
The Complicated World Of Digital Signatures
By Robert Moskowitz
Imagine for a moment that you've found a powerful tool that speeds all of your business communications. You work out the details for deploying this technology within your company and negotiate with your business partners for their use of it as well. After a considerable investment of human and monetary resources, this tool is finally ready to present to your CEO. Your presentation is going smoothly. You have the attention of senior managers. And then, out of nowhere, your general counsel chimes in, "This is probably illegal." Talk about taking the wind out of your sails.
The computer security community has spent more than 10 years developing digital signatures, which are being held out as the cornerstone technology for electronic commerce. Digital signatures establish the entity responsible for the information. They also can be used in a process that ensures data integrity. But may they be used? The quality of the technology is not at issue. What is at issue are the endless and complicated laws defining digital signatures. The good news is we may be seeing progress here on two important fronts.
Signatures and the Law
A digital signature serves four legal functions: evidence, ceremony, approval, and efficiency and logistics. When a signer makes a mark in a distinctive manner, it serves as evidence that the item is attributable to the signer. The ceremony of signing a document calls the signer's attention to the legal significance of the act. The act of signing also expresses approval or authorization of the document. In addition, the signature provides a document with finality (a function of efficiency and logistics), often allowing the document to change hands and rapidly come to its end.
A signature in and of itself is not considered legally binding until its authenticity is established. This might be done by handwriting analysis or testimony of a witness. However, a notarized signature is accepted as valid. All bodies of law have extensive considerations of signatures. There are many similarities in the laws, and there are just as many discrepancies.
The Function of Digital Signatures
Digital signatures were developed by OSI as the X.509 standard. They uniquely and unequivocally identify the entity responsible for a data file. A data file's content could be made of just about anything: mail, images, financial transactions, medical records and so on. This digital signing process could include the creation of a hash value for the data. This would establish an extremely high assurance of data integrity. The technology for this digital signature process has been well-defined for years. But the development of a reliable method for verifying a digital signature was the hitch in digital signatures' deployment.
Digital signature technology was created within a hierarchy of trust. There would be some world root--the one and only top of the hierarchical scheme that would be recognizable to everyone. This world root would identify a few key players, who in turn would recognize signing authorities. These signing authorities (through whatever number of actual layers were required) would create user signatures. This process was built on the basis that each hierarchical level's digital signature would be treated as a file to be signed in turn by the next level in the chain. The process was neat and clean, but required one world-recognized starting point.
X.509 version 3 (the current version) broke with the requirement for the one world root and allows for multiple hierarchies to be connected by bidirectional cross-certification links. These hierarchies function as a chain of trust, letting any recipient determine the validity of the claim of ownership. The fact that this technology has absolutely no basis in law is its one problem.
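An added example, not part of the original column: a simplified Python model of the chain of trust and cross-certification described above, showing how a recipient who trusts only one root can still validate a signer from another hierarchy. The names (Root A, Root B, CA-B, alice), the toy RSA keys built from small Mersenne primes, and the two-field "certificate" are assumptions for illustration; real X.509 certificates carry many more fields and use full-size keys.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (constructed, insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(subject, subject_n, issuer_n):
    """Hash the signed fields (subject name and public key), reduced mod issuer's n."""
    h = hashlib.sha256(f"{subject}|{subject_n}".encode()).digest()
    return int.from_bytes(h, "big") % issuer_n

def issue(issuer, issuer_key, subject, subject_key):
    """One level treats the next level's name and key as a file and signs it."""
    n = issuer_key["n"]
    sig = pow(digest(subject, subject_key["n"], n), issuer_key["d"], n)
    return {"subject": subject, "issuer": issuer, "n": subject_key["n"], "sig": sig}

def sig_ok(cert, issuer_n):
    return pow(cert["sig"], E, issuer_n) == digest(cert["subject"], cert["n"], issuer_n)

def build_path(cert, pool, anchors, depth=8):
    """Return names from cert up to a trusted root, or None if no valid chain exists."""
    if cert["issuer"] in anchors and sig_ok(cert, anchors[cert["issuer"]]):
        return [cert["subject"], cert["issuer"]]
    if depth == 0:  # bidirectional cross-links can form loops, so bound the search
        return None
    for parent in pool:
        if parent["subject"] == cert["issuer"] and sig_ok(cert, parent["n"]):
            rest = build_path(parent, pool, anchors, depth - 1)
            if rest:
                return [cert["subject"]] + rest
    return None

# Constructed sample: two hierarchies; the recipient trusts only Root A.
root_a, root_b = keypair(61, 89), keypair(89, 107)
ca_b, alice = keypair(107, 127), keypair(61, 127)
anchors = {"Root A": root_a["n"]}
ca_b_cert = issue("Root B", root_b, "CA-B", ca_b)
alice_cert = issue("CA-B", ca_b, "alice", alice)
cross_ab = issue("Root A", root_a, "Root B", root_b)  # A certifies B's key
cross_ba = issue("Root B", root_b, "Root A", root_a)  # B certifies A's key

if __name__ == "__main__":
    print(build_path(alice_cert, [ca_b_cert], anchors))                      # no link to Root A
    print(build_path(alice_cert, [ca_b_cert, cross_ab, cross_ba], anchors))  # link via cross-cert
```

Without the cross-certificate the recipient has no path from alice to a root it trusts; with it, the chain runs alice, CA-B, Root B, Root A, and a certificate whose signed fields were altered fails at the first signature check.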
The Evolution of Law
It is a rare event when something new in our civilization is legal from its inception. New laws or legal precedents are needed to establish legalities, and our legal system moves slowly to incorporate change. Of course, time is something business rarely has. We need fast methods for using digital signatures without risking our businesses' future on litigation.
Legal Progress and Alternatives
Utah has led the nation in paving the way for digital signatures. Interestingly, the effort comes from a court system that encourages electronic filing of briefs, while its circuit judges continue to travel from city to city. The Utah digital signature law has been on the books for two years, and changes are needed still (they have to figure out the wording to cover notarizing in ink only).
The Utah law is known as a "thick" law because it is very explicit about the digital signature technology and the licensing of certificate authorities (CAs). This stands in contrast to the California "thin" law, which merely defines the concept of digital signatures and how a CA becomes licensed. Some states, such as Florida and Texas, are pushing toward even thinner laws than California's. These laws would define electronic signatures in a broader sense (allowing for biometric technologies and even old-fashioned logon IDs).
States are busy enacting one model or the other. This disparity has led Massachusetts to spearhead an effort to communize the state laws (see www.magnet.state.ma.us/itd/legal).
There is an effort to get federal enabling legislation--it may well be in place as you read this. The federal efforts are similar to those of Florida and Texas: Enable electronic signatures that are technologically neutral. All of this will give your digital signatures full legal standing and will drastically reduce court costs.
There is, however, a simpler way: Contract law clearly frames how to enable any business practice. If two businesses state in their contracts that a party to a transaction spins around twice and clicks his or her heels three times to seal the transaction, then they are bound to this practice (they can use other more traditional methods). Similarly, if you and I state in our trading partner agreement that we will use X.509 certificates issued by the Bank of Kalamazoo, we would be bound to that practice. Of course, the terms of any contract cannot violate existing laws.
For "communities of interest"--like banking, health, transportation or automotive--our immediate option is to go with contract law and work with governments around the world to address digital signatures in a sound manner. This way, each community need not work out terms of engagement between themselves on a case-by-case basis.
Robert Moskowitz is a software systems specialist at Chrysler Corp., Detroit, Mich., and a member of the Internet Architecture Board (IAB). He can be reached at rgm@htt-consult.com.
Updated October 8, 1997