Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Platonic forms.

Wherever two or more are gathered in the name of access control, there are usually forms.

Why do we have forms?  Where they exist on paper, they’ve usually served any of three functions:

1) to ensure correctness and completeness of information being submitted;

2) to provide some show of authorization ("I permit this person to get what they’re asking for with this form"); and

3) to obtain some legal acknowledgment of responsibility (“I affirm that the information on this form is true and correct” / “I promise I will not do anything heinous with the access you are about to give me”).

You can get all three of these things on a paper form by getting two or more signatures.  However, once you try to put any of this process online, you get the opportunity to split these up or forgo them altogether.

You can get written requests without the use of a form.

You can assume that someone has “signed” a form, in the sense of 2) or 3), by the mere fact that they sent it in an email to you from an individually registered account, or in any other way authenticated themselves beforehand (usually by means of knowing a password).

This starts begging the question of what you really need.  If someone knows the information you need and can provide it, does he really have to fill out a form?  If he’s authenticated himself once, does he need to go through the trouble of filling out an online form, printing it out, and affixing a signature on it just to get another form of acknowledgment on it?

Digitized signatures have never made much sense to me.  They’re a throwback, a gesture of accommodation to the kind of person who wants to see a scribble on a piece of paper or a screen, even though the sender probably didn’t put it there himself.  It doesn’t carry any legal weight, that’s for sure; it’s just a feel-good flourish.

Digital signatures, on the other hand, add a little bit more to the assurance:  you can reasonably expect that whoever knew the password protecting the private key used it to sign a message and then it was no longer altered after that.  Not quite as foolproof as some would have it, but it’s better than just a login on AOL.
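To make the two assurances in the paragraph above concrete, here is an added example (not from the original post) that signs an access request with an Ed25519 key and shows that changing any field after signing makes verification fail. The AccessRequest fields and the sample values are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AccessRequest is a constructed stand-in for the information a paper or
// online form would carry; the field names are assumptions, not from the post.
type AccessRequest struct {
	Requester string
	Account   string
	Reason    string
}

// Canonical renders the request as the exact bytes that get signed. %q quotes
// each value so that embedded newlines cannot blur one field into the next.
func (r AccessRequest) Canonical() []byte {
	return []byte(fmt.Sprintf("requester=%q\naccount=%q\nreason=%q\n",
		r.Requester, r.Account, r.Reason))
}

// SignRequest produces the requester's signature over the canonical bytes.
// It proves only that the holder of priv signed these bytes, not who that is.
func SignRequest(priv ed25519.PrivateKey, r AccessRequest) []byte {
	return ed25519.Sign(priv, r.Canonical())
}

// VerifyRequest returns true only if sig was made with the private key
// matching pub over exactly this request's contents.
func VerifyRequest(pub ed25519.PublicKey, r AccessRequest, sig []byte) bool {
	return ed25519.Verify(pub, r.Canonical(), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	req := AccessRequest{"jdoe", "payroll-ro", "quarter-end reconciliation"}
	sig := SignRequest(priv, req)
	fmt.Println("original verifies:", VerifyRequest(pub, req, sig)) // true

	// Altering the request after signing (here: a bigger account) breaks the
	// signature; this is the "no longer altered after that" assurance.
	tampered := req
	tampered.Account = "payroll-admin"
	fmt.Println("tampered verifies:", VerifyRequest(pub, tampered, sig)) // false
}
```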

But do digital signatures, or clicking an “I agree” box from a login, reasonably provide the function of #3 above?  My state’s statutes say that you can use digital signatures to close any deal where both sides agree to use them.  But I don’t know how many lawyers would be willing to come out and say that they’d always be willing to accept them in lieu of a cold, hardcopy signature.

Do auditors still need to see forms?  I can easily see how an organization could resort just to using email to request and authorize access, as long as all the information was being provided and it was being authorized by the right holders-of-passwords.  If the functional requirements are being met, does it matter to them that not all the emails look the same?  Is there an additional aesthetic that causes an auditor to reject this method of access management?

I’m almost tempted to try an experiment:  use two different processes for the same account requests.  They both require the originator to log in to the same account, but in one process, they click through an online form and submit it, and in the other process, they just send an email from that account.  Functionally, they are both the same, but I somehow doubt that an auditor would consider the latter to be as acceptable as the former.

(I said “almost tempted.” I’m not that fond of my auditors that I want to spend any more time with them, thankyouverymuch.)

Posted by shrdlu on Monday, August 06, 2007