HIDACC Apple Computer Club



This month is mostly just a quick filler (informative, but not fattening) to hold the place in the archives for the September letter.

In past months I provided information regarding "digital signatures" and this is the final piece on that subject. The President has signed the bill that authorizes the use of the signatures and they will be with us from now on.

From the 10 July 2000, Government Computer News

Agencies expect E-Sign law to spur e-gov

By CHRISTOPHER J. DOROBEK, GCN Staff

With a swipe of a smart card, President Clinton used the first digital certificate issued under a General Services Administration contract to electronically sign a bill that gives digital signatures the same stature as those scrawled with pen on paper.

The Electronic Signatures in Global and National Commerce Act, S 761, is not targeted at government specifically, but officials said the law will help agencies move toward an electronic government.

The E-Sign Act will broaden the overall use of digital signatures, making it easier to roll out e-government initiatives to the public, said Mary Mitchell, deputy associate administrator for electronic commerce in GSA's Office of Governmentwide Policy.

"It's really complementary more than anything" to other laws, such as the Government Paperwork Elimination Act, which requires that agencies put their activities online by October 2003 wherever possible, she said.

"Government agencies will have the authority to enforce the laws, protect the public interest and carry out their missions in the electronic world," the president said. "Just imagine, if this had existed 224 years ago, the Founding Fathers wouldn't have had to come all the way to Philadelphia on July 4th for the Declaration of Independence. They could have e-mailed their John Hancocks in," the president said during a signing ceremony at Congress Hall in Philadelphia near Independence Hall, where founders signed the Declaration of Independence in 1776 using a quill pen.

Sen. Spencer Abraham (R-Mich.) introduced the bill in May of last year, and members from both chambers helped draft the final bill. "This bill literally supplies the pavement for the e-commerce lane of the information superhighway" he said. "The bill revolutionizes the way consumers, industry and government conduct business over the Internet."

Clinton became the first and most prominent user of GSA's Access Certificates for Electronic Services program. He used a smart card that contained an ACES digital certificate issued by Digital Signature Trust of Salt Lake City. Clinton signed the law electronically by swiping the smart card through a reader on a PC and keying in his password, Buddy, the name of his dog.

Digital Signature Trust is the only one of the three ACES vendors that GSA has certified so far. AT&T Corp. and Operational Research Consultants Inc. of Chesapeake, Va., are working on their certifications.

Agency officials said they hope the law will break down some barriers to e-government.

Agencies have faced a conundrum when it comes to public-key infrastructure initiatives. There has been a bit of trepidation among agencies, especially about the legality of digital signatures, said Judith A. Spencer, director of the Center for Governmentwide Security for GSA's Federal Technology Service, which oversees ACES.

That concern has come despite GPEA and guidance from the Office of Management and Budget telling agencies they could use digital signatures [GCN, May 8, Page 3].

Although GPEA urges agencies to put activities online, the Justice Department has told some agencies they could not conduct transactions using an electronic signature because there was no case law to prove that such transactions were legal.

That created a catch-22 situation: Case law could not be developed because agencies were not allowed to conduct their pilot projects, said Patricia N. Edfors, director of government operations for Baltimore Technologies PLC of Baltimore.

During her tenure as chairwoman of the Public-Key Infrastructure Committee of the former Government Information Technology Services Board, several agencies expressed interest in conducting PKI pilots, Edfors said. Agencies were told that the legality of electronic signatures was questionable, which prevented them from proceeding, she said.

"This puts more meat on that," Spencer said. "I see [the bill] as an enabler."

The law addresses the issue of the legality of electronically signed transactions, said Keren Cummins, vice president of government services for Digital Signature Trust. "This really clears that up," she said.

The electronic-signature law will give agencies the protections they have needed to conduct electronic transactions, Edfors said.

Abraham said a uniform national framework of electronic-signature regulations would boost e-commerce. Standards vary from state to state, which hinders growth of electronic-signature technologies, he said.

The law primarily focuses on the private sector, but its provisions have implications for agencies, said Richard Guida, chairman of the PKI Working Group for the Chief Information Officers Council's Enterprise Interoperability and Emerging IT Committee.

The E-Sign law requires organizations that want to do business online to provide notice and offer consumers an opportunity to use traditional methods, Guida said. The act also requires that consumers agree to the use of digital signatures. Furthermore, it requires that the process be made clear so consumers understand it is legally binding, he said.

Proponents said they hope the law will spur development of an infrastructure that will let citizens use digital certificates easily. As electronic signatures become common in the private sector, the public will feel more comfortable using them for government services, said Tony Trenkle, director of electronic services at the Social Security Administration.


Also from the 10 July 2000 Government Computer News

What apps are out there to help you?

By PATRICIA DAUKANTAS GCN Staff

What's an electronic signature, and how do you make one? It depends. The category of electronic signatures encompasses a broad range of technologies, from cryptographic software to biometric scanners, with widely different security, complexity and cost.

The terms electronic signature and digital signature sound similar but don't mean the same thing. A digital signature is a specific authentication method involving encryption. Other types of electronic signatures use smart cards, biometrics or shared secrets such as passwords.

Some vendors offer software-only signature applications based on public-key infrastructure technology. Others use smart cards or other types of tokens, which store digital certificates away from a computer's hard drive.

Biometric technologies authenticate a signature based on some unchanging personal characteristic, such as fingerprint or iris patterns or the exact motions a person makes while signing.

Like the Pretty Good Privacy public-domain encryption program long employed to protect e-mail, PKI uses pairs of mathematically related public and private keys, said Richard Guida, chairman of the PKI Working Group for the Chief Information Officers Council's Enterprise Interoperability and Emerging Information Technology Committee. PGP, however, works on a hierarchical trust model in which users know each other, said Michael Laurie, vice president of alliances for Silanis Technology Inc. of Dorval, Quebec.

Unlike PGP, PKI requires the use of digital certificates issued by a trusted third party known as a certificate authority. Each certificate, usually 5K to 10K in size, contains its owner's name plus a public key. PKI puts a digital signature on a document by creating a 50-character alphanumeric "hash" unique to that document.

"It's like a fingerprint of that file," Guida said.

The software then encrypts the first hash using the document author's private key, Guida said. The encrypted, or signed, hash is called the digital signature.

These hashes are attached to the document and sent to the recipient, whose software decrypts the signed hash with the public key from the certificate authority. If the newly decrypted hash matches the original hash, the recipient can be confident that the document hasn't changed.

Even the slightest change would alter the hash and be immediately apparent to other parties. But for PKI to be useful, it must be incorporated into an application, Laurie said.

For example, when e-mail with an attachment is digitally signed, the software would hash and attach the signature on top of the entire e-mail. Once the attachment is separated from the e-mail and downloaded to the recipient's hard drive, however, it would lose the digital signature.

"In that sense, you have lost the ability to verify the integrity of the document," Laurie said.
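The hash-sign-verify sequence described above, and the detached-attachment problem Laurie describes, can be seen in a few lines of code. The following Go program is an added example for this newsletter, not code from GCN or from any of the vendors mentioned; it uses the Go standard library's RSA and SHA-256 routines in place of a commercial PKI product, generates a throwaway key pair rather than using a certificate from a certificate authority, and works on a constructed sample e-mail. The function and variable names (hashDocument, signDocument, verifyDocument, Demo) are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// hashDocument computes the fixed-length SHA-256 "fingerprint" of a document.
// Any change to the document, however small, yields a different hash.
func hashDocument(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// signDocument hashes the document and signs the hash with the signer's
// private key. The signed hash is the digital signature.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashDocument(doc))
}

// verifyDocument recomputes the hash of the received document and checks it
// against the signed hash using the signer's public key (in practice obtained
// from the signer's certificate). It returns true only when the two match.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashDocument(doc), sig) == nil
}

// Demo signs a constructed e-mail (body plus attachment) and reports whether
// verification succeeds for (1) the untouched message, (2) a message with a
// single character altered, and (3) the attachment after it has been
// separated from the signed e-mail.
func Demo() (intact, altered, detachedAttachment bool, err error) {
	// Hypothetical signer key, generated fresh; no real certificate is involved.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample e-mail: the signature is made over the whole thing.
	body := []byte("Please approve the attached purchase order.\r\n")
	attachment := []byte("PO-0001: 10 smart card readers @ $99.00\r\n")
	email := append(append([]byte{}, body...), attachment...)

	sig, err := signDocument(priv, email)
	if err != nil {
		return false, false, false, err
	}

	intact = verifyDocument(&priv.PublicKey, email, sig)

	// Change one digit of the quantity (10 -> 90): the hash no longer matches.
	tampered := append([]byte{}, email...)
	tampered[len(body)+len("PO-0001: ")] = '9'
	altered = verifyDocument(&priv.PublicKey, tampered, sig)

	// The attachment alone was never what was hashed, so once it is saved
	// separately the signature cannot be checked against it.
	detachedAttachment = verifyDocument(&priv.PublicKey, attachment, sig)
	return intact, altered, detachedAttachment, nil
}

func main() {
	intact, altered, detached, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact message verifies:      %v\n", intact)
	fmt.Printf("altered message verifies:     %v\n", altered)
	fmt.Printf("detached attachment verifies: %v\n", detached)
}
```

Running it prints true for the intact message and false for both the altered message and the detached attachment: the recipient's software can tell the document changed, but it cannot vouch for a piece of the document that was signed only as part of a larger whole. That is why, as Laurie says, the signing has to be built into the application that handles the document rather than bolted onto the e-mail around it.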

Silanis' $149 ApproveIt software ties the image of a physical signature with the act of digitally signing a document [GCN, Aug. 2, 1999, Page 24].

Users who want to dip into the e-signing pool can download a free Silanis application from the Web, at www.onSign.com, for digitally signing Microsoft Outlook 98 and Outlook 2000 messages or Microsoft Word 97 and Word 2000 documents.

But there is no trusted third party to administer such signatures. Anyone could fax any signature to the company for digitization without verification.

As important as the digital signature itself is an audit trail that proves the signer knew what was being signed and when it happened, said Kirk LeCompte, vice president of marketing and product management for PenOp Inc. of New York.

"It's the evidence attached to the document," LeCompte said.

PenOp's main product, the $169 PenOp Signature Series, provides two e-sign technologies. The user can sign on a digitizing pad or create a so-called signature stamp based on a password entry, voice recognition or fingerprint scan.

Communication Intelligence Corp. of Redwood Shores, Calif., has created a biometric application called Sign-On for handheld computers running Palm OS 3.3 or higher versions of the operating system or the Microsoft Windows Pocket PC OS. The $19.95 Sign-On captures the signature of a handheld device's user and requires it for log-on.

Among the smart card products available is NetSign from Litronic Inc. of Irvine, Calif. "It makes the digital signature capability more robust and easier to move from machine to machine," said Bill Holmes, Litronic's vice president of marketing.

The PKI-based NetSign stores users' private keys on a smart card rather than on a hard drive. System administrators can specify how many password attempts can be made with the smart card before barring further tries.

The $99 NetSign product includes one smart card, one reader, NetSign software and a voucher for a digital certificate from VeriSign Inc. of Mountain View, Calif.

Windows 2000 is ready to use smart cards and can detect a reader installed on a computer. PC makers are starting to integrate the readers into new machines, Holmes said.

Litronic also makes Profile Manager, a product for managing PKI and smart-card systems. Holmes said he recently went to a Microsoft Corp. smart card conference to demonstrate a proof-of-concept application combining an iris scanner with PKI and smart cards--three levels of authentication.

"What was really new was the integration of biometrics and PKI," Holmes said. "Very little work has been done in that area."

Litronic also is experimenting with fingerprint, voice and signature recognition, because different biometrics might be appropriate for different applications, Holmes said.

Cyber-Sign Inc. of San Jose, Calif., makes the Cyber-Sign signature recognition product that uses a pressure-sensitive digitizing tablet [GCN, May 10, 1999, Page 28]. The $850 Cyber-Sign stores a signature as a 3-D shape in which the third dimension represents the dynamic and presumably unique pressures the signer exerted on the pad.

AlphaTrust Corp. of Dallas provides a guaranteed electronic signature service for organizations that want to outsource a PKI e-signing system. The company also offers one- to three-year Digital ID certificates to individuals at a cost of $19.95 to $217.95.

Arcot Systems Inc. of Santa Clara, Calif., offers Arcot WebFort, a software-only PKI system that stores users' private keys in software tokens.

ILumin Corp. of Orem, Utah, recently announced a Digital Handshake system that allows multiple users to meet online in a virtual room where they exchange digital signatures to make a transaction binding.


I have learned that the USPS eBillPay web page at http://www.usps.com now has a FAQ link that provides the answers to some of the questions that we came upon in our discussion of the online bill paying service. Check it out...


That's all for now.

Until the next meeting, happy computing...

dc