Digital Signatures
Summary
Many paper forms require a written signature to authenticate the person completing
the form, or to provide proof that they agreed to some service or purchase.
With electronic forms the electronic equivalent of a written signature is
called a digital signature. In 2000 digital signatures became a legally acceptable
way of 'signing' electronic forms in the UK and USA. In 2001, this was extended
across the whole of the EEC. Hence there is a growing call for support for
the use of digital signatures within electronic forms.
However, to be accepted a digital signature must be trustworthy, i.e. come
from the person you think it is from. This requires a trusted Authority to
issue the certificate in the first place, and to check the certificate when
it is used. Also the whole process of managing the issuing, revoking, and checking
of signatures is an expensive business. So it is being left to governments,
and/or the Finance Industry to set up as issuing Authorities.
There are also technical barriers to the use of digital signatures. One issue
is how to store the signature securely, but in a way that it can be easily
used. There is also the issue of how to actually use the signature to 'sign'
a form that has come across the Internet. Although these technical issues do
have some solutions, the costs of implementing them can be quite high. So in
general everyone is waiting for a de-facto mechanism to be introduced by whoever
becomes the major issuing Authorities before committing themselves to implementing
any particular solution.
As a result of the above issues it is expected that it will be many years before
solutions are in common public use across the Internet.
At Mandoforms, we understand that digital signatures are important to the
widespread use of many types of electronic form. As such we are committed to
complying with any standards that may come to apply to us in this area. However,
signing normally takes place after the Mandoform has finished. As such,
Mandoforms will today work out of the box with many
current commercial offerings. We hope to announce a reference site using one
such offering at the beginning of 2003.
Managing Digital Signatures
In order for a digital signature to be accepted by the person receiving it,
the recipient must trust that the signature does truly represent the person
it says it does. For this to happen the signature must have been created
and issued by someone that they trust. This Authority must be recognised
as having the necessary level of security in place to prevent signatures
being forged, or stolen, and being capable of validating that the person
asking for the signature to be issued really is who they say they are. Furthermore,
when a signature is used to sign something, the Authority must have facilities to
quickly check that it is correct, and has not been compromised, and return
a verdict to the recipient.
In general it is being left up to governments, and financial organisations
(e.g. consortia of banks) to set themselves up as Authorities capable of issuing,
revoking and validating digital signatures. These organisations have the right
level of public trust, and the deep pockets required to fund such systems and
more importantly the trusted and skilled staff required to run them. Indeed
many large organisations are already making plans to introduce such systems.
The only issue is the timescales that are involved, which are typically 5-10
years.
Within closed circles, or within individual organisations, trust can be more
easily established than with the general public. So these would appear to be
likely testbeds for their introduction. However, as well as the 'trust' factor,
digital signatures present a huge management task, and the tools, staff, and
general infrastructure required to implement such a system are typically very
expensive. Hence there are very few examples where digital signatures are being
used in anger today.
Using Digital Signatures
Creating and managing a signature is only part of the story. There is also
the issue of how it is stored, and how it can then be used. The main barrier
here is currently the cost of implementing solutions.
The main solution to date is to place the digital signature onto a physical
medium such as a SmartCard. This is issued just like a Credit Card, together
with an expiry date, and a PIN number (and/or fingerprint) to unlock the signature
when used. However, this requires a specialised card reader, and ideally every
PC and ATM would be equipped with a standard device to do this. But until they
are in general use, using such devices may incur high capital and support costs.
Once the signature has been transferred to a user's computer, there is the
issue of adding it to an electronic form (which is typically running within
a web browser), and then transmitting the signature, together with the form,
back to the server.
With Mandoforms the user completes the form in the usual way, and submits
it to the Mandoforms Server. A Server plugin is then used to send back a web
page containing a 'picture' of the entire form (typically as PDF or graphical
image). At this point everything else happens 'outside' of Mandoforms: 3rd
party signing software is used to sign the 'picture' of the form and send it
back to a 3rd party server where the signature is checked for validity. Finally
the form data is then typically saved together with the signature in a database.
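The flow described above, sketched as an added example (not Mandoforms' or any signing vendor's code): Node.js's built-in crypto module stands in for the 3rd party signing software and checking server, a plain-text rendering stands in for the PDF 'picture', and all names, keys and dates are constructed. It assumes the rendering is reproducible byte for byte, so that the saved form data can be checked against the picture that was actually signed.

```javascript
// Added example: every name, key and date below is constructed.
const crypto = require("crypto");

// Stand-in for a credential issued by an Authority: key pair plus expiry date.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const credential = { subject: "A. Example", publicKey, notAfter: Date.parse("2030-01-01") };
const revoked = new Set(); // subjects whose credentials have been revoked

// Server plugin step: turn submitted form data into the fixed 'picture' that
// gets signed. Sorting the keys keeps the rendering reproducible.
function renderForm(formData) {
  const lines = Object.keys(formData).sort().map((k) => `${k}: ${formData[k]}`);
  return Buffer.from(lines.join("\n"), "utf8");
}

// Signing software step: sign the rendered bytes with the user's private key.
function signPicture(picture, key) {
  return crypto.sign(null, picture, key); // Ed25519 takes no separate digest name
}

// What ends up in the database: form data, the signed picture, the signature.
function submit(formData) {
  const picture = renderForm(formData);
  return { formData, picture, signature: signPicture(picture, privateKey) };
}

// Checking step: credential status first, then the signature over the picture,
// then that the stored form data still renders to the picture that was signed.
// The signature covers only the picture bytes, so the last check is what ties
// the database row to what the user agreed to.
function validateSubmission(record, cred, now) {
  if (revoked.has(cred.subject)) return "revoked";
  if (now > cred.notAfter) return "expired";
  const ok = crypto.verify(null, record.picture, cred.publicKey, record.signature);
  if (!ok) return "bad-signature";
  if (!renderForm(record.formData).equals(record.picture)) return "data-mismatch";
  return "valid";
}

const demo = submit({ name: "A. Example", amount: "100" });
console.log(validateSubmission(demo, credential, Date.parse("2025-06-01")));
```

Real PDF or image renderers often embed timestamps or other varying bytes, in which case the last check has to compare extracted field values rather than raw bytes.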