e-UCP article 3

hatemshehab
Posts: 220
Joined: Fri Apr 05, 2019 5:19 pm

e-UCP article 3

Post by hatemshehab » Mon Feb 11, 2002 12:00 am

e-UCP article 3 provides:

ii. "electronic signature" means a data process attached to or logically associated with an electronic record and executed or adopted by a person in order to identify that person and to indicate that person's authentication of the electronic record.

Would that include electronic sounds or symbols? For instance the PIN or the password that are used to access the ATM or to enter the website to perform a transaction are the common forms of electronic signatures. In such cases people invariably use birthday, anniversary or the name of a pet to serve as a unique identifier that they are who they claim to be and give them some level of identity in an otherwise impersonal medium. The question is how about a digitized image of one's handwritten signature, which could likewise qualify as an electronic signature, or a sound that could be used to achieve the same purpose.
NigelHolt
Posts: 1449
Joined: Fri Apr 05, 2019 5:24 pm

e-UCP article 3

Post by NigelHolt » Mon Feb 11, 2002 12:00 am

Hatem,

Just to let you know that I've read your query, but that I intend to stay clear of eUCP article specific discussions.

Regards, Jeremy
sean
Posts: 7
Joined: Fri Apr 05, 2019 5:14 pm

e-UCP article 3

Post by sean » Mon Feb 11, 2002 12:00 am

Hatem,

An 'electronic signature' is generally held to be as unique to the user as their hand-written signature. A data process is used to generate this signature which can then be stored securely by the user on his or her computer or stored by an independent body who can verify the identity of the person attempting to use the signature.

There is usually a minimum of two steps required to get a signature but the key issue is what is called "ground truth", i.e. how to establish if the person issued with the signature is who they claim to be.

The signature itself is a unique combination of codes stored as a file which the owner can use to sign documents. I can attach, or associate it with a document using a key, which might be a long pass-phrase or using a thumb-print device.

Bio-metrics (voice, finger-print, retina-scan etc) are gaining some credibility in electronic signatures. In another aspect of what we do in IMS MAXIMS we are using voice prints to allow a buyer to sign a purchase order over the phone, this is accepted by the banks to immediately authorise payment.

So I guess pin numbers or passwords would not be considered as 'electronic signatures' but then who knows how it might be interpreted by a judge down the line.


[edited 2/11/02 3:51:04 PM]
T.O.Lee
Posts: 743
Joined: Fri Apr 05, 2019 5:28 pm

e-UCP article 3

Post by T.O.Lee » Tue Feb 12, 2002 12:00 am

Hatem,

NATURE OF eUCP

Please bear in mind that the eUCP is the transitional rules solely to cover the transitional period from paper presentation to full scale electronic presentation. That is why it allows a mix of the two presentations. As such it will be updated from time to time to catch the evolution of technology, of which electronic signature is one.

Therefore, the Working Party considers that it is not strange that the eUCP Version 1.0 would be revised even sooner than the next UCP 500 revision.

The definition of electronic signature is of temporary basis and can be changed in a short time if the technology advancement is so rapid that it is necessary to change the definition.

I am leaving within a couple of hours for a Middle East workshop trip.

Today 12th February 2002 is Chinese New Year Day, the beginning of the Year of the Horse. To all of you, including IMS and DC Pro "Gong Xi Fa Cai" (Putonghua version in Shanghai) or "Kung Hei Fat Choy" (Cantonese version in Hong Kong)(it means "Wishing you make more money")

T. O.
http://www.tolee.com

[edited 2/12/02 6:02:27 PM]
hatemshehab
Posts: 220
Joined: Fri Apr 05, 2019 5:19 pm

e-UCP article 3

Post by hatemshehab » Wed Feb 13, 2002 12:00 am

The purpose of electronic signature is to provide a peculiar means of authentication (both entity authentication and data origin authentication). This service enables the user to prove that they are who they claim to be and to be convinced that data sent to another entity can be read only by that entity and that highly sensitive information only gets into the hands of those with an explicit "need-to-know."

As for the recipient this will enable him to be assured that the data is correct and has not been altered in any way that might prejudice the interests of both the user and the recipient.
This is achieved if the user is able to associate a form of process to, unambiguously and correctly, with the system of the recipient with whom he wants to communicate.

Who is responsible for Authentication?

It is obvious that the user having accessed the system with that “form of process to associate, with the system of the recipient with whom he wants to communicate” is the e-Signature, which constitutes the initial authentication to the local environment, which may involve single or multi-factor authentication including passwords or biometric devices. The recipient through his system authenticates the validity of this signature. Hence the question is what if the user claimed that he is not the one who claimed to be the user? Or what if the system failed to perform the subsequent authentication? Who is responsible for the prevention of an attacker from getting the decryption of a random-looking value (in certain signature algorithms), which may yield valuable information in some circumstances? Does this imply legal consequences on the recipient as a result of mal-authentication? Does article e12 constitute sufficient discharge of liabilities for the bank?

Electronic Signature vs. Digital Signature

From the search I have conducted on this issue Digital signatures are created and verified by cryptography. Cryptography is applied mathematics that transforms messages into seemingly unintelligible forms and back again. Digital signatures use what is known as "public key cryptography," which employs an algorithm using two different but mathematically related "keys;" one for creating a digital signature or transforming data into a seemingly unintelligible form, and another key for verifying a digital signature or returning the message to its original form. In this sense can we conclude that e-Signature is wider in scope that it could include digital signature?

Entity Identification may apply different factors

I do not fully agree that PIN or passwords are not e-Signatures. If the apparent purpose is to verify the identity of the user, then PIN or passwords, are exactly so. There are many ways of proving an identity.
· “xyz” I have (such as a smart card or a hardware token)
· “xyz” I know (such as a password or a PIN)
· “xyz” I am, or “xyz” intrinsic to my body (such as a thumbprint or a retinal scan)
· “xyz” I do (my typing characteristics or handwriting style)
In banking Multi-factor authentication is adopted during the authentication process. A familiar example of two-factor of identity verification is the "sign-on" process at a banking machine where the user presents a magnetic-stripe card and enters a PIN to gain access to his/her bank account.

A note to our friend TO LEE,

I do recognize the nature of e-UCP and that it is a preliminary step towards full-scale electronic presentation. What I intend to trigger in this query is the scope of the e-Signature and to what extent it could cover the different forms of identification methods adopted in the e-environment. I hope this will help in understanding and perhaps expand the scope of electronic presentations.

Wish you all the best in your trip.

Hatem
T.O.Lee
Posts: 743
Joined: Fri Apr 05, 2019 5:28 pm

e-UCP article 3

Post by T.O.Lee » Wed Feb 13, 2002 12:00 am

Hatem,

I am now in Air France Lounge Paris playing with Internet provided with a different keyboard, waiting for the transit flight to Middle East.

Perhaps the ICC GUIDEC Rules may resolve your problems on definition of e signature which the GUIDEC Rules are all about, but I do not have these Rules with me.

T. O.
sean
Posts: 7
Joined: Fri Apr 05, 2019 5:14 pm

e-UCP article 3

Post by sean » Wed Feb 13, 2002 12:00 am

Hatem,

This is an interesting and challenging area. Public Key Infrastructure, PKI, comprises the features needed to achieve non-repudiation, encryption, digital signing and authentication. Still, while PKI offers the framework for all this, the problem of verifying the user's identity remains.

To add to your point the main methods of verification are:

- Something you have - might be a key, Smart Card or other token that you
use to verify your identity.

- Something you know - might be a PIN or password that only you know.

The problem with these two methods is that they can be borrowed or stolen.

Biometrics represents the third alternative:

Something you are - Fingerprint, iris, voice etc.

These methods are often combined, where as one part identifies the user, while the other verifies that the person is who he/she claims to be. E.g. a Smart Card (something you have) in combination with fingerprint verification (something you are).

Using digital certificates protected with biometrics is currently one of the best ways of proving a person's identity in an open network. However the elements used to verify the identity of the user are quite separate from the actual signature. So a pin or password is not a signature but is used to identify the user of a signature. If you rely on only a pin number to identify the user of a signature then the reliability of the signature is diminished. If you combine it with a smart card or swipe card then it is increased.

[edited 2/13/02 1:14:41 PM]
[edited 2/13/02 1:15:23 PM]
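
An added illustration, not part of any poster's message and not code from the e-UCP or GUIDEC: it shows the distinction drawn in the thread between the factor that identifies the user (a PIN) and the digital signature itself, which is computed over the electronic record with a private key and checked with the public key. The PIN, the record text and the function names are constructed for the example, and the public key is trusted directly, with no certificate authority involved.

```javascript
// Added example: constructed PIN and record, Node.js built-in crypto only.
const crypto = require("crypto");

const PIN = "4921-constructed"; // "something you know" (constructed value)

// Enrolment: create a signing key pair. The private key is stored encrypted
// under the PIN, so the PIN gates use of the key but is never the signature.
function enrol(pin) {
  return crypto.generateKeyPairSync("ed25519", {
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: {
      type: "pkcs8", format: "pem", cipher: "aes-256-cbc", passphrase: pin,
    },
  });
}

// Signing: the PIN unlocks the key; the signature covers the record bytes.
function signRecord(record, encryptedPrivateKey, pin) {
  const key = crypto.createPrivateKey({
    key: encryptedPrivateKey, format: "pem", passphrase: pin,
  });
  return crypto.sign(null, Buffer.from(record), key);
}

// Verification: the recipient needs only the public key, never the PIN.
function verifyRecord(record, signature, publicKey) {
  return crypto.verify(null, Buffer.from(record), publicKey, signature);
}

function demo() {
  const { publicKey, privateKey } = enrol(PIN);
  const record = "Constructed electronic record: invoice 001, USD 10,000";
  const sig = signRecord(record, privateKey, PIN);
  let wrongPinRejected = false;
  try { signRecord(record, privateKey, "0000"); } catch { wrongPinRejected = true; }
  return {
    valid: verifyRecord(record, sig, publicKey),
    // An altered record no longer matches the signature (data integrity).
    altered: verifyRecord(record.replace("10,000", "90,000"), sig, publicKey),
    // Unlike a PIN or a scanned image, the signature cannot be reused elsewhere.
    reusedOnOtherRecord: verifyRecord("Another record", sig, publicKey),
    wrongPinRejected,
    signatureBytes: sig.length,
  };
}

console.log(demo());
```
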
hatemshehab
Posts: 220
Joined: Fri Apr 05, 2019 5:19 pm

e-UCP article 3

Post by hatemshehab » Thu Feb 14, 2002 12:00 am

Dear TO

The GUIDEC did not solve the problem of the definition of the e-signature stated in e-UCP. On the contrary, it has created more problems (queries) that might be considered for further discussion. As for me, I have no problem with the definition, but what I am trying to understand is one thing; does this definition really encompass all identification methods referred to in this forum either by me or by Sean? Does the definition of e-signature really correspond to the language and terminology used in GUIDEC? Has the word “authentication” been used or even imported from the UCP 500 traditional definition, which might not be the case with electronic records?

If you go through the GUIDEC, it refers to digital signatures and never to e-signatures except once when it makes a reference to UNCITRAL Model Law. It states:

“The Model Law treats electronic signatures as they relate generally to problems deriving from form requirements in existing commercial laws of the major legal systems. Specifically, the Model Law provides that form requirements relating to signatures may be met in relation to data messages where a method is used that identifies the person and indicates that person's approval of the contents of the data message, and where the reliability of the method of signing is appropriate under the circumstances. Recognising that signature requirements derive from fundamental commercial law and public policy issues relating to intent of contracting parties, the Model Law does not specify what method of signing a data message might be appropriate under what circumstances. The Draft Guide to the Model law does indicate, however, that it may be useful in the context of data messages, to "develop functional equivalents for the various types and levels of signature requirements in existence." The GUIDEC attempts to build upon the Model Law in this regard, by defining requirements for signatures used in international commerce, in particular digital signatures, in which there is the additional requirement of certification.”

The paragraph here indicates that the Public Key Infrastructure (PKI) process of verifying signatures is different. Under PKI technology, the sender and the receivers possess two keys (public key & private key). The public key cryptography employs an algorithm using two different but mathematically related keys; one for creating a digital signature, and another key for verifying a digital signature or returning the message to its original form. The private key is kept private and is known to the signer only. The public key, on the other hand, is directly attributable to a real person, the subscriber, and is created and issued through the use of a trusted, third-party intermediary known as a certificate authority ("CA").

It is obvious that we have here three parties in the process of one signature. This binds all parties into the correctness of their signatures and for the integrity of the data content, since it can provide electronically the same forensic effect a signed paper message provides. Hence the traditional term of authenticated becomes more complicated here and that is why GUIDEC uses different terminology. It has therefore employed the term "Ensure", to denote the act of digitally signing an electronic message, "ensuring a message" to denote the public key cryptography process, and “Certifier” to denote a trusted third party who establishes that holders of public keys are indeed who they purport to be.

What about a digitally scanned image of a handwritten signature, a signature by means of a stylus and digitising tablet, a name signed using the keyboard, the use of passwords or other techniques for controlling access, or any similar procedures that could be used for ensuring a message, do these fall under the definition of e-signatures?

What about electronic sound and symbol, or any process, attached to or logically associated with the electronic record, could that be construed as an e-signature if executed or accepted by a person with the intent to sign the record?

Dear Sean,

Thank you indeed for your valuable comments. From your response could we come to a conclusion that e-UCP definition of e-signature is restrictive and should be revised to accommodate more technologies / processes adopted for “signing” electronic reports?

Should we suggest that the definition include "symbols, sounds, or a process associated or logically attached to the electronic record” to give a wider spectrum to that definition?

best regards
hatemshehab
Posts: 220
Joined: Fri Apr 05, 2019 5:19 pm

e-UCP article 3

Post by hatemshehab » Sun Feb 17, 2002 12:00 am

Just another thing to consider. The ISP98 has provided a definition of what the electronic signature is. It stated that:

"Electronic signature" means letters, characters, numbers, or other symbols in electronic form, attached to or logically associated with an electronic record that are executed or adopted by a party with present intent to authenticate an electronic record.

ISP98 is the product of ICC as is the case with e-UCP, however both adopt a different definition, an observation to consider?