Is it an electronic or Digital Signature?
Last month, we began our discussion about electronic signatures by talking through the aircraft maintenance cycle and the points at which a signature is needed to meet regulatory requirements. We also noted that there are really two general areas for maintenance records and the signatures that certify them:
1.the maintenance provider
2.the aircraft itself
It is important to keep in mind the differences, both in location and in purpose, between maintenance records of the maintenance provider and maintenance records of the aircraft itself as we look at the methods used for electronic and digital signatures.
In this issue, we will cover definitions of terms, and get a clear understanding of what an electronic signature is compared to a digital signature. In addition, we will touch briefly on the current Advisory Circular (AC 120-78) written by the FAA in 2002 to provide for the use of electronic signatures in aircraft maintenance.
Electronic Signatures go Way Back
Various forms of electronic signatures have been accepted in practice for many years, some for hundreds of years. For example, as far back as 1869, the New Hampshire Supreme Court accepted the enforceability of telegraphic messagesas electronic signatures. A more familiar form of electronic signature is a faxed copy of a signature, which has been accepted as a legal signature for many years. The term “electronic signature” has been around for a long time but the technology explosion that has taken place during the past 20 years has created opportunity to use computer technology to create a much more verifiable form of electronic signature, more accurately termed the “digital signature.”
Electronic Signatures Act
On June 30, 2000, President Clinton signed into law the Electronic Records and Signatures in Commerce Act, more commonly referred to as the Electronic Signatures Act. After the signing, the Electronic Signatures Act (Public Law No: 106-229) went into effect on Oct. 1, 2000.
You may access the Electronic Signatures Act at the following address: http://www.gpo.gov/fdsys/pkg/BILLS-106s761enr/pdf/BILLS-106s761enr.pdf
The Act formally provides for the use of electronic contracts in the same way as contracts executed on paper — with a few minor exceptions that are listed in the Act. The Act does not mandate the use of electronic signatures, rather just provides for their use. In addition, the Act purposefully avoids mandating any specific form of electronic signature. A multitude of electronic signature methods are acceptable under the Act, including simply pressing an “I Accept” button, digital certificates, smart cards and biometrics.
Technology was very different back in 2000 when the Act was signed into law. The Internet and the widespread sharing of data was very young compared to today. Since then, we have seen a technology evolution that brought forth a ton of potential for the future in this area. I’m thinking of iPads, tablets and smart phones, along with Cloud computing, etc., not to mention the formalization of the process of creating digital signatures that can validate both the identity of the person signing the document as well as the security of the content of the document itself.
AC 120-78 Acceptance and use of Electronic Signatures, Electronic Recordkeeping systems and Electronic Manuals.
Spurred by the Electronic Signatures Act of 2000, in October 2002, the FAA, specifically AFS-300, issued an Advisory Circular (AC) intended to provide the industry with guidance on how to incorporate these technologies into day-to-day operations and remain in compliance with Federal Aviation Regulations. Specifically, the AC addresses electronic signatures and electronic record-keeping systems as well as the use of electronic manuals. There is certainly a lot of information in the advisory circular that helps us to understand better what electronic signatures are and how they work, but one key issue to point out in reading the AC is that, through the language of the Advisory Circular, the FAA has embellished on the term “electronic signature.” For the purposes of the AC, the FAA changed it to mean essentially the same as the term “digital signature.” They tell us right up front in the AC that they are doing so
NOTE: In this AC, the term “electronic signature” refers to either electronic signatures or digital signatures. The specific electronic signature used depends on the end user’s preference and the system application.
It might seem minor, but we need to have this embellishment in mind so that we don’t get confused while talking about the application of electronic signatures in aviation. The fact is that a copy of a handwritten signature such as is found in a faxed image, or a signature created by a stylus on a signature pad at the grocery store is an electronic signature, but it is not a part of a digital signature system that provides authentication and verifiable proof that the signer is one unique individual.
I know for many of us, including the FAA, the term electronic signature and the term digital signature have often been used as if they were synonymous. However, they are very different. A digital signature is just one form of electronic signature. Let’s walk through the definitions provided, first by the Electronic Signatures Act and then by the FAA through Advisory Circular 120-78, and see if we can make sense of it all.
Electronic Signature vs. Digital Signature
Below is the definition of the term electronic signature taken from the Electronic Signatures Act signed into law June 30, 2000.
Electronic signature. The term ‘‘electronic signature’’ means an electronic sound, symbol or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
Next are two definitions from AC 120-78, both the definition of electronic signature and digital signature. In the definition of electronic signature, I highlighted the portion of the definition that comes directly from the Electronic Signatures Act so that you can see the difference. The FAA’s definition includes the act’s definition nearly in its entirety, but is expanded to include cryptographic (encrypted data keys) functions of digital signature, etc.
Electronic signature. The online equivalent of a handwritten signature. It is an electronic sound, symbol or process attached to or logically associated with a contract or other record and executed or adopted by an individual. It electronically identifies and authenticates an individual entering, verifying or auditing computer-based records. An electronic signature combines cryptographic functions of digital signatures with the image of an individual’s handwritten signature or some other visible mark considered acceptable in a traditional signing process. It authenticates data with a hash algorithm and provides permanent, secure user-authentication. (ref AC 120-78)\
The AC includes the definition of digital signature, too.
Digital signature.Cryptographically-generated data that identifies a document’s signatory (signer) and certifies that the document has not been altered. Digital signature technology is the foundation of a variety of security, electronic business and electronic commerce products. This technology is based on public/private key cryptography, digital signature technology used in secure messaging, public key infrastructure (PKI), virtual private network (VPN), Web standards for secure transactions and electronic digital signatures. (ref AC 120-78)
The key difference in the AC between an electronic signature and a digital signature is that a digital signature includes the certification that the document has not been altered. This makes sense for our industry. We want to be certain when the signer signs an electronic document or record, it cannot be altered in any way.
Let’s call it Digital Signature
An electronic signature is truly any form of signature that uses an electronic means to communicate a marking or signature, identifying the person signing. It can be the signature pad at the grocery store, a faxed copy of a signature or even a telegraphic message indicating approval.
It is the “digital signature” on which we need to focus. We must embrace a method of acceptance, security and authentication that upholds the integrity of the aviation community AND ensures the same or higher level of efficiency and value in execution as the handwritten signature methods we have all evolved with.
Next month, we will look at the opportunities for digital signatures as well as the potential obstacles in the way of an effective implementation. Taking the first article (in the Jan/Feb issue of D.O.M.) where we talked about the aircraft maintenance cycle and the various points requiring a signature, laying that over the methods for digital signature available today, and introducing the regulatory landscape associated with aircraft maintenance records, we will see more clearly where the opportunities are and where potential weak links exist.
Until next month………
Joe Hertzler has more than 25 years of experience in business aviation. He has earned a reputation as an efficiency expert when it comes to aircraft maintenance and is well known for his in-depth understanding of maintenance regulations and how they affect aircraft compliance. He has helped many in dealing with critical and urgent FAA interactions and often speaks on the topic of aircraft maintenance and compliance at industry events, such as the NBAA Maintenance Managers Conference, PAMA meetings and IA renewal seminars. Hertzler also serves on the National Air Transportation Association’s (NATA) Maintenance and Systems Technology committee. Contact him at JoeHertzler@gmail.com.