Slightly OT: The paperless office: How far can we go?

Ok guys, now it happened to me as well: A client is going paperless with stuff like invoicing and such. This brings up a couple of questions and since many of you are consultants as well I guess this is a good NG for that topic:

a. Digital signatures: I think Jim T. already does that. No big deal to get a signature onto a PDF but what are the ramifications in terms of legality and safety? After all, email is not exactly a safe transport vehicle.

b. Document retention: Are there any "cast-in-concrete" rules over what constitutes proper records after they are scanned in? Can you really, really toss the paper copy afterwards? I could not find much via Google and the IRS site is surprisingly silent about it. I had hoped to find file formats accepted by them, compression ratios, resolution settings and so on. Tried our state tax board (California FTB) as well, found nothing worthwhile on that topic.

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

Joerg hath wroth:

Reading between the lines, it appears that you may be re-inventing the wheel. See:

No need for the customer to actually implement their own in house EDI system. There are service companies that will accept billing data and convert it to EDI format for submission to companies that require it (Office Max, Staples, Ma Bell, Costco, Walmart, etc). An industry specific EDI processing service is a good way to get started. When the client's company grows, then bring the EDI system in house.

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Reply to
Jeff Liebermann

The crypto folks have cute ways to solve this.

In public key encryption, your private key can be used on a plain text file. The result is that if the person on the other end applies your public key, they get a plain text file. This provides a way for the guy on the other end to prove a file came from you.

If you encrypt with your private key and then with his public one, he has proof that he is the rightful person to receive the file.

Reply to
MooseFET

The best firms to inquire about this in are the insurance industry, as they have had it for over a decade.

Reply to
ChairmanOfTheBored

Yes, that would be an option. But I think the client doesn't go to the level of full EDI (yet). Just wants everything non-paper. Not a big deal with module specs and stuff but I am just wondering how contracts, invoicing and such are handled. My main concern is what agencies like the IRS are willing to accept. Precious little info on their site, and even with checks they supposedly insist on the medieval cancelled checks. Which hardly any bank sends these days and where the process is rather wasteful.

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

I'll have to talk to them about that. Very few companies use that.

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

Good idea. I'll have a chat with my insurance agent. Although, out here in the boonies many things are still handled by stage coach ;-)

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

You've shifted the problem to guaranteeing that you have his public key (and he yours). This is usually "solved" by publishing public keys in as many places as possible.

Yes. Don't. Anything you say can and will be...

--
  Keith
Reply to
krw

I am not so concerned about transmission but more about what is legally accepted as a "document".

Hmm, does that mean that the much touted paperwork reduction act is bogus?

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

No, it isn't. It's solved by encasing the public key in a certificate that's signed by someone else's private key, someone big and public whose public key everybody knows. But yes, those keys must be managed also... but Bill and others take care of that for us... and typically we just trust them to do that! :-)

There are many more problems with PKI when you consider the legal goal of non-repudiation. For example, to repudiate my signature, all I have to do is show that my private key had "escaped", and I can claim "I never signed that". Escape can be managed in ways that are legally sound but unlikely to cause actual compromise... posting announced, unlabeled and not looking like anything but random bits on a website somewhere for example. No-one will look at it twice, yet it's plainly there for the world to see, and I can repudiate any signature that gets challenged that was made with its pair.

Or I can put it in a smartcard, and then it's nicely protected by a four digit PIN that can be skimmed by any machine in which I ever use the card. Wonderful security. I couldn't work out whether to laugh or cry when Clinton (IIRC) signed the digital signature act into law using such a card.

Clifford Heath.

Reply to
Clifford Heath

So then I guess it was a wise decision to replace the old fax with a new one when it quit. As a bonus it's also more reliable than the Internet, by far.

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

One "cast in concrete" rule about paper retention is how IMPORTANT are the documents?

Never forget the "Jacoby rule": "If it's on magnetic media it AIN'T backed up!"

The real question about "tossing paper copies" is how stable is your archival storage media. In case you didn't notice paper has EXCELLENT archival properties. Acid-free paper even more so. Magnetic media just plain sucks which means data must be constantly regenerated to be archival. Optical media has promise but lifetimes are unknown. All digital media have the obsolescence problem where after so many years hardware for reading media can no longer be obtained. These are all VERY serious questions of importance to the "paperless" office and many have not yet been effectively solved or answered.

Early in the days of computing I came up with a system of "bar codes" that could put relatively high density data (for the period) on paper to utilize the archival properties of paper while still retaining machine-readable copies. Today the system is pitifully primitive. However, the same kind of idea using oxide-covered silicon wafers would seem to provide truly excellent archival storage capability. The technology, however, has not been developed.

Reply to
Benj

Many aren't after a while. For example, design docs will also reside at my clients and sometimes my consulting agreements require the destruction of my copies after a phase is complete. So here backup times are short. Other docs aren't important in general but maybe an agency such as the IRS wants to see some.

Now, assuming that I am diligent enough to store on media that are safe, keeping multiple copies and so on, what constitutes a document scan to be good enough in authenticity versus the paper original? That's what I want to know.

Sure but there are ways to increase security. As we all know drive space becomes plentiful and ever cheaper. I still have docs on magnetic storage from back when I started in the late 80's. The old floppies are still readable but important stuff is also copied onto newer media. And those will be copied onto the next generation, so it's always on a fresh carrier. All the electronic docs from the first ten years of my career will fit onto the new network storage here about 50,000 times over. Yep, that's fifty thousand. Plenty of space for cheap backup, as long as you don't trust in a single device and keep offsite copies as well.

Many "modern" papers aren't that good. Your typical computer store slip off their cash register is gone after 4-5 years, barely more than the IRS requires. Thermal faxes, same thing, maybe 6-8 years.

CDs, well, I am a bit skeptical after I had a few delaminate.

Micro-fiche is an option but often the cost and space for the gear isn't warranted.

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg

That's how all current digital signature systems (e.g. PGP, GPG, PKCS) work.

Well, sort of. The data that is encrypted with your private key isn't the complete document; that would be slow, and result in a "signature" which is as large as the original document. Instead, a secure hash (e.g. MD5 or one of the SHA family) of the document is encrypted.

However, there is a problem with this: there are practical collision attacks against some of the common hash functions, specifically MD5 and SHA-1 (I don't know whether the larger SHA-256 or SHA-512 hashes have been broken in practice).

A collision attack means that it is possible to create two different documents with the same hash. Because the signature is based upon the hash, a single signature can be valid for two different documents.

The solution is not to digitally sign any file which was created by someone else. In the case of a file which is to be signed by multiple parties, each needs to create their own copy containing identical "content", but with minor differences to ensure that there does not exist a file with substantially different content but the same hash.

Reply to
Nobody
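
Added example, not part of the thread: a toy hash-then-sign scheme illustrating the point in the post above, that the signature covers only the hash, so a second document with the same hash verifies under the same signature. The small RSA parameters, the truncated SHA-256 standing in for a broken hash, and the sample invoices are all constructed assumptions.

```python
import hashlib
from itertools import count

# Textbook RSA over two small Mersenne primes: illustration only
# (no padding, trivially factorable). All values here are constructed.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent

# Digest bytes kept: 16 bits (stand-in for a broken hash) vs 88 bits.
WEAK, STRONG = 2, 11

def digest_int(doc: bytes, nbytes: int) -> int:
    """SHA-256 of the document, truncated to nbytes, as an integer below N."""
    return int.from_bytes(hashlib.sha256(doc).digest()[:nbytes], "big")

def sign(doc: bytes, nbytes: int) -> int:
    """Apply the private key to the digest only, never to the whole document."""
    return pow(digest_int(doc, nbytes), D, N)

def verify(doc: bytes, sig: int, nbytes: int) -> bool:
    """Undo the signature with the public key and compare with the digest."""
    return pow(sig, E, N) == digest_int(doc, nbytes)

def same_digest_variant(original: bytes, other: bytes, nbytes: int) -> bytes:
    """Append a counter to `other` until its truncated digest equals the original's."""
    target = digest_int(original, nbytes)
    for i in count():
        candidate = other + b" ref:%d" % i
        if digest_int(candidate, nbytes) == target:
            return candidate

INVOICE = b"Invoice 1001: consulting, 10 hours"   # constructed sample
ALTERED = b"Invoice 1001: consulting, 99 hours"   # constructed sample

def demo() -> dict:
    weak_sig = sign(INVOICE, WEAK)
    twin = same_digest_variant(INVOICE, ALTERED, WEAK)
    return {
        "original_ok": verify(INVOICE, weak_sig, WEAK),
        "twin_differs": twin != INVOICE,
        "twin_accepted_weak": verify(twin, weak_sig, WEAK),
        "twin_accepted_strong": verify(twin, sign(INVOICE, STRONG), STRONG),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the 16-bit digest the altered invoice verifies under the signature made for the original; with the 88-bit digest the same altered text is rejected, which is why the strength of the hash decides what a signature actually proves.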

Oh man. This stuff seems complicated. Maybe I should keep it all on paper and hope that there won't be too many "electronic" clients until I retire ;-)

--
Regards, Joerg

http://www.analogconsultants.com
Reply to
Joerg
