With the proliferation of electronic documents and the increased reliance on them, e.g., in electronic commerce, the use of electronic or digital signatures is becoming more widespread. An “electronic document” can include any collection of organized information, which is stored, transmitted, read, or written, in electronic form. Examples of electronic documents include files, folders, directories and other data structures and organized representations of information used in conjunction with computers, digital communication systems and other electronic media.
One difference between conventional paper documents and electronic documents is that while paper documents display on their face what is contained therein, electronic documents may contain content which is not apparent on the face of the electronic document. Electronic documents may contain codes and nonvisible characters and data in addition to their visible content. As an example, electronic documents may contain embedded control characters, used for the purpose of sending an instruction to a display terminal to make changes in the physical appearance of the document. As another example, metadata may be incorporated into an electronic document to perform other functions related to the appearance or formatting of the document. One example of metadata includes metatags, used in mark-up languages such as hypertext mark-up language (HTML) to format and index an HTML document.
In addition, electronic documents may include macros or active content. “Active content” can include executable electronic content that can take an input or a set of inputs, and cause a result based on the input or set of inputs. Active content may include nonvisible, executable instructions within the electronic document, such as macros. A “macro” may be an instruction or a set of instructions that perform a specific function or task, usually in the context of a software application. Active content and macros typically operate on the electronic document within its environment, using the inputs as parameters. Macros may be simple or complex, with some applications allowing almost arbitrary programming capability within the macro environment. One consequence of including active content in electronic documents is the possibility of compromising the integrity of the document from the standpoint of document security.
It is customary for a person to sign a document as a mark of authenticity, using a signature uniquely identifying the person signing the document. Various types of conventional signatures are known, such as seals, fingerprints and handwritten signatures. Since traditional signature methods are not normally applied to electronic documents, special electronic or “digital signatures” have been developed for this purpose. Digital signatures, in analogy with conventional signatures, allow the owner of the signature to impart a unique identifier to that which is to be identified. In the case of a typical digital signature, the holder of the signature attaches a unique electronic code to the electronic document. The electronic document, together with the digital signature, can then be stored or transmitted in electronic form and later identified with the signature holder. Typically, the digital signature is specific to the person (or entity) signing the electronic document and the content of the electronic document. “Digital signatures” can include numerous means of signing an electronic document, generally, and include known methods based on public key infrastructure (PKI), digital watermarks, and other methods for verifying, identifying and/or securing a document.
Systems and methods for identification, verification, authentication and/or non-repudiation of electronic documents are generally referred to herein as “assurance” systems and methods. Electronic document assurance systems and techniques may provide one or more of these functions; however, assurance is not so limited. Other functions falling under the general umbrella of assurance services may be provided either directly or indirectly, and are essentially directed to improving the security of electronic document transfer and storage and/or to minimizing intentional or unintentional compromises to the integrity of electronic documents.
A conventional paper document typically displays on its face substantially all that is contained therein, and photocopies thereof will display the same. An electronic document can include both the electronic document “corpus,” stored or transmitted, or existing in electronic form, as well as a corresponding perceptible, observable, or visible form that is presented to users of the electronic document, such as by displaying an output on a computer monitor or printing it on a printer. It should be understood that a perceptible instance of an electronic document, such as the output displayed on a computer monitor or printed on a printer, is merely an output generated to correspond to the electronic document and its content. The output may be presented to a user or viewer of the document in whole or in part and may appear in various forms. This perceptible output is a representation of the document corpus and data, and reflects in part any active content and input data used to produce the observed output.
Embedding active content into an electronic document can make it difficult to verify that the output as seen and digitally signed by a party when presented with the output in a first instance is identical to the output as seen in a second instance. This is especially true if the active content is not visible to the party viewing or invoking the document. An electronic document is said to be “presented” or “invoked,” referring to any recall, viewing, editing, transmission or other use of or interaction with the electronic document. One example of invoking an electronic document is the act or process of viewing a document containing text or graphical output on a display device. More specifically, one example is the process of retrieving a stored word processing file and displaying its corresponding output on a computer monitor or printing the same on a printer.
Active content can manipulate or alter the way an active electronic document is perceived or displayed, resulting in a lowered confidence level in the authenticity of the active electronic document. This may occur accidentally or intentionally and may take place without the knowledge or permission of the electronic document's users. Attaching a digital signature to the electronic document still leaves a question as to its integrity. The reason is that no change to the corpus of the electronic document (e.g., rewriting the data in the electronic file) needs to occur to alter the visible output of the active document. Digital signatures merely attest to the integrity of the underlying electronic file and do not assure that the output of active electronic documents has not been altered by the active content.
This problem is not cured by delivery of the digitally signed document to an uninterested party, or placing the document in an electronic escrow account, because embedded active content or macros within the document may become activated by an input to alter the document and any copies of the document, including copies kept with the uninterested party or in escrow. Furthermore, as explained above, since the actual electronic file's corpus is not altered by the active content, there is typically no indication that the displayed form of the document has been changed from one invocation of the document to the next.
Information, such as the date of the formation of the contract, may be automatically inserted into a contract document for convenience, such as by soliciting the time and/or date information from the operating system. This solicited information is an input to the electronic document, corresponding to a “system call” caused by instructions from its active content. Many applications routinely pass system calls, such as queries, to their environments or operating systems to obtain input information required by the applications. Date and time queries are typical of such queries, which may be used by active content to modify the output of electronic documents.
In some instances, for example in cases where goods, services and funds are exchanged frequently between the same two parties, the two parties may agree to have a software application automatically generate the individual corresponding contracts for convenience. For example, the two parties may have agreed that the amount owed by one party to another is to be calculated from a related document, such as a spreadsheet.
To illustrate a possible adverse consequence of the preceding situation, consider the simple case of a contract, formed electronically between parties A and B, and executed using digital signatures. The contract may be in the form of a word processing document, and may contain active content or macros, either embedded by the application vendor, the parties to the contract, or by another party. The contracting parties may have agreed that B will render goods or services to A, and in return A will pay $1,000 to B. The figure $1,000 may be calculated by a spreadsheet application and automatically inserted into the word processing document using a macro. The calculation may involve parameters which may change without the knowledge of the parties, causing the apparently agreed-upon payment amount to change.
This scenario and others can arise using presently-accepted electronic document technology and practices.
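The contract scenario above, as an added example that is not part of the original text: a toy document whose hypothetical `{{FIELD}}` placeholders stand in for active content, showing that a digest over the stored corpus still matches at a later invocation while the rendered output does not. The placeholder syntax, function names, date and the changed amount are constructed for illustration; a SHA-256 digest stands in for the value a signature would cover, and comparing an output digest recorded at signing is an assumed check, not a method described on this page.

```python
import hashlib
import re

# Constructed sample corpus. {{DATE}} models a date obtained by a system call;
# {{AMOUNT}} models a macro that pulls a figure from a linked spreadsheet.
CORPUS = (b"Contract between A and B, formed {{DATE}}.\n"
          b"B will render services to A; A will pay ${{AMOUNT}} to B.\n")

# Constructed inputs: what the environment supplied at signing, and later.
AT_SIGNING = {"DATE": "2001-03-01", "AMOUNT": "1,000"}
LATER = {"DATE": "2001-03-01", "AMOUNT": "1,350"}

FIELD = r"\{\{(\w+)\}\}"  # hypothetical active-field syntax

def corpus_digest(corpus: bytes) -> str:
    """Digest over the stored bytes only, as a conventional signature covers."""
    return hashlib.sha256(corpus).hexdigest()

def render(corpus: bytes, inputs: dict) -> str:
    """Toy invocation: resolve every active field from the supplied inputs."""
    return re.sub(FIELD, lambda m: inputs[m.group(1)], corpus.decode("utf-8"))

def output_digest(corpus: bytes, inputs: dict) -> str:
    """Digest over the perceptible output of one invocation."""
    return hashlib.sha256(render(corpus, inputs).encode("utf-8")).hexdigest()

def active_fields(corpus: bytes) -> list:
    """List input-dependent fields, i.e. content a corpus digest cannot pin."""
    return sorted({m.decode() for m in re.findall(FIELD.encode(), corpus)})

def check_invocation(corpus, inputs, signed_corpus, signed_output):
    """Return (corpus_ok, output_ok) for a later invocation of the document."""
    return (corpus_digest(corpus) == signed_corpus,
            output_digest(corpus, inputs) == signed_output)

if __name__ == "__main__":
    signed_corpus = corpus_digest(CORPUS)
    signed_output = output_digest(CORPUS, AT_SIGNING)
    print("active fields:", active_fields(CORPUS))
    print("later invocation (corpus_ok, output_ok):",
          check_invocation(CORPUS, LATER, signed_corpus, signed_output))
```

The stored bytes never change between the two invocations, so only the output comparison reports the altered payment amount.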