Secure electronic commerce and communication require a method of electronic
signing that carries the contractual and legal status of a handwritten
signature. The solution is the digital signature, and for private individuals
and commercial enterprises it is becoming an accepted and indeed
necessary tool. The technologies and infrastructure to provide this
service are available and the necessary 'trust' elements of legislation
and standards are being implemented. When all the operating and 'trust'
elements are in place the use of digital signatures will grow
to the point where we take them for granted. The verification offered by
a digital signature is far stronger than that of a traditional handwritten
signature. The authenticity of a handwritten signature can be denied or
disputed unless there is a physical witness procedure, whereas a digital
signature can be verified immediately by anyone holding the signer's public
key. Provided the private key was under the signer's sole control, the signer
cannot plausibly deny having signed the specific document; this property is
called non-repudiation.
There is an overriding need for the providers of electronic signatures
and supporting 'qualified' certificates to deliver in accordance with
the legal definition of advanced electronic signatures. Users must be
able to 'trust' that the signature they are using has legal status in
national and European courts. The need to establish this 'trust' is
recognised in the directives and legislation and has been responded
to in different ways in different countries. Some countries have chosen
strict regulation but the vast majority have opted to support independent
assessment and accredited certification schemes.
An electronic signature is any unique set of letters,
characters, symbols or code attached to an electronic document with
the intention of identifying the sender. At the lower end of the e-signature
security scale are formats such as typed email signatures and the simple
attachment of a scanned signature image. Higher up the scale we find more
secure formats such as PINs. At the upper end of the scale are formats built
on public-key cryptography, combining mathematical processes, key management
and controlled systems.
The term 'digital signature' is frequently used interchangeably with
'electronic signature', although strictly it refers to the cryptographic
signatures at the upper end of this scale, and that is the sense used below.
An Advanced Electronic Signature is an electronic
signature generated and managed using a combination of systems
and processes that offers a high level of authentication and security.
If an electronic signature is generated under certain
terms and conditions it can be deemed an 'Advanced Electronic Signature'
and is afforded legal recognition. An Advanced Electronic Signature
meets the following requirements:
1. It is uniquely linked to the signatory.
2. It is capable of identifying the signatory.
3. It is created using means that the signatory can maintain securely
under his or her sole control.
4. It is linked to the data to which it relates in such a manner that
any subsequent change of the data is detectable.
An Advanced Electronic Signature provides three of the four classic
attributes of trust: integrity, authentication and non-repudiation. It does
not provide the fourth, confidentiality: a signed document is still readable
by anyone who receives it and must be encrypted separately if it is to be
kept private. The signature is generated by a mathematical process over the
underlying document, so each digital signature is unique to the document
(and the key) used to generate it. Users of AES have a pair of mathematically
linked keys, and strict guidelines must be adhered to in the management of
these keys. The private key is used to sign and must be very securely managed
so that only the owner has access to it. The public key, on the other
hand, is used to verify documents signed with the matching private
key; it is published, and its owner's identity certified, through a
Certification Authority (see section on Certification Authority below).
AES are generated using keys (note 1) through mathematically complex
procedures.
Firstly, the entire text of the document to be signed is reduced to a short,
fixed-length digest using a cryptographic hash function. Any change to the
document, however small, produces a different digest.
Next, the user's private key (note 2) is applied to the digest to generate
the signature, which is then attached to the document. (In the textbook RSA
description this step is described as 'encrypting' the hash with the private
key.)
The document (with digital signature attached) is then transmitted, and the
receiver can choose to authenticate the sender and the document by using the
sender's public key (note 3).
The receiver (relying party) can acquire the sender's public key from
the Certification Authority.
The Certification Authority, on request, will provide the public key
and a digital certificate (see below).
Having verified the sender's identity from the certificate, the receiver
recomputes the digest of the document as received and uses the public key to
check that the attached signature is a valid signature over that digest. If
the check succeeds it proves that the document has not been altered since it
was signed and that it was signed with the private key matching the certified
public key; the document is therefore authenticated. If the check fails, the
document was altered, the signature was forged, or the wrong key was used,
and the document must be rejected.
The process has now established that
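The signing and verification steps above, as an added example written for this page in Go (not code from the original page or from any product it mentions): hash the document, apply the private key to the digest, attach the signature, and let the relying party recompute the digest and verify with the public key. The contract text is a constructed sample, and ECDSA on P-256 with SHA-256 is an assumed choice for illustration; the page itself does not name an algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument is what travels to the receiver: the document with its
// signature attached.
type SignedDocument struct {
	Document  []byte
	Signature []byte
}

// GenerateKeyPair creates the signer's key pair on the NIST P-256 curve.
// The private key must stay under the signer's sole control; only the
// PublicKey field is ever handed to a CA or a relying party.
func GenerateKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign performs the two signing steps from the text: hash the entire
// document with SHA-256, then apply the private key to the digest.
func Sign(priv *ecdsa.PrivateKey, document []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(document)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Document: document, Signature: sig}, nil
}

// Verify is the relying party's check: recompute the digest of the document
// as received and test the attached signature against the sender's public
// key. It returns false if the document was altered after signing or if the
// signature was made with a different private key.
func Verify(pub *ecdsa.PublicKey, sd *SignedDocument) bool {
	digest := sha256.Sum256(sd.Document)
	return ecdsa.VerifyASN1(pub, digest[:], sd.Signature)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample contract text, assumed for illustration.
	sd, err := Sign(priv, []byte("Supplier agrees to deliver 100 units at EUR 12.50 each."))
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", Verify(&priv.PublicKey, sd))

	// Alter one character of the document in transit: the digest changes,
	// so the attached signature no longer matches.
	tampered := &SignedDocument{
		Document:  []byte("Supplier agrees to deliver 100 units at EUR 2.50 each."),
		Signature: sd.Signature,
	}
	fmt.Println("tampered verifies:", Verify(&priv.PublicKey, tampered))

	// A signature checked against someone else's public key also fails,
	// which is why the relying party must first establish whose key it holds.
	other, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("wrong key verifies:", Verify(&other.PublicKey, sd))
}
```

Note that Verify says nothing about who owns the public key it was given; that binding is the job of the certificate issued by the Certification Authority, described in the following sections.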
Public Key Infrastructure (PKI) is not a software application
or a specific technology but a security system based on a combination
of technologies including hardware, software and procedures. The PKI
solution caters for secure key storage, transmission, key access and
all the other elements needed to support digital certificates. Any enterprise
establishing a digital signature service will be required to install
PKI technology.
One problem remains with PKI
and that is the number of different incompatible technologies that are
available from different vendors, as solutions to different enterprise
needs. Efforts to standardise PKI technology have been undertaken
by EEMA (European Forum for Electronic Business) in a project named
The PKI Challenge. This was launched in January 2001 and is funded by
the European Commission. The objective is to build a globally accepted,
integrated, heterogeneous PKI in which products from different vendors
interoperate.
Certification Authorities provide a centralised directory where owners
of digital signatures may publish their public key. Receivers of a document
with attached digital signature may be permitted to acquire the sender's
public key and a digital certificate from the appointed CA and use it
to establish the identity of the sender and authenticate the document.
The owner of the key will set the distribution scope so access may be
restricted or open to all requests.
A critical element of the process
is the methodology the CA uses to establish the identity of the owner
of that public key. Simply 'depositing' the key in the directory without
any method of proving identity is not acceptable. In Germany, for example,
where CAs are regulated, the law requires that 'the certification authority
shall use a reliable method to identify those persons who apply for
a qualified certificate'. To register with a CA, key owners may be required
to physically present themselves with passport or other acceptable proof
of identity. The logistics of all this will vary from CA to CA. Having
a registration code of practice for identifying individuals as the owners
of the keys is critical to the credibility of the digital certificates
provided in respect of that key.
The procedures and management
of the CA are a critical element in establishing the 'trustworthiness'
of a specific digital signature. In some countries CAs can only operate
under the approval of a regulatory authority, while others allow more
flexibility with the onus on the CA to prove that it is using reliable
methods. Independent assessment by an accredited certification service
such as Certification Europe can help to establish this.
The digital certificate can be described as the 'passport' that identifies
people across the Internet. It is the proof of identity. Certificates are
created, issued and managed by a Certification Authority as part of the public
key directory service. As outlined above, the owner of the key pair
will choose to make the public key available to other parties by 'depositing'
it with a CA, where it can be accessed and made available for the authentication
of a signature. In addition the CA, through the digital certificate, explicitly
binds the public key to a named person (the owner).
The CA is responsible for certifying
the authenticity of the owner of a public key and as outlined above
this obliges the CA to take great care and employ strict procedures
to prove the identity of key owners before accepting them. By implementing
a high-level identity procedure and ensuring that the service itself
is highly secure, the CA will establish an equally high level of trust
in the digital certificates it issues.
The Certificate contains the
Public Key and information on:
The status of the key itself (its validity period; whether it has since
been revoked is published separately by the CA)
The owner of the key (see section on Certification Authority above)
The Certification Authority issuing the certificate.
The certificate is itself digitally signed by the CA, so the binding between
the key and its owner cannot be altered without detection.
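The issuance and checking of a certificate described in the Certification Authority and digital certificate sections above, as an added example written for this page in Go using the standard library's X.509 support (not code from the page or from any CA it mentions). The CA name, the subject name, serial numbers and validity periods are assumed for illustration; the registration step that proves the applicant's identity happens outside the code and is assumed to have been completed before IssueCertificate is called. Revocation is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKeyPair generates a P-256 key pair, used here for both the CA and an applicant.
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates the CA's own key pair and self-signed root certificate. The
// root is what a relying party must already trust before any certificate
// the CA issues means anything.
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := NewKeyPair()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueCertificate is the step the CA performs once registration has proved
// the applicant's identity (the passport check is outside this code): it binds
// the applicant's public key to their name by signing a certificate with the
// CA's private key. The applicant's private key is never seen by the CA.
func IssueCertificate(caKey *ecdsa.PrivateKey, caCert *x509.Certificate,
	serial int64, subject string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		BasicConstraintsValid: true, // IsCA stays false: this key may not issue certificates
		// ContentCommitment is the X.509 key-usage bit historically named nonRepudiation.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyCertificate is the relying party's check: the certificate must chain
// to a CA it trusts, be inside its validity period, and carry a signature that
// the CA's public key validates. A certificate issued by any other CA fails
// here, however plausible its contents look.
func VerifyCertificate(cert, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// CertifiedKeyMatches reports whether the public key inside the certificate
// is the one the relying party is about to use for signature verification.
func CertifiedKeyMatches(cert *x509.Certificate, pub *ecdsa.PublicKey) bool {
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && certPub.Equal(pub)
}

func main() {
	caKey, caCert, err := NewCA("Example Certification Authority")
	if err != nil {
		panic(err)
	}
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	cert, err := IssueCertificate(caKey, caCert, 1001, "Alice Example", &alice.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", cert.Subject.CommonName, "| issuer:", cert.Issuer.CommonName)
	fmt.Println("key in certificate is Alice's:", CertifiedKeyMatches(cert, &alice.PublicKey))
	fmt.Println("chains to trusted CA:", VerifyCertificate(cert, caCert) == nil)

	// A second, untrusted CA issuing a certificate with the same name and key
	// is rejected, because the relying party only trusts the first root.
	rogueKey, rogueCert, err := NewCA("Rogue CA")
	if err != nil {
		panic(err)
	}
	forged, err := IssueCertificate(rogueKey, rogueCert, 1, "Alice Example", &alice.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("rogue-issued certificate accepted:", VerifyCertificate(forged, caCert) == nil)
}
```

The trust in the output of VerifyCertificate is only as good as the identity check the CA carried out before IssueCertificate, which is exactly the point the surrounding text makes about registration procedures.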
To acquire and use a digital signature requires a combination of services.
This will include key generation, registration services, certificate
management, key escrow, revocation services etc. The term CSP (Certification
Service Provider) is usually used to describe an entity that provides all
these separate elements as one complete service. Entities that provide one
specific element may be referred to as 'trusted third parties'. A CA, as
already described, specifically provides the digital certificate part but in
practice usually also provides the rest of the services. This leads to the
obvious conclusion that many CAs are in fact operating a CSP service, and the
distinction between a CA and a CSP has become blurred to the point where the
terms are interchangeable.
Digital signatures are now recognised in law and offer contractual status.
In Europe the Electronic Signatures Directive (Directive 1999/93/EC),
adopted in December 1999, recognised the need to promote eCommerce in
Europe and the need to give a legal basis to electronic transactions.
By providing a legal basis and recourse to the courts the Directive
also established a basis for trust. All EU member states were obliged to
implement the directive in their national legislation and many countries
have already done so.
Within the legislation there
is recognition of the 'trust' issue in relation to CSPs and digital
certificates. The Irish Act specifically recognises the need and value
of independent CSP certification schemes.
Trust is a key factor in all types of commercial activities but it features
very strongly in the virtual market that is eCommerce, where the medium
is more anonymous and faceless than in the real world. In eCommerce
the overriding concerns of security and protection of information are
balanced delicately against the equally important need to establish integrity,
verify identities and authenticate transactions. PKI is the security
solution in use and in terms of hardware and software it delivers to
target. But PKI has a weak link, and this is not in the infrastructure
but in the area of digital certificates. The digital certificate is
regarded as the individual's Internet 'passport' and is accepted as
proof of identity. It is issued and managed by a CA, and users of the
certificate must be able to 'trust' that the key in question really
does belong to the party named in the certificate.
The onus then is on the CA
to establish 'trust' in the digital certificates it issues. It can do
so by demonstrating that it is operating to best practice, implementing
the highest levels of key owner identity checking, managing keys in a secure
manner and meeting high standards all round. But who is to say whether a
CA has such a system in place and is applying it? The answer
is one of two solutions (or both).
The first method is government
regulation of CAs, an approach adopted in Germany for example.
The second solution is for CAs to seek
independent assessment and be certified as compliant.
PGP - avail of a free digital signature service using an established technology
Hush Communications - have developed new technologies and products for encryption and online security, and also provide a secure e-mail service for free
Baltimore Technologies - provide a useful downloadable e-security guide
EU Directive on Electronic Signatures 1999
Ireland's Electronic Commerce Act 2000
European Forum for Electronic Business and the PKI Challenge