feature
To be or not to be — Legally Binding Digital Certificates

Henk Tobias, Unilever

As more and more organizations conduct business over the Internet, the need to securely identify users across the anonymity void of the Internet has never been more paramount. EEMA, the non-profit making trade organization for electronic business in Europe, has been at the forefront in the fight to create a legal framework for online identification, placing the issue high on the agenda at this year’s ISSE conference in October.

Thanks to photographic IDs such as passports and driving licenses, personal identification in the physical world is a relatively easy method of ensuring the validity of an individual. Indeed, such IDs, as well as the hand-written signature, are unanimously accepted as a legally binding method for many everyday transactions, including bill payment, contract signing and even entry into our places of work. Until now, these practices have been taken for granted. However, photographic IDs and handwritten signatures simply can’t work in an electronic environment. Within today’s infrastructure, Internet users remain relatively anonymous — existing only as numbers at the end of a network — making it hard to identify who is accessing what information. Without the ability to identify people in the digital world, how can people be expected to embrace E-commerce and place their trust in the medium as a carrier for sensitive information?

Above the need for simple identification, EEMA has witnessed a growing need for a legal framework to protect the interests of Internet users. Although the hand-written signature is accepted across the globe to legally bind a contract, there is no universally accepted method of legally securing a contract in the digital world. So, how can electronic contracts be made legally binding without a written signature? Digital certificates and digital signatures are two technologies already proven and in operation across the globe.

Digital certificates are being hailed as the Internet’s equivalent to a signature or passport. A digital certificate operates as a personal identity card for E-business and therefore a means of securely authenticating the identities of people across the Internet. It is an electronic document that contains information describing the holder, such as the user’s name (in a special format), a public key, the validity period and the operations for which the public key is valid (whether for encrypting data, verifying digital signatures or both). The current preference for storing digital certificates is to embed them within cryptographic smart cards to provide a hacker-resistant storage medium. As its name would suggest, the digital signature offers an electronic version of the traditional signature — a final guarantee that the user at the other end of the network is who they say they are. Today, virtually everyone wants electronic certificates and signatures to be made recognizable in law. However, guaranteeing their integrity requires a secure mode of transport to carry these certificates, along with any correspondence, to their destination without the threat of interception.
The infrastructure

Public Key Infrastructure (PKI) is acclaimed by some of the world’s leading IT vendors as the most flexible and secure method of achieving electronic transactions. Indeed, the subject plays a major role at this year’s ISSE conference in Berlin, with companies such as iD2 Technologies, Entrust, Gemplus and Infineon Technologies all demonstrating PKI’s central role in the future success of e-business. PKI-based solutions act as a carrier for digital certificates, enabling secure online identification by adding cryptography and encryption technologies.

PKI uses a matching pair of keys, one for encryption and one for decryption, more commonly known as public and private keys. In cryptography, the key refers to a numerical value (a large number with special mathematical properties) that is applied by an algorithm. The identity of the individual remains secure, as the information is only readable by the person who has the corresponding key to decrypt and recover it. The private key performs a one-way transformation of data by scrambling the information contained in it. The transformed data is the electronic signature, which can only be reversed by its matching key. The signature can be checked for validity using the public key. The public key can be distributed publicly without compromising the private key, which is kept secret and only accessible by the owner.
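The signing and checking just described, as an added example that is not code from the article, from EEMA or from any vendor named above: the private key transforms a digest of the contract into a signature, and anyone holding only the public key can check it. The example uses RSA signatures over a SHA-256 digest (a choice made here, not one the article specifies), and the contract text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates the matching key pair the article describes: the
// private key stays with its owner, the public key may be distributed freely.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the message and transforms the digest with the private key.
// The result is the digital signature; only the private key holder can produce it.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature with the public key. It returns true only if the
// signature was made over exactly this message by the matching private key.
func Verify(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	signer, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample contract text; any sequence of bytes can be signed.
	contract := []byte("Purchase order 42: 500 units at 10 EUR each, delivery 1 March 2000")
	sig, err := Sign(signer, contract)
	if err != nil {
		panic(err)
	}

	// The relying party holds only the public key.
	fmt.Println("genuine contract verifies:   ", Verify(&signer.PublicKey, contract, sig))

	// Altering a single character of the contract invalidates the signature.
	altered := []byte("Purchase order 42: 600 units at 10 EUR each, delivery 1 March 2000")
	fmt.Println("altered contract verifies:   ", Verify(&signer.PublicKey, altered, sig))

	// A signature cannot be attributed to a different key pair, so the signer
	// cannot later claim someone else produced it.
	other, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies under another key:  ", Verify(&other.PublicKey, contract, sig))
}
```

The two failing checks at the end are the point of the article's argument: a signature binds one exact message to one key pair, so the holder of the private key cannot credibly deny signing it, and nobody else can have done so.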
Trusted Third Party

So, we have established that the technology is available, but there is still a slow uptake from companies to conduct business across the Internet — security is still a major concern. Before industry can reap the benefits of E-commerce, users also require a high level of trust in the organizations that issue the digital certificates. The level of trust required is similar to how consumers and businesses trust a bank, solicitor or GP. These services are trusted because they have been in existence for hundreds of years and are regulated. Building such trust overnight in the electronic world is an impossible task.

In order to instil the level of trust required, digital certificates are created, issued and managed by a trusted third party (TTP). The TTP is responsible for certifying the authenticity of the users (i.e. checking that people are who they say they are), authenticating the digital certificate and securely binding the signature of the user to their public key. A TTP is a company or organization that provides ‘trust services’ for the digital exchange of data — comparable with the way notaries publicly guarantee the authenticity of certain documents.

In essence, a TTP is similar to a passport office. A passport, a paper ID, is a secure document issued by an appropriate authority that certifies the person is who they claim to be and is recognized as an official ID in every country around the world. The goal in the E-commerce world is for the digital certificate to be recognized in the same way, i.e. that if an electronic identity has been issued by a TTP, that should be proof that the person has been authenticated and is therefore who they say they are. By using digital certificates issued by TTPs, people can securely identify themselves over an electronic network, authenticating the sender and recipient of sensitive data. A network is an anonymous environment and confirming the identity of users is vital to ensure the integrity of communications and legal contracts that are entered into electronically.
Are digital certificates and signatures legally binding?

Today, the future of digital certificates remains unclear, with international bodies undecided about their status as a legally binding signature. This is unnecessary indecision, as digital certificates contain all the characteristics of a conventional hand-written signature — clarity, identification and verification. Anyone with access to the public key can check the digital signature and verify that it could only have been produced by someone with access to the private key. Once verified, it is proven that the owner of the private key must have signed the message and cannot later deny having signed it. Therefore, why shouldn’t a digital certificate be legally binding?

Across Europe, EEMA has identified a number of countries at various stages in acknowledging the legality of digital certificates and signatures. In the UK, there is currently no legal framework for the use of digital certificates; however, this is soon to change. The Department of Trade and Industry (DTI) is in the process of developing an E-commerce bill that will be put through parliament sometime this year. Once the bill has been passed, it will become legislation for E-commerce. The aim of the bill is to maintain the effectiveness of existing legislation and adapt it in response to new technological developments. Germany has had legislation for the electronic sending of legally binding business information since 1997 — the German Signature Law (SigG). Finland is yet further ahead in the world of E-commerce, with its certification authority issuing electronic IDs to all Finnish citizens.

In the UK, the intention is to introduce the option for TTPs to obtain a license to provide or facilitate cryptography and authentication services. The licensing is designed to provide trust that the authentication process is reliable. In Germany, the regulatory authority for Post Offices and