As more data and documentation traverse the Internet each day, sender verification and delivery assurance is taking on renewed importance.
So it’s not surprising that digital signatures are also taking on new meaning, and urgency, especially for U.S. government agencies that must conform to the Government Paperwork Elimination Act. To spur paper reduction efforts, Congress passed the Electronic Signatures in Global and National Commerce Act in 2000, which gives digital signatures the same legal weight as ink signatures.
The paper elimination law requires that agencies receiving more than 50,000 copies of a form in a given year must provide electronic filing capabilities.
"For those agencies that really need a strong substitute for an ink-on-paper signature, [government agencies] are finding themselves in the position of needing to supply digital-signing software to 50,000 or more filers," explained Keren Cummins, vice president of governmental services at Digital Signature Trust (DST). DST, an affiliate of Salt Lake City-based Zions Bancorporation, is a digital certificate solutions provider.
One of the impacted agencies is the Social Security Administration (SSA) and its W2 form-filing requirements. DST was awarded an SSA contract to help the agency provide digital signature capabilities to more than 6.5 million businesses in the United States. Each company is required to file W2 forms for all employees—roughly 250 million people.
DST, along with VeriSign and Operational Research Consultants (ORC), had previously been awarded a contract with the federal General Services Administration (GSA) to provide digital certificates. The SSA used the GSA contract as the basis for its bid proposal and examined each of the three companies before deciding on DST.
In this article, we'll examine the issues facing the SSA and how the chosen DST solution will work.
Sizing up the challenge
Digital signature technology requires the document signer to have a digital certificate that the recipient considers valid.
"A lot of people believe that if they have a digital certificate, they can electronically sign stuff," Cummins said, explaining that most people today can sign e-mails using digital certificates because signing software is built into popular e-mail clients, including Netscape Communicator and Microsoft Outlook.
"But in order to sign a standalone document, like a Word or a text document, you need to have some sort of a signing tool on your desktop," Cummins added.
For today’s typical business enterprises, there’s a slew of signature products available. The organization’s IT shop normally controls desktop distribution and maintains the software. However, it doesn’t work that way in the government enterprise.
"You have an agency that wants to receive a document once a year, or once a quarter, or on an ad hoc basis. They are not in a position to put software on that constituent's desktop, and that constituent doesn't want the government to put software on their desktop," explained Cummins.
Along with the obvious problems of different operating systems and equipment to deal with, there are lots of reasons why implementing sophisticated technologies such as public key infrastructure (PKI) on customer desktops is not easy, said Chuck Liptz, management analyst in the SSA’s e-commerce division.
"It’s one thing doing it in an environment where you have large IT shops and lots of folks with technical abilities," he said. "[But] we deal with everyone from the very large companies with millions of employees and probably hundreds of people who deal with nothing but IT, to little mom-and-pop shops that have five people. We needed to build a product that works for all segments of the community."
How the SSA approached the issue
Undaunted by the SSA's monumental user criteria, DST began working on possible solutions three years ago.
The SSA formally began testing the new system last year, issuing certificates called Access Certificates for Electronic Services (ACES), through the GSA .
While the program was deemed successful last year–20,000 files were sent in via the Internet—Liptz acknowledges that there were a few hurdles to overcome.
"We found out that some browsers work better than others. That's why we wanted to pilot this out in a relatively small fashion so we could learn from this experience," he said. The SSA requires both Internet Explorer and the 128-bit security modules.
Another problem was the procedure for acquiring the certificates, Liptz related. Initially, participants had to print out a form that supervisors then had to sign and have notarized. The form was then sent to DST, who acted as the registration and certificate authority. Businesses didn't like it as it proved to be a cumbersome process.
"If I want to deal with you electronically, why is it that I have to generate paper, get some people to sign things, [and] mail things back and forth?" Liptz recalled participants complaining. "So this year, we're testing out individual certificates so all the authentication will be done electronically."
Outlining the process
Yet while the process may appear pretty simple on paper, there are a number of important steps users take to file forms electronically at the SSA. Here’s a quick peek at how a SSA filer provides an electronic signature:
- Step 1: The user compiles the information into a file to be uploaded.
