Sunday, November 19, 2017

Signatures and Endorsements

In addition to being a recording of personal experience, a logbook is also a record of training received.  As such, it must enable instructors to sign entries in student logbooks and issue endorsements.
MyFlightbook supports both of these scenarios, using two different paradigms.

  • In the first paradigm, the student and the instructor create a relationship between their accounts, so one appears as the instructor for the other.  Because each account is authenticated to MyFlightbook, and MyFlightbook validates the relationship, I refer to this as an "Authenticated" scenario.  This provides a very secure framework for signed flights and endorsements, but it requires that both parties use MyFlightbook.
  • In the second paradigm, the relationship is a one-off; there is no presumption of any ongoing relationship between the instructor and the student (a common example might be a check-out at an FBO).  This provides more limited functionality, but is very quick to set up.  I refer to this as the "Ad-hoc" scenario.  Because there is no authentication of the instructor in an ad-hoc relationship, this must be done face-to-face.

Endorsements

An endorsement is a sign-off from an instructor attesting that the student has met some criteria.  The key thing about an endorsement is that it is not tied to a specific flight.  Examples of endorsements include solo sign-off, high-altitude training, tailwheel sign-off, readiness for a practical test, etc.

A wide variety of templates for common endorsements are in the system, as well as a template for a fully-customized endorsement.

Endorsements require an authenticated relationship between the student and the instructor.  The endorsement can be issued by the instructor by going to the list of their students; they can also view any previously-issued endorsements.

An endorsement, once issued, cannot be edited or deleted (after all, neither is generally possible in the physical paper world), although as site admin I can, if needed, wade in and perform endorsement surgery.  Endorsements also cannot be dated too far in the past or in the future, as a security measure.

Signatures

Most training flights result in the instructor signing the student's logbook entry for the flight.  Often, they even fill out the entry.  But one difference between MyFlightbook and a paper logbook is that saving the entry and signing it are separate sequential steps.  The reason for this is so that the signature can sign the flight as it exists in the database, without the possibility of modifying it between signing and saving.

If the instructor wishes to fill in the entry, they can do so.  But just as they can't fill in a student's logbook without the student being there to give it to them, the student must be present with their phone/tablet (or sign in on a website) and hand control over to the instructor.  For security, MyFlightbook does not allow instructors to create arbitrary new entries into a student's logbook.

There are two basic scenarios for how a flight can be signed once it has been saved:
  • In-person.  This requires a phone/tablet running the MyFlightbook app.  The student goes to the Recent Flights list, finds the flight to be signed (typically at the top of the list, if you're signing the flight you just took), and chooses the "Sign" option.  The student then chooses from a list of authenticated instructors or selects a new instructor for ad-hoc signing, and hands their phone/tablet to the instructor.  If it's an authenticated relationship, the instructor provides their password to prove it's them and thus digitally sign the flight; if it's ad-hoc, they can scribble a signature with their finger (which is why it requires a phone/tablet), which serves as the signature.  In either case, the instructor can add comments and, if authenticated, the instructor can cause the signed flight to be copied to their account (minus the signature and with Dual/CFI roles reversed).
  • Remotely.  This requires use of the website, and requires an authenticated relationship.  The student can request that the instructor sign specific flights.  The instructor will receive an email notifying them of the flights to sign, and can use the website to review and sign them.  Or, the student can optionally grant the instructor permission to view their logbook and sign any flights that don't already have a valid signature, as they see fit.
When a flight is signed, MyFlightbook stores a fingerprint of the key fields for the flight so that subsequent edits will invalidate the signature.  Some fields are excluded from this - e.g., it's OK to change whether the flight is public or private, or to add/remove images.  But changing the comments, number of landings, or times (among other "core" data) will invalidate the signature.  An invalid signature can only be "revalidated" either by requesting that the instructor re-sign it, or by reverting the edit so that the flight's fingerprint matches that of the signature again.
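To make the fingerprint mechanism concrete, here is an added illustration (my own example, not MyFlightbook's code; the field names, the SHA-256 hash, the canonical-JSON encoding and the sample flight are all assumptions).  It computes a fingerprint over only the "core" fields, signs the flight as it is stored, and then shows that toggling public/private or adding an image leaves the signature valid, while changing the landing count invalidates it until the edit is reverted.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Fields the signature covers ("core" data).  Assumed set for illustration;
# anything not listed here may change without affecting the signature.
CORE_FIELDS = ("date", "tail", "route", "comments", "landings",
               "total_time", "dual", "cfi")


@dataclass(frozen=True)
class Flight:
    date: str
    tail: str
    route: str
    comments: str
    landings: int
    total_time: float
    dual: float = 0.0
    cfi: float = 0.0
    is_public: bool = False   # excluded from the fingerprint
    images: tuple = ()        # excluded from the fingerprint


@dataclass(frozen=True)
class Signature:
    instructor: str
    flight_fingerprint: str
    comment: str = ""


def fingerprint(flight: Flight) -> str:
    """Hash of the core fields only, in a canonical encoding.

    sort_keys and fixed separators mean key order and whitespace can never
    change the digest; only the values of the core fields can.
    """
    core = {name: getattr(flight, name) for name in CORE_FIELDS}
    canonical = json.dumps(core, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def sign_saved_flight(flight: Flight, instructor: str, comment: str = "") -> Signature:
    """Sign the flight as it exists in storage (save first, then sign)."""
    return Signature(instructor, fingerprint(flight), comment)


def signature_is_valid(flight: Flight, sig: Signature) -> bool:
    """True only if the current core fields still match what was signed."""
    return hmac.compare_digest(fingerprint(flight), sig.flight_fingerprint)


def demo() -> dict:
    """Walk through the edit/revert cases the text describes.  Sample data is constructed."""
    original = Flight(date="2017-11-19", tail="N12345", route="KPAO-KSQL-KPAO",
                      comments="Pattern work", landings=5, total_time=1.2, dual=1.2)
    sig = sign_saved_flight(original, "instructor@example.com", "Nice landings")

    # Non-core edits: visibility toggle and an attached image.
    cosmetic = replace(original, is_public=True, images=("photo1.jpg",))
    # Core edit: one more landing than was signed for.
    edited = replace(original, landings=6)
    # Reverting the core edit restores the fingerprint, so the signature is valid again.
    reverted = replace(edited, landings=5)

    return {
        "original": signature_is_valid(original, sig),   # True
        "cosmetic": signature_is_valid(cosmetic, sig),   # True
        "edited": signature_is_valid(edited, sig),       # False
        "reverted": signature_is_valid(reverted, sig),   # True
    }


if __name__ == "__main__":
    for case, valid in demo().items():
        print(f"{case:9s} signature valid: {valid}")
```

Note that the fingerprint alone only detects edits after signing; it does nothing to prove who signed.  That property comes from the signing step itself (the instructor's password in the authenticated scenario), which is why the two are kept as separate, sequential operations.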

Does the FAA recognize such digital signatures?  They claim to, and they outline the criteria for doing so in FAA Advisory Circular AC 120-78A.  I believe MyFlightbook is compliant with this AC, but the FAA has thus far not indicated willingness to even evaluate, much less certify, online logbook systems for compliance.

A more in-depth explanation of how signatures and endorsements work, along with why I believe MyFlightbook is compliant with AC 120-78A, can be found here.

4 comments:

  1. Why does an endorsement require an authenticated relationship (instructor must have a MyFlightbook account)? It sounds like it's designed to prevent fraud, but a student/pilot could fraudulently write an endorsement in a paper logbook as well. It's not MFB's job to prevent fraud (if that's the reasoning)... the pilot should be honest in his logbook data.

    Replies
    1. Indeed, and that's part of why when you're doing an ad-hoc flight-signing (i.e., that uses a finger-scribble signature rather than a password) I have the pilot affirm that they're not "self-signing".

      But ultimately, there are two reasons I don't offer scribble-signature endorsements, both of which are pragmatic rather than philosophical: (a) I didn't have any ad-hoc signing anywhere when I implemented endorsements, and (b) I don't have any way to create endorsements in the mobile apps (which is the only place I can assume a touch-screen necessary to do the scribble signature). Both are obviously solvable - I just need to write the code, I've just never done it.

    2. By the way - on the subject of "self signing": AC 120-78A does require "non-refutability". I.e., you can't claim that you didn't sign something you signed. Requiring the authenticated relationship meets this bar much better than a paper logbook, or even a scribble, because you have proof that it was done by someone with access to that secure account. My personal on-screen scribbles look nothing like my (equally unintelligible) pen-on-paper signature, so it's far more "refutable." But I figure that requiring confirmation by the pilot that they're not self-signing at least puts the burden on the pilot.

    3. I added support for ad-hoc endorsements a month or two ago.
