Sunday, April 6, 2014

The EU's "advanced" electronic signature is retrograde

Like the term "Big Brother," the European Union's (EU) "advanced" electronic signature is an oxymoron designed to impress you with self-proclaimed goodness, but it is in fact retrograde and certainly not advanced.  Adoption and interoperability remain poor, and the scheme puts too much onus on individuals and on trusting unknown entities.

English author George Orwell wrote all about such government Newspeak in his famous novel, 1984.  Committees, governments and big corporations try these FUD tactics (fear, uncertainty and doubt) all the time because they work more often than not.  It's your advantage in life to see through the blather.

Public key infrastructure (PKI)

PKI has been around since the early 1970s, a product of British intelligence.  It's useful in many scenarios, and the world wide web relies on it for the HTTPS protocol, though even that would work well for most without a PKI requirement.

RSA and other PKI vendors have led "Year of PKI" celebrations at least since 1996.  It's been declared "dead" just as many times and such declarations of death are often interwoven with declarations of its grand dominance.  Renowned cryptography expert Bruce Schneier provides good insights in his Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.

There are numerous reports of stolen digital certificates, stolen private keys, hacked certificate authorities, after-the-fact certificate revocation lists, etc., including a long-lived Windows trojan called ZeuS that now makes use of "stolen" digital certificates assigned to Microsoft.  Of course, a digital certificate is supposed to be public, so stealing one should have little value whatsoever.  I mean, every HTTPS web site gives you its certificate freely, and your browser comes pre-loaded with many "trusted" certificate authorities (if you've never heard of them, how can you trust them?).  But PKI relies on a chain of trust, so it's only as trustworthy as its weakest link, and there are innumerable weak links, as recently demonstrated by the ZeuS exploit.

Unlike a certificate, if your private key itself is compromised, all bets are off, which is precisely why it's so odd that some large e-signature vendors put their entire customer base at risk by using a single signing key for every document signed by every person.  One large vendor just uses a salt+message digest of your document instead of a digital signature, even though anyone with write access to the database could replace the document, recompute the message digest, and turn the so-called "authoritative copy" into a fraud.
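The digest-versus-signature point in the paragraph above, shown as an added example that is not part of the original post and not any vendor's code.  It models the stored record of a "salt + message digest" scheme and shows that a plain database update can replace the document and recompute the digest so that the record still verifies.  It then applies the same update to a record protected with a key held outside the document database.  The HMAC used here is a stand-in for the digital signature the post advocates: both detect the rewrite, and a real signature additionally lets third parties verify with a public key.  The document text, the salt length and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample document (not from the original post).
DOCUMENT = b"Agreement: Alice sells Bob one bicycle for 200 EUR. Dated 2014-04-06."

# Assumption: a key that lives outside the document database (e.g. in an HSM
# or key service), so a database write alone cannot reach it.
SIGNING_KEY = secrets.token_bytes(32)


def store_with_digest(doc):
    """The 'salt + message digest' record: everything needed to recompute
    the check value is stored right next to the document."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + doc).hexdigest()
    return {"doc": doc, "salt": salt, "digest": digest}


def verify_digest(record):
    expected = hashlib.sha256(record["salt"] + record["doc"]).hexdigest()
    return hmac.compare_digest(expected, record["digest"])


def rewrite_digest_record(record, new_doc):
    """What a single database update can do when no key is involved:
    swap the text and recompute the digest over the same salt.
    The result still passes verify_digest(), so the 'authoritative copy'
    is a fraud that the scheme cannot detect."""
    forged = dict(record)
    forged["doc"] = new_doc
    forged["digest"] = hashlib.sha256(record["salt"] + new_doc).hexdigest()
    return forged


def store_with_mac(doc, key):
    """Keyed record: the tag depends on a key the database does not hold.
    HMAC stands in for a digital signature for this illustration."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(key, salt + doc, hashlib.sha256).hexdigest()
    return {"doc": doc, "salt": salt, "tag": tag}


def verify_mac(record, key):
    expected = hmac.new(key, record["salt"] + record["doc"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def demo():
    """Run both schemes against the same document rewrite and report
    which stored records still verify afterwards."""
    altered = DOCUMENT.replace(b"200 EUR", b"20 EUR")

    digest_record = store_with_digest(DOCUMENT)
    forged_digest = rewrite_digest_record(digest_record, altered)

    mac_record = store_with_mac(DOCUMENT, SIGNING_KEY)
    # Without the key the best a database write can do is change the text;
    # the stored tag no longer matches, so verification fails.
    forged_mac = dict(mac_record, doc=altered)

    return {
        "original_digest_ok": verify_digest(digest_record),  # True
        "forged_digest_ok": verify_digest(forged_digest),    # True: undetected fraud
        "original_mac_ok": verify_mac(mac_record, SIGNING_KEY),  # True
        "forged_mac_ok": verify_mac(forged_mac, SIGNING_KEY),    # False: detected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical check this suggests for any "authoritative copy" feature is simple: ask whether the value proving integrity can be recomputed from data the storage layer already holds.  If it can, the copy proves only that the database is internally consistent, not that the document is the one that was signed.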

Bad security remains the norm at loud companies (i.e. big spenders on marketing and freebies) that demonstrably value profits and market share over quality and customer concern.  Say it loudly and often and hope people come to believe it's true.  We continue to read about competitors, even those built on a PKI, that don't even encrypt your private documents containing personal and private information when stored, leaving them open to perusal simply by querying for them.

Despite the reality of PKI issues, vendors, EU committees and international standards bodies (how many of you use their "advanced" OSI model of networking rather than the Internet?) continue to claim that you need a PKI in order to have an "advanced" electronic signature.  If it weren't so real for millions, the best advice would be to ignore it until it goes away.  It's really a shame, too, because the EU has a perfectly good electronic signature law modeled on the U.S. E-Sign Act of 2000.  Some just cannot believe that their technobabble isn't required by law and are trying to trick you into thinking you have to be old school in order to be advanced.  It's not just the EU either: before the U.S. E-Sign Act, very few e-signatures were performed in the United States because state laws also mandated a PKI. 

For e-signatures, PKI just hasn't been workable.  The costs of deployment are high.  Scaling and interoperability are hard.  The issues of trust remain unresolved.  Most computers and networks are notoriously insecure.  Users are often clueless about such details -- and rightly so.  Even so-called secure cards have to be connected to these very computers and networks and be operated by these very users.  (Just watch President Clinton look over Prime Minister Ahern's shoulder to see the short PIN he enters, and then watch the two of them exchange their "smart" cards.  If leaders of nations can't be trusted to do this correctly, you are right to wonder if any other folks will be better at it.)

Most prefer service providers

Would you consider getting rid of banks because they are too insecure?  I mean, clearly you should keep your money in a safe in your home and transport it using armed couriers all controlled solely by yourself.  Why would you trust an intermediary like a bank to keep your money safe and allow simple transactions by check, ATM, debit card or wire transfer when it doesn't even keep your deposited money in that very bank's vault?

How about credit card companies?  Clearly they are not secure, again allowing money to move easily just by entering some numbers into an online store or providing it to other merchants for payment processing.

The post office, FedEx and UPS certainly cannot be trusted.  You should deliver your packages yourself, keeping them in your sole custody to ensure nothing goes amiss until you have handed them to your intended recipient.

Obviously, few consider using cash and delivering your own mail and packages to be more "advanced" than banks, credit cards and delivery services.  But some do.

For most, the use of an intermediary with the special skills and technology, system monitoring and forensic capabilities for troubleshooting should problems arise is the most advanced way to go.  We place trust in banks, credit card companies and FedEx not because they prevent all thefts of cash, prevent all fraud and never lose a package, but because they do a very good job, are cost effective, reliable, easy to use, and when things do go wrong, they have mechanisms in place to resolve them.

Advanced web-based electronic signatures

If you want a truly advanced e-signature system, we recommend using a proven technology that puts your privacy and data security ahead of making money and growth at all costs, and certainly ahead of requiring retrograde technology.  Such an e-signature system can remove a rogue user simply by deactivating his/her account to prevent ongoing problems, not punt the issue by putting the bad actor's certificate into a revocation list and hoping you checked it before, during and after every transaction.

Such an e-signature company likely does not give you freebies to induce you to sign up.  Such a company will keep your data encrypted better than you can, while also making it available to you using any of your web-capable devices at any time from any location.  Such a company will use advanced digital signature technologies to ensure documents can be verified as authoritative for the foreseeable future.  Such a company will allow for performing transactions easily and quickly with billions of people across the world.  Such a company will use standards where they make the most sense from a practical perspective to protect your investment and avoid vendor lock-in.  Such a company will not keep its technology proprietary and hidden from review.  Such a company is unlikely to be built by a committee.

Yozons is such a company.

Don't let words fool you.  A truly advanced electronic signature can be had today, and it most certainly does not rely on retrograde PKI.

2 comments:

  1. Your post provides very accurate and interesting information about the development of electronic signatures, although I don't quite agree with some who claim that they are extremely useful for small-sized enterprises. eSignature

    Replies
    1. I'm suspicious of any general claim of being "extremely useful," but you didn't mention who the "some who claim" are. Even "small" is a tricky term. We do have customers from 1-person entities to the largest (though they tend to be run in departments/divisions with 5-500 users). If you do little contracting, there's little benefit. If you do a fair amount, you'll find it faster and cheaper and easier for those you are doing business with, plus your documents will be easily available to you. If it doesn't make sense, don't do it!