Seeking a Practical Guide to Digital Signatures?
ScuzzMonkey asks: "I work for a small company trying to streamline some business processes in Washington State. As a part of this initiative, we're considering implementing a 'paperless' contracts system. In order for this to work out, on our end, we need a legally acceptable method of electronically signing the contract documents that we receive via fax from our sub-contractors (at this time, they will still be signing manually; this may eventually move to e-mail and digital signatures on their end as well as they become more capable of dealing with us on that level). On the face of it, this seems pretty straightforward. I set up some sort of certificate or some such for our employees responsible for signing these documents, and they simply review the TIFF attachment that comes in from the fax software and 'sign' it with their digital signature via a selected program. With the passage of the E-Sign Act (PDF) in 2000, it seems like this should be every bit as solid in court as a written signature. But while I've been able to find quite a lot of information on the web about the theoretical ramifications of this law, there's not much on practical implementations. What sort of software should I use? Do I need a third-party issued certificate? If so, do I just need one for the company, or one for each signer? What certificate authorities would you recommend? Do some certificates work with some software but not other software? What about this program from the state? Has anyone done this successfully yet? Any other stumbling blocks I should be aware of here, either legal or technological?"
Paperless office is what Notes is all about.
Two points, though:
It's expensive, but very secure
The FAX solution is an add on product offered by many vendors.
Your best path, especially if you have no Notes experience, is to get a consultancy (IBM could recommend you one) who has done this before to give you a proposal which you can then compare to alternate non-Notes solutions.
Fnord! Any sufficiently undocumented code is indistinguishable from magic.
The problem is that you can't keep those keys in a secure server watched 24/24 by armed guards --- you must hand them out (or hand a key to a key to a key) to the actual humans who will have to use them, and there you have a weak link in your security chain: how can you prove that the key can't be stolen? Or are you willing to be liable for anything signed with a stolen key?
Things can be enhanced by having some kind of physical key (a credit card or better, one of those small round things that you put in an actual keyring) attached to every person, to unlock his keys; usable only with his personal password at a secure desk within the walls of the company. The usual protections against Tempest are useful, to prevent anyone from stealing your passwords, etc.
If you find a cost effective way to manage digital signatures, you might find that you can make an awful lot of money selling the process to other companies, as part of streamlining their internal IT processes.
Just my .002 mg of gold worth.
-- Faré @ TUNES.org
Reflection & Cybernet
You obviously need to set up a PKI, which is neither cheap nor simple. Actually, it is simple to install and get running, but the administrative part of it is a pain if you want it to be legally binding. I set up the first production PKI in the federal government back in 1994, which is still up and running and providing digi-sigs for a procurement application. Today, you need two people to simultaneously badge in to enter or leave the room that hosts the CA, as well as two people to issue certificates (kinda like launching the nukes in the WarGames movie). If you want it to be totally standards-compliant, I'd suggest looking at Baltimore Technologies' offering. Entrust also has a fine product suite.
The legal challenge is in the Certificate Practice Statement and the Certificate Policy Statement. But there are many templates available on the web that you can use to get something going. Your goal is total non-repudiation. If it's implemented correctly, you'll have it.
I could go on and on about the topic, but don't have the time. I hope the limited input is of some use though.
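The mechanics behind the "one certificate per signer" question and the non-repudiation goal discussed above, as an added Go example that is not code from any poster or vendor: each employee signs the SHA-256 digest of the faxed document with their own key, so a verifier can tell which signer produced a signature and detect any later change to the document. The document bytes are a constructed stand-in for a TIFF attachment; certificate issuance and CA policy are outside this snippet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one employee's key pair. Per-signer keys, rather than one
// shared company key, are what let a verifier attribute a signature to a person.
type Signer struct {
	Name string
	key  *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for the named employee.
func NewSigner(name string) (*Signer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: k}, nil
}

// Public returns the key a verifier would obtain from the signer's certificate.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the document bytes (the faxed TIFF) and signs the digest.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify reports whether sig is a valid signature over doc for this public key.
// It fails if the document was altered or if the key belongs to a different signer.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := NewSigner("alice")
	bob, _ := NewSigner("bob")
	doc := []byte("constructed stand-in for contract-0001.tiff") // not a real fax
	sig, _ := alice.Sign(doc)
	fmt.Println("alice's key verifies:", Verify(alice.Public(), doc, sig)) // true
	fmt.Println("bob's key verifies:  ", Verify(bob.Public(), doc, sig))   // false
	tampered := append([]byte{}, doc...)
	tampered[0] ^= 1
	fmt.Println("tampered doc verifies:", Verify(alice.Public(), tampered, sig)) // false
}
```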
He makes some good points here: Why Digital Signatures Are Not Signatures