Internet commerce expected to soar with digital signatures, but safekeeping key

Thursday, October 5th 2000, 12:00 am
By: News On 6

SAN JOSE, Calif. (AP) _ It's no big secret any more that people can get great deals shopping for automobiles on the Internet. Capitol Honda in San Jose sold 108 cars online in the last month _ nearly double the month before.

But like thousands of business people across the country, Capitol's Internet sales manager, Chuck Fowler, hopes online deals can really take off now _ thanks to a new federal law that cuts out the paperwork.

The electronic signatures act, which gives legal standing to documents ``signed'' online, took effect Oct. 1. That means Fowler will no longer have to ship buyers financing forms and other documents, then wait for them to come back with signatures.

``In the best case, we're looking at three days' turnaround. With this, now, it's now _ right now,'' Fowler said.

The electronic signatures law had almost no opposition in Congress and President Clinton signed it in June. Now no contract, signature or record can be denied legally binding status just because it is electronic.

That means a signature transmitted on a fax, for example, is valid, as are signatures applied online, including cryptographic digital signatures. Eviction notices, certain court documents and health insurance information must still come in paper form, however.

Nearly every state had similar laws, but the patchwork of regulations was tricky for use in interstate commerce. Many companies waited for uniform nationwide rules before putting digital signature technology into widespread use.

``We think the room was full of gasoline and diesel fuel vapors, and this effectively is the ignition,'' said Scott Lowry, chief executive of Digital Signature Trust.

The Salt Lake City company, 22 percent owned by the American Bankers Association, issues digital certificates that let computer users prove their identity when they sign a document online.

Added June Yee Felix, chief executive of New York-based CertCo, another company that validates online identities: ``We're envisioning a world in which there's going to be lots of trading between people who have never done business together before.''

It will take some time, however, before most people understand what exactly digital signatures are. In a recent telephone survey of managers at 250 small- and medium-sized non-Internet companies, fewer than half knew the answer.

Largely because of such confusion, Frank Prince, an analyst at Forrester Research Inc., predicts it will take as much as five years before digital signatures have much impact on e-commerce.

To digitally sign documents, a person must first obtain a digital certificate vouching for their identity, the online equivalent of a driver's license or passport.

Issuing such certificates, in addition to CertCo and Digital Signature Trust, are companies including Entrust Technologies Inc. and VeriSign Inc.

The digital signatures themselves are analogous to numerical John Hancocks.

They are produced and checked using two related numbers, a key pair. One key, the private key, is kept secret and stored as a software file on the signer's computer. The other, the public key, is published, usually inside the signer's digital certificate in an online directory, so that anyone can use it to check a signature.

When a document is digitally signed (the signer usually types a password that unlocks the private key, and the software then computes the signature from the private key and the contents of the document), the receiving party checks the signature against the document using the sender's public key. Any change to the signed document makes that check fail.

The accompanying digital certificate, itself signed by the issuing company, ties that public key to a real-world identity that can be trusted. If both checks pass, the transaction is complete.

The private key is a number with about 100 digits, and even a hacker with the world's most powerful supercomputer would be unable to figure it out, said Ram Varadarajan, chief technology officer for Santa Clara-based Arcot Systems Inc., an Internet security company.

But while the private key itself cannot be worked out from the public key or the signature, a hacker who breaks into the computer where it is stored could copy it.

This is of serious concern to Bruce Schneier, a leading expert in computer security and cryptography _ the science of encoding messages so they are unintelligible for anyone but their intended recipient.

Schneier says the law doesn't account for the possibility that documents might be transformed after they leave the senders' computers.

Or that access can be obtained to someone's private key and their signature ``forged.''

``This has a potential for enormous abuse, because it's blind faith in the technology, and completely ignoring the human aspect,'' said Schneier, chief technology officer for San Jose-based Counterpane Internet Security Inc.

``If it fails, you're suddenly in this Kafkaesque nightmare of saying, `I never signed this,' and the court's saying, `Is that your signature?' And what do you do? Because it is your signature.''

Hence the importance of safeguards offered by a slew of Internet security companies to prevent forgeries.

``Properly implemented, a digital signature will be more secure than a written signature,'' said Martin Hellman, a retired Stanford University professor and a developer of public key cryptography.

Arcot, for example, offers downloadable software that lets people apply their digital signature to documents with a password, and keeps the signing key protected from hackers in an encrypted file. To use the key, a user must enter a PIN. If someone tries the wrong PIN three times, the stored signing credential is voided.

Other companies will let people store their private keys on a portable ``smart card,'' which requires that a special reader device be attached to a computer, a potentially more secure place for a signing key than the hard drive of a personal or corporate PC.

Arcot's chief executive, Chet Silvestri, plans to charge e-commerce companies a fee for every buyer who applies a digital signature to an order _ in the same way a shopper must sign a credit card receipt in a store.

About 1,400 companies are already using VeriSign's certificates to verify internal online transactions, such as changes to benefit plans, said Anil Pereira, a senior vice president at the Mountain View-based company.

On Thursday, the company announced a deal with Motorola Inc. that will let people use digital signatures in transactions using mobile phones with Internet access.

VeriSign is so serious about guarding against fraud that the device it uses to generate digital certificates and send them on the Internet is kept in a box in a special room.

The room has no crawl spaces and is behind multiple layers of security _ and only employees who have passed background checks can get close to the room.

Six such employees must be present at once to open the box and make the device issue a certificate, Pereira said.

``Nothing ever in the world is foolproof, but certainly ... these systems are far more robust than most systems you'll see in the digital and physical world,'' he asserted. ``Our secure data center is the Fort Knox of the Internet.''