Bar Journal - September 1, 1999

Signing Your John Hancock in the 21st Century: An Introduction to NH's Digital Signature Legislation

By: Steven J. Schwarz1 and Gary L. Hodgson2

You may be wondering, what is a digital signature? Have no fear, you are not alone. This article will introduce you to digital signatures in general, highlight major issues pertaining to digital signatures, and explain how New Hampshire and other states across the country address those issues.

I. INTRODUCTION

Have you ever gone shopping for an item over the Internet, and used your credit card to pay for it? If so, you may have noticed that you did not sign anything to verify the purchase. Instead, you probably typed in your name, credit card number, address and some other relevant information to verify the transaction. How does the party on the other end of the transaction know that it really is you placing the order, and not an imposter who has stolen your credit card information? This is where digital signatures come into play.

Digital signatures are not written or manual signatures. Rather, digital signatures use electronic encryption to verify that the sender is who she says she is, and that the contents of the message have not been altered. This technology, otherwise known as an "asymmetric cryptosystem," is based upon a key pair which is used to encode and decode the encrypted message. A third party, known as a certification authority, is responsible for creating and maintaining the key pairs. The certification authority verifies that the electronic transaction or communication is free from fraud and alteration. Thus, one can generally rest assured that their online transactions will be secure and reliable.

II. THE MECHANICS OF DIGITAL SIGNATURES

A. Digital Signature Technology

Digital signatures are created using encryption technology known as asymmetric or public key cryptography, which relies upon an algorithm using two different but mathematically related keys, called a key pair. One of these keys is used for encrypting data, and the other is used for decrypting data, that is, returning the data to its original form. The computers and software that use the keys to perform the encryption and decryption are often collectively referred to as asymmetric cryptosystems.3 When used to create a digital signature, the key used for encryption is known as the private key, which is known only to the signer. The key used to verify the digital signature is known as the public key, which is generally made known to the public.

To create a digital signature, the private key does not encrypt the entire message, but rather a number that is unique to the message. This unique number is created by a process known as a hash function. Hash functions take a message as input and produce a smaller message summary in numerical format known as the hash result or hash number. Any modification made to the message, such as changing a comma to a period, will change the hash number. To create a digital signature, the message signer uses her private key to encrypt the hash number. This encrypted hash number is the digital signature and is unique to both the message and the signer. The signer attaches the digital signature to the plain message and transmits both to the recipient.4 

When the message arrives, the recipient's software computes the hash number of the plain message. Next, the software uses the signer's public key to decrypt the digital signature, recovering the hash number generated by the signer. So long as both hash numbers match, the signature is valid and the message is untampered. However, if the signer's private key does not correspond to the public key, or if the message was altered, intentionally or unintentionally, before it reached the recipient, the hash numbers will not match. The recipient then knows that the digital signature is not reliable, either because the message has been altered or because a forgery has occurred.5

While the process of creating and verifying a digital signature may seem overly complicated, it is normally performed automatically on a computer, with minimal human interaction required. Therefore, digital signatures yield a high degree of reliability in a seamless and effortless process.6
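The sign-then-verify sequence described in this subsection, as an added example that is not part of the original article. It uses only Go's standard library: SHA-256 stands in for the article's hash function, and RSA PKCS#1 v1.5 is the asymmetric scheme, chosen because in that scheme "encrypting the hash with the private key" is literally what happens. The message text, the key sizes and all names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample message for this example (not taken from the article).
const contractText = "I agree to pay $1,000 for the goods in order 42, delivered by Friday."

// hashHex returns the hash number of a message as hex, so the effect of a
// one-character change on the hash can be seen directly.
func hashHex(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// signMessage follows the article's two steps: compute the hash number of the
// plain message, then apply the signer's private key to that hash. With RSA
// PKCS#1 v1.5, "encrypting the hash with the private key" is literally what
// happens; the result is the digital signature.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage is the recipient's side: recompute the hash of the message as
// received, recover the signer's hash from the signature with the public key,
// and accept only if the two agree.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignatureDemoResult records the outcomes the article describes.
type SignatureDemoResult struct {
	HashChanged      bool // one comma changed to a period altered the hash number
	ValidAccepted    bool // untouched message checked with the signer's public key
	TamperedRejected bool // altered message checked with the signer's public key
	WrongKeyRejected bool // untouched message checked with someone else's public key
}

// runSignatureDemo generates two key pairs (constructed, 2048-bit RSA), signs
// the sample message with the first, and exercises the three checks.
func runSignatureDemo() (SignatureDemoResult, error) {
	var r SignatureDemoResult
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	original := []byte(contractText)
	sig, err := signMessage(signer, original)
	if err != nil {
		return r, err
	}
	// The article's own example of a modification: a comma becomes a period.
	tampered := []byte(strings.Replace(contractText, ",", ".", 1))

	r.HashChanged = hashHex(original) != hashHex(tampered)
	r.ValidAccepted = verifyMessage(&signer.PublicKey, original, sig)
	r.TamperedRejected = !verifyMessage(&signer.PublicKey, tampered, sig)
	r.WrongKeyRejected = !verifyMessage(&someoneElse.PublicKey, original, sig)
	return r, nil
}

func main() {
	r, err := runSignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two points worth noting when reading the output. First, the signature is over the hash, not the message, so the message still travels in the clear, exactly as endnote 4 says. Second, PKCS#1 v1.5 is used here because it matches the article's "encrypt the hash" description; newer deployments generally prefer RSA-PSS or ECDSA, which do not fit that description as neatly but follow the same hash-then-sign, recompute-then-compare pattern.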

B. Certification Authorities

For a party to verify a digital signature, they must have access to the signer's public key and have assurance that it corresponds to the signer's private key. But, a key pair has no inherent association with any person and, therefore, some strategy is necessary to reliably associate a particular person or entity with the key pair. Consequently, the use of a trusted third party is necessary to associate an identified signer with a specific key pair. This trusted third party is commonly known as a certification authority (CA).7 

To associate a key pair with an identified signer, the CA issues an electronic record known as a certificate. This certificate identifies the public key of a prospective signer and confirms that the prospective signer identified in the certificate holds the private key. The prospective signer is technically known as a subscriber. The main purpose of a certificate is to bind a key pair with a particular subscriber.8 

One who receives a certificate and desires to rely upon a digital signature (created by the subscriber named in the certificate) can use the public key listed in the certificate to verify that the digital signature was created with the corresponding private key. Successful validation assures that the named subscriber holds the private key and that the digital signature was created by her.9 

To facilitate the relying party's access to certificates, the CA makes them publicly available by publishing them in a repository. A repository is an on-line database of certificates and other information useful in verifying digital signatures. Because the key pair is asymmetric, it is essentially impossible to derive the private key from knowledge of the public key. Therefore, many people may have the certificate and public key of a given signer and use it to verify his signatures without the risk of those people deciphering the signer's private key and using it to forge digital signatures.10 Should the certificate become unreliable (e.g., the subscriber loses his private key), the CA may suspend or revoke the certificate. Consequently, the CA plays a major role in maintaining the reliability and effectiveness of the digital signature system.11
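The certificate, repository and revocation roles described in this subsection, as an added example that is not from the article. It uses Go's standard crypto/x509 package: the CA's self-signed certificate is the trust anchor, each issued certificate binds a subscriber name to a public key, and the repository is an in-memory map of published certificates plus a list of revoked serial numbers standing in for a published revocation list. The CA name, the subscriber name "alice", the message and all keys are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA holds the CA's signing key plus the repository it publishes (the exported fields):
// its own certificate as trust anchor, issued certificates keyed by subscriber name,
// and the serial numbers it has revoked. Everything here is constructed.
type CA struct {
	cert    *x509.Certificate
	key     *rsa.PrivateKey
	Roots   *x509.CertPool
	Certs   map[string]*x509.Certificate
	Revoked map[string]bool
	serial  int64
}

// must panics on error so the example reads top to bottom.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate body valid for one day, starting an hour ago.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
}

// NewCA creates a self-signed CA certificate and an empty repository that trusts it.
func NewCA(name string) *CA {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := template(1, name, true)
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &CA{cert: cert, key: key, Roots: roots, Certs: map[string]*x509.Certificate{}, Revoked: map[string]bool{}, serial: 2}
}

// Issue binds a subscriber's public key to her name in a certificate signed by the CA
// and publishes it. The identity checking that precedes issuance is outside this example.
func (ca *CA) Issue(subscriber string, pub *rsa.PublicKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template(ca.serial, subscriber, false), ca.cert, pub, ca.key))
	ca.serial++
	cert := must(x509.ParseCertificate(der))
	ca.Certs[subscriber] = cert
	return cert
}

// Revoke marks a certificate as no longer reliable, e.g. after the subscriber loses her private key.
func (ca *CA) Revoke(cert *x509.Certificate) { ca.Revoked[cert.SerialNumber.String()] = true }

// RelyingPartyVerify is the recipient's check: fetch the subscriber's certificate, confirm the
// trusted CA issued it and has not revoked it, and only then test the signature with the
// certified public key (CheckSignature rehashes msg and compares it with the signed hash).
func RelyingPartyVerify(ca *CA, subscriber string, msg, sig []byte) error {
	cert, ok := ca.Certs[subscriber]
	if !ok {
		return fmt.Errorf("no certificate published for %q", subscriber)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: ca.Roots}); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if ca.Revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s has been revoked", cert.SerialNumber)
	}
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

// runCertificateDemo returns the relying party's decision for a good signature under a
// published certificate, and for the same signature after the CA has revoked it.
func runCertificateDemo() (beforeRevocation, afterRevocation error) {
	ca := NewCA("Example CA (constructed)")
	alice := must(rsa.GenerateKey(rand.Reader, 2048)) // the subscriber keeps this private key
	aliceCert := ca.Issue("alice", &alice.PublicKey)   // the CA sees only the public key
	msg := []byte("Order 42: ship 10 units to Concord, NH.") // constructed sample message
	digest := sha256.Sum256(msg)
	sig := must(rsa.SignPKCS1v15(rand.Reader, alice, crypto.SHA256, digest[:]))
	beforeRevocation = RelyingPartyVerify(ca, "alice", msg, sig)
	ca.Revoke(aliceCert) // e.g. alice reports her private key lost
	afterRevocation = RelyingPartyVerify(ca, "alice", msg, sig)
	return beforeRevocation, afterRevocation
}

func main() {
	before, after := runCertificateDemo()
	fmt.Println("before revocation:", before, "\nafter revocation:", after)
}
```

The order of checks in RelyingPartyVerify is the practical point: a correct signature under a certificate the CA did not issue, or has since revoked, is still rejected, so the relying party's confidence rests on the CA and its repository as much as on the mathematics. Note also that the subscriber generates her own key pair and hands the CA only the public key, which keeps the private key under her sole control.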

III. NEW HAMPSHIRE'S APPROACH TO DIGITAL SIGNATURES

In 1997, New Hampshire enacted N.H. Rev. Stat. Ann. ch. 294-D ("RSA 294-D") titled the New Hampshire Digital Signature Act ("Act"). The purpose of the Act is to "set standards and provide credibility for digital signatures used in dealings involving state entities in New Hampshire" and "to avoid the state's involvement as a certification authority or repository."12  This purpose is accomplished by authorizing the use of digital signatures in any communication between the state of New Hampshire and any agency or instrumentality of the state.13 

Under the Act, digital signatures have the same force and effect as the use of a manual signature so long as the following requirements are met: (a) the digital signature is unique to the person using it, (b) it is capable of verification, (c) it is under the sole control of the person using it, (d) it is linked to data in such a manner that if the data is changed, the digital signature is invalidated, and (e) it conforms to the rules adopted under RSA 294-D:5.14  Because this statute does not impose specific technological requirements for the digital signature, it is termed a "technology neutral statute."15  Therefore, any digital signature meeting these requirements has the same legal effect as a handwritten signature. However, the Act only applies to transactions between New Hampshire state entities and does not apply to transactions between members of the public.

In 1998, New Hampshire enacted additional legislation that applies to the use of digital signatures on all communications, including those of the general public. This legislation, codified in N.H. Rev. Stat. Ann. ch. 506:8-9 ("RSA 506:8-9"), gives a digital signature the same force and effect as a written signature. Additionally, this legislation defines a digital signature as "a type of electronic manipulation that transforms a message using an asymmetric cryptosystem such that a person having the transformed message and the signer's public key can accurately determine: (a) [w]hether the transformation was created using the private key that corresponds to the signer's public key," and "(b) [w]hether the initial message has been altered since the transformation was made."16  Because this statute specifically requires a certain type of technology, an asymmetric cryptosystem, it is termed "technology specific."17 

A. Technology Specific and Technology Neutral Approaches to Digital Signature Legislation

As discussed above, RSA 294-D is technology neutral, while RSA 506:8-9 is technology specific. As a result, the two statutes are significantly different in their applications.

Technology neutral statutes are flexible in their application.18  Because they do not set any specific technological requirements for the digital signatures, any electronic signature technology that meets the statute's broad verification requirements will be deemed a valid signature.19  This allows technology neutral statutes to keep up with the rapid advances in digital signature technology.20 

In addition, technology neutral statutes often include provisions that delegate rulemaking authority to a specified agency to promulgate rules necessary to govern digital signatures. For example, New Hampshire's Digital Signature Act delegates this power to the commissioner of administrative services.21  Thus, agencies can quickly and efficiently use their rulemaking power to make new rules as may be required by changes in technology.

However, technology neutral statutes may not provide the courts with enough guidance to determine when an electronic signature in fact meets the verification requirements of the statute.22  Because the verification requirements of a technology neutral statute are termed in broad language, the courts may have difficulty applying them to specific technologies.23  Furthermore, digital signature technology is very complicated and, although an agency may have rulemaking authority, it may not have the requisite knowledge to exercise it effectively.24 

Conversely, technology specific statutes are rigid in their application.25 These statutes create certain presumptions and limitations on liability if the certification authority and the certificate issued by it satisfy specific technological requirements. Although these statutes are permissive (that is, certification authorities are not required to comply), a certification authority that wants to enjoy the benefits of the statute must comply with it without any deviation from the specified technology. As a result, technology specific statutes require continuous updating to conform to changes in technology.26 Because the statutory amendment process can take a long time, technology specific statutes are not easily adapted to conform to rapid changes in technology.

Although technology specific statutes are rigid in their application, they do provide the courts with specific standards for determining a valid digital signature.27  By imposing specific technological requirements, these statutes assure that the courts will make accurate and consistent determinations regarding digital signature validity.

As demonstrated above, both technology-neutral and technology-specific statutes have their advantages and disadvantages. Which approach is better depends upon the particular application for which they will be used. Apparently, the New Hampshire legislature has determined that a technology neutral approach is better for government use, and that the technology specific approach is better for use by the general public.28

B. Legal Presumptions and Digital Signatures

The New Hampshire legislation gives digital signatures the same force and effect as a written or manual signature.29  Generally, in the absence of evidence to the contrary, written signatures are presumed to be invalid.30  Therefore, in New Hampshire, the burden of proving the validity of a digital signature is on the party seeking to enforce the signature.

This presumption of invalidity creates a problem for any person who wishes to rely on the digital signature. None of the indicia of reliability associated with written signatures, such as the use of paper, letterheads, handwritten ink signatures and personal contact between the parties, are present with digital signatures.31  Moreover, digital information can be undetectably altered. Therefore, proving the validity of a digital signature in court can be virtually impossible. In addition, it becomes extremely difficult for a party to know when she can rely on the integrity and authenticity of the digital signature.32  Thus, in many cases it is important for the party relying on a digital signature to be in a position to know whether it can prove both the authenticity and the integrity of the message in court.33 

Many states have addressed this problem through legislation, by giving digital signatures a rebuttable presumption of validity.34  This presumption is designated as being rebuttable in recognition of the fact that no technology is flawless.35  Thus, the presumption operates to require the owner of the digital signature to prove, by a preponderance of the evidence, that the signature was neither hers nor authorized by her.36 

This presumption is justified because the evidence normally available to prove who actually sent the message will most often be in the possession of the person who owns the digital signature.37  For example, the person who owns the digital signature will ordinarily be in a better position to prove that the private key may have been stolen, copied, compromised or used without her authority.38  On the other hand, the recipient of the message will have no evidence other than the receipt of an authentic digital signature.39  Also, some states impose upon the owner of the digital signature a duty to safeguard the private key's control and secrecy, further justifying the presumption.40 

New Hampshire's failure to address the presumption of validity undermines the viability of the use of digital signatures in electronic commerce.41  In the future, it would be beneficial for New Hampshire to follow the lead of other states and incorporate the presumption of validity into its digital signature legislation.

C. Regulation of Certification Authorities

New Hampshire's only reference to certification authorities in its digital signature legislation is to disclaim the state's direct involvement as a CA or repository.42  In contrast, the American Bar Association Digital Signature Guidelines recommend that states require certification authorities to use trustworthy systems.43  The primary reason for regulating certification authorities is to assure the trustworthiness of a digital signature and guarantee that it is deserving of the presumption of validity discussed above.44  After all, the digital signature is only as trustworthy as the certificate issued by the CA.

Some states have established methods for regulating certification authorities.45  The methods used by these states include: accreditation of certification authorities by third parties; voluntary licensing of certification authorities through the compliance with standards specified or adopted by an agency; and case-by-case determination by a court or other trier of fact that the digital signature was issued by a certification authority that properly authenticated the subscriber and the subscriber's public key.46 

It is important to note that any methods adopted by a state should provide as much flexibility and latitude as possible for making a determination as to the trustworthiness of a certificate issued by a CA.47  This flexibility is particularly important in light of the fact that the use of digital signatures is not yet fully developed.48  Thus, any regulations implemented should retain the flexibility necessary to prevent the hindrance of digital signature development and implementation, while at the same time guaranteeing their trustworthiness.49 

Because certification authorities play a major role in keeping the use of digital signatures trustworthy and free from fraud, it is vital to electronic commerce in New Hampshire that one or more of the regulation methods discussed above is implemented.

IV. CONCLUSION

The use of digital signatures in electronic commerce is a new practice that is growing rapidly and therefore presents special legal challenges. The legislation enacted by New Hampshire, to this point, establishes a foundation upon which digital signature law can develop. But, as discussed previously, both the presumption of validity and the regulation of certification authorities are legal issues that should be addressed for digital signature use in New Hampshire to be fully effective. As the use of digital signatures continues to flourish, it will be important to stay aware of the legal developments concerning these issues.

ENDNOTES

1. Steven J. Schwarz is a J.D./M.I.P. candidate at Franklin Pierce Law Center, class of 2000. He is focusing his studies on intellectual property law, with an emphasis on patents.
2. Gary L. Hodgson is a J.D. candidate at Franklin Pierce Law Center, class of 2000. He is focusing his studies on corporate law.
3. See generally, Digital Signature Guidelines, Electronic Commerce and Info. Tech. Division of the Info. Security Committee of the Am. Bar Ass'n, Aug. 1, 1996, available free online at http://www.abanet.org/scitech/ec/isc/dsgfree (providing tutorial on digital signatures) [hereinafter Digital Signature Guidelines].
4. It is important to note that the message text is sent in an unencrypted format. For example, it may be sent as a word processor document.
5. Lonnie Eldridge, Internet Commerce and the Meltdown of Certification Authorities: Is the Washington State Solution a Good Model?, 45 UCLA L. Rev. 1805, 1816 (1998).
6. Digital Signature Guidelines, supra note 3.
7. Id.
8. Id.
9. Id.
10. Id.
11. Id.
12. N.H. Rev. Stat. Ann. 294-D:2 (1997).
13. N.H. Rev. Stat. Ann. 294-D:4 (1997).
14. Id. (R.S.A. 294-D:5 delegates to the Commissioner of Administrative Services the power to adopt rules to implement the purposes of the Digital Signature Act. However, the Commissioner has not adopted any rules at the time of this writing.)
15. Telephone interview, Thomas G. Melling. Thomas G. Melling is an associate in the Seattle, Washington office of Perkins Coie LLP, where he specializes in Internet law and electronic commerce. His experience with digital signatures includes representing the first licensed certification authority in the State of Washington. For more information about Thomas G. Melling and Perkins Coie LLP, go to http://www.perkinscoie.com.
16. N.H. Rev. Stat. Ann. 506:8 (1998).
17. Telephone interview, Thomas G. Melling.
18. Id.
19. N.H. Rev. Stat. Ann. 294-D:4 (1997).
20. Telephone interview, Thomas G. Melling.
21. N.H. Rev. Stat. Ann. 294-D:5 (1997).
22. Telephone interview, Thomas G. Melling.
23. Id.
24. Id.
25. Id.
26. Id.
27. Id.
28. N.H. Rev. Stat. Ann. 294-D (1997), N.H. Rev. Stat. Ann. 506 (1998).
29. Id.
30. See New Hampshire Rules of Evidence, Rule 901 (1999).
31. Ill. Comm'n on Elec. Commerce and Crime, Final Report of the Comm'n on Elec. Commerce and Crime, 10-120, cmt. 1, 90th General Assembly, 1998 [hereinafter Final Report].
32. Id.
33. Id.
34. See, e.g., 1998 Ill. Legis. Serv. P.A. 90-759, Art. 10, 10-120 (H.B. 3180) (West), Minn. Stat. Ann. 325K.24 (West 1998), Utah Code Ann. 46-3-304 (1998), Wash. Rev. Code 19.34.350 (1998).
35. Final Report, supra note 31 at 10-120, cmt. 1.
36. Id. at 10-120, cmt. 5.
37. Id.
38. Id.
39. Id.
40. Id. at 10-125, cmt. 1.
41. Id. at 10-120, cmt. 1.
42. N.H. Rev. Stat. Ann. 294-D:2 (1997).
43. Digital Signature Guidelines, supra note 3.
44. Final Report, supra note 31 at 15-115, cmt. 2.
45. See, e.g., 1998 Ill. Legis. Serv. P.A. 90-759, Art. 15, 15-220 (H.B. 3180) (West), Minn. Stat. Ann. 325K.05 (West 1998), Miss. Code 1972 Ann. 25-63-7 (1998), Utah Code Ann. 46-3-301 (1998), Wash. Rev. Code 19.34.220 (1998).
46. Final Report, supra note 31 at 15-105, cmt. 2b.
47. Id.
48. Id.
49. Id.

The Authors

Steven J. Schwarz, Class of 2000, Franklin Pierce Law Center, Concord, New Hampshire.

Gary L. Hodgson, Class of 2000, Franklin Pierce Law Center, Concord, New Hampshire.
