Signatures 2.0

Signatures form the foundation of the current trust network, but they are a shaky foundation given the increasingly complex demands of determining identity. GETTY

Signatures form the foundation of the current trust network, but they are a shaky foundation given the increasingly complex demands of determining identity. GETTY


I have a confession to make. When I get contracts sent to me as PDFs, I do not normally print them out, sign them in ink, scan them back in, convert the images to PDF and send them back to the counterparty. Instead, I take a JPEG of my signature, paste it into the PDF in Adobe Acrobat, save the file, then sent it back. I wouldn’t even bother to do this, save that there are still people out there who get agitated when they don’t have a random swirl of ink on a piece of paper.

Signatures may form the basis of a trust network, but let's be honest. Signatures can be readily forged - I can open up a document in Photoshop, extract the signature and create a duplicate that with a few keystrokes would be indistinguishable from a person's signature because it IS that person's signature. Somewhere along the line, I learned calligraphy, and from there the natural jump to graphology - the study of writing patterns. A good graphologist might be able to determine the likelihood that two signatures were written by the same person about 75% of the time, but the field is still more art than science, and there's a lot of pseudosciences that gets wrapped up in it that keeps graphology from being taken seriously by most forensic teams.

A signature is an assertion - it asserts that I am the person agreeing to the terms of the contract, and the presence of the signature holds the force of law. However, in an increasingly distributed world, such signatures are rapidly losing their value simply because forging them is trivial.


The role of a notary public is to serve as a trusted witness, with that trust, in turn, deriving from the authority of a government. GETTY

The role of a notary public is to serve as a trusted witness, with that trust, in turn, deriving from the authority of a government. GETTY


Many legal documents utilize an implicit credentialing system. In such a system, any transaction also requires a neutral third party, typically a notary public. A notary public requires the presence of certain credentials - a driver's license, a birth certificate, a passport, or some other form of government credential, to determine that you are whom you say you are, and once having determined that you are you, will attest to this fact. Such notaries are themselves bonded, meaning that they have both paid for an NP license and bond and themselves been credentialed and authorized to act in good faith, at the risk of losing that bond.

This credential process has been carried into digital signatures on the web. For instance, about a year and a half ago, a decision was made at the standards level to phase out ordinary, raw web traffic (HTTP) in favor of secured web traffic (HTTPS). What that means in practice is that whenever you connect to a web server from your browser, the first thing that happens is that your browser will check to see if the browser has a certificate indicating that the server is whom they say they are. Specifically, the browser asks the server for a document that says that some higher authority has declared the DNS address (the domain name) to be legitimate. The document in question will also point up the chain from the higher authority to see who authorized the declaration in the first place, and then who authorized the authorizer, and so forth until eventually, you get to some trusted authority that the browser does know about.


Trust networks work by creating a chain of trust authorities, each of which can certify that a given identity is legitimate. This is part of the foundation on which the secured web (https) works. GETTY

Trust networks work by creating a chain of trust authorities, each of which can certify that a given identity is legitimate. This is part of the foundation on which the secured web (https) works. GETTY


If such a certificate doesn’t exist, the site in question will not send any contents to the browser beyond generalized data that identifies some minimal metadata about the connection. If it is valid, what gets sent back is a public cryptographic key for the domain name that is then used to decode information that has been encoded with a private key on the server. Because the content is encoded, it’s secure - you cache a private key that let lets you decode the content when it gets to you, and this happens automatically with any future communication to that server.

This has gone a long way towards securing the web. If a company loses its credentials due to conducting illicit activities, it makes it much harder for it to gain new credentials. Most browsers now will not let people visit websites that fall outside the secure perimeter, reducing the possibility of phishing or man in the middle attacks and standards such as CORS (cross-origin resource sharing) means that code within web pages can't cross boundaries to get resources if secure encryption and credentialing to the cross-site doesn't exist.

The biggest problem with such a system, however, is that it doesn't work as well outside of the web, and requires some kind of centralization. This can result in a lot of overhead. For instance, consider a company that issues badges to its employees. Traditionally, a number is assigned from a database for every new person who's given a badge. That number may be unique, but usually, the uniqueness is only local to the company in question; if two different companies issue badge #419, the individuals associated with the badges are almost certainly going to be different.

Now, suppose that instead of being given a paper badge with no real way to determine whether the badge uniquely identifies the person, the badge issuer can now create a data structure that gives a person's name, identifying characteristics, one or more images or similar biometric data and some kind of authorization chain - the person who created the badge saw the person's driver's license and passport photo, in effect acting in the same role as the notary public. This information, in turn, is encrypted as a hash (a long sequence of numeric characters), with the issuer providing the private key of that encrypted hash.


Blockchains use cryptographic hash keys to determine transaction participants and focuses. Because they are distributed and synchronized, blockchains and similar distributed ledger technology will play a big part in any credentialization system.GETTY

Blockchains use cryptographic hash keys to determine transaction participants and focuses. Because they are distributed and synchronized, blockchains and similar distributed ledger technology will play a big part in any credentialization system. GETTY


Now, let's put the hash onto a blockchain, a form of a distributed ledger. The hash becomes a key into the ledger, with enough information in the entry to decode that hash into enough metadata about that person to determine both that the key represents them and that the individual in question has been vouched for by a chain of other hashes that each can be quickly looked up. These are called verifiable credentials, with the hashes themselves called decentralized identifiers (DIDs).

