Digital Signatures: Philosophically Speaking

There is nothing magical about digital signatures. They are simply an electronic mark used to signify a promise and to cement faith in the document or transaction to which that promise is attached. Some day digital signatures will be as commonplace among CAD professionals as the human readable “wet stamp” is today. However, it must also be said that, just as CAD did not make architects more creative, digital signature technology will not make engineers more trustworthy.

The technology to use digital signatures has been around for well over 20 years, and a wide variety of software tools exist today that make digital signatures easy to use on almost any platform. So why is the use of digital signatures not more widespread? Primarily because the utopian dream of a paperless world has yet to materialize.

So long as hardcopy on paper is regarded as the authentic “record” version of a document, digital signatures are virtually useless. Even if new buildings are designed completely in CAD, an architect’s digital signature simply won’t mean anything if downstream consumers of the building design require a paper blueprint. The true benefits of a paperless world simply can’t be realized until every link in the chain has joined the digital club. So long as even a single node on the distribution tree requires a human readable method of verifying authenticity, the architect is forced to use a handwritten wet signature on paper blueprints from the very start.

Handwritten signatures can be scanned into an electronic format, but then they lose their putative value because a digital facsimile is so easily reproduced. Therefore only original and unique handwritten wet signatures are trustworthy in a human readable form. Digital signatures do not translate to paper because they are not human readable. Therefore digital signatures only have value for a document in electronic form. This maxim is fundamental to a proper understanding of the emerging digital signature technology: digital data can only be securely signed by computers; and human readable documents can only be securely signed by humans.

I see many people in the CAD industry looking for a hybrid solution to this paper vs. digital dilemma by using a “digitized signature” (i.e. handwritten on paper, then scanned into electronic format) so that printed output contains this digitized signature. This cannot even remotely be considered a digital signature! There is simply no such thing as a secure printed digitized signature. Yes, you can digitally sign a document that has an embedded digitized signature, but once it is printed, that digitized signature is not worth the paper it’s printed on. Not only could that signature be stolen from the document and used maliciously, there is no way to tell from the signature alone whether or not it has already been stolen and used maliciously.

The only hybrid approach that is practical and legally sound is to use digital and wet signatures in parallel. Using an architect as an example, this would mean creating and disseminating two sets of signed documents: the CAD model of a building (perhaps converted into a common 2D format like PDF, DWFx, or XPS) with the architect’s digital signature and paper blueprints with the architect’s individually handwritten wet signature.

A number of companies claim to sell some sort of hybrid solution involving the creation of a secure digitized signature. This is simply capitalism — selling something useless just because there is a market for it. A digitized signature is only secure if it is never used. I’ve heard the rationalization that the digitized signature printed on paper meets a psychological need for people accustomed to seeing one, even if it has no legal value. In my opinion, such pandering borders on deception and serves only to further alienate digital signature technology from those who would benefit from it. This sort of abuse is typified by an emailed PDF file consisting of a scanned document with a handwritten signature. In such cases, checking the sender’s email address likely becomes the most reliable way to verify the document’s trustworthiness. Spam filters bear witness to the fact that the sender’s email address is the most important (and often the only) criterion we use in determining the level of trust to place in emailed documents. This is an important point to keep in mind.

The act of applying a digital signature requires the use of a secure private key, but the digital signature alone does not provide security in any way. Digitally signing a document does not prevent it from being modified or stolen. In that respect it is no different than a handwritten wet signature. However, unlike a wet signature that cannot be easily duplicated, a digital signature does not prevent a signed document from being copied. This does not make digital signatures inferior. On the contrary, making copies is necessary and commonplace in the digital world, so the fact that exact copies of digitally signed documents are still trustworthy is a huge benefit over handwritten signatures.

There are other notable differences between a digital signature and a handwritten signature. Digital signatures can be time-stamped, thus providing reliable evidence that a document was signed on or before a certain time. A disadvantage of digital signatures is that they are only as reliable as the digital ID used to create them. To combat this problem, a public clearinghouse of compromised digital IDs must be maintained, and auditing systems must be in place to immediately detect and report suspicious activity. Time-stamped digital signatures created before a digital ID is compromised can be easily and certainly distinguished from compromised signatures if properly designed and competently managed infrastructure is in place. This is necessary to ensure that previously existing digital signatures survive a compromising event.
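The decision described above, sketched as an added example that is not part of the original article. It assumes the signature and any timestamp token have already been verified cryptographically; the record fields, the clearinghouse dictionary and the verdict strings are hypothetical names, and all sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

@dataclass(frozen=True)
class SignatureRecord:
    digital_id: str                   # signer's digital ID (hypothetical identifier)
    claimed_time: datetime            # time written by the signer's own software
    trusted_time: Optional[datetime]  # time attested by an independent timestamp service

def classify(sig: SignatureRecord, clearinghouse: Dict[str, datetime]) -> str:
    """Decide whether a signature survives a compromise of its digital ID.

    clearinghouse maps a compromised digital ID to the moment of compromise.
    claimed_time is deliberately ignored: whoever holds a stolen key can
    backdate it, so only an independent timestamp counts as evidence.
    """
    compromised_at = clearinghouse.get(sig.digital_id)
    if compromised_at is None:
        return "valid"                       # ID was never reported compromised
    if sig.trusted_time is None:
        return "indeterminate"               # cannot prove when it was signed
    if sig.trusted_time < compromised_at:
        return "valid_before_compromise"     # provably signed while the key was safe
    return "rejected"                        # signed at or after the compromise

def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, 12, 0, tzinfo=timezone.utc)

# Constructed sample data: one compromised ID and four signatures.
CLEARINGHOUSE = {"id-architect-01": _utc(2024, 6, 1)}
SAMPLES = {
    "early":     SignatureRecord("id-architect-01", _utc(2024, 5, 20), _utc(2024, 5, 20)),
    "late":      SignatureRecord("id-architect-01", _utc(2024, 6, 2), _utc(2024, 6, 2)),
    "backdated": SignatureRecord("id-architect-01", _utc(2024, 5, 1), None),
    "other_id":  SignatureRecord("id-engineer-07", _utc(2024, 6, 2), None),
}

def evaluate_samples() -> Dict[str, str]:
    return {name: classify(sig, CLEARINGHOUSE) for name, sig in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:10s} {verdict}")
```

The "backdated" sample claims a date before the compromise but carries no independent timestamp, so it cannot be told apart from a forgery made with the stolen ID.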

In conclusion, adequate technical solutions and time-tested safeguards already exist for successfully using digital signatures in a professional environment, but digital consumers still need to learn how to work within the limitations of the technology. Building an acceptable comfort level with a technology that must by its nature completely replace something as significant and culturally ingrained as the handwritten signature will not be easy or quick, but it is inevitable.
