Sunday, April 6, 2014

The EU's "advanced" electronic signature is retrograde

Like the term "Big Brother," the European Union's (EU) "advanced" electronic signature is an oxymoron designed to impress you with self-proclaimed goodness, but is in fact retrograde and certainly not advanced.  Adoption and interoperability remain poor and put too much onus on individuals and trusting unknown entities.

English author George Orwell wrote all about such government Newspeak in his famous novel, 1984.  Committees, governments and big corporations try these FUD tactics (fear, uncertainty and doubt) all the time because they work more often than not.  It's your advantage in life to see through the blather.

Public key infrastructure (PKI)


PKI has been around since the early 1970s, a product of British intelligence.  It's useful in many scenarios, and the world wide web relies on it for the HTTPS protocol, though even that would work well for most without a PKI requirement.

RSA and other PKI vendors have led "Year of PKI" celebrations at least since 1996.  It's been declared "dead" just as many times and such declarations of death are often interwoven with declarations of its grand dominance.  Renowned cryptography expert Bruce Schneier provides good insights in his Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure.

There are numerous reports of stolen digital certificates, stolen private keys, hacked certificate authorities, after-the-fact certificate revocation lists, etc., including a long-lived Windows trojan called ZeuS that now makes use of "stolen" digital certificates assigned to Microsoft.  Of course, a digital certificate is supposed to be public, so stealing one should have little value whatsoever.  I mean, every HTTPS web site gives you it's certificate freely and your browser comes pre-loaded with many "trusted" certificate authorities (if you've never heard of them, how can you trust them?).  But PKI relies on a chain of trust, so it's only as trustworthy as its weakest link, and there are innumerable weak links as recently demonstrated by the ZeuS exploit.

Unlike a certificate, if your private key itself is compromised, all bets are off, which is precisely why it's so odd that some large e-signature vendors put their entire customer base at risk by using a single signing key for every document signed by every person.  One large vendor just uses a salt+message digest of your document instead of a digital signature even though a simple database update of the document with the newly computed message digest would make the so-called "authoritative copy" a fraud.

Bad security remains the norm at loud companies (i.e. big spenders on marketing and freebies) that demonstrably value profits and market share over quality and customer concern.  Say it loudly and often and hope people come to believe it's true.  We continue to read about competitors, even those built on a PKI, that don't even encrypt your private documents containing personal and private information when stored, leaving them open to perusal simply by querying for it.

Despite the reality of PKI issues, vendors, EU committees and international standards bodies (how many of you use their "advanced" OSI model of networking rather than the Internet?) continue to claim that you need a PKI in order to have an "advanced" electronic signature.  If it weren't so real for millions, the best advice would be to ignore it until it goes away.  It's really a shame, too, because the EU has a perfectly good electronic signature law modeled on the U.S. E-Sign Act of 2000.  Some just cannot believe that their technobabble isn't required by law and are trying to trick you into thinking you have to be old school in order to be advanced.  It's not just the EU either: before the U.S. E-Sign Act, very few e-signatures were performed in the United States because state laws also mandated a PKI. 

For e-signatures, PKI just hasn't been workable.  The costs of deployment are high.  Scaling and interoperability are hard.  The issues of trust remain unresolved.  Most computers and networks are notoriously insecure.  Users are often clueless about such details -- and rightly so.  Even so-called secure cards have to be connected to these very computers and networks and be operated by these very users.  (Just watch President Clinton look over the shoulder to see the short PIN entered by Prime Minister Ahern and then exchange their "smart" cards. If leaders of nations can't be trusted to do this correctly, you are right to wonder if any other folks will be better at it.)

Most prefer service providers


Would you consider getting rid of banks because they are too insecure?  I mean, clearly you should keep your money in a safe in your home and transport it using armed couriers all controlled solely by yourself.  Why would you trust an intermediary like a bank to keep your money safe and allow simple transactions by check, ATM, debit card or wire transfer when it doesn't even keep your deposited money in that very bank's vault?

How about credit card companies?  Clearly they are not secure, again allowing money to move easily just by entering some numbers into an online store or providing it to other merchants for payment processing.

The post office, FedEx and UPS certainly cannot be trusted.  You should delivery your packages directly, keeping them in your sole custody to ensure nothing goes amiss until you have handed to your intended recipient.

Obviously, few consider using cash and delivering your own mail and packages to be more "advanced" than banks, credit cards and delivery services.  But some do.

For most, the use of an intermediary with the special skills and technology, system monitoring and forensic capabilities for troubleshooting should problems arise is the most advanced way to go.  We place trust in banks, credit card companies and FedEx not because they prevent all thefts of cash, prevent all fraud and never lose a package, but because they do a very good job, are cost effective, reliable, easy to use, and when things do go wrong, they have mechanisms in place to resolve them.

