Digital

Signature

Introduction

About
Image-X Enterprises

In recent years, use of digital or electronic signatures

has rapidly increased in an effort to streamline all types of
business transactions. There are two types of electronic
signatures: those based on a Public Key Infrastructure
(PKI) and those that are not.

Image -X Enterprises provides document management and

electronic signature services to businesses and
government organizations. Recently, Image-X became a CA
(Certificate Authority) in Washington. Image-X has been
providing electronic signature based solutions to County
governments across USA.

Digital signatures that do not use PKI:

?
Cannot offer a unique signature for each user.
?
Cannot identify the signer (authentication) cannot

detect changes in the documentation after signing

(non-repudiation).
?
Cannot offer a guarantee of sole control for the
signer (non-repudiation).

Overview of PKI
Technology

Digital signatures that do use PKI:

?
Bind signers with respective user identities by

means of a certificate authority (CA).

PKI technology is an arrangement that binds public keys

with respective user identities by means of a certificate
authority (CA), allowing individuals to encrypt messages to
each other, and enabling the various parties to a
document to establish message integrity, confidentiality
and user authentication, even if the parties have never
had prior contact.

?
Allow individuals to encrypt messages to each

other.
?
Establish message integrity, confidentiality and

user authentication, even if the parties have never

had prior contact.
In this paper, we will focus on electronic signatures that do
use a PKI as these are widely considered to be more
secure in the Information Technology community.

For those who are unfamiliar with Public Key

Infrastructure technology, it may be beneficial to describe
the major elements of the system to get a better idea of
how this technology operates:

PKI's can be developed within an organization as a turnkey solution, or through a trusted third party that acts as a
Certificate Authority.

?
A Registration Authority (RA) - The RA is the

authentication process in the network that verifies

user requests for a digital certificate. The RA tells the
certificate authority (CA) to issue the digital certificate.
?
A Certificate Authority (CA) - The CA issues the digital
certificate, which contains a public key and the
identity of the owner. This certificate validates that
this public key actually belongs to the certificate.
?
A Database - The repository, or database, stores the
digital certificates.
The Certificate Authority is the most important element of
a PKI structure and must be secure and cost-efficient. The
digital certificate proves the ownership of a public
key/private key pair by the named subject of the
certificate. This allows others (relying parties) to rely upon
signatures or assertions made by the public key/private
key pair. In this model of trust relationships, a CA is a
trusted third party that is trusted by both the subject
(owner) of the certificate and the party relying upon the
certificate.

Assessing CA Requirements and

Company Risks
Becoming a certificate authority is an arduous process that involves passing background checks and audits to ensure the
legitimacy of the certificate issuer. The requirements laid out in government statutes regarding security standards for PKI are
both expensive and time consuming. The typical requirements for an organization are as follows:?
Network administrators need to pass an examination that ensures that they are qualified to keep the digital certificates

secure.
?
Computer infrastructure must meet SAS 70 type II or web trust audits to assure that the servers are stored in a secure

environment.
?
All of the employees with access to servers need to have a security clearance.
?
Expensive bonds must be issued with the state for liability purposes.

These requirements are not without reason.; A compromised certificate or certificate server can result in forgery and theft by
hackers that could cost a company millions of dollars. These threats are explained in more detail below and should be
considered in your companys risk analysis. The typical risks are as follows:

Compromised certificates
?
Certificates that are lost or stolen represent a significant threat to your organization
?
Typically, a Certificate Revocation List (CRL) identifies certificates that have been lost or stolen and blocks that certificate

from being used.

?
Certification Revocation List synchronization across all the certificate servers, distributed across the world, ( See Figure 1)

can take some time. Most Certificate Policy Statements (CPS) specify that the CRL update time range is one to as many
as seven days. This leaves open the possibility of a malicious denial-of-service attack on the certificate server.

Registration costs for Browser

?
For online transactions storing the digital certificates with the browser makes doing business

with e-signatures easier, but also incredibly expensive.

?
Registering the digital certificates with browsers such as Mozilla FireFox, Internet Explorer and Google Chrome can cost
as much as $250,000/browser/organization.

