B2B is ideal test bed for XML Digital Signatures

We can now take for granted the notion that electronic signatures, under U.S. law, may be as legal and binding as the pen-and-paper variety. The new Electronic Signatures in Global and National Commerce Act has removed legal impediments to potential acceptance of various electronic techniques for signing commercial contracts and other agreements.

Now the critical issue is not whether electronic signatures are valid, but whether any particular electronic signature technology or procedure can withstand real-world legal challenges. There is no legal precedent for digital signatures, and a body of relevant case law will take several years to build. We should be avidly putting our new "cyber-Hancock" law into practice, but instead the more cautious legal advisors are urging us to take it slow and steady.

But it would be absurd for us in the private sector to wait a generation or two, deferring electronic signature implementations until lawyers and judges make up their collective minds on the matter. Besides, the legal community is waiting for us to make the first move, try out various approaches, and come forth with real-world test cases. The new law gives us free rein to continue developing digital signature technologies, based on legislators' desire to let the free market set its own standards in this fast-changing area.

That's why, for example, the new law uses the generic term "electronic signatures" rather than the more specific "digital signatures." The latter term would imply that the correct, government-sanctioned approach involves use of such existing technologies as public-key cryptography, X.509 certificates and the Digital Signature Algorithm. These technologies may be perfectly suited to the task but are not necessarily, in their current forms, the final word on the subject.

One of the law's core principles is the U.S. government's desire to "permit parties to a transaction to determine the appropriate authentication technologies and implementation models for their transactions, with assurance that those [approaches] will be recognized and enforced."

A good place to start experimenting with digitally signed transactions is in today's business-to-business trading communities. Those communities come in myriad forms, ranging from electronic marketplaces to traditional extranets. What they all share is reliance on binding legal contracts that define roles, responsibilities, terms, conditions and risks for participants.

There's nothing stopping an e-marketplace operator from implementing a digital signature approach for transactions in its environment, as long as the community's membership agreement describes that approach, and participants assent to it by signing the membership agreement - an act that may represent a participant's only pen-and-paper signature in the community. On commercial contracts in these communities, legally binding digital signatures would be whatever the members have agreed to accept, cognizant of the risks and without regard for whatever signing technologies and practices are accepted in other e-marketplaces.

Digital signatures deliver critical authentication, tamperproofing and nonrepudiation services for legally enforceable transactions, so it's only a matter of time before they're adopted everywhere in the business-to-business arena. But it's doubtful that many business-to-business trading communities will rush to implement digital signatures without a flexible, general-purpose standards framework for applying and validating signatures on electronic documents. Fortunately, the standards community is well along in defining such a framework: XML Digital Signatures (XML-DSig). XML-DSig is a set of draft specifications that has considerable industry support where it counts: early vendor implementation and ongoing interoperability testing.

What's most important, the XML-DSig framework is application-independent and supports signing of any content type, XML or non-XML, as long as that content can be addressed across the Internet, extranet or intranet via uniform resource identifiers (URI). XML-DSig defines procedures for binding cryptographic signatures to one or more URI-addressable local or network resources and for validating those signatures. XML-DSig also specifies an XML syntax for defining signature blocks that can be embedded in all content types.
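
The binding and validation described above, as an added illustration that is not code from this column or from the XML-DSig specifications: a detached signature block references one XML and one non-XML resource by URI, and validation checks the signature over `SignedInfo` before re-digesting each referenced resource. Assumptions: a shared-key HMAC-SHA256 stands in for the public-key signature that nonrepudiation requires, Python's built-in C14N 2.0 is the canonicalization, no transforms are applied, and the `market.example` URIs, the key and the `fetch` callback are constructed for the example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"
# Assumption: shared-key HMAC stands in for a DSA/RSA public-key signature.
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DS)

def q(name):                       # qualified name in the XML-DSig namespace
    return "{%s}%s" % (DS, name)

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def mac(key, signed_info):
    # The signature value covers canonicalized SignedInfo, not the resources.
    c14n = ET.canonicalize(ET.tostring(signed_info, encoding="unicode"))
    return hmac.new(key, c14n.encode(), hashlib.sha256).digest()

def sign(key, resources):
    """resources maps URI -> bytes; returns a detached ds:Signature string."""
    sig = ET.Element(q("Signature"))
    si = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(si, q("CanonicalizationMethod"), Algorithm=C14N2)
    ET.SubElement(si, q("SignatureMethod"), Algorithm=HMAC_SHA256)
    for uri, data in resources.items():
        ref = ET.SubElement(si, q("Reference"), URI=uri)
        ET.SubElement(ref, q("DigestMethod"), Algorithm=SHA256)
        ET.SubElement(ref, q("DigestValue")).text = digest(data)
    ET.SubElement(sig, q("SignatureValue")).text = base64.b64encode(mac(key, si)).decode()
    return ET.tostring(sig, encoding="unicode")

def validate(key, signature_xml, fetch):
    """fetch(uri) -> bytes dereferences a Reference; returns (ok, reason)."""
    sig = ET.fromstring(signature_xml)
    si = sig.find(q("SignedInfo"))
    claimed = base64.b64decode(sig.findtext(q("SignatureValue")))
    if not hmac.compare_digest(claimed, mac(key, si)):
        return False, "signature"            # SignedInfo altered or wrong key
    for ref in si.findall(q("Reference")):
        if digest(fetch(ref.get("URI"))) != ref.findtext(q("DigestValue")):
            return False, "reference " + ref.get("URI")   # resource changed
    return True, "ok"

# Constructed sample: one XML and one non-XML resource, keyed by URI.
KEY = b"constructed-shared-key"
STORE = {"https://market.example/po/1001.xml": b"<PurchaseOrder id='1001'/>",
         "https://market.example/terms.pdf": b"%PDF-1.3 constructed bytes"}
SIGNATURE = sign(KEY, STORE)
```

Validation only covers the resources that `SignedInfo` lists, so a relying party should also confirm that the URIs it depends on appear among the signed references.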

We will start to see commercial implementations of XML-DSig early next year. During this time frame, the World Wide Web Consortium and Internet Engineering Task Force, which are jointly shepherding the XML-DSig initiative, are expected to finalize and then ratify the standards. The XML-DSig initiative won't directly address any of the thorny cultural, commercial and legal issues surrounding the notion of electronic signatures, but it will help to clarify the technical contours of the "generally accepted signing practices" that we may begin to take for granted in a few years.


Kobielus is an Alexandria, Va.-based analyst with The Burton Group, an IT advisory service that provides in-depth technology analysis for network planners. He can be reached at (703) 924-6224 or
