Outsourcing digital signatures: a solution to key management burden

Digital signatures are only enjoying a gradual and reluctant acceptance, despite the long existence of the relevant legal and technical frameworks. One of the major drawbacks of client-generated digital signatures is the requirement for effective and secure management of the signing keys and the complexity of the cryptographic operations that must be performed by the signer. Outsourcing digital signatures to a Trusted Third Party would be an elegant solution to the key management burden. We investigate whether this is legally and technically feasible and we propose a framework for outsourced digital signatures. In our approach a relying party trusts a Signature Authority for the tokens it issues, rather than a Certification Authority for the certificates it creates in a traditional PKI scheme. Given that a signing request is strongly authenticated, we argue that passing the control of signature creation to a Signature Authority rather than the signer file:///C|/Documents and Settings/dlek/My Documents/Papers/DS_outsourcing/2006IMCS.htm (1 of 16)8/10/2006 10:51:16 •• Outsourcing Digital Signatures: A solution to key management burden herself, is not a stronger concession than the dependence on an identity certificate issued by a Certification Authority.