Advanced web-based electronic signatures


If you want a truly advanced e-signature system, we recommend using a proven technology that puts your privacy and data security ahead of making money and growth at all costs, and certainly ahead of requiring retrograde technology.  Such an e-signature system can remove a rogue user simply by deactivating his/her account to prevent ongoing problems, not punt the issue by putting the bad actor's certificate into a revocation list and hoping you checked it before, during and after every transaction.

Such an e-signature company likely does not give you freebies to induce you to sign up.  Such a company will keep your data encrypted better than you can, while also making it available to you using any of your web-capable devices at any time from any location.  Such a company will use advanced digital signature technologies to ensure documents can be verified as authoritative for the foreseeable future.  Such a company will allow for performing transactions easily and quickly with billions of people across the world.  Such a company will use standards where they make the most sense from a practical perspective to protect your investment and avoid vendor lock-in.  Such a company will not keep its technology proprietary and hidden from review.  Such a company is unlikely to be built by a committee.

Yozons is such a company.

Don't let words fool you.  A truly advanced electronic signature can be had today, and it most certainly does not rely on retrograde PKI.

Friday, April 4, 2014

High volume seasonal hiring made easy, well, easier

For this installment, I'd like to discuss a large merchandising company that does high volume seasonal hiring, mostly to meet the demands of the large retails they service.

During peak hiring, over 500 people on any given day are in some stage of the online hiring process, from initial filling out a job application, to interviewing, through internal approval, store assignment, completing various new employee documents, I-9 and e-Verify, and finally payroll setup.  Much of the rest of the year, volumes are lower as they do maintain an ongoing hiring process year-round.

This company's web-based onboarding package of documents consists of over 25 forms and includes the job application, questionnaire, EEO survey, background check authorization, and various government forms like the W-4, I-9 and state tax withholding forms.

A powerful routing capability was custom developed for their hiring process on top of the Yozons e-signature platform.  Based on the applicant’s geographical location, the package of documents is assigned to an area manager.  The area manager does the initial review and then assigns the package to a specific store manager to determine whether to hire the candidate or not.  Alternatively, the area manager can override the area manager step and simply send the hiring package directly to the applicant.  Once hired, the package of documents is sent to the employee to complete all of the onboarding paperwork.  The package is then routed to the store manager to verify the employee's identity for the Federal Form I-9, and then it's routed to payroll.

With government and legal compliance concerns (i.e. “Failing to comply with Form I-9 requirements” is $110 to $1100 fine per employee -- see http://www.uscis.gov/i-9-central/penalties), this customer’s core requirement is to ensure legal compliance, to decrease the time to process all of the hiring paperwork, as well as the ability to search for onboarding packages from the past and to keep up-to-the-minute status of ongoing new hires.

Yozons rapidly built a custom HR onboarding system using our enterprise web service software.   This customer has been using their system since 2007, and they have yearly requirements to keep their system modern, useful and up-to-date with HR laws and regulations.  With this custom solution they are able to coordinate their hiring with over 100 HR staff spread across a large multi-state region.

Tuesday, April 1, 2014

PKI Digital Signature company acquires patent license

In a prior blog posting about our patent licensee who is in an unrelated marketplace of instant income verification, we discussed much about how patent law works.

Today, we will discuss a "tangentially related" competitor in the marketplace.  In the European Union (EU), so-called "advanced" electronic signature laws tend to favor solutions built on public key infrastructure (PKI), just like myriad antiquated U.S. state laws prior to the U.S. E-Sign Act of 2000.  Adoption of electronic signatures has suffered in the EU because such solutions are harder to deploy, just as they are in the U.S.

The EU has an advantage in that many of its countries are much smaller than the U.S., and they are able to roll out government-based electronic IDs that are built around a PKI.  This more closely mirrors how our states are able to issue driver's licenses, though no state offers an eID.  Of course, the EU still suffers with interoperability across national boundaries and other issues in this regard, but the U.S. is unlikely to adopt a federal eID anytime soon as we've never had a national ID.

Our recent patent licensee is a software vendor in the United Kingdom that offers a PKI-based server platform with a web front end for the purpose of electronically signing documents.

While they make use of a PKI, their web users in particular are able to effect electronic signatures built on digital signatures on the server alone, without the users on their web browsers having to download software, generate/manage encryption keys, exchange keys, etc.  Under that scenario, our patent came into play, and so they purchased a license that covers both their server product and the web-based front-end product that is also operated as a service (SaaS, web site).

With the patent license, the company, its investors and all of its customers are fully protected. That's a smart business decision.

We were able to negotiate a fair one-time royalty on favorable terms to them because they approached Yozons and concluded a license agreement quickly and professionally.   Naturally, royalty rates are higher for those who do not willingly purchase a license, with the highest rate for those who must be sued into compliance.