PLSO Oregon Surveyor July/August 2020

14 The Oregon Surveyor  | Vol. 43, No. 4 T he vast majority of complaints OSBEELS receives are filed by the public. By law, the board is re- quired to review/consider all submitted complaints. Once a complaint is re- ceived, it is evaluated to determine what, if any, rules or statutes within OSBEELS’s jurisdiction may have been violated. The investigators themselves are not able to make a final determination on this matter, however, they will present the complaint to the Law Enforcement Com- mittee (LEC) for a preliminary review. If more information is needed, the investi- gator may notify the complainant with a deadline to provide clarification prior to submitting it to the LEC. The LEC meets every other month throughout the year on even-numbered months, with board meetings held in odd-numbered months. Recent concerns and questions raised by the professional community regard- ing Oregon Administrative Rule (OAR) 820-025-0010, digital seal and signature requirements, have been received by the Oregon State Board of Examiners for Engi- neering & Land Surveying (OSBEELS) and prompted a discussion about digital sig- natures and signing final documents. To address these questions and concerns, we have developed this article that will share resources and information to help professional registrants, and the users of their documents, to understand the differences between an electronic sig - nature and a digital signature. Relevant rules to this topic include: 1) OAR 820-025-0001 – defines digital sig - nature and digital certificate 2) OAR 820-025-0005(5) – specifies digital signatures as an acceptable alternative to a wet signed signature if specific cri - teria are met 3) OAR 820-025-0010 – outlines require- ments for digital seal and signature for electronic final documents A digital signature in compliance with OAR 820-025-0010 utilizes a public-private dig- ital key pair provided through the services of a certificate authority. The private key is known only to the signer and is often in the form of a password. The public key is utilized by the certificate authority to validate the document. To verify a digital signature, the verifier must have access to the signer’s public key and have assur- ance that it corresponds to the signer’s private key. In the case of OAR 820-025- 0010 this assurance must be provided by using a certificate authority as a trust - ed third party to associate an identified signer with a specific public key; essen - tially the certificate acts like a notary. A self-signed certificate is one that is cre - ated by the individual signer without the services of a certificate authority; this is not sufficient for purposes of compliance with OAR 820-025-0010. The term “third party” in all the above cited OAR sections requires specific dis - cussion. Some software will allow the user to make their own digital signature The Difference Between Electronic and Digital Signing By Tim Fassbender, PLS, and Renee Clough, PE, PLS certificate which is often referred to as a self-signed certificate. This is often made in the same software being used to cre- ate the particular document but could be made in some other software. The upshot though is that anyone seeking to verify the authenticity of the digital signature will be coming back to the signer for that authentication. In the case of a non-self- signed certificate, an entity known as a “Certificate Authority” has made the cer - tificate and verified your identity as part of the process. When the digital signa- ture is applied to the document the local software communicates with that Cer- tificate Authority. Later when someone verifies the signature their local software also communicates with that Certificate Authority. Hence the term “third party.” That certificate authority is not you, it is not the person receiving the document —it is a third party. A “third party” Certif - icate Authority is equivalent to a notary. The table and discussion below summa- rize the differences: Electronic Signatures Digital Signatures A functional term A legal term Not technically bound to a specific individual or the result of a validation process Tied to a specific individual via a PKI- based digital certificate Created via options such as typed names, scanned images, online tools, or a “click wrap” agreement Created using a digital algorithm to bind the document using a certificate, resulting in a unique “fingerprint” Legal, but not easily identifiable to one unique user and can be replicated Easily identifiable to a unique individ - ual, auditable, and non-replicable Does not meet OAR 820-025-0010 requirements Does meet OAR 820-025-0010 requirements OSBEELS