Schneier: Why Digital Signatures are not Signatures (was Re :CRYPTO-GRAM, November 15, 2000)

[Lynn.Wheeler at firstdata.com]

there are issues about authentication ... like conceptual frame-works of
something you have, something you know, and something you are. it is possible to
put together digital signature authentication technology/frame-works involving
digital signature that are dependent on one or more pieces of 3-factor
authentication.

legal "signatures" as indication of intent have involved issues like counterfeit
and understanding (and various regulations about font-sizes, wording, different
expectations about prudent person, etc).

a digital signature, once executed is a lot harder to counterfeit (compared to
various written signatures) ... however there is much less direct correlation
between intention and the act of executing a digital signature. digital
signature in conjunction with various process that can proove that every digital
signature executed was directly dependant on various combinations of 3-factor
authentication (for each and every digital signature executed) attempts for a
tighter correlation and demonstrate some degree of actual binding (between
intention and signature execution).

however, they also introduce new technology challenges ... there is now a
significantly wider gap between the presentation of the information that a
person may be agreeing to ... and the actual representation that is involved in
executing digital signatures.

paper documents also have had the advantage that the presentation of the
information and the signature application is nearly identical technology ....
much closer binding between the representation of what is being agreed to and
the method of indicating that agreement.

There are not a whole lot of cases where as the person is using a pen to sign a
specific piece of paper ... that the pen can wonder off and sign a totally
different piece of paper (like radar getting week-end passes signed in the MASH
show).

So the understanding issue pretty much stays the same in both environments
(digital signature and paper signature) ...  digital signatures (in conjunction
with the appropriate authentication framework) can reduce the instances of
counterfeit signatures being applied to documents ... but also opens up the
instances where what a person is presented isn't necessarily what the person is
signing.

So one issue might be ... all other factors being equal ... is the magnitude of
any counterfeit reduction significantly greater than the increase in the "what
you see is what you sign" problem and the "did the person actually
intend/confirm that particular signature" problem.







"Paul Kierstead" <paul.kierstead at alcatel.com> on 11/17/2000 06:09:02 AM

Please respond to paul.kierstead at alcatel.com