Smedinghoff Identity Management: Who's Signing?


ESRA IDM Presentation 11-09-2010

Published in: Technology, Business

  1. Identity Management: Who’s Signing?
     Electronic Signatures and Government Adoption
     Thomas J. Smedinghoff
     Wildman, Harrold, Allen & Dixon, LLP, Chicago
  2. The Basic eSignature Identity Issue
     • There are many ways to “sign” an electronic record –
       • Clicking “I Agree” button
       • Digital signature (PKI)
       • Digitized image of handwritten signature
       • PIN, password
       • Typed name
       • Voice signature
     • But at the end of the day, you also have to prove “who signed”?
       • An electronic signature won’t be valid and enforceable unless you can prove who signed
       • How can you prove “who” clicked?
  3. Identity-Based Signature Risk
     • Repudiation by the alleged signer
       • That’s not my signature. I didn’t sign it. It wasn’t me.
       • Inability to prove who signed
     • Addressing this risk is a function of the strength of the identity management process
  4. How Does Identity Relate to Signature?
     • The form of signature itself need not identify the person signing, but
     • eSignature not enforceable where the signing process does not include sufficient authentication processes to make the signer reasonably identifiable
     • See, e.g., Prudential v. Dukoff, 2009 U.S. Dist. LEXIS 117843 (E.D.N.Y. Dec. 18, 2009)
  5. Many Options for Identifying the Signer
     • Build identity into the form of signature used
       • In a very reliable manner – e.g., PKI-based digital signature
       • In a pretty reliable manner – e.g., secret PIN-based signature
       • In an unreliable manner – e.g., a typed name
     • Build identity into the overall signing process
       • Build identity into the online session
         • Require login as prerequisite to signing
       • Notarization
       • Witness
       • Etc.
  6. The Basic eRecords Identity Issue
     • Identifying who is authorized to access, use, modify, transfer, and/or delete eRecords (Identification)
     • Verifying that a person claiming to be an authorized person is, in fact, a person that is authorized to access, use, modify, transfer, and/or delete eRecords (Authentication)
  7. Key Elements of Identity Management
     • Identification
       • A process designed to answer the question “who are you?”
       • Typically a one-time event that involves –
         • Associating one or more identifying attributes (e.g., name, address, height, birth date, SSN, employer, account number, membership number) with a person, and
         • Issuing a credential to evidence that identity
     • Authentication
       • A process designed to answer the question “OK, how can you prove it?” Used to determine whether a person is, in fact, the previously-identified person they claim to be.
       • It is a transaction-specific event that involves authenticating a credential to verify that the person trying to engage in a remote online transaction really is the person he or she claims to be
  8. National Strategy for Trusted Identities in Cyberspace
     • White House draft released June 25, 2010; Final expected early 2011
       • Seeks to address the problem of online identity
     • Vision: business and government will rely on identity information provided by any one of several third party identity providers – a so-called federated model
       • Identity information would be portable across different systems and entities
       • Would allow individuals and businesses to use an identity credential of their choosing to conduct online transactions with numerous enterprises,
     • Committing the federal government to:
       • Develop a comprehensive Identity Ecosystem Framework
       • Build and implement an interoperable identity infrastructure
       • Take steps to enhance confidence and willingness to participate
       • Take steps to ensure the long-term success of the Identity Ecosystem