Digital signatures gain support
- 17 November, 1997 22:00
It may not yet be true in other places, but if you live in Utah, digital signatures on electronic documents are just as good as ink signatures on paper.
Amid some hoopla, Utah will declare tomorrow "Digital Signing Day" as its governor, Michael Leavitt, issues a digitally signed electronic proclamation to that effect. Utah will announce that Zion Bank is the first organisation certified under state rules to issue public-key digital certificates. Using this technology, individuals can create electronic signatures that will be recognised in a Utah court.
"It all means that Utah says a digital signature is as good as a paper one," says Alan Asay, legal vice-president at CertCo LLC. CertCo's certificate authority (CA) management product passed inspection in Utah and is being used by the state and Zion Bank.
Public-key digital signature technology, which lets users "sign" documents electronically, is gaining ground as state governments and Congress begin to insist that a digital signature should be considered as valid as a paper-based one.
Zion Bank had to meet Utah's CA rules for financial soundness and secure operation.
In varying degrees, other US states also are on the way toward adopting digital signatures, says Asay, pointing to Washington, California, Minnesota and Illinois, in particular. Germany and Malaysia, he says, also are taking their own approach to legalising digital signatures.
However, there is no comprehensive US national law recognising digital signatures as legally valid. This is true even though over two years ago the National Institute of Standards and Technology adopted a public-key technology called the Digital Signature Algorithm as the nation's official Digital Signature Standard.
Some representatives in Congress are signing on to digital signatures. Representative Anna Eshoo (Democrat-California) and Representative Billy Tauzin (Republican-Louisiana) have introduced legislation in the House that would instruct federal agencies to convert paper-based documents to electronic form within two years. People then could send government-required paperwork electronically, signed with a digital certificate.
There is a widely implemented digital certificate standard called X.509 Version 3 that can be used to sign and encrypt electronic documents. As yet, there is no standard that lets client/server-based CA products run validation checks or cross-certify each other's X.509 certificates.
That is changing. This week the Internet Engineering Steering Group (IESG), the leadership of the Internet Engineering Task Force (IETF), will vote to make a specification called "Public-Key Infrastructure X.509, No. 3 (PKIX-3)" a proposed standard.
PKIX-3, which looks like an easy win in the IESG ballot, will foster cross-certification of X.509 certificates, says Jeff Schiller, director of network services at the Massachusetts Institute of Technology and the IETF Area Security director.
"For one thing, PKIX-3 will be important because it will make sure browsers work properly together with certificate authorities out there, like VeriSign," Schiller says.
More than a dozen vendors that either make CA software or provide CA services, including Entrust Technologies Inc., Hewlett-Packard Co. and Entegrity Inc., will rally around PKIX-3 next week.
Entrust, claiming to be the chief architect of PKIX-3 at the IETF, says the proposed standard will promote electronic commerce. This is because corporations using different CAs will, for the first time, be able to cross-certify each other's certificates.
"Customers are now going to get maximum utility out of their certificates in their trading-partner relationships," says John Ryan, Entrust president and chief executive officer.