There have many advances in the technology relating to the digital signature of documents. For example, standards such as the Public Key Infrastructure (PKI) have been established and widely accepted. As a result, Certification Authorities (CA) have been established and are increasing in number. Examples of public CAs are VeriSign, Thawte, and Entrust. CAs are used as a trusted third party to generate public-key certificates for an entity. Many entities use X.509 certificates, while other entities are using standards such as the public key cryptographic standard (PKCS) #7 for digitally sign soft documents.
Currently, many problems exist that inhibit the widespread acceptance of digital signatures. One problem is the lack of portability, from computer to computer, in present approaches used for digital signatures. The lack of portability often results in limiting a user of digital signatures to one specific computer.
Furthermore, there are many difficulties that arise when the recipient of a digitally signed document presents the document to a third party and attempts to establish to the third party, that the document was digitally signed by the original sender of the document. For example, the recipient may be able to verify that the received document has been signed, however, the recipient is unable to re-send the document to a third party, while keeping the original signature intact and valid.
Another problem is the lack of security in protecting private keys. Currently, digital signatures are computed using private keys. Public keys are associated with a particular entity, and are intended to be known to everyone who needs to have trusted interactions with that entity. The public keys are also used to verify signatures. Private keys must be protected from public access and are supposed to be known only to the particular entity that owns the private key. However, if private keys are not adequately protected, then they can be stolen by hackers. Hackers can steal private keys by hacking their way onto a computer and accessing the private keys that may be stored on the hard drive. Stolen private keys can be used to “forge” the digital signature of a particular entity. In addition, if the security of a private key is compromised, the signer of a specific document could deny ever signing the document, a fact that is referred to as “repudiation”, on the grounds that his key might have been stolen by a hacker and used to sign the document. Thus, private keys should be protected by adequate security mechanisms. However, adequate security mechanisms such as a “firewall” are expensive to install and maintain, and are often too complex for the typical individual user of a computer. Furthermore, it is well known in the art that even the best firewalls can be penetrated, and thus, even private keys protected by a firewall can be compromised and stolen by an unscrupulous hacker. These security issues have contributed to the lack of widespread use and acceptance of digital signatures.
In order to provide adequate protection for private keys, sophisticated technologies are required that are extremely expensive and may even require a network of personal computers. Clearly, these sophisticated solutions are not and never will be popular.
Other current solutions include storing private keys in chip cards or in USB tokens. These current solutions also have several disadvantages. For example, they require the use of special equipment to read the chip cards or they require the availability and accessibility of USB slots. In addition, it is worth noting that both chip cards and USB tokens, each of which require the physical connection of the chip card or USB token to a computer, could result in repudiation claims based on the scenario where chip cards or USB tokens can be actuated or triggered without the agreement and knowledge of the owner. The request of a fixed personal identification number (PIN) in order to actuate a chip card or USB token is not an obstacle for the unscrupulous hacker who can hack onto a computer and steal a PIN that has been previously entered into the computer.
In addition, many current solutions restrain the use of digital signatures to personal computers (PCs) or similar devices, and thus do not enable the sending of a digitally signed document through other types of devices such as a telephone.
An additional problem of present solutions lies in the CA/revocation list system which hands over to the recipient (13) the obligation to check the revocation list which is a concept that is not well known to a person who is not skilled in the art. Furthermore, a recipient (13) that checks the validity of the public-key certificate typically has to keep records that show that at a particular time the public-key certificate was not revoked, and, therefore, it was proper to accept the signature as verified. This further restricts the use of the digital signatures and prevents their widespread usage.