronic signature is a process built on top of digital signature technology that reproduces the elements of a handwritten signature, captures the signer’s intent, and authenticates signed data.

First, it combines the cryptographic functions of a digital signature with the image of a person’s handwritten signature or some form of visible mark that would be considered acceptable in a traditional signing process. Just as in a paper-based process, the image of the signature contained in the electronic signature is what visually demonstrates a person’s consent, understanding, and/or responsibility towards a document’s contents. Consequently, when capturing a person’s intent, an electronic signature has the same visual and cultural effect as a handwritten signature.

Second, an electronic signature authenticates data. Using a hashing algorithm, it permanently links the act of consent embodied by the signature to the exact contents of the signed document. Each time the document is opened, an electronic signature automatically verifies and detects whether data has been changed since the document was first signed. If a change is detected, the previously applied electronic signature is invalidated.

Third, an electronic signature provides secure user-authentication by permanently referencing a person’s digital certificate within the signature file.

PC Magazine Definition of Electronic Signature

Extensible Markup Language (XML) Digital Signature Standard:

In February 2002, the World Wide Web Consortium (W3#C) recommended XML Signature, a standard developed with the IETF – and announced in 2000 – as a means of verifying electronic signatures used for XML transactions. The XML signature is designed to work with both the Internet and election markup language (EML). The XML Digital Signature Standard associates data cryptographically with a key and provides authentication and integrity. The standard defines signature quite broadly to encompass not only what is generally considered to be an e-signature but also to include symmetric authentication codes and biometric-based authentication. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

I Agree Button:

A button located within the flow of information and presented on a web page that is labeled “I agree”, “Approve” or “OK”. By clicking on the button, a person demonstrates that they are agreeing to something specific on the web page. For the event to be legally enforceable or auditable, a secure link between the person, the information being approved, and an audit trail representing the act of approving (who, what, where, when and how) would have to be created through the use of electronic signature technology. Further, the audit trail would have to be stored as part of, or linked to, the record in a secure and permanent manner.

Intent:

The intent to agree to or comply with the content of the document or nature of the transaction. The very process of creating the electronic signature is what is known legally as an “affirmative act” making clear to the signer that the signature is a legal agreement. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

Mark or Representation:

A mark or representation unique to the signer that becomes an integral part of the document, transaction or record. This signature should identify clearly what is being signed and be attached in such a way that the signer is associated with the document. The signature should be generated from information in the secure, sole possession of the signer. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

PKI in Electronic Approvals:

A Public Key Infrastructure is a security system used to issue and manage digital certificates.

Electronic approvals can embed or reference a digital certificate and private key in its signing tool. Consequently, when used to sign a document, the resulting electronic signature contains the signer’s digital certificate.

Pretty Good Privacy (PGP) Model:

The PGP Web trust model does not have certification authorities or root authority. Instead, it relies on a small community of users who have regular contact and who “introduce” other users based on some level of trust. The model is difficult to incorporate in large-scale operations and has not been fully accepted beyond local user communities. Many people like to add their PGP public key to business cards, stationary and e-mail. A niche solution, PGP fails as a viable, scalable alternative to the X.509 standard. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

Secure Electronic Transaction (SET) Certificates:

At times, knowledge of an individual’s identity is unnecessary and may be undesirable. SET protocol certificates are issued to cardholders and merchants. Similar to credit cards, they do not identify the bearer, only the bearer’s credit line and history. SET uses digital signature technology to provide extra security to the transaction by authenticating the relationship of a public key to an account number, and not by identifying an individual. SET has not been widely accepted, with only pockets of use in Europe and elsewhere in the word, and essentially no use in the U.S. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

Secure / Multipurpose Internet Mail Extensions (S/MIME):

Multipurpose Internet Mail Extensions (MIME) is the official proposed standard format for extended Internet electronic mail. The S/MIME protocol adds digital signatures and encryption to Internet mail. Internet e-mail messages consist of two parts: the header and the body. MIME defines how the body of an e-mail message is structured. While MIME itself does not provide any security services, S/MIME defines security services, following the syntax given in PKCS #7 for digital signatures and encryption. Internet Engineering Task Force (IETF) has published a set of documents describing S/MIME version 3. S/MIME has been endorsed by a number of leading networking and messaging vendors. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

Verification:

Verification that the mark or representation is indeed that of the signer for non-repudiation and to avoid fraud, forgery and impersonation. In the most secure e-signature applications, this verification is accomplished through matching the e-signature against a known piece of authentic information. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

X.509 Digital Certificates:

A chain of trusted third parties is required to permit consumers and vendors to do business globally. Each entity in the chain is called a “certificate authority”. The certificate authority’s function is to certify that a particular key belongs to a particular individual or entity. The root certification authority is the original certificate authority. This certification authority – along with all the subsidiary certification authority-issued certificates – is transferred along the X.509 trusted hierarchy path when and individual signs a document. (“E-signatures – Digital and Electronic: Technology Overview”, Gartner Research, 2003)

For more information on this topic, please contact Silanis.