Wednesday, April 24, 2013

I (manually) sign, so I authenticate (or not)


What is authentication?

Authentication is a procedure that allows the recipient to know who issued a document and that the data it contains is reasonably reliable. In a broad sense it also includes "integrity", that is, the data has not been changed since its origin, although technically speaking authentication and integrity are separate concepts.



Authentication always exists, either explicitly (a manual signature, a stamp, ...) or implicitly (I trust you, I know your email address, so I assume the document you send to me via email is correct), and either with the awareness of the parties (I can see the signature and, eventually, I can check its validity, that is, that it was made by the claimed individual) or without it (I do not know how my bank knows to which account it has to pay my electricity bill, and I do not care). But it always exists.

The vast majority of authentication mechanisms do not provide integrity, but a few of them do (MAC, digital signature, etc.). A manual signature does not provide integrity by itself at all.

Is manual signature an authentication mechanism and vice versa?

A manual signature is a means of authenticating the identity of a person ... after a registration process (i.e., ID card or passport issuance). A manual signature is one among dozens of authentication mechanisms, so a manual signature implies authentication, but not the other way around.

In our daily work we do not care about authentication. We do business, and that is our main goal. But when something goes wrong, we run looking for the audit trail, authentication mechanism or whatever else can demonstrate that I am right, my hands are clean and the hot potato is on the other’s roof.

A handwritten signature by itself cannot prove that the data has not been altered (you need special paper or legal forms for that), nor can it prove when the document was released.
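The contrast drawn above between a manual signature and a MAC, as an added example that is not part of the original post: a content-independent mark still verifies after the document is altered, while an HMAC tag does not. The specimen mark, key and documents are constructed sample values, and the shared key is assumed to have been exchanged at registration.

```python
import hashlib
import hmac

# Constructed sample values for this example only.
SPECIMEN = b"/s/ A. Signer"            # stand-in for the mark registered at enrolment
KEY = b"constructed-demo-key"          # shared secret, assumed exchanged at registration
ORIGINAL = b"Pay 100 EUR to account 1234"
ALTERED = b"Pay 900 EUR to account 1234"


def manual_sign(document: bytes) -> bytes:
    """Handwritten-style mark: identical on every document the signer issues."""
    return SPECIMEN


def manual_verify(document: bytes, mark: bytes) -> bool:
    """Compare the mark with the registered specimen; the content is never consulted."""
    return hmac.compare_digest(mark, SPECIMEN)


def mac_sign(document: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 tag computed over the document bytes."""
    return hmac.new(key, document, hashlib.sha256).digest()


def mac_verify(document: bytes, tag: bytes, key: bytes = KEY) -> bool:
    """Recompute the tag over the received bytes and compare in constant time."""
    return hmac.compare_digest(tag, mac_sign(document, key))


def compare(original: bytes = ORIGINAL, altered: bytes = ALTERED) -> dict:
    """Sign the original once, then verify both the original and an altered copy."""
    mark, tag = manual_sign(original), mac_sign(original)
    return {
        "manual_original": manual_verify(original, mark),
        "manual_altered": manual_verify(altered, mark),   # still accepted
        "mac_original": mac_verify(original, tag),
        "mac_altered": mac_verify(altered, tag),          # rejected
        "mac_wrong_key": mac_verify(original, tag, b"another-key"),
    }


if __name__ == "__main__":
    for check, accepted in compare().items():
        print(f"{check:16} accepted={accepted}")
```

Neither mechanism here says anything about when the document was released; that would need a separate trusted timestamp.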

So, from my point of view, a handwritten signature is a (poor) authentication mechanism, but manual signature and authentication are not synonyms at all.

What do you think?