You may likely be unfamiliar with these - the DID specification and Verifiable credentials have just recently become working drafts within the W3C. They are to resources (peoples, places, organizations and things) what domain names and URIs are to the web. The one distinction is that unlike domain URIs, they are not in general human-readable - they are intended primarily as keys into indexed data systems (which is what blockchain ledgers are)

What’s important with such credentials are the implications they bring for both privacy and application development. In my previous article for Forbes, Data Privacy, By Ref Sharing and the End of Business Cards (Maybe), I talked about the shift from data passing by copy to data passing by reference, and how that's changing the discussion about data privacy and control. Verifiable credentials become another part of that puzzle - how to identify individuals uniquely in a distributed network, how to determine the rights that people have for getting to current information and how to reduce the overall burden (and the potential for abuse) that comes with aggregating copies of data.

For instance, consider again the question of badges within an organization. Many organizations now make use of badges with RFID or NFC transmitters. These cards are generally not cheap, and most readers who have used them have likely found themselves outside a secured perimeter after having taken their badges off to authenticate their computers, leaving the badges on a desk or someplace otherwise inaccessible. Similar situations often are involved with secured VPNs that require some form of key generator.

Suppose, however, that there was a consistent public standard for verifiable credentials. It means that you could create a blockchain wallet that held the encrypted keys on your cell phone, your laptop or even (gasp) your wallet, tied into your identifier. Since you’re just passing keys around, each electronic lock need only check to make sure that at least one of the keys that are associated with that wallet (transmitted via Bluetooth or NFC) is listed in the device’s registry. VPNs could make use of the same mechanism to autoconfigure access, reducing the overall cost of getting someone onboarded onto a VPN from weeks to seconds.

Each device, of course, could also have verifiable credentials. If a device’s credentials can’t be authenticated through the trust network, then even if you have the appropriate user keys, the network may still keep the device outside of its trust perimeters. This has obvious implications for the Internet of Things, especially given the ramifications of not having a broad security framework in place to keep people from hacking IoT devices.


Verifiable credentials may prove a necessary technology for truly fair electronic voting, as it ensures that neither voters nor politicians are attempting to fraudulently game the system. GETTY

Verifiable credentials may prove a necessary technology for truly fair electronic voting, as it ensures that neither voters nor politicians are attempting to fraudulently game the system. GETTY


One additional area where this comes in is the potential to manage identifiers for elections. There are two fundamental (and competing) facets to any election: the need to ensure that as many people as possible can vote anonymously (so they can vote without fear of reprisal) while at the same time making sure that a person only votes for one person in the races for which they are allowed to vote. Note that this doesn’t mean that a person can’t vote more than once in a race, rather that only the last vote by that person counts.

In a verifiable credential scenario, both of these constraints can be fulfilled, though only by providing encryption keys upon voter registration that can be cached in a phone or laptop wallet, embedded in a smart card, or passed via other means. It could also serve as a mechanism to keep elected officials from purging voter rolls and can even do the unthinkable - provide real-time election results while reducing the potential for illegal miscounting. Historically it's been the latter situation (electoral fraud) rather than voter fraud that's been the real problem in elections, and the combination of distributed ledgers and verifiable credentials could readily make such electoral fraud a thing of the past.

In all of this, it's important to realize that the issuer of the identifiers no longer needs to retain the whole record for each person or resource, because it is the resource itself that retains its identifying information and its key. That doesn't mean that the issuer can't retain this information (the badges example, for instance, would almost require it), but in most cases, what it means is that the issuer of the ID doesn't have to store all of the information about a given resource because the resource itself is the holder of its information. The ID is in this case just part of a key (as the public part of a cryptographic pair) that can be used to unlock that information from the resource's metadata with the right permissions (the private part of the pair).

Standards take time to create, and once approved, to disseminate. Verifiable Credentials is part of the W3C Verifiable Claims Working Group, with the roadmap for completion of all parts now looking at late 2021 or early 2020 for completion of all components. This effort is building on an emerging consensus both on blockchain and the Internet of Things, as early implementations of both of these give way to an effort to standardize intercommunication.

Ultimately, Verifiable Credentials is about ensuring trust, not just at the level of human-to-human transactions but ultimately human to machine and machine-to-machine interactions. It does so by making resources (people and things) holders of their data, representing a major shift in thinking away from the dominant data paradigm of the last forty years. It likely may take a couple of decades to fully integrate into the web, but once done the emerging noosphere will be a far more secure platform than it is today.

Follow me on Twitter or LinkedIn.


Kurt Cagle is Managing Editor for Cognitive World, and is a contributing writer for Forbes, focusing on future technologies, science, enterprise data management, and technology ethics. He also runs his own consulting company, Semantical LLC, specializing on Smart Data, and is the author off more than twenty books on web technologies, search and data. He lives in Issaquah, WA with his wife, Cognitive World Editor Anne Cagle, daughters and cat (Bright Eyes).