Digital Signatures "Can" be Wave of the Future

Local governments might find the successful implementation and use of a PKI to be a major benefit.

September 30, 1999
Somebody once told me that the tin can was invented several years before the can opener. I don't know if that is true, but thanks to the rapid pace of technological innovation, we sometimes find ourselves looking at a wonderful, airtight, tin-can solution to a problem only to realize later we neglected to invent a can opener.

These days, digital signature technology is the tin can that will make electronic documents viable. All we need now are the laws, policies and business practices that will let us get to the soup inside. Fortunately, Washington, Massachusetts, Texas and the Social Security and General Services administrations, to name but a few, are working hard to invent a "can opener."

The signature has been the foundation of business and government transactions for thousands of years. However, the tools of government and commerce are changing. Bits and bytes are replacing pen and parchment. Information is being created, transformed and transferred more often and more rapidly than ever before.

Modern communication tools have created almost limitless opportunities to improve information flow and processes, but they have not eliminated the legal, cultural and practical need for tangible and lasting representation of commitment. Digital signatures are today's answer to that age-old need.

Digital signatures will someday give us the ability to routinely transact official business between government and the public over computer networks. Unfortunately, the political, legal and technical infrastructure necessary to support widespread implementation of such an open public-key infrastructure (PKI) seems to be several years away.

Right now, this technology can transform the way we do business amongst ourselves: government to government. How much time and money are spent within an enterprise like local government routing paperwork for signatures? The city of Tucson requires that some forms be routed between several geographically dispersed departments for review and signature. How much more efficient will operations be when we are able to fill out, route and sign our forms electronically?

Building the legal framework necessary to broadly implement digital signature technology has not been easy. Several of the bills dealing with digital signatures introduced in Congress in recent years have been designed to address specific concerns of factional interests and have not passed.

Certification Authorities

One philosophical question for states that have enacted digital signature legislation has been whether to license certification authorities. A summary of such legislation can be found at the McBride, Baker and Coles Web site. Certification authorities (CAs) are the legal entities responsible for ensuring the appropriate and consistent establishment of identity in the issuance of digital certificates.

A CA generates a matched set of electronic keys that correspond to a certificate and are necessary to digitally sign a document. Each set contains a public key kept in a publicly accessible electronic repository and a private key kept and protected by the individual.

Allowing a CA to become licensed -- licensure is optional even in most states that license -- is one way to help create trust in a PKI, the comprehensive system of laws, policies, practices and procedures necessary to create and exchange digital signatures. To complicate things just a bit more, a PKI can be either "open" or "closed."

An open PKI is one in which digital signatures are offered and accepted by people who have no significant knowledge of each other and no legal relationship besides the one created by the digital signature transaction. A closed PKI relies on business or contractual relationships that predate and could govern the relationship created by the digital signature.

Digital certificates issued by a CA can be used in three ways. First, they can establish identity. The certificate verifies that "I am who I say I am." Second, certificates can establish authority. The certificate validates that "I am the director of Information Technology for Tucson and, as such, I am authorized to transact business and legally bind the city in a specific fashion." Third, certificates may be passed electronically between computers to confirm they are what they appear to be.

This electronic exchange and verification, known as server certification, is especially important as governments look toward accepting electronic payments. Before I send my credit-card number over the Internet to pay a fee or fine, I want to know that I am dealing with the appropriate government computer, and not one masquerading as such. These computer impostors are known as "spoofers."

Using digital signatures is not a complicated process and the technology is relatively easy to implement. The first thing is to establish a "closed PKI" limited to the government enterprise. A basic PKI framework has been defined and can be tailored to meet the needs of the enterprise. In states where digital signatures are not yet a legal alternative to pen-and-ink signatures, early implementation can focus on replacing signatures required as a matter of policy rather than law.

The use of server certification for our Internet sites is another reasonable step for local government to take now. The move toward electronic service delivery and our ability to accept electronic payment depend on our ability to establish trust with those who use our systems. Accepting electronic payment of fees, fines and even utility bills has the potential to greatly reduce processing costs for city government. More importantly, it has the potential to greatly improve the service received by our businesses and citizens. Server certification can be accomplished by individual jurisdictions installing the necessary software or, more efficiently, through a cooperative effort such as that available to local and county government from Public Technology Inc. (PTI).

Government IT professionals have a responsibility to not only manage emerging technology but, more importantly, to explain what it means to our politicians, managers and even citizens. If we let ourselves become too intimidated by the can, we may never get to the soup.


This article was written by Todd Sander, CIO of Tucson, Ariz., for Public Technology Inc. and is reprinted with permission. PTI, the nonprofit technology R&D organization for local governments, is sponsored by the National League of Cities, the National Association of Counties and the International City/County Management Association. PTI's mission is to advance the development and use of technology in local governments. For more information, contact PTI at 800/PTI-8976.
Todd Sander, Executive Director, Center for Digital Government

Todd Sander is Executive Director of the Center for Digital Government, and is responsible for driving the strategic direction and development of the Center's programs and for providing thought leadership and hands-on expertise in expanding the Center’s services to both government and industry.