FRAMINGHAM (07/07/2000) - A lack of common standards among competing public-key infrastructure technologies and validation processes could slow corporate deployment of digital signature networks, users and analysts warned.
The cautions come in the wake of a law signed June 30 by President Clinton giving electronic signatures the same legal standing as their ink counterparts.
The law takes effect Oct. 1.
The bill, officially known as the Electronic Signatures in Global and National Commerce Act, is expected to remove the legal barriers to using electronic signatures in e-commerce transactions. But first, users will need to overcome some serious interoperability issues related to the public-key infrastructure on which digital signature systems are established, said Laura Rime, a vice president at Identrus LLC in New York. Identrus was formed by eight of the world's largest banks to provide a global, fully interoperable infrastructure for secure business-to-business commerce.
"The lack of interoperability [among vendor products] is a significant barrier to the adoption of digital signatures," Rime said.
"The lack of standards and ease of use will hinder the development of robust digital signatures," echoed Marcelo Halpern, an attorney at law firm Gordon & Glickson LLC in Chicago. A digital signature is a cryptographic value attached to an electronic message that lets the recipient verify the identity of the person who sent it.
A digital signature ties a person's identity to a private key that is held by only one bearer. The private key is used to sign a communication electronically, and anyone holding the corresponding public key can then verify that signature.
A certificate authority publishes the public key and also issues and validates the digital certificates that vouch for the identity of each party in an Internet transaction.
A slew of vendors, including VeriSign Inc., Baltimore Technologies Inc., XCert Inc. and RSA Technologies Inc., supply the core technologies that allow most of this to take place.
The problem is that the technologies are too often proprietary, making it very difficult to certify digital signatures in a PKI where there's a mix of vendor products and certificate authorities involved, said Mahantesh Kothiwale, a vice president at E-credit.com Inc., an online credit verification service in Dedham, Massachusetts.
Each vendor, for instance, has its own certificate issuance, validation and revocation processes. And there are often differences in authentication policies and in the way that private keys are managed from vendor to vendor, users said.
The differences don't really matter in cases where companies are rolling out digital signature systems purely for internal use, said Wayne Austad, a staff engineer in the advanced information systems group at the Idaho National Engineering and Environmental Laboratory.
"But as soon as you start trying to deal with [multiple] businesses or multisite corporations, then it becomes an issue," he said.
Getting around such problems typically involves developing bridge software for linking multivendor PKI products or requiring everyone on the network to install the same vendor's software, Rime said.
"E-marketplaces, banks and other financial institutions will likely be the first firms to sign up for digital signatures," said Frank Prince, an analyst at Forrester Research Inc. in Cambridge, Massachusetts. "However, being the first in this case may not be worth the risk, and it may be best to be second and third."