Indiana State Board of Accounts


Electronic and Digital Signatures

There is a lot of confusing and conflicting terminology surrounding the concept of electronic and digital signatures.  The following is an attempt to clarify some issues.  However, remember that while the use of electronic signatures may initially seem to be a technical issue, it is also a legal issue, involving concerns such as but not limited to: for what purpose is the electronic signature being used; is there an agreement between the parties as to the use and form of the electronic signature; is there guidance or approval needed from relevant oversight authorities such as granting agencies for Federal funds; and ultimately what is acceptable in a court of law as evidence that the parties intended to sign a document.

Digitized Signature

A written signature that has been read by a computer device, which has converted the signature into digital data.  Examples include:

  • A scanner used to copy a signature from paper and store the signature as a digital image.  The image can then be printed on a document.  This is basically a digital replacement for the rubber signature stamp.
  • A mobile digitizing device used when signing for packages from UPS or other common carriers.
  • A digitizing device used when making a credit card purchase at a retail store.

These devices can be quite simple, such as a scan of the signature, or very sophisticated, such as a device that measures pressure throughout the signature and the number of strokes used during the signature.

Electronic Signature

For several years the Federal Government has tried to support electronic commerce, but the requirement for a signature has been a problem.  As a result, the National Conference of Commissioners on Uniform State Laws drafted a recommended law in 1999, the State of Indiana passed a Uniform Electronic Transactions Act in early 2000, IC 26-2-8, and the Federal Government passed the Federal Electronic Records and Signature in Commerce Act (e-Sign Law), on electronic transactions effective in late 2000.  Normally, a Federal Law would override a state law, but this Federal Law specifically states that if the state law is not in conflict with the Federal Law, the state law takes precedence.

An electronic signature means an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record.  This record or signature may not be denied legal effect or enforceability solely because it is in electronic form.  Examples of potential electronic signatures include but are not limited to:

  • Click OK on a screen
  • Password
  • PIN Number
  • Digitized Signature
  • Digital Signature
  • Fingerprint Scan
  • Retina Scan

The definition was intentionally broad so it would not favor any existing technology or prevent the use of new technologies that will be available in the future.  It was assumed technology would progress more rapidly than specific laws could be enacted. 

A governmental unit shall determine whether, and the extent to which, it will send and accept electronic records and electronic signatures to and from other persons and otherwise create, generate, communicate, store, process, use, and rely upon electronic records and electronic signatures.

If a party agrees to conduct a transaction electronically, the party is not prohibited from refusing to conduct other transactions electronically.

The State Board of Accounts does not have a position on whether or not the governmental units should participate in this technology.  The governmental unit may choose to participate in electronic signatures to assist in performing their responsibilities or to assist others in increasing their efficiency.

The State Board of Accounts audit scope is based on Indiana Code 26-2-8-202 that states the governmental units are required to “control the processes and procedures as appropriate to ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of electronic records”. Concerns about the use of Electronic Signatures include but are not necessarily limited to:

  • Have the unit and the other party agreed to utilize electronic signatures?
  • Have the unit and the other party agreed to what will constitute an electronic signature?
  • Does the unit have adequate security to ensure the documents are not modified?
  • Does the unit have adequate security to ensure only authorized users can execute the electronic signature?
  • Do procedures exist to ensure the unit and all related parties have exact replicas of the documents?
  • Can the documents be accessed in their original form?
  • Do adequate backup and disaster recovery procedures exist to ensure the documents can be restored?
  • Are hardware and software available to access the documents for audit?
  • What provisions are made to provide future access to the documents as technology changes?
  • Any certification language that the Official must attest to in the manual signature process must be part of the approval process before the electronic signature can be created.

Digital Signature

Indiana Code 5-24-1 Electronic Digital Signature Act defines a Digital Signature.  It’s only applicable to State Agencies.  Indiana Administrative Code, Title 20 State Board of Accounts, Article 3 Digital Signature (20 IAC 3) further defines the requirements for Digital Signatures that are used by State agencies.  Other governmental entities are not bound by these provisions.

A Digital Signature means an electronic signature that transforms a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can determine whether:  The transformation was created using the signer’s private key; and whether the initial message has been altered since the transformation.  The process is as follows:

  • A Certification Authority (CA) determines that a customer is valid and generates a certificate or “key set” which includes a private encryption key for the signer and a public encryption key for those receiving the message.  The keys are different but form an asymmetric pair – what one key encrypts the other key decrypts.  A certificate can cost up to several hundred dollars.
  • The CA posts the name, public key and effective dates for the certificate.
  • The owner of the private key generates a message and/or document and applies the private key.
  • The message is “hash totaled” at the binary level.
  • The message and “hash total” are encrypted and the digital signature, a number, is created and is sent along with information on who is the CA.
  • The person receiving the message obtains the public key from the CA and checks the effective dates.
  • The public key is applied which decrypts the message, the “hash total”, and confirms the digital signature number is the same as the one generated by the private key.

As a result, the receiving person knows who sent the message and that no changes have occurred to the message.  Any “legal” meaning attached to this process, such as agreement to contract terms, should be defined by the agreement between the parties on how to use the electronic or digital signatures in conducting business.
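The sign-and-verify sequence above, together with the effective-date check, as an added Python sketch (not part of the original page or of any State system). It transforms only the hash with the private key and leaves the message readable, which is how signature schemes normally work. The certificate record, its name and dates, and the `signed_on` argument are constructed assumptions, and the toy unpadded RSA key is for illustration only.

```python
import hashlib
from datetime import date

# Toy key pair for illustration only: Mersenne primes and unpadded
# ("textbook") RSA are NOT secure; real systems use a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, kept by the signer

# What the CA posts: name, public key, effective dates (constructed values).
CERT = {"name": "Example Clerk", "public_key": (N, E),
        "not_before": date(2024, 1, 1), "not_after": date(2024, 12, 31)}

def digest(message: bytes) -> int:
    """The page's "hash total": SHA-256 over the message bytes."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Signer applies the private key to the hash; the result is a number."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int, cert: dict, signed_on: date) -> str:
    """Recipient's checks: certificate dates first, then the signature."""
    if not (cert["not_before"] <= signed_on <= cert["not_after"]):
        return "certificate not valid on signing date"
    n, e = cert["public_key"]
    # Applying the public key recovers the hash the signer computed.
    if pow(signature, e, n) != digest(message):
        return "signature mismatch: altered message or wrong key"
    return "valid"

if __name__ == "__main__":
    doc = b"Claim voucher 1001: approved"  # constructed sample document
    sig = sign(doc)
    print(verify(doc, sig, CERT, date(2024, 6, 1)))
    print(verify(doc + b" (amended)", sig, CERT, date(2024, 6, 1)))
    print(verify(doc, sig, CERT, date(2025, 1, 1)))
```

The recipient must retain both the document and the signature number to repeat this check later, and needs a trustworthy record of the signing date for the effective-date test to mean anything.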

In order for State agencies to use a Digital Signature, the Certificate Authority that issues the certificate must comply with the additional provisions of 20 IAC 3, including:

  • The encryption technology must conform to the X.509 standard published by the International Telecommunication Union.
  • The CA must submit an annual audit.
  • The CA must post a bond.

Currently there are no Certificate Authorities that comply with 20 IAC 3.

In addition to the Electronic Signature concerns discussed above, the use of Digital Signatures presents additional concerns such as:

  • The quality of the CA's identity vetting process, i.e. the procedures the CA uses to verify the person applying for the certificate is really the person who he claims to be.  Entities should be aware of the CA’s vetting procedures before using Digital Signatures.  It may be possible to specify additional identity vetting procedures for the Digital Signature to be acceptable by the agency.
  • The recipient should ensure that the certificate was valid at the time each transaction or document was digitally signed.
  • The recipient should ensure that the electronic transaction and the digital signature are retained.

Conclusion

Electronic signatures are a key element in the implementation of electronic transactions and their use will expand in the future as government units attempt to provide better and more cost effective services to citizens and business organizations.  Currently, definitions of electronic signatures are broad and there is limited guidance on the controls necessary to assure their legal validity.