CONTENTS
Home Page
Articles of interest to small business
Small business books for sale
Glossary of small business terms
Business to business services
Tax hints and advice
Doing business with the U.S. Government
Small business information for each U.S. State
Small business FAQ's
Checklists
Book Reviews
Stock Quotes
Small business related newsgroups
Links: Small Biz/Favorites/Searching
Advertising information for this site
Website design services
Who we are
How to contact us

The Advisor
------------

Who Am I? Securing Documents and Electronic Signatures
by Greg Welsh

Since October, 2000, when the U.S. Congress enacted the Electronic Signatures in Global and National Commerce Act(1) ("ESIGN") businesses have had the ability to enter into binding contracts executed electronically. Prior to the enactment of the ESIGN legislation, the privacy and authentication of electronic correspondence was achieved through the use of individual digital signatures or server-side certificates. Digital IDs prove that a message was sent by the sender and can secure the transmission channel between sender and receiver; with ESIGN, they are components of legally enforceable agreements executed electronically.

We're going to discuss server-side secure sockets layer (SSL) certificates in a future column. Today our topic is document authentication, and how you can ensure that the document you sent to a client or a customer is secure and can serve as a legally enforceable contract.

Obtaining a digital ID is easy (using it is a bit more complex). To get your digital ID, simply visit the web site of an issuing authority such as GeoTrust or VeriSign ,complete the application form and pay your fee, and you can immediately start sending digitally signed messages. This means, simply, that recipients will know that you sent the message - it's a bit of protection against "spoofing," a trick spammers use to forge identities on the internet. However, if you want to encrypt the message, which means that it travels over the internet in a more secure scrambled form, your correspondent will also need a digital ID, and you will have to exchange public keys. It's a bit of a two-step, but once you've set it up, you can go on with business as usual.

So, to review: you've got a digital ID that allows you to be known as the sender of a document. And, if your correspondent also has a digital ID and you've exchanged keys, the communication between you can be encrypted as it travels over the internet, keeping it safe from prying eyes (let's not get too far into the question of who can penetrate the encryption or how that encryption can be compromised by intelligence operatives or other parties with nefarious motives). But the question remains: how can your correspondent be sure that the document you've sent - whether it's a contract, purchase agreement, or business proposal - is exactly the document you created? And if the authenticity of the document is challenged, what authority will vouch for its integrity?

Here's where the electronic postmark (EPM) of the United States Postal Service (USPS) comes into play. With EPM, the who, what, and when of a document's creation and transmission can be established such that it is legally enforceable under the terms of the ESIGN legislation. You need a digital ID to use electronic postmarks (to prove who sent the message). What you get from the EPM is proof of what you sent - a digital code for your document - and when you sent it, using time stamps derived from official clocks run by the U.S. National Institute of Standards and Technology (NIST). For more on time-stamping, see my tip in this week's "Information Technology Weekly" page on this web site.

Many of the protections you buy when using EPMs are what you would expect in the online environment, although you might be surprised to learn that neither AuthentiDate, the service provider for EPMs, nor the USPS ever have possession or knowledge of the content of your document. The document's digital identity is derived using mathematical wizardry and the resulting "hash code" (geek speak for proving that something is authentic and unmodified) is all that is stored on their servers in the event verification is needed later. Otherwise, you'll find the usual security and encryption techniques: 128-bit secure sockets layer (SSL) encryption for your transactions, PKI standards endorsed by the American Bar Association, and standards-based interfaces for applications (more on this later).

Using an EPM also buys you other protections because of the numerous federal laws that govern the use of U.S. Postal Service. Any interference with postal service operations, including the EPM, may result in criminal investigation and prosecution. Further, the USPS retains records of EPM transactions for seven years; this provides you some assurance that if a dispute arises during this period you will have the appropriate proof necessary to uphold your end of the transaction.

So what does all this cost? Let's start with time. Your total time investment will be between one and two hours, depending on how curious you are: 1) read this article, 2) go on the web, choose a digital certificate provider and sign up, 3) visit the USPS EPM site and enroll in the program, and 4) download and install the appropriate extensions to link the EPM program to your applications (such as Microsoft Word). That's less than an hour - the second hour is yours to spend reading about the program, perusing Microsoft's documentation, and getting wise in the ways of digital signatures. If you are content to use the one digital certificate provider that is partnered with the USPS you can shave some time off step two by not researching or purchasing from other digital ID vendors.

On the money side, your financial investment will be about $20 for each digital certificate (most small businesses will only need one) plus the cost of your EPMs, which you purchase in blocks ranging from 25 for $20 (80 cents each) to 10 million (just a dime each if you're willing to plunk down a cool million bucks). Typical small business usage might run in the range of fifty cents or so for each EPM. Think of it as postage on a sliding scale using volume discounts, with one important difference: EPMs, unlike stamps, must be used within one year of purchase, and no refunds are available for unused EPMs.

While businesses large enough to need 10 million electronic postmarks annually are not part of the Small Business Advisor's core audience, there is a point at which a small business might have enough volume to use the software development kits that will allow EPMs to be integrated into business software applications. Using software development and application integration will cost more up front than the numbers provided above - but if your business can cost-justify the investment, the tools are available to provide the security of EPMs in an efficient and effective business process, reducing operating expenses and increasing information technology's contribution to the bottom line. Software development kits are available for both Microsoft Windows and Sun's Java environments, so whether your business uses Windows, Macintosh, or Unix, there's a kit for you.

Information on the USPS EPM program can be found at the USPS web site or at the web site of AuthentiDate, a company that today is the sole contractor whose content authentication technology is the underpinning of the USPS EPM program.

Contact Greg Welsh for more information.

Return to top of page - Return to homepage