Reality Check: Using Digital Signatures for Business Email

Posted on August 21, 2011


Communication is the lifeblood of business, and email is still the lifeblood of communication.
Out of the box, email from even the newest software and systems is not digitally signed.
Looking at the advantages that digital email signatures theoretically offer (sender authenticity, message integrity, non-repudiation of the communication transaction), one would think it should be a piece of cake for an organization’s InfoSec manager to convince the organization of the (mandatory) use of digital signatures for email. But it isn’t. Why?! A reality check:

Well, although there has actually been lots of support and many supporting efforts from governments and governing bodies for many years (e.g. the Electronic Signatures in Global and National Commerce Act (ESIGN) in the US and the Community Framework for Electronic Signatures of the European Parliament), there is apparently still no legal culture that would drive an organization to serious efforts towards a corporate email standard that makes digital signatures a mandatory obligation. It is simply still commonly accepted legal practice these days that emails without any digital signature are admitted as evidence by a court as long as the forensic requirements and the chain of custody have not been broken. One could argue that digital signatures would be a near-perfect means in both respects, forensics and chain of custody. True, but so is an MD5 hash…

Business Case:
What about the return on investment for bringing digital signatures to the email communication of your organization? At the end of the day, we need to sell the idea to the business guys, the ones with the funds, the ones with the permanently switched-on calculators in their heads…
Email works just fine without digital signatures, without spending money on the digital user certificates needed for signing, and without the additional costs for certificate management and user support. Is the expense necessary due to compliance/legal requirements? What requirements? Where? Show me!
(“And by the way: if something matters legally, we send a fax, or write a letter, something with real ink, and it is still less expensive than your digital signature stuff.”)

Technical Issues:
Ever got an empty email (with no body text at all) with a mysterious smime.p7m attachment in your Gmail (or Hotmail or Yahoo) inbox? Well, the optimistic sender obviously put her/his trust in the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard (RFC 1847/2633/3851), supported by most of the major email clients, such as Outlook, with a single mouse click.

It doesn’t matter why the digitally signed email got messed up in the recipient’s Gmail or Android or iPad or whatever-wherever inbox; as long as it gets messed up, this is a KO criterion for business users, there can be no doubt about that.
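An added example (not code from the original post) of the structural reason behind that empty email: the S/MIME RFCs define a clear-signed form (multipart/signed, where the text stays a normal MIME part and the signature is a detached smime.p7s) and an opaque form (application/pkcs7-mime, where the text is wrapped inside the smime.p7m blob), and a client without S/MIME support can render only the former. The signature bytes and the message text are constructed placeholders; only the MIME layout is real.

```python
# Added example, not from the original post: why an S/MIME-signed email can
# arrive as an "empty" message with an smime.p7m attachment. FAKE_CMS is a
# constructed stand-in for DER CMS data; only the MIME structure is real.
from email import message_from_bytes, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

BODY = "Quarterly figures attached, please confirm receipt."  # constructed
FAKE_CMS = b"placeholder-CMS-SignedData-blob"  # not a real signature

def clear_signed(body: str) -> bytes:
    """multipart/signed (RFC 1847): readable text part + detached signature."""
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                        micalg="sha-256")
    msg["Subject"] = "Signed (clear)"
    msg.attach(MIMEText(body))
    sig = MIMEApplication(FAKE_CMS, "pkcs7-signature")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    msg.attach(sig)
    return msg.as_bytes()

def opaque_signed(body: str) -> bytes:
    """application/pkcs7-mime signedData: the text lives inside the CMS blob."""
    # A real message would carry the signed MIME entity inside the DER blob.
    msg = MIMEApplication(FAKE_CMS + body.encode(), "pkcs7-mime", name="smime.p7m")
    msg.set_param("smime-type", "signed-data")
    msg["Subject"] = "Signed (opaque)"
    msg.add_header("Content-Disposition", "attachment", filename="smime.p7m")
    return msg.as_bytes()

def naive_view(raw: bytes):
    """What a client without S/MIME support shows: the text parts it can
    render, plus the filenames of parts it can only offer as attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, nothing to render by itself
        if part.get_content_type() == "text/plain":
            text.append(part.get_content().strip())
        else:
            attachments.append(part.get_filename())
    return "\n".join(text), attachments

if __name__ == "__main__":
    print(naive_view(clear_signed(BODY)))   # body visible, smime.p7s attached
    print(naive_view(opaque_signed(BODY)))  # empty body, only smime.p7m
```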

And last but not least:
The Human Factor:
I have stopped counting the cases where users spoke of “digital signatures” and were actually referring to scanned images of handwritten signatures, embedded as a JPG or GIF in documents or emails. Let’s face it, real digital signatures have a cryptographic background (e.g. based on X.509 certificates) that is rather difficult to explain to the standard business user (ever tried to explain the difference between a digital certificate and a digital signature, and why you need one to produce the other, to a senior manager and/or his/her secretary?)

Fact: In order to be widely accepted for use with day-to-day email, digital signatures:

  • a) have to get much simpler (to understand) for the standard business user;
  • b) need better and broader (working) global technical standardization;
  • c) need to provide a clear business case (e.g. driven by compliance requirements, by risk, or by legal requirements).