Cost of authentication
?
Registering individual users with a certificate costs a significant amount of money. Most certificate authorities

charge between $20.00/digital certificate to $60.00/digital certificate.

?
Even for in-house solutions, costs per user can run far too high to make establishing these kinds of digital certificate

structures cost-effective.

Evaluating Digital Signature Options

Companies that have decided to implement digital signatures have several different approaches to consider, each offering
different value propositions. The following provides a brief overview of these options, which will be discussed in greater
detail later in the paper
Managed PKI Outsourcing the Solution - Outsourced PKI refers to a PKI solution that is owned and operated by a
trusted third-party entity known as a Certificate Authority (CA). The CA assumes responsibility for setting policy, managing
the technology and infrastructure, and owns the legal liability on behalf of the client. This approach does not require
purchasing hardware or software. However, when factoring set-up fees per user license, annual renewal fees, and in-house IT
support, the costs can be considerable.

Traditional PKI Developing an In-House Solution - In-house implementation involves the acquisition of PKI software and
hardware in order to deploy digital certificates. Full-time, dedicated staff is required to create, manage, and support the
systems and users. Utilizing this approach allows the organization to control and customize their digital signature solution
according to their needs and infrastructure. Implementing an in-house option, even if using free software, can be the most
costly approach to PKI technology.
Server Side Signing An Off-the-Shelf Solution - A new concept in PKI technology, also known as Server Side Signing,
leverages the existing infrastructure that is currently in place at a company.

Cost / Benefit Analysis of PKI Implementation

Managed PKI Developing an Outsourced Solution
Outsourcing is a popular solution for many modern tech companies. It is an easy way to allow
your company to focus on its core business. Not needing to invest in new hardware, software,
or personnel can lower total cost of ownership significantly.
In a managed scenario, the Certificate Authority (CA), the outsourcing company, owns the
digital signature solution and is responsible for the physical facility, the processing facility,
operations and maintenance, as well as the legal framework. The CA is also responsible for all
legal and security issues, as well as for changes in technology. In addition, the outsourcing
entity assumes the responsibility for setting policy, and managing the information technology.
Even though the client company can maintain control of certificate issuance, co-branding and
management, the major responsibility for maintenance, scalability, and policy management is left
to the outsourcing company.

Benefits
Requires less initial investment in infrastructure/staffing.

Faster deployment time.

Good for companies that lack expert IT support because

PKI requires extensive training.

Costs
Prohibitive costs such as renewal fees, service fees, and
support fees (these can often add up to more than the cost
of an in-house implementation).

Fees for customization and upgrades, if necessary.

Have to coordinate with third party vendor with its own

schedule of priorities.

Company employees may be issued tokens to access the

CA which may get lost or stolen and cause loss of
production time within your company.

Some third parties, have lock-in agreements that

become prohibitively expensive over time.
In conclusion, while delegating all of the digital signature technology to an outsourcing company may seem enticing, as there
is no significant upfront cost, the truth is that the total cost of ownership increases over time. Total costs can be around
$300,000 for just 100 employees and close to half a million dollars for 1000 employees.

Traditional PKI Developing an In-House Solution

Companies that choose to develop a traditional or in-house PKI implementation, base their decision on the perceived
merits of greater control and flexibility and lower costs over the long term. With traditional PKI, the expectation is that the
solution can be implemented using the existing IT personnel without any additional expenses.
However choosing a traditional PKI implementation is a major investment with significant up-front costs. The first step is to
choose the desired software. According to Microsoft's own assessments for managing a Windows Server 2003 Public Key
Infrastructure, the initial set up effort alone demands 13 days (105.5 hours) of work. Once the software and the hardware
(dedicated servers) are purchased, it is essential to have experts in PKI technology, who are able to define the companys
certificate creation and distribution policies. The software and hardware also require a dedicated IT staff.
Once the solution is implemented, there are additional expenses to ensure that the physical servers are secure. Encryption
keys safety and back up and disaster plans represent significant incidental costs that are necessary for a secure environment.
If these steps are not taken, the possibility of unauthorized use of signing keys increases. Nevertheless, a traditional PKI
implementation does offer some benefits:-

Benefits
Gives flexibility to the company to issue and revoke
certificates quickly.