- Step 2: The user then applies for a PIN and password on the SSA site to gain access to the electronic filing area.
- Step 3: The services provider, DST, issues an access code to the user.
- Step 4: With access code in hand, the user now logs in to the SSA site and downloads their ACES digital certificate.
- Step 5: The user visits services and wage-reporting pages to file the forms.
- Step 6: When a user initiates the upload file request, he or she receives an applet from DST's SimpleSign program. The user then chooses the file to be uploaded, is prompted for the ACES certificate, and clicks to acknowledge he or she is signing the document.
The biggest delays in the process are due to the mechanics of verifying the authenticity of the transaction. Program officials hope verification will be shortened in the near future as the SSA investigates accepting digital certificates from other authorities. That effort is being tested this year.
Verifying the signature is real
The verification process doesn’t start when the user uploads the document. It actually begins at the point a user applies for a PIN and password. The GSA requires user data up-front, such as a Social Security number, a credit card number, and a driver's license number as part of the authentication process. At some point, users requesting digital processing may be charged a fee. But the SSA is currently picking up the tab for digital certificates during the trial period.
According to the SSA, the GSA checks 20 to 30 different databases to verify that a user’s information is correct before issuing a digital certificate.
Once the certificate is issued, the security issue then becomes how to let a user sign the uploaded file so that the SSA knows who it’s coming from, that the file's integrity is sound, and that it has been time-stamped. DST solved this issue by providing signing software to the user through its SimpleSign program, which Cummins described as a server-based client product. Essentially, the signing process is not done on SSA's servers, but on DST's.
While a user is uploading their collection of W2 information to the SSA server during an SSA session, the SimpleSign applet is confirming their digital certificate on the DST server. It then binds that person's identity to that document, Cummins explained.
Digital users essentially are providing three types of files to the SSA when filing online. In addition to W2 forms, users are providing the digital certificate and the signature. "The SimpleSign applet wraps those three things up and sends them up to the server, and then it disappears off a person's computer," Cummins said. The fact that the signature applet is uploaded temporarily to the user helps thwart potential desktop issues afterward, said Cummins. "So six months from now, the SSA doesn't get a call from a user who says they have this piece of signing software they got from the SSA and now it is interfering with their Excel program."
It's only going to get simpler
It's costing the SSA $20,000 per CPU to run a digital signature program, but the SSA can use that CPU license for as many customers as that CPU can handle. Another benefit is that the entire process is designed to become easier for the user as time goes on, Cummins said. At press time, the SSA said it was using more than one CPU at this point but could not provide the specific number of CPU licenses currently being used. SSA officials said they cannot estimate the program's costs until the pilot program ends and the complete user base is determined.
"The two really important things that are happening at the SSA this year [are] the deployment of SimpleSign [and that] we're actually opening up the system so that businesses who don't have an ACES certificate but that happen to have a certificate from a state can use that state-issued certificate to sign and submit [a document].
"We've built that capability—to recognize that state certificate, validate it in real time, and proceed just as if that business had an ACES certificate," Cummins said.
Washington state is already using digital certificates for employers. Expanding the digital certificate capability from other certificate authorities will prevent the federal government from having to issue 6 million certificates.
Washington state's security policies were evaluated by the SSA and found to be equivalent or compatible with the ACES security level, thus allowing it to be the test case for allowing state certificates to substitute for the ACES certificate, Cummins said. So far, it is the only state certificate accepted by the SSA.
While every state might not participate in the digital certificate program, there are already businesses, particularly in banking, that are using digital certificates in business-to-business transactions. DST makes a digital certificate for the American Bankers Association called TrustID, and this certificate may become acceptable to government agencies in the future.
Businesses shopping for a digital certificate are advised to check out the different products on the market.
"I would really encourage people to look at what is happening in the banking community and in the government, both federal and state, to see if there are already digital certificates that are being produced. Many of these have a strong set of authentication policies and procedures associated with them that they can leverage, instead of everyone feeling like they should build their own," Cummins said.
Are you using digital certificates or digital signatures?
If you are using digital certificates and digital signatures, tell your fellow CIOs about your experience. Send us a note or post a comment in the discussion below.