Posted January 26, 2001 - 6:51 pm
We can now take for granted the notion that electronic signatures, under U.S. law, may be as legal and binding as the pen-and-paper variety. The new Electronic Signatures in Global and National Commerce Act has removed legal impediments to potential acceptance of various electronic techniques for signing commercial contracts and other agreements.
Now the critical issue is not whether electronic signatures are valid, but whether any particular electronic signature technology or procedure can withstand real-world legal challenges. There is no legal precedent for digital signatures, and a body of relevant case law will take several years to build. We should be avidly putting our new "cyber-Hancock" law into practice, but instead the more cautious legal advisors are urging us to take it slow and steady.
But it would be absurd for us in the private sector to wait a generation or two, deferring electronic signature implementations until lawyers and judges make up their collective minds on the matter. Besides, the legal community is waiting for us to make the first move, try out various approaches, and come forth with real-world test cases. The new law gives us free rein to continue developing digital signature technologies, based on legislators' desire to let the free market set its own standards in this fast-changing area.
That's why, for example, the new law uses the generic term "electronic signatures" rather than the more specific "digital signatures." The latter term would imply that the correct, government-sanctioned approach involves use of such existing technologies as public-key cryptography, X.509 certificates and the Digital Signature Algorithm. These technologies may be perfectly suited to the task but are not necessarily, in their current forms, the final word on the subject.
One of the law's core principles is the U.S. government's desire to "permit parties to a transaction to determine the appropriate authentication technologies and implementation models for their transactions, with assurance that those [approaches] will be recognized and enforced." A good place to start experimenting with digitally signed transactions is in today's business-to-business trading communities. Those communities come in myriad forms, ranging from electronic marketplaces to traditional extranets. What they all share is reliance on binding legal contracts that define roles, responsibilities, terms, conditions and risks for participants. There's nothing stopping an e-marketplace operator from implementing a digital signature approach for transactions in its environment, as long as the community's membership agreement describes that approach, and participants assent to it by signing the membership agreement - an act that may represent a participant's only pen-and-paper signature in the community. On commercial contracts in these communities, legally binding digital signatures would be whatever the members have agreed to accept, cognizant of the risks and without regard for whatever signing technologies and practices are accepted in other e-marketplaces.
Digital signatures deliver critical authentication, tamperproofing and nonrepudiation services for legally enforceable transactions, so it's only a matter of time before they're adopted everywhere in the business-to-business arena. But it's doubtful that many business-to-business trading communities will rush to implement digital signatures without a flexible, general-purpose standards framework for applying and validating signatures on electronic documents. Fortunately, the standards community is well along in defining such a framework: XML Digital Signatures (XML-DSig). XML-DSig is a set of draft specifications that has considerable industry support where it counts: early vendor implementation and ongoing interoperability testing.
What's most important, the XML-DSig framework is application-independent and supports signing of any content type, XML or non-XML, as long as that content can be addressed across the Internet, extranet or intranet via uniform resource identifiers (URI). XML-DSig defines procedures for binding cryptographic signatures to one or more URI-addressable local or network resource and for validating those signatures. XML-DSig also specifies an XML syntax for defining signature blocks that can be embedded in all content types.
We will start to see commercial implementations of XML-DSig early next year. During this time frame, the World Wide Web Consortium and Internet Engineering Task Force, which are jointly shepherding the XML-DSig initiative, are expected to finalize and then ratify the standards. The XML-DSig initiative won't directly address any of the thorny cultural, commercial and legal issues surrounding the notion of electronic signatures, but it will help to clarify the technical contours of the "generally accepted signing practices" that we may begin to take for granted in a few years.