
B2B is ideal test bed for XML Digital Signatures


We can now take for granted the notion that electronic signatures, under U.S. law, may be as legal and binding as the pen-and-paper variety. The new Electronic Signatures in Global and National Commerce Act has removed legal impediments to potential acceptance of various electronic techniques for signing commercial contracts and other agreements.

Now the critical issue is not whether electronic signatures are valid, but whether any particular electronic signature technology or procedure can withstand real-world legal challenges. There is no legal precedent for digital signatures, and a body of relevant case law will take several years to build. We should be avidly putting our new "cyber-Hancock" law into practice, but instead the more cautious legal advisors are urging us to take it slow and steady.

But it would be absurd for us in the private sector to wait a generation or two, deferring electronic signature implementations until lawyers and judges make up their collective minds on the matter. Besides, the legal community is waiting for us to make the first move, try out various approaches, and come forth with real-world test cases. The new law gives us free rein to continue developing digital signature technologies, based on legislators' desire to let the free market set its own standards in this fast-changing area.

That's why, for example, the new law uses the generic term "electronic signatures" rather than the more specific "digital signatures." The latter term would imply that the correct, government-sanctioned approach involves use of such existing technologies as public-key cryptography, X.509 certificates and the Digital Signature Algorithm. These technologies may be perfectly suited to the task but are not necessarily, in their current forms, the final word on the subject.

One of the law's core principles is the U.S. government's desire to "permit parties to a transaction to determine the appropriate authentication technologies and implementation models for their transactions, with assurance that those [approaches] will be recognized and enforced."

A good place to start experimenting with digitally signed transactions is in today's business-to-business trading communities. Those communities come in myriad forms, ranging from electronic marketplaces to traditional extranets. What they all share is reliance on binding legal contracts that define roles, responsibilities, terms, conditions and risks for participants.

There's nothing stopping an e-marketplace operator from implementing a digital signature approach for transactions in its environment, as long as the community's membership agreement describes that approach, and participants assent to it by signing the membership agreement - an act that may represent a participant's only pen-and-paper signature in the community. On commercial contracts in these communities, legally binding digital signatures would be whatever the members have agreed to accept, cognizant of the risks and without regard for whatever signing technologies and practices are accepted in other e-marketplaces.

Digital signatures deliver critical authentication, tamperproofing and nonrepudiation services for legally enforceable transactions, so it's only a matter of time before they're adopted everywhere in the business-to-business arena. But it's doubtful that many business-to-business trading communities will rush to implement digital signatures without a flexible, general-purpose standards framework for applying and validating signatures on electronic documents. Fortunately, the standards community is well along in defining such a framework: XML Digital Signatures (XML-DSig). XML-DSig is a set of draft specifications that has considerable industry support where it counts: early vendor implementation and ongoing interoperability testing.

What's most important, the XML-DSig framework is application-independent and supports signing of any content type, XML or non-XML, as long as that content can be addressed across the Internet, extranet or intranet via uniform resource identifiers (URIs). XML-DSig defines procedures for binding cryptographic signatures to one or more URI-addressable local or network resources and for validating those signatures. XML-DSig also specifies an XML syntax for defining signature blocks that can be embedded in all content types.
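The binding described above, as an added example (not from the column or from any XML-DSig implementation): each resource is digested into a Reference, and one signature over SignedInfo covers them all. It assumes Python's standard library, an HMAC-SHA256 shared key in place of a public-key signature, Python's C14N 2.0 canonicalizer, and constructed marketplace.example URIs and helper names.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
# Constructed sample resources standing in for URI-addressable content (XML and non-XML).
SAMPLE = {"https://marketplace.example/po/1001.xml": b"<PurchaseOrder id='1001'/>",
          "https://marketplace.example/terms.pdf": b"%PDF-1.3 constructed bytes"}

def q(tag):
    return f"{{{DS}}}{tag}"

def c14n(elem):
    # Canonicalize so signer and verifier compute the MAC over identical bytes.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sign(uris, resolve, key):
    """Return a detached ds:Signature (as a string) covering every URI in `uris`."""
    sig = ET.Element(q("Signature"))
    info = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(info, q("CanonicalizationMethod"), Algorithm="http://www.w3.org/2010/xml-c14n2")
    ET.SubElement(info, q("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256")
    for uri in uris:
        ref = ET.SubElement(info, q("Reference"), URI=uri)
        ET.SubElement(ref, q("DigestMethod"), Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
        ET.SubElement(ref, q("DigestValue")).text = digest(resolve(uri))
    mac = hmac.new(key, c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, q("SignatureValue")).text = base64.b64encode(mac).decode()
    return ET.tostring(sig, encoding="unicode")

def verify(signature_xml, resolve, key):
    """Return (ok, reason). Algorithms are fixed in code, never taken from the document."""
    sig = ET.fromstring(signature_xml)  # use a hardened parser for untrusted input
    info = sig.find(q("SignedInfo"))
    if info is None:
        return False, "no SignedInfo"
    # Step 1: the signature value must cover the canonical SignedInfo.
    given = base64.b64decode(sig.findtext(q("SignatureValue"), default=""))
    if not hmac.compare_digest(hmac.new(key, c14n(info), hashlib.sha256).digest(), given):
        return False, "signature over SignedInfo invalid"
    # Step 2: every referenced resource must still match its signed digest.
    for ref in info.findall(q("Reference")):
        if ref.findtext(q("DigestValue")) != digest(resolve(ref.get("URI"))):
            return False, "digest mismatch: " + ref.get("URI")
    return True, "valid"
```

Validation fails at step 2 when a referenced resource changes after signing, and at step 1 when SignedInfo itself is edited to match the changed resource.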

We will start to see commercial implementations of XML-DSig early next year. During this time frame, the World Wide Web Consortium and Internet Engineering Task Force, which are jointly shepherding the XML-DSig initiative, are expected to finalize and then ratify the standards. The XML-DSig initiative won't directly address any of the thorny cultural, commercial and legal issues surrounding the notion of electronic signatures, but it will help to clarify the technical contours of the "generally accepted signing practices" that we may begin to take for granted in a few years.


Kobielus is an Alexandria, Va.-based analyst with The Burton Group, an IT advisory service that provides in-depth technology analysis for network planners. He can be reached at (703) 924-6224 or
