Digital signatures, central to the growth of electronic commerce in all its forms (inter and intra-government, business-to-business, business-to-consumer, and consumer-to-consumer) remain more of a curiosity than a compelling technology to businesses.
Yet governments - usually not the most cutting edge of entities - continue to forge ahead with digital signature policies. To say such policies raise little excitement among the population in general would be an understatement.
They deal with sets of technologies which in some cases exist, and in others, are assumed to be coming. They typically incorporate a level of complexity in wording and concept which makes an EU directive look interesting.
So combine an EU directive and digital signature policy, and you have the verbal equivalent of watching cement harden on a rainy day. Except that this document - a draft directive "on a common framework for electronic signatures" considered by the Commission's telecommunications council on November 27th - is quite interesting.
Not so much for what it proposes but for the fact that the directive has already become a victim to a political tussle over what kind of technologies should dominate in this not-yet-quite-here world. Or more precisely, if any technology should dominate at all.
The directive's sticking point was a proposal that a tangible "token" should be used in tandem with software used to create the encrypted signature (not actually a person's name but a unique mathematical "sign", or group of numbers, linked to the document it accompanies, that only that person could have created).
The token in this case was a smart card - cards which contain an embedded microchip. The cards simply add another level of security to the computerised process - the Taoiseach and President Clinton used them in Dublin when they digitally signed a joint communique last September.
But tokens are not necessary for digital signatures. If you have a current version of an Internet browser you have the capability of adding digital signatures to email with just a mouse-click. And tokens do not have to be smart cards, either - they can be magnetic strip swipe cards or perhaps some future item we cannot now imagine.
That is why the attempt by Germany and France, both countries with strong indigenous smart card industries, to commit the EU to using a smart card-based encryption technology was opposed by ministers from five states - the Republic, Britain, Finland, Sweden and the Netherlands. The Republic explicitly states in its framework document on encryption that no single technology should dominate in the digital signature area. That is because technologies change swiftly and enforcing a standard can lock in an outmoded approach (as opposed to other areas of software development, where standards can speed innovation by creating common ground on which new ideas can be sown).
There's nothing inherently wrong with smart cards - as a matter of fact, many in the encryption and digital signature industry believe they are a very effective and useful method for ensuring identity, added to the password one needs for accessing the software to create the signature. It's just that they should not be required.
Additionally, there are many markets for digital signatures, some in which an added layer of security might be important, and others in which it would just be irksome, as in internal business matters. If you're simply sending email, or perhaps a purchase order to another department and just need to verify that it came from you, fiddling with smart or swipe cards is an annoyance.
We have not seen the end of the directive. It will be reconsidered in January and will be voted on in April, presumably with the smart card segment removed.
The Government's own legislation in this area, which was supposed to have been drafted, will likely be brought up in the first quarter of next year. It is important that this happen soon, as the State needs more than a statement of intention to signify its support of an e-commerce environment.
Karlin Lillington is at klillington@irish- times.ie
