In the second of three articles, Elizabeth Thompson, John Kelsey and Richard Chapman discuss the nature and impact of digital certificates
Key points
• A digital certificate links a person or organisation with a public encryption key
• The certificate is issued by, and can be verified by, a certification authority
• Once encrypted by a certification authority, the certificate cannot be forged
Last week we considered digital signatures. These cannot provide the protection that business requires when dealing with strangers electronically and at a distance. The digital certificate is technology’s answer.
Digital certificates
A digital certificate associates a person or organisation with a public encryption key. The certificate is issued by a certification authority, which has verified the person’s identity. In an electronic transaction, the counter-party presents you with his digital certificate, an encrypted message from the certification authority containing the counter-party’s public key. You then contact the certification authority to recover that public key, enabling you to check the party’s signatures, as described last week. Why is this safe? As it has been encrypted by the certification authority, the certificate cannot be forged. As long as you can trust that authority, and you can contact it for verification, you can rely on the certificate.
Consider a non-digital analogy. A solicitor has an annual practising certificate that is issued by the Law Society. If someone doubted that the solicitor really was entitled to give legal advice, he could show that person his certificate. They could then ask the Law Society to confirm that it had indeed issued the certificate and that it was valid. Essentially, the Law Society is a non-digital certification authority.
However, a digital certificate can contain more than just a person’s public key. It can carry additional information, such as an expiry date (so a person can sign documents only during a particular time window) or a level of authority (restricting the type of document that can be signed). The format of a digital signature is governed by an international standard (X.509), whereby different products can be developed to carry out digital certificate functions and still work together. The practical problem is ensuring that digital signatures are issued and managed by an organisation that is trusted by the people who will rely upon them.
The answer to this problem may lie in developing a public key infrastructure (PKI).
PKI has no uniformly accepted meaning, but is essentially a set of protocols, services and technical standards to support the application of public key cryptography, which includes:
• issuing new certificates;
• revoking expired or cancelled certificates;
• deciding upon the validity of a certificate;
• deciding whether a certificate allows a certain operation.
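The four functions listed above, together with the certificate contents described earlier (public key, expiry date, level of authority), can be shown in a short sketch. It is an added illustration, not part of the original article: the authority's "encryption" is modelled as a signature made with its private key, the RSA keys are toy values built from small well-known primes and are not secure, and all names, dates and field names are constructed.

```python
import hashlib, json
from datetime import date

def make_key(p, q, e=65537):
    """Toy textbook-RSA key from two primes (illustration only, not secure)."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

def _body(cert):
    # Everything except the authority's signature, in a fixed byte order.
    fields = {k: v for k, v in cert.items() if k != "ca_sig"}
    return json.dumps(fields, sort_keys=True).encode()

def issue(ca_key, serial, subject, subject_key, not_before, not_after, may_sign):
    """Certification authority: bind a name to a public key and sign the result."""
    cert = {"serial": serial, "subject": subject,
            "n": subject_key["n"], "e": subject_key["e"],
            "not_before": not_before, "not_after": not_after, "may_sign": may_sign}
    cert["ca_sig"] = sign(ca_key, _body(cert))
    return cert

def check(cert, ca_pub, revoked, today, doc_type, document, doc_sig):
    """Relying party: return "ok" or the first reason for refusing the signature."""
    if not verify(ca_pub, _body(cert), cert["ca_sig"]):
        return "forged or altered certificate"
    if cert["serial"] in revoked:
        return "certificate revoked"
    if not cert["not_before"] <= today.isoformat() <= cert["not_after"]:
        return "outside validity window"
    if doc_type not in cert["may_sign"]:
        return "not authorised for this document type"
    if not verify(cert, document, doc_sig):  # the certified public key
        return "bad document signature"
    return "ok"

# Constructed sample data: Mersenne primes as toy key material, made-up names.
CA_KEY = make_key(2**61 - 1, 2**31 - 1)
CA_PUB = {"n": CA_KEY["n"], "e": CA_KEY["e"]}
FIRM_KEY = make_key(2**31 - 1, 2**19 - 1)
CERT = issue(CA_KEY, 1001, "Example LLP", FIRM_KEY, "2001-01-01", "2001-12-31", ["transfer"])
DOC = b"Transfer of title, plot 7"
DOC_SIG = sign(FIRM_KEY, DOC)
```

Changing any field of `CERT`, including the subject's name or key, makes the first check fail, because only the holder of the authority's private key can produce a matching `ca_sig`.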
Certification authorities
The UK parliament, when passing the Electronic Communications Act 2000, encouraged the self-regulation of the cryptography support services industry. Only if this proves unworkable (or fails to meet government objectives) will the government give effect to Part I of the Act, by which it is required to maintain a list of approved service providers. The Act implemented the EU Electronic Signatures Directive. This ensures that certificates are transportable across the EU (Article 4) and prevents any EU government from requiring a services provider to be authorised (Article 3). Thus, anybody can offer electronic trust services without any form of licence or assessment by any particular body. However, it is generally thought that some form of accreditation with a recognised body will be essential to gain approval for these services.
Not all European countries are following the self-regulation route. Germany intends to set up a governmental licensing scheme for some uses of digital signatures. It will be interesting to see what the Land Registry will accept when foreign companies are involved in UK real estate transactions. Will it accept a digitally signed transfer verified by an overseas-based certification authority? The Land Registry, after all, guarantees the title.
The UK’s industry-led approval process, called “tScheme”, was set up by the Alliance for Electronic Business in May 2000. If an organisation meets tScheme’s requirements, it can refer to itself as being “tScheme accredited”. There are currently no accredited service providers under tScheme, although several organisations, eg Chambersign, BT, Royal Bank of Scotland, Nexus TSP and Viacode (a Royal Mail venture), are on the way to becoming so. But a number of providers of digital certificate services are operating: Verisign, a US company, is one of the largest.
Private signature keys
While the foundations are laid for the development of a public key infrastructure, the digital signature process requires a private key for each transaction, and the security risk of the private key lies with the user. This risk must be recognised and procedures put in place to minimise it. The digital approach does not pretend to be foolproof, but the paper system can produce, on average, 10 fraudulent land registry applications each month.
It is envisaged that law firms will provide a service for individual clients and those commercial clients that are unable to set up the internal systems for their own digital signature. The protocols for managing security risks will have to be considered carefully by the conveyancing profession. However, the profession has adjusted to, and accommodated, telephone exchange of contracts and the clearing house automated payment system for completion moneys, thereby abandoning, in the majority of cases, the need for face-to-face representation.
Elizabeth Thompson is a professional support lawyer, and John Kelsey and Richard Chapman are senior lawyers at Berwin Leighton Paisner