Procedural policies can be changed to coordinate with

changes in company policy.

Cost per user lower than outsourced PKI, because cost of

issuing certificates is lower.

Can add support for proprietary applications and services

that a third party may not be willing to provide.

Costs
Company must manage root keys (administrator
privileges), digital certificates and private keys, as well as
maintaining audit logs to comply with government
regulations.

Fees for creating a Certificate Revocation List (CRL) if

employees lose their key.

Have to coordinate with third party vendor with own

schedule of priorities.

Company employees may be issued tokens to access the

CA which may get lost or stolen and cause loss of
production time within your company.

Some third parties have lock-in agreements that become

prohibitively expensive over time.

Payments for hardware such as dedicated servers and

software for the servers and consequent upgrades can add
up.

In conclusion, creating an in-house system is neither easy nor inexpensive. According to cost comparisons, minimum costs for
100 employees can be $1,500 per person. For a larger company with 1000 employees, these costs could run close to
$500,000.

Final Option Evaluation

Research indicates that for most companies a major obstacle to deploying a digital signature solution is the prohibitive cost of
implementing this type of complex solution. Whether a company chooses to outsource a solution to a trusted third party or
to develop a traditional solution in-house, the decision can cost close to half-a-million dollars over a three-year period for
only 1,000 users. This is a major investment per user for a company of any size.

Image-X's Digital Signature Solution

Image-X Enterprises Inc. has found a way of bypassing the high costs associated with both in-house and outsourced methods
of PKI. While Image-X is approved to act as a certificate authority in a way similar to the outsourced scenario described
above, Image Xs approach is unique and cost-effective by:
1) Authenticating the user before issuing digital certificate by County Clerk or other approved local authority.
2) Restricting the use of digital certificates only for document signing.
3) Providing a two loop process to eliminate the problems associated with CRL (Certificate Revocation List) in case of loss of
a certificate by a user.
4) Reducing the cost of issuing and maintaining the integrity and acceptance of digital certificate across the world by
creating an innovative approach to public key distribution and use of secured repository that can store all the signed
documents associated with the certificate server.

Practical Application
Image-X has already passed the rigorous standards to become a CA (Certificate Authority) for Washington State. Registering
with the state of Washington requires that the company pass the Statement on Auditing Standards, specifically SAS 70
Type II audit. This confirms for clients in the state that they are allowed to issue certificates for digital signatures.
Image-Xs servers currently run web services that allow attorneys and judges to request legal documents from court clerks
online. In this example, Image-X already acts as a trusted third party between the requestor and the distributor of legal
documents. There are numerous possibilities to integrate Image-Xs web technology with the ability to issue certificates to
users anywhere in the world where they need to sign a document or confirm another individuals signature (See below
illustration).

Other Electronic Signature Companies versus

Image-X's Two Tier Solution
Certificate Servers Around the World

CRL

C
L
CR

CRL

CRL
CRL

CRL

CRL

L
CR

CR
L
CR
L

CRL

CR

CRL
CRL

CR

CRL

CRL
CRL

CRL

CRL

Certificate User

Different Companys
CA servers

The CA servers around the world are regionally oriented. If you store your certificate with one company in the U.S.and you want to sign
a document in Germany, you go through a different companys server which verifies the validity of your certificate through a Certificate
Revocation List (CRL).

Centrally Located Certificate Servers

X
X

Secure Website

X
Se
c

Certificate User

ur

W
eb

sit

X
Image-X Certificate servers

Secured Repository
With Image-X, you can access the certificate by signing onto our web based application and using it anywhere in the world, bypassing
the need for a CRL while maintaining the same level of security.

Conclusion
In summary it can be stated that Image-X has developed a process that can make the
digital signature based solutions cost effective while still meeting all the legal
requirements and eliminating associated technical problem such as CRL and unlimited
liability for the user in case of loss of the digital certificate. Incorporation of digital
signature by government organizations and businesses will create greener
environment and efficient document delivery system that can replace paperbased
processes.

To learn more about Image-X Enterprises contact Dr. Mohammed Shaikh - mohammed@imagexx.com
Or go to http://www.imagexx.com

IMAGE-X Enterprises, Inc.