E-Signature Assurance White Paper


  • 8/14/2019 E-Signature Assurance White Paper


    ProofSpace White Paper

    Electronic Signature Assurance

    & the Digital Chain-of-Evidence: Executing Legally Admissible Digitally Signed Records

    by Jacques R. Francoeur, B.A.Sc., M.A.Sc., MBA

    ProofSpace

    900 Clancy Ave NE

    Grand Rapids, MI 49503

    (312) 933.8823

    www.proofspace.com


    Electronic Signature Assurance & the Digital Chain-of-Evidence, Revised July 007


    Table of Contents

    1. Executive Summary

    2. Electronic Signatures shall be Equivalent to Handwritten Signatures: Easier Said than Done

    3. What needs to be Equivalent: an Electronic Signature?

    4. The Challenges and Risks of the Electronic Medium

    5. The Formation of a Digitally Signed Record

    6. Electronic Signature Assurance

    6.1 Signing Module

    6.2 Act-of-Signing

    6.3 Signed Record

    6.4 The Digital Chain of Evidence

    7. The Digital Chain of Admissibility: Meeting Legal Standards & Regulatory Requirements

    8. Conclusion

    About the Author


    1. Executive Summary

    The vast majority of information today is generated and processed in electronic form. Consequently the majority of business conducted today is in part or entirely electronic. However, the need to obtain signatures causes business processes to be driven to the physical world, resulting not only in delays and costs, but also in the loss of competitiveness and the ability to adapt. The objective is simple: maintain an end-to-end electronic state throughout the business process. But are electronic signatures legal? Are they regulatory compliant? Can I hold my management accountable for approvals and decisions? Are my contracts enforceable? Can I have the same degree of control and security over my business? The answer is yes, if done correctly.

    The U.S. e-Sign Act provides for the non-discrimination of electronic signatures and records when compared to their physical counterparts. In legal terms, the legislation provides the same legal effect and validity to an electronic signature as that granted to a handwritten signature on a paper. Note, the legal recognition granted a handwritten signature, which is that of admissibility in a court-of-law, is far greater than the legal recognition granted an electronic signature, which is not to be deemed invalid solely because it is electronic. The key challenge is how to have an electronic signature have the same legal recognition as a handwritten signature, that of admissibility.

    In converting from ink-based signatures to electronic signatures, governing laws and regulations describe the overall goal that electronic signatures be generally equivalent to handwritten signatures. In order to achieve this requirement, one must understand first what makes an ink signature reliable. Secondly, one must understand what new challenges and risks are created by adopting the electronic medium. There are many abstract and intangible factors involved in the formation of a multi-party electronically signed record. If not performed and maintained reliably, internal approvals may not be accountable; electronic evidence in legal disputes may not be admissible; and regulated processes may not be compliant.

    This white paper defines the life cycle of an electronically signed record and describes the equivalence requirements throughout its retention period. A risk management framework called Electronic Signature Assurance will be presented that defines a generic Digital Chain of Evidence that guides the architectural choices available in deploying an electronic signature solution. However, the requirement for equivalence establishes a minimum legal admissibility standard that restricts the architectural choices to high reliability options. The result is a high assurance Digital Chain of Admissibility that holds individuals accountable for approvals and decisions and is deemed admissible and regulatory compliant.

    This white paper will lay out an innovative risk management model (Electronic Signature Assurance) and reference architecture (Digital Chain of Evidence) that can be used to deliver confidence that an electronic signature solution can execute signed records that will meet the requirements for legal admissibility.


    2. Electronic Signatures shall be Equivalent to Handwritten Signatures: Easier Said than Done

    Currently, for a legally significant transaction, such as contract execution, or a regulatory significant transaction, such as e-Clinical Trial approval, electronic documents are printed and ink-based signatures are captured on paper. These signed documents are then stored and archived for a predetermined retention period driven by legal and/or regulatory requirements. Anytime during this period, these documents can be called upon in a discovery request and offered as evidence in legal or regulatory proceedings.

    Ink signed paper documents are deemed sufficiently reliable to be admitted as evidence due to their intrinsic physical attributes for reliability. That is, they are inherently stable, indelible, durable, self-contained and transportable.

    In addition, decades of laws, regulations, precedence and established practices have created a human condition that generally presumes that when individuals sign paper documents, the:

    person signing is who they say they are, their identity can be established from their signature and they have the authorization to sign;

    person signing has applied their signature in a state of informed consent, in full awareness of the meaning of content being signed and the implications of signing;

    intent of their act-of-signing is an agreement to be bound by the content;

    document being signed will not change after the signature, and the signature only relates to the associated document;

    signed document is admissible in a court-of-law and enforceable.

    The challenge before electronic signature applications is to impart mechanisms and design architectures that will ensure these physical attributes for reliability are persistently and verifiably recreated by design.

    In summary, the standard for electronic signed records can be simply articulated as generating electronically signed records that are legally equivalent to their physical counterparts. The FDA 21 CFR Part 11 articulates this electronic-to-physical equivalence as follows:

    The regulations in this part set forth the criteria under which the agency considers electronic records, electronic signatures, to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.1

    In addition,

    Persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures in their system, ..., are intended to be the legally binding equivalent of traditional handwritten signatures.2

    1 General Provisions: 11.1 Scope (a)

    2 SP C: Electronic Signatures: 11:100 (c) General Requirements


    The requirement for electronic-to-physical equivalence is also clearly articulated in the European Union Electronic Signature Directive 3 where a special class of electronic signature (i.e., digital signature) is defined with a guaranteed level of legal recognition/admissibility as evidence in a European Union court-of-law, as follows:

    Member States shall ensure that advanced [qualified] electronic signatures that are based on a qualified certificate and that are created by a secure Signing Device:

    a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies that requirement in relation to paper-based data; and

    b) are admissible as evidence in legal proceedings.

    Requiring that an electronically signed record be equivalent to ink-based signed paper is an easy goal to set, but it is easier said than done. Demonstrating how this can be accomplished with confidence is less obvious. However, it can be achieved if one understands the legal and regulatory issues and how technology and process can be integrated into a verifiable digital chain-of-trust that is sufficiently reliable to meet legal standards and regulatory requirements.

    3. What needs to be Equivalent: an Electronic Signature?

    Before one can understand how an electronically signed record can be equivalent to its physical counterpart, one must first understand what it is that needs to be equivalent: an electronic signature.

    The definition of an electronic signature as provided by the UN Model Law 4 is:

    An electronic signature is data in electronic form in, affixed to, or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory's approval of the information contained in the data message.

    The definition as provided by the EU Electronic Signature Directive 5 is:

    electronic signature means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication

    Finally, the definition as provided by the US e-Sign Act 6 is:

    The term electronic signature means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

    It is interesting to compare how each of the three bodies of knowledge defines an electronic signature. These three definitions are compared side-by-side in Table 1.

    3 European Union Electronic Signature Directive Article 5.1

    4 UNCITRAL Model Law on Electronic Signatures Article 2a

    5 European Union Electronic Signature Directive Article 2.1

    6 United States Electronic Signatures in Global and National Commerce Act: Section 106 Definitions (5) Electronic Signature


    Table 1: Electronic Signature Definition Comparison

    | Electronic Signature Components | United Nations Model Electronic Signature Law | European Union Electronic Signature Directive | U.S. Global and National e-Commerce Act |
    |---|---|---|---|
    | Electronic Nature of Signature | data in electronic form | data in electronic form | an electronic sound, symbol, or process |
    | Link of Electronic Signature | in, affixed to, or logically associated with | which are attached to or logically associated with | attached to or logically associated with |
    | What is Being Signed | a data message, | other electronic data | a contract or other record |
    | Identification of the Signatory | which may be used to identify the signatory in relation to the data message | and which serve as a method of authentication... | and executed or adopted by a person |
    | Purpose of Signing | and indicate the signatory's approval of the information contained in the data message. | | with the intent to sign the record. |

    Electronic Nature of Signature: All three definitions are consistent in that an electronic signature is data in electronic form, with the U.S. e-Sign Act further defining the nature of the data as an electronic sound, symbol, or process.

    Link of Electronic Signature: All three definitions require the signature to be affixed to or associated with what is being signed. Therefore an electronic signature cannot exist without a context and the specifics of what is being signed.

    What is being Signed: All three definitions are consistent in that what is being signed is data in electronic form, with the U.S. e-Sign Act further defining the nature of the data as a contract or other record.

    Identification of the Signatory: All three definitions are consistent in that a signature must identify the person signing.

    Purpose of Signing: The UN Model Law and the U.S. e-Sign Act definitions stipulate that the act-of-signing must be an act-of-approval or an act-of-intent, respectively, and the EU Directive defines the intent as a method of authentication. Therefore, an electronic signature cannot further exist without the existence of intent.


    Consequently, in the most general sense these definitions describe the formation of an electronic agreement: a signature in electronic form linked to a record in electronic form with an identified individual performing an act-of-signing for the purpose of approval, authentication or intent. This is illustrated in the figure below.

    It is also interesting to compare Table 1 to the definition of an electronic signature as articulated by FDA 21 CFR Part 11, as follows:

    Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

    The impact of electronic signature legislation such as the U.S. e-Sign Act is to provide for the non-discrimination of electronic signatures and records as compared to their physical counterparts. That is, no signature or record will be deemed inadmissible merely because it is in electronic form. In legal terms this means that the legislation provides the same legal effect and validity to an electronic signature and record as to the legal effect granted a handwritten signature on a paper. Note that the legal recognition granted a handwritten signature, which is that of admissibility in a court-of-law, is far greater than the legal recognition granted an electronic signature, which is not to be deemed invalid solely due to being electronic.

    For example, the U.S. e-Sign Act 7 ensures the non-discrimination of electronic signatures and records by ensuring their legal effect and validity, as follows:

    1) A signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and

    2) A contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.

    7 United States Electronic Signatures in Global and National Commerce Act: Section 101 General Rule of Validity


    The objective is to build from legal effect and validity, as provided by electronic signature legislation, and reach legal admissibility, a prerequisite of enforceable signed records, by designing a signature process that is sufficiently reliable to meet the legal standards.

    However, legally binding implies that the implications or meaning of what was signed is enforceable. The enforceability of the meaning of the document is subjective and the sole purview of the adjudication authority, such as the arbiter or judge. The legal limit of a reliable signature is that it is deemed sufficiently reliable to be admitted into evidence, a prerequisite of legal enforceability as illustrated in the figure below.

    This white paper addresses a specific form of electronic signature, a digital signature that has mechanisms of reliability intrinsic to its form. Such a signature is defined by 21 CFR Part 11 as follows:

    Digital signature means an electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified.

    However, in order to achieve this, one must understand the challenges that electronic mediums create in enabling verifiable reliability.


    4. The Challenges and Risks of the Electronic Medium

    Ironically, the electronic form of data was invented in large part to increase the ease with which it could be created, modified, deleted, substituted and copied. Electronic data is ultimately represented by a series of zeros and ones, inherently volatile and unstable. The inability to differentiate between good (original) and bad (manipulated) data is a challenge. The mobility of data, its ability to move between systems and applications and people, is frictionless. In addition, evidentiary techniques to determine the provenance of data, such as time-of-creation and unchanged state, are immature to non-existent. Therefore, unless mechanisms are put in place, electronic data itself and time can be modified and manipulated, often without detection, creating core challenges to establishing the reliability of electronically signed records. These challenges are illustrated in the figure below.

    The transition from ink-based signed documents to electronic equivalents does not impact the need to adhere to existing legal standards, meet current legislative requirements and comply with governing regulations. However, executing legally equivalent and regulatory compliant electronic signatures creates new legal and technical challenges that radically change the methods of meeting the standards and requirements and demonstrating their adherence and compliance.


    In order for a signature to be reliable, various bases of denial must be controlled as illustrated in the figure below. FDA 21 CFR Part 11 articulates the requirement for mitigating the possible bases of denial as follows:

    Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine.8

    The ability to refute these bases of denial will depend on the reliability designed into the signed record formation and verification processes. It is not only a matter of signature creation, but also the ability to preserve, verify the integrity, and render the signature and record in human readable form when required. At the core of the ability to maintain the reliability of a signed record over time is the ability to detect any modification after the signature is applied. The UN Model Law articulates this electronic signature integrity requirement as follows:

    An electronic signature [signed record] is considered to be reliable for the purpose of satisfying the requirement [of law] if any alteration of the electronic signature, made after the time of signing, is detectable; 9

    Similarly, an electronic signature as an act of agreement and intent to be bound or an act of approval and intent to be responsible is predicated on the ability to preserve and verify the integrity of the content signed. That is, the ability to detect any modification to the content after the record has been signed. The UN Model Law articulates this content integrity requirement as follows:

    An electronic signature is considered to be reliable for the purpose of satisfying the requirement [of law] if, any alteration made to that information [record] after the time of signing is detectable;10

    8 SP B: Electronic Records: 11:10 Control for Closed Systems

    9 UNCITRAL Model Law on Electronic Signatures Article 6.3.c

    10 UNCITRAL Model Law on Electronic Signatures Article 6.3.d


    Failure to mitigate the bases of denial, or the ability to falsify or manipulate a signed record, may result in the signed record being deemed inadmissible as evidence in a court-of-law or the inability to assign accountability for internal approvals and decisions.

    FDA 21 CFR Part 11 articulates the requirement for ensuring accountability as follows:

    The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification. 11

    5. The Formation of a Digitally Signed Record

    In order to understand what is required to ensure that a signed record is sufficiently reliable to be deemed admissible and compliant, one needs to understand the stages involved in its formation, retention and final disposition. This white paper focuses on digital signatures, an electronic signature based on asymmetric cryptography (i.e., Public Key Infrastructure). The use of a digital signature does not necessarily mean that the resulting signatures will be reliable.

    The stages of a two party signed record transformation process are illustrated in the figure below according to the legend.

    11 SP B: Electronic Records: 11:10 (j) Control for Closed Systems


    The stages start with the creation of the content to be signed (Unsigned Record). The record is then signed by the first individual (Signatory 1) to create Signed 1 Record. This is then transmitted to the second individual (Signatory 2) who in turn signs the Signed 1 Record to create an official corporate record (Executed Signed Record) for which a legal retention period applies. At the end of this period, the Executed Signed Record can be legally destroyed (Signed Record Disposition). However, anytime during this period, the Executed Signed Record can be required in a legal discovery request (Signed Record Discovery) where its reliability will have to be established. This is the business critical event: demonstrating the reliability of the digitally signed record.

    FDA 21 CFR Part 11 articulates the requirement to preserve, verify and render a record throughout its retention period as follows:

    Protection of records to enable their accurate and ready retrieval throughout the records retention period. 12

    As the record is being signed, there are a number of transparent but critical signature related events occurring in the background that are essential to reliability as illustrated in the figure below.

    The first key assumption prior to the start of the signing process is that the digital certificates of Signatory 1 (Certificate 1) and Signatory 2 (Certificate 2) are valid, that is, they have not been revoked, suspended or expired. The first record transformation stage is the application of the first signature by Signatory 1 where the Unsigned Record becomes Signed 1 Record. At the time Signatory 1 initiates the act-of-signing, the certificate status of Signatory 1 is verified (Certificate 1 Validity Request). If the status is valid, the Certificate Authority returns a response to that effect (Certificate 1 Validity Response) and the signature is generated (Signature 1 Creation). If the status is invalid, the signing process is terminated.

    12 SP B: Electronic Records, 11:10 Controls for Closed Systems (c)


    The second record transformation stage is the application of the second and final signature by Signatory 2 where the Signed 1 Record becomes Executed Signed Record. A precondition of applying Signature 2 is that Signature 1 be authentic (Signature 1 Authenticity Verification), that is, the signature is what it purports to be. If the signature of Signatory 1 was applied after the validity of its Certificate 1, then Signature 1 is not reliable. If the content has been modified after the application of the first signature (Signature 1), the Signed 1 Record is no longer what was signed by Signatory 1 and is no longer reliable. Signature 2 should not be applied.

    The authenticity of Signature 1 is determined as follows: The identity of Signatory 1 is verified to ensure it is the signature of the correct person. The validity of Signature 1 is verified by ensuring the time of the Certificate 1 Validity Response was at a time when Signatory 1's certificate was valid. If not, the signature is unreliable. The integrity of the Signed 1 Record is verified to ensure the content has not been modified since Signature 1 was applied. If the Signature 1 Authenticity Verification is positive, the second signature (Signature 2) is applied in the same way the first signature was applied and the record becomes an official corporate record (Executed Signed Record).

    A key question in the life cycle of a digitally signed record is, once the certificate of a Signatory is no longer valid after it was involved in the application of a signature, such as Signatory 1 Certificate Revocation, does this invalidate the legal recognition provided to the signature? The answer is no. As long as the certificate of the Signatory was valid at the time-of-signing (Identifier private, secure and under the sole control of the Signatory), the signature has legal effect and validity.
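The two-signatory flow and the Signature 1 Authenticity Verification described above, as an added sketch in Go that is not part of the original white paper. It assumes Ed25519 keys, a simplified Certificate struct standing in for X.509 and the Certificate Authority's status responses, and a trusted signing time; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Certificate is a simplified stand-in (assumption) for X.509 plus CA status data.
type Certificate struct {
	Subject             string
	PublicKey           ed25519.PublicKey
	NotBefore, NotAfter time.Time
	RevokedAt           *time.Time // nil while the certificate is not revoked
}

// ValidAt reports whether the certificate was unexpired and unrevoked at t.
func (c *Certificate) ValidAt(t time.Time) bool {
	return !t.Before(c.NotBefore) && !t.After(c.NotAfter) && (c.RevokedAt == nil || t.Before(*c.RevokedAt))
}

// Signature records the signer and the time of the Certificate Validity Response.
// Assumption: that time comes from a trusted source, not the signer's own clock.
type Signature struct {
	Signer     string
	ValidityAt time.Time
	Value      []byte
}

// SignedRecord is the content plus every signature applied so far.
type SignedRecord struct {
	Content    []byte
	Signatures []Signature
}

var ErrCertInvalid = errors.New("signatory unknown or certificate not valid at time of signing")
var ErrTampered = errors.New("record or signature altered after signing")

// digest binds a signature to the content, all earlier signatures, its signer and time.
func digest(content []byte, prior []Signature, signer string, at time.Time) []byte {
	h := sha256.New()
	for _, s := range prior {
		h.Write(s.Value)
	}
	fmt.Fprintf(h, "|%x|%d|%d|%s", sha256.Sum256(content), len(prior), at.UnixNano(), signer)
	return h.Sum(nil)
}

// Verify is the authenticity verification: for each signature, in order, it
// checks identity, certificate validity at signing time, and integrity.
func Verify(rec *SignedRecord, certs map[string]*Certificate) error {
	for i, s := range rec.Signatures {
		cert, ok := certs[s.Signer]
		if !ok || !cert.ValidAt(s.ValidityAt) {
			return fmt.Errorf("signature %d: %w", i+1, ErrCertInvalid)
		}
		d := digest(rec.Content, rec.Signatures[:i], s.Signer, s.ValidityAt)
		if !ed25519.Verify(cert.PublicKey, d, s.Value) {
			return fmt.Errorf("signature %d: %w", i+1, ErrTampered)
		}
	}
	return nil
}

// Sign models the act-of-signing: certificate status check, then verification
// of every earlier signature, and only then signature creation.
func Sign(rec *SignedRecord, cert *Certificate, key ed25519.PrivateKey, now time.Time, certs map[string]*Certificate) error {
	if !cert.ValidAt(now) {
		return ErrCertInvalid // the signing process is terminated
	}
	if err := Verify(rec, certs); err != nil {
		return err // the next signature should not be applied
	}
	d := digest(rec.Content, rec.Signatures, cert.Subject, now)
	rec.Signatures = append(rec.Signatures, Signature{cert.Subject, now, ed25519.Sign(key, d)})
	return nil
}

// NewSignatory creates a constructed key pair and a certificate valid for one year.
func NewSignatory(subject string, from time.Time) (*Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return &Certificate{Subject: subject, PublicKey: pub, NotBefore: from, NotAfter: from.AddDate(1, 0, 0)}, priv
}

func main() {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed sample time
	c1, k1 := NewSignatory("Signatory 1", t0)
	c2, k2 := NewSignatory("Signatory 2", t0)
	certs := map[string]*Certificate{c1.Subject: c1, c2.Subject: c2}
	rec := &SignedRecord{Content: []byte("constructed sample contract text")}
	fmt.Println("sign 1, sign 2:", Sign(rec, c1, k1, t0.Add(time.Hour), certs), Sign(rec, c2, k2, t0.Add(2*time.Hour), certs))
	revoked := t0.Add(24 * time.Hour)
	c1.RevokedAt = &revoked // revoked after signing: the record still verifies
	fmt.Println("after later revocation:", Verify(rec, certs))
	rec.Content = append(rec.Content, '!') // alteration after signing
	fmt.Println("after alteration:", Verify(rec, certs))
}
```

Because each signature covers the content and every earlier signature, Signature 2 also commits Signatory 2 to the exact Signed 1 Record that was verified before signing.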

    6. Electronic Signature Assurance

    Section 2 discussed the attributes and expectations of physical signatures that must be recreated in the electronic counterpart, Section 4 discussed the challenges and risks of adopting electronic signatures and Section 5 discussed the key stages of the record formation process. The pieces are now in place to discuss a framework that will address these challenges, map to the record formation process and translate the ambiguous requirements of electronic-to-physical equivalence into a signed record digital chain of evidence.

    Electronic Signature Assurance (ESA) is a digital signature risk management framework that defines a generic signed record architecture called the Digital Chain-of-Evidence. This chain-of-evidence contains discrete links that can be evaluated for or designed to a level-of-reliability.


    The Electronic Signature Assurance framework consists of three segments, illustrated in the figure below.

    1) Signing Module: this segment relates to the reliability of the module used to initiate the act-of-signing;

    2) Act-of-Signing: this segment relates to the individual's state-of-mind at the time-of-signing; and

    3) Signed Record: this segment relates to the methods used to create and store the signed record.

    Each segment of Electronic Signature Assurance will be discussed individually.

    6.1 Signing Module

    The Signing Module segment of the Electronic Signature Assurance framework relates to the processes involved in provisioning the signing module, whether hardware or software based, used to initiate the act-of-signing. The nature of these processes will determine the reliability of signatures generated by the module. The main function of the Signing Module segment is to establish the true identity of the Signatory by capturing and preserving a reliable and valid digital chain-of-identity. The chain-of-identity establishes the link between an electronic signature, a unique identifier, a registered identity and a physical individual acting as a Signatory. This chain-of-identity should only lead to one individual.

    The UN Model Law requirement is articulated as follows:

    An electronic signature is considered to be reliable for the purpose of satisfying the requirement [of law] if the signature creation data [unique identifier] are, ..., linked to the signatory and no other person; 13

    13 UNCITRAL Model Law on Electronic Signatures Article 6.3.a


    The reliability level of the digital chain-of-identity is derived from the procedures performed in each of the stages that make up the signing module provisioning process, as illustrated in the figure below.

    The primary objective of the process is to transfer sole control of a secure signing module to the Signatory and no other individual.

    The UN Model Law articulates this requirement as follows:

    An electronic signature is considered to be reliable for the purpose of satisfying the requirement [of law] if the signature creation data [unique identifier] were, at the time of signing, under the control of the signatory and no other person; 14

    A loss of sole control invalidates the reliability of any subsequent electronic signature created by the signing module. The concept of sole control embodies four critical aspects: the uniqueness, privacy, security and exclusive access to the identifier contained in the signing module, hereinafter referred to as Identifier. The Identifier is effectively the electronic version of an individual's hand with pen.

    The Signing Module segment of ESA is made up of the following provisioning stages:

    1) Identity Registration: the process of establishing the true identity of the individual forming the basis of the Signatory's registered public identity (stage 3 below).

    2) Identifier Generation: the process of generating a unique Identifier (e.g., Private Key) that can only be associated with one individual, the Signatory.

    3) Certificate Issuance: the process of issuing a public identity (i.e., digital certificate) containing the Public Key that is bound to the registered identity (stage 1 above).

    4) Identifier Protection: The Identifier generated in stage 2 above must only be known by or under the control of the individual, that is, private. This is accomplished through a secure process that places the Identifier in the signing module, while preventing its duplication, and protects the Identifier from unauthorized access or unintended disclosure.

    14 UNCITRAL Model Law on Electronic Signatures Article 6.3.b

    5) Signing Module Custody: The process of transferring physical custody or logical control of the signing module to the Signatory and no other individual and establishing a second factor of authentication necessary to ensure sole control over the signing module. The second factor of authentication (e.g., PIN or password) is used to ensure that only the Signatory can initiate the act-of-signing.

    The Signing Module segment of the Electronic Signature Assurance framework contributes two metrics-of-reliability to the Digital Chain-of-Evidence: Signatory Identity and Signing Module. The Signatory Identity metric determines the confidence in the ability to establish the true identity of the Signatory. The Signing Module metric establishes the confidence that no individual other than the Signatory could have initiated the act-of-signing. In order to establish the reliability of each element of the Signing Module segment, reliability metrics are defined for each as follows and illustrated in the figure below.

    The Signatory Identity metric of reliability is composed of the following parameters:

    1) Identity Vetting: the level-of-confidence in the identity of the Signatory is determined by the number and type of independent identity credentials used to vet the individual's identity. For example, government issued photo ID credentials such as passports are considered reliable.

    2) Identifier Uniqueness: the level-of-confidence that the Identifier (i.e., Private Key) is unique and can only be associated with the Signatory and no other person.

    3) Certificate Trustworthiness: the level-of-confidence in the Certificate Authorities who issued the digital certificates (i.e., Private Keys) in the certificate path, from the Trust Anchor (root) to the Signatory's digital certificate, and the ability to determine the current status of the certificates.

    The Signing Module metric of reliability is composed of the following parameters:

    1) Identifier Security: the level-of-confidence that only a single instance of the Identifier is in existence and that it is located on the signing module.

    2) Signatory Sole Control: the level-of-confidence that only the Signatory can initiate the act-of-signing.

    6.2 Act-of-Signing

    The Act-of-Signing segment of the Electronic Signature Assurance framework has less to do with technology than with creating a state-of-mind at the time-of-signing. The purpose of this segment is to control a class of denials related to the Signatory's state-of-mind previously discussed in Section 4: "it is my signature but I did not intend to sign"; "it is not what I meant when I signed"; or "I did not understand what I was signing".

    To control this class of denials, the design of the act-of-signing process must demonstrate that a state of informed consent existed in the mind of the Signatory at the time-of-signing. That is, the signing process must demonstrate by design, notice, or response that the Signatory was fully aware that a signature execution process was taking place; clearly understood the purpose of signing; and was sufficiently aware of the implications of signing and the resulting obligations or responsibilities.

    The requirement of informed consent originates from an established physical-world legal standard called Legal Sufficiency.15 This legal standard involves two basic elements referred to as Writing and Signature. These concepts combine measurable parameters, including content, with less measurable notions of context, consent and intent. Legal Sufficiency requires that certain transactions, such as contracts, be reduced to writing on paper to be legally enforceable. The requirement is important as it builds awareness that an agreement formation process is taking place and of the implications of signing. The functional purpose of writing was also to create verifiable records of the obligations that are not subject to manipulation, imperfect memory or competing claims. This needs to be recreated in the execution of an electronically signed record. The second element of Legal Sufficiency is called Signature. Legal Sufficiency requires that certain transactions, such as contracts, must not only be reduced to writing but also must contain a signature in order to be legally enforceable. The act-of-signing must clearly establish the identity of the Signatory, and a clear expression of the intent of signing. This also needs to be recreated in the execution of an electronically signed record.

    The Act-of-Signing segment can be subdivided into four technology centric processes and two awareness centric processes, as illustrated in the figure on the next page. Content Rendering, Signatory Validation, Intent to Sign and Signature Creation are technology centric and therefore are measurable and demonstrable. However, Informed Consent and Purpose of Signing are awareness centric and are difficult to measure and demonstrate.

    15 US Department of Justice, Legal Considerations in Designing and Implementing Electronic Processes: A Guide for Federal Agencies, November 2000. http://www.cybercrime.gov/eprocess.htm

    The Act-of-Signing segment of ESA is made up of the following stages:

    1) Content Rendering: The process of ensuring that what was signed was the content that was rendered to the Signatory: What You See Is What You Sign (WYSIWYS).

    2) Signatory Validation: Verifying that the signing module was reliable at the time-of-signing. This is critical to the legal admissibility of the corresponding signature. A signing module is no longer reliable if its corresponding certificate is revoked or expired or if the security of the Identifier and sole control over the signing module is compromised.

    3) Informed Consent: The process of creating a clear understanding of the meaning of the content and the implications of signing.

    4) Purpose of Signing: The process of creating a clear understanding of the purpose of signing, for example to approve, or agree to be bound.

    5) Intent to Sign: The process to ensure that the Signatory's intent to sign (initiate the act-of-signing) is an explicit and unambiguous act that cannot occur inadvertently.

    6) Signature Creation: The process of creating the digital signature.

    The Act-of-Signing segment of the Electronic Signature Assurance framework contributes two metrics-of-reliability to the Digital Chain of Evidence: State-of-Mind and Signature Reliability. The State-of-Mind metric establishes the level of understanding and awareness the Signatory had at the time-of-signing. The Signature Reliability metric determines the robustness of the digital signature.

    In order to determine the level-of-reliability of the Act-of-Signing segment, reliability metrics are defined as follows and illustrated in the figure on the next page.

    State-of-Mind: The state-of-mind of the Signatory at the time-of-signing is difficult to establish. However, a few simple measures can be designed into the signing process to drive awareness, clarify intent, and prevent inadvertent actions. The State-of-Mind reliability metric is composed of the following parameters:

    1) What You See Is What You Sign: The content of what is to be signed must be fully rendered to the Signatory in human readable form at the time-of-signing and what is signed must be exactly what was rendered.

    2) Informed Consent: The level-of-confidence that the Signatory had a reasonable understanding of the content and the implications of signing. The Signatory should be required to indicate they have read and understood the content; however, this does not guarantee that they have.

    3) Purpose of Signing: The level-of-confidence that the Signatory had a clear understanding of the purpose of applying their signature. The Signatory should be required to indicate the reason for signing or the Signatory should receive a notice indicating the purpose of signing, such as to be legally bound.

    Signature Reliability: The reliability of a digital signature is based on whether, at the time-of-signing, the Signatory was in good standing and the act-of-signing was not accidental, and on the robustness of the signature. The Signature Reliability metric is composed of the following parameters:

    1) Signatory Validation: the level-of-confidence that the Signatory was in good standing at the time-of-signing (certificate was valid and signing module was under sole control). The confidence level is also associated with the reliability of the validation information (e.g., time stamped, signed) contained in the response (Certificate Verification Report).

    2) Intent to Sign: The level-of-confidence that the Signatory explicitly intended to initiate the act-of-signing. Clear intent to sign is ensured when a second factor of authentication is required to exercise control over the signing module, that is, to initiate the act-of-signing.

    3) Signature Creation: the robustness of the signature creation process including the hashing function, encryption algorithm and key length.

    6.3 Signed Record

    The signed record formation process discussed in Section 5 yields a record with one or more signatures that is then stored, subsequently transmitted and processed for business purposes and ultimately archived for legal retention purposes. The signed record may at any time be called upon in a discovery request and offered as evidence. The questions then become: Does the signed record contain the necessary information and mechanisms of verification to establish its reliability? Will the reliability level be sufficient for the signed record to be admitted into evidence? What information has been captured about the Signatory(s), the content signed, and the time of critical events during the signed record formation process? In addition, what is the evidentiary quality of the signed record?

    The Signed Record segment of ESA is not a process as in the previous two segments but a series of signed record attributes, illustrated in the figure below, that contribute directly to reliability as follows:

    Signatory Profile: This attribute refers to capturing the Digital Chain-of-Identity. That is, the data objects associated to the Signatory(s) including its certificate, all the Certificate Authority certificates in the certificate path and the corresponding certificate status validation responses received at the time-of-signing. The process of establishing the validity status of the Signatory's certificate involves requesting and receiving a certified (signed) response from the Certificate Authorities in the certificate path at the time-of-signing. Evidence of this verification and its results as an event uniquely associated with the signed content is essential.

    Signature Profile: This attribute refers to capturing the data objects associated with the signing event(s) including the time-of-signing(s), the purpose of signing(s) and the content signed. Note, the Signatory Profile above should be considered an integral part of the Signature Profile.

    Self-Evident: This attribute refers to how the signed record is constructed in terms of its ability to independently verify and convey its authenticity at any given time. If the signed record is self-evident, all the information necessary to verify and convey its authenticity is present (self-contained) and the signed record can be verified in real time without external dependence. If the signed record is a distributed object composed of associated data elements, then the signed record must be reconstructed before its authenticity can be established. A self-evident signed record offers the highest level of assurance for preserving the reliability of the signed record over an extended period of time. It also reduces the storage and archival complexity compared to distributed schemes.

    Audit Trail: This attribute refers to capturing the series of time-based events occurring in the life cycle of the signed record discussed in Section 5. A signed record involves events before and after its signatures that relate to the overall business or transaction context. For example, the time of final content creation and its prior draft versions provide evidence of content awareness and informed consent in the act-of-signing. This Legal Sufficiency requirement of writing was discussed in Section 6.2. In addition, a signed record involved in a business process or transaction involves contextual information related to the intent of the parties, historic information related to the negotiation or case history of the record, prerequisite information such as credit checks and other material information. This information may need to be captured and preserved.

    The Signed Record segment of the Electronic Signature Assurance framework contributes three metrics of reliability to the Digital Chain of Evidence: Rendering, Evidentiary Quality, and Trusted Time.

    In order to estimate the level-of-reliability of each element, reliability metrics are defined for each as follows and illustrated in the figure below.

    Rendering: The ability to accurately and completely render the signed record in human readable form and to convey its authenticity at the time of rendering is very important from both business and legal perspectives.

    The U.S. e-Sign Act articulates this requirement as follows:

    Notwithstanding [General Rule of ES Validity], if a statute, requires that a contract or other record be in writing, [its] legal effect, validity, or enforceability may be denied if such electronic record is not in a form that is capable of being retained and accurately reproduced for later reference by all parties or persons who are entitled.16

    This requirement is articulated by FDA 21 CFR Part 11 as follows:

    The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency.17

    The requirement to accurately and completely render the signed record applies at any time during its retention period. The retention period of a signed record is the same as that of the electronic record.

    The U.S. e-Sign Act articulates this requirement as follows:

    If a rule of law requires that a record relating to a transaction be retained, that requirement is met by an electronic record that: accurately reflects the information set forth in the contract or other record [transaction]; remains accessible to all persons entitled to access for the period required in a form that is capable of being accurately reproduced18

    The authenticity of the signed record relates to establishing that it is what it purports to be. This is achieved by performing integrity checks related to the integrity of the content compared to when it was signed and the validity of the signature(s).

    Evidentiary Quality: The nature of how the signed record was constructed will affect the ability to verify its authenticity and preserve its reliability over time. The Evidentiary Quality metric for reliability is composed of the following parameters:

    1) Self-Verifiable: To what degree is the signed record a self-contained object? It may, in whole or in part, be composed of distributed data elements. That is, does it contain all the information necessary to verify its authenticity without external dependencies?

    2) Tamper Evident: What is the ability of the signed record, its components or its audit trail to detect any unauthorized modifications (i.e., tampering) over its retention period? For example, the certificate validity status response is a digitally signed data object that is verifiable.

    3) Association: What is the nature of the binding between data elements of a signed record? For example, the definitions of an electronic signature discussed in Section 3 define an electronic signature as electronic data affixed to, logically associated or embedded in electronic data (content signed). The robustness of the association will affect reliability. Cryptographically bound objects provide an intrinsic association that is more reliable than non-cryptographically bound objects such as inferred associations of data pointers. For example, a digital signature is the cryptographic binding between the digest and the Identifier (Private Key). This is why a digital signature can be more reliable (if done correctly) than an electronic signature. Also, a Certificate status response cryptographically binds the Certificate Authority's identity to the certificate validity request.

    16 United States Electronic Signatures in Global and National Commerce Act: Section 101 (e)

    17 SP B: Electronic Records: 11:10 Control for Closed Systems (b)

    18 United States Electronic Signatures in Global and National Commerce Act: Section 101 (d)

    Trusted Time: Time is the only invariant reference that is beyond the control of humans, yet time in a computer system is ephemeral, a parameter set by an administrator or a value contained in a data field or record. Time is one of the most important reliability attributes of a signed record.

    The nature of the association between time and data can determine reliability. There are two fundamental ways time is linked to data. The first is inferred by association, for example, when a time value is extracted from a source of time and placed as a value in a data field, such as a record header or file metadata. This is referred to as a Time Mark, as illustrated below, which is an unprotected machine or human readable value representing time. A Time Mark is unreliable as it is susceptible to manipulation without detection.

    The second way time can be linked to data is intrinsically, bound cryptographically, which provides a much higher level-of-reliability. This can be achieved by two means, as illustrated above. The first is called a Time Stamp, which is a Time Mark (value of time) added to content to be signed and cryptographically bound, such as what occurs in a digital signature. However, where and how the time is sourced is also important to reliability. Time Stamps are protected against manipulation by all external individuals. However, they are susceptible to time based manipulation by trusted insiders who have control over the computer systems which manage the data and clocks providing time. It has been said that the ability to control time in a computer system translates into the ability to alter, create or recreate history.19 The second and most reliable cryptographic method is a Trusted Time Stamp. It differs from a generic Time Stamp by providing a verifiable cryptographic association between time from a trusted time source and data, irrespective of who controls the data or computer systems generating time. Cryptographically bound trusted time stamps are part of the ANSI Standard X9.95-2005.

    19 Working draft on Foundations for Digital Evidence, chapter on Digital Evidence, Time and Admissibility, American Bar Association, publication expected November 2007.
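
    The three ways of linking time to data described above can be compared by testing which manipulations each one detects. The following Python sketch is an added example, not part of the white paper: HMAC-SHA256 stands in for a digital signature so that it runs on the standard library alone, and the keys, times, content and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumptions of this sketch: HMAC-SHA256 stands in for a digital signature so
# that only the standard library is needed (a real verifier would hold public
# keys only), and all keys, times and content below are constructed values.
SIGNER_KEY = b"constructed-key-on-the-signing-system"
AUTHORITY_KEY = b"constructed-key-held-only-by-the-time-authority"
TRUE_TIME = "2007-07-16T15:04:05Z"   # what an independent trusted clock reads
FAKE_TIME = "2007-01-02T09:00:00Z"   # the earlier time a manipulator wants shown
CONTENT = b"Agreement text as rendered to the Signatory"


def digest(content):
    return hashlib.sha256(content).hexdigest()


def seal(key, content_digest, time_value):
    """Bind the time value to the content digest under one keyed tag."""
    msg = json.dumps({"digest": content_digest, "time": time_value},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def time_mark(content, clock):
    """Time Mark: an unprotected time value stored beside the data."""
    return {"digest": digest(content), "time": clock, "tag": None}


def time_stamp(content, clock):
    """Time Stamp: the local clock value is bound into the signed data."""
    d = digest(content)
    return {"digest": d, "time": clock, "tag": seal(SIGNER_KEY, d, clock)}


def trusted_time_stamp(content):
    """Trusted Time Stamp: the authority sees only the digest and binds its
    own clock reading to it; the requester's clock is never consulted."""
    d = digest(content)
    return {"digest": d, "time": TRUE_TIME,
            "tag": seal(AUTHORITY_KEY, d, TRUE_TIME)}


def verify(record, content, key):
    """Return True when the record still verifies against the content."""
    if record["digest"] != digest(content):
        return False
    if record["tag"] is None:          # Time Mark: the time cannot be checked
        return True
    expected = seal(key, record["digest"], record["time"])
    return hmac.compare_digest(record["tag"], expected)


def edit_time_field(record, new_time):
    """Anyone with write access to storage overwrites the time value."""
    return {**record, "time": new_time}


def insider_backdate(record, new_time):
    """A trusted insider also controls the signing system, so the record can
    be re-sealed with SIGNER_KEY. The insider does not hold AUTHORITY_KEY."""
    tag = None
    if record["tag"] is not None:
        tag = seal(SIGNER_KEY, record["digest"], new_time)
    return {"digest": record["digest"], "time": new_time, "tag": tag}


def detection_matrix():
    """For each binding, report whether each manipulation fails verification."""
    cases = {
        "time_mark": (time_mark(CONTENT, TRUE_TIME), None),
        "time_stamp": (time_stamp(CONTENT, TRUE_TIME), SIGNER_KEY),
        "trusted_time_stamp": (trusted_time_stamp(CONTENT), AUTHORITY_KEY),
    }
    matrix = {}
    for name, (record, key) in cases.items():
        if not verify(record, CONTENT, key):
            raise RuntimeError("untouched record must verify: " + name)
        matrix[name] = {
            "field_edit_detected":
                not verify(edit_time_field(record, FAKE_TIME), CONTENT, key),
            "insider_backdate_detected":
                not verify(insider_backdate(record, FAKE_TIME), CONTENT, key),
        }
    return matrix


if __name__ == "__main__":
    for name, result in detection_matrix().items():
        print(name, result)
```

    Only the binding made by a party outside the control of the system owner survives both manipulations, which is the distinction the text draws between a Time Stamp and a Trusted Time Stamp.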

    The Trusted Time reliability metric is composed of the following parameters:

    1) Source: What is the level of confidence that the time associated with a data event is the actual time and that it has not been modified? Trusted time stamping standards are intended to ensure the reliability of the time source used by a computer system, referred to as National Timing Authorities (e.g., NIST), and of the time stamp created and associated to data. For further information on trusted time stamping, see Internet Engineering Task Force technical specification RFC 3161 and the American National Standard for trusted timestamp management and security, ANSI Standard X9.95-2005.

    The FDA 21 CFR Part 11 defines the requirement for trusted time stamps as follows:

    Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records.20

    2) Real Time: The real time nature of critical verification checks is important to Signatories and Relying Parties who depend on the results to make decisions. For example, the act-of-signing process discussed in Section 6.2 has a stage called Signatory Validation. A successful signature execution is predicated on a positive certificate status verification result (a valid certificate at the time-of-signing). If signature execution is allowed to proceed based on a Certificate Revocation List based verification check, there is a risk that the Signatory's certificate was in fact revoked at the time-of-signing, allowing for an unreliable signature to be created.

    3) Binding: What is the reliability of binding between time and data events occurring before, during and after the signed record formation process? These unique data events occur over time, creating the transaction audit trail.
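
    The Real Time parameter above can be made concrete with a constructed timeline in which a certificate is revoked between two publications of a revocation list. This Python sketch is an added example, not part of the white paper; the serial number, times, data layout and function names are assumptions made for illustration.

```python
from datetime import datetime, timezone


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed data for one signatory certificate (serial and times are made up).
CERT = {"serial": "0A1B",
        "not_before": utc("2007-01-01 00:00"),
        "not_after": utc("2008-01-01 00:00")}
# The authority's live records: the certificate was revoked at 10:30.
REVOCATIONS = {"0A1B": utc("2007-07-16 10:30")}
# The list the signing application holds was published before the revocation.
CRL = {"this_update": utc("2007-07-16 08:00"),
       "next_update": utc("2007-07-16 20:00"),
       "revoked": {}}                      # serial -> revocation time


def crl_status(serial, crl, at):
    """Status as seen through a periodically published revocation list."""
    if not (crl["this_update"] <= at <= crl["next_update"]):
        return "unknown"                   # the list is not current at `at`
    revoked_at = crl["revoked"].get(serial)
    return "revoked" if revoked_at is not None and revoked_at <= at else "good"


def realtime_status(serial, revocations, at):
    """Status as answered by the authority at the moment of the request."""
    revoked_at = revocations.get(serial)
    return "revoked" if revoked_at is not None and revoked_at <= at else "good"


def signatory_validation(cert, signing_time, status):
    """Allow signature creation only for an in-period certificate in good standing."""
    in_period = cert["not_before"] <= signing_time <= cert["not_after"]
    return in_period and status == "good"


def exposure_window(serial, revocations, crl):
    """How long the published list keeps reporting a revoked certificate as good."""
    revoked_at = revocations.get(serial)
    if revoked_at is None or serial in crl["revoked"]:
        return None
    if revoked_at > crl["next_update"]:
        return None
    return crl["next_update"] - max(revoked_at, crl["this_update"])


def compare_checks(signing_time):
    """Run Signatory Validation with both status sources for one signing time."""
    via_crl = crl_status(CERT["serial"], CRL, signing_time)
    via_realtime = realtime_status(CERT["serial"], REVOCATIONS, signing_time)
    return {
        "crl": (via_crl, signatory_validation(CERT, signing_time, via_crl)),
        "realtime": (via_realtime,
                     signatory_validation(CERT, signing_time, via_realtime)),
    }


if __name__ == "__main__":
    print(compare_checks(utc("2007-07-16 11:00")))
    print(exposure_window(CERT["serial"], REVOCATIONS, CRL))
```

    At 11:00 the list-based check still allows signature creation while the real-time answer refuses it, and the window in which this can happen lasts until the next list is published.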

    6.4 The Digital Chain of Evidence

    Sections 6.1 through 6.3 discussed the Electronic Signature Assurance risk management framework, which is composed of three segments: Signing Module, Act-of-Signing, and Signed Record. Each segment, in turn, was defined by a process that was evaluated by a set of reliability metrics. The Digital Chain of Evidence (DCOE) is constructed from the concatenation of the reliability metrics from each segment, as illustrated on the next page.

    20 SP B: Electronic Records: 11:10 Control for Closed Systems (e)

    The DCOE is a generic construct of evidence that does not prescribe a level-of-reliability. It simply offers as evidence the electronic data associated with a signed record and its audit trail, in combination with details as to how the signing module was provisioned and how the act-of-signing occurred. The DCOE can be used to evaluate the overall reliability of a signed record by evaluating how the Signing Module (Section 6.1) was provisioned, how the Act-of-Signing was executed (Section 6.2) and how the signed record was constructed and stored (Section 6.3). This is in turn accomplished by assessing the parameters that characterize each metric of reliability, as illustrated below. The DCOE is only as strong as its weakest link. For example, if a Signatory loses sole control over the act-of-signing, the signed record is not reliable irrespective of the strength of the rest of the chain.

    7. The Digital Chain of Admissibility: Meeting Legal Standards & Regulatory Requirements

    As mentioned previously, the DCOE does not prescribe a level of reliability. The electronically generated data forming the Digital Chain-of-Evidence may be offered as evidence in a court-of-law, but whether it will be admitted into evidence requires demonstrating that it is sufficiently reliable. The key question becomes: what is sufficiently reliable?

    Guidance on the standards of evidence to be met is provided by the Federal Rules of Evidence.21 However, this guidance must be interpreted with the ever increasing context of electronic records. This subject is considered beyond the scope of this white paper and the reader is referred to the recent work on digital evidence by the American Bar Association.22

    In general, the level-of-reliability must be appropriate for the purpose of the signed record, the legal significance of the act-of-signing, and the nature and level of the risks, including consideration of the damages that can ensue from the failure of any Signatory to fulfill its obligations. Consequently, the level-of-reliability should be established on a case by case basis.

    The UN Model Law articulates the required level-of-reliability as follows:

    Where the law requires a signature of a person, that requirement is met if an electronic signature is used which is as reliable as was appropriate for the purpose for which the data message [agreement] was generated23

    21 Federal Rules of Evidence: http://judiciary.house.gov/media/pdfs/printers/109th/31310.pdf

    22 Working draft on Foundations for Digital Evidence, American Bar Association, publication expected Nov. 2007.

    23 UNCITRAL Model Law on Electronic Signatures Article 6.1

    Without the context of what is being signed, the purpose of a signature is undetermined. The level-of-reliability is associated with the purpose of the act-of-signing, the intent of what is being signed. The act-of-signing has a number of intended effects, some with more legal significance than others, as illustrated below. Consider the following intended effects of signing.

    Clearly there is a difference in the legal significance between signatures with the intent to assign legal ownership of intellectual property (Assignment) as compared to a log of attendance at an event (Presence). Consequently, the purpose and legal significance of the act-of-signing establishes its commensurate level-of-reliability. If the purpose of a signed record is to provide internal approval, the level-of-reliability does not necessarily have to abide by the same external legal standards, as accountability can be taken care of by established corporate practices and policies.

    The appropriate signed record level-of-reliability can be defined as follows:

    sufficiently reliable commensurate with the legal significance of the act-of-signing and the nature and risk of the transaction.24

    The Digital Chain-of-Evidence is intended to be designed to a prescribed level of reliability. For example, if the objective is to ensure that signed records are deemed admissible into evidence in a court-of-law, the chain must be designed to meet both the requirements set forth by electronic signature legislation and the legal standards established by precedence. Similarly, in the case of regulated processes such as New Drug Applications submitted electronically, the reliability will be governed by 21 CFR Part 11. Consequently, the chain must be designed to meet the general requirements of 21 CFR Part 11 or the more specific requirements established under the SAFE standard.25 Note, both the legal and SAFE standard are aligned with the core objective of legal admissibility. Different standards and their level of assurance are conceptually illustrated in the figure on the next page.

    24 Jacques R. Francoeur

    25 http://www.safe-biopharma.org

    8. Conclusion

    In order to ensure that digitally signed records will be admitted into evidence (deemed legally admissible), the level of reliability of the signing method must be architected to a prescribed level. To achieve this, a reference architecture is required to identify and define the elements that contribute to the reliability of a signed record. Electronic Signature Assurance is an electronic signature risk management framework that defines a measurable reference architecture called the Digital Chain of Evidence. Electronic Signature Assurance is composed of three segments: Signing Module, Act-of-Signing and Signed Record. Each segment in turn is defined by a process that defines the critical stages that contribute to reliability. Each segment has reliability metrics that can be used to evaluate the reliability of the segment process. The concatenation of the reliability metrics forms the reference architecture, the Digital Chain of Evidence. This model and architecture is illustrated in the figure below. The Digital Chain of Evidence can be designed to meet a specific level-of-reliability, such as legal standards, resulting in a Digital Chain-of-Admissibility.

    Electronic signature legislation such as the U.S. e-Sign Act ensures the non-discrimination o electronic signatures and records solely on the grounds o being inelectronic orm. It does so by ensuring their legal eect and validity. The requirementor admissibility is predicated on the level-o-reliability o the signed record and itsormation process. The objective is to start rom legal eect and validity, as providedby electronic signature legislation, and reach legal admissibility, a prerequisite oenorceable signed records, by designing a Digital Chain-o-Evidence that is sufcientlyreliable to meet the legal standard, as illustrated in the fgure below.

    The method o achieving the admissibility standard is to ensure: the Signing Moduleis sufciently reliable (a strongly vetted Signatory and trustworthy Signing Moduleprovisioning process); a responsible act-o-signing, involving a clear state-o-mind atthe time-o-signing (inormed consent, purpose o signature, intent to sign, awarenesso obligations or responsibilities); and a clear act o initiation (Signatory was theonly individual that could have initiated the act-o-signing); the signed record wasconstructed, preserved and rendered in a way demonstrates accuracy, completenessand verifable authenticity.

    In summary, a reliable electronic signature application is one that captures, preserves, retrieves, verifies, makes available and renders in human readable form anytime during the retention period, the authentic content, context, intent, identity and time to a level-of-reliability commensurate with the legal significance of the act-of-signing and the nature and risk of the transaction.


    About the Author

    Jacques R. Francoeur (B.A.Sc., M.A.Sc., MBA)
    VP, Professional Services, ProofSpace

    As Vice President of Professional Services at ProofSpace, a company specializing in high assurance digital evidence, Francoeur is responsible for professional services and thought leadership. As a domain expert and evangelist in trusted electronic business and legal admissibility of electronically stored information, Francoeur regularly authors white papers and makes presentations internationally.

    As Executive Director of the Bay Area CSO Council, a nonprofit member-based organization, Francoeur manages a trusted virtual community of leading Bay Area Chief Security Officers (CSO), and hosts private and public CSO round tables.

    Previously, as Sr. Marketing Manager and Information Assurance Evangelist at Adobe Systems, Francoeur was responsible for field enablement, customer advocacy, messaging, and executing go-to-market strategies for Adobe's Enterprise Rights Management and Digital Signatures solutions.

    Francoeur founded TrustEra and Forensic Signature Corp., specializing in the fields of enterprise electronic risk management and high assurance digital signatures, respectively. Francoeur also served as an instructor of Trusted e-Business and Trusted e-Systems at the University of California, Berkeley Extension. His 20-year career in the technology industry also includes a stint as KPMG's National Privacy Support Manager, Director of Trust Practices at NetFront Communications, and Director of Trust Practices at CertifiedTime (under contract).

    Francoeur is an experienced public speaker and established author and is often invited to speak on the legal, regulatory and technical aspects of electronic business assurance, including digital accountability, digital trust management and digital signatures. Francoeur holds a Bachelor's degree in Aerospace Engineering and a Master's degree in Applied Science from the University of Toronto. He earned his MBA from Concordia University in Montreal.