President Clinton Friday signed e-signature legislation into law, so marketers can now start evaluating some options for making the technology work in their business.
Smart cards, server-based IDs and biometric systems are all being touted. But building a standard your business partners will accept and securing your e-signatures against identity theft will still take time.
"The future is here and the new era is now," said Nunda Ambegaonkar, exec VP of Elock.com, Fairfax, Va., which sells digital signature technology. "We have federal legislation everyone can turn to as the basis for their e-commerce."
The House and Senate passed a compromise bill that established rules for the use of electronic signatures in commercial transactions.
The easiest way to implement e-signatures may be to have online markets hold keys for all members, said Brian O'Higgins, exec VP of Entrust Technologies Inc., Plano, Texas. The keys would be accessible with a password.
Entrust makes TruePass, a software system for managing digital keys. O'Higgins sees a day when each digital marketplace will hold keys for all users on its server. "Your password on sign-up will unlock your certificate," he said. "When you log on you get your keys."
Bill Holmes, VP-marketing for Litronic Inc., Irvine, Calif., said he worries about the security of server-based key systems. His company is pushing smart cards, chip-based cards with digital signatures that could be backed up by biometric systems, such as iris scanners, to confirm identity.
"The key can't be removed" wita smart card, Holmes said. "The calculation using the key actually takes place on the card, so the key is never in the open, either. And the card is quite sophisticated." When used with a system that scans one's fingerprint or the iris of one's eye it's quite safe, he said.
In implementing e-signatures, businesses will have a choice between buying certificates or buying the power to make them.
Verisign Inc. offers both services.
The choice comes down to whether a company wants to control the e-signature process in-house or outsource it, said Bob Pratt, director of product marketing for the Mountain View, Calif.-based company. "It's really analogous to the payroll business," he said.
All current systems for controlling e-signatures have security holes, said Paul Kocher, president of Cryptography Research Inc., a San Francisco-based security consultancy that also licenses a portfolio of e-signature technology.
Thieves may guess passwords and it can be difficult to revoke certificates that are compromised, he said.
Despite the dangers, these systems offer more security than those that rely on written signatures on contracts, Kocher said. "Paper signatures are awful in proving who actually signed something," he said. "They can't be accurately verified the way digital signatures can."
Kocher predicted it will take a decade for a complete public key infrastructure to be built and accepted outside corporate intranets and b-to-b marketplaces.
"It's like the ATM business," said Pratt. "When ATMs were first deployed, a few people used them. Now most of us never go into banks. But it didn't happen all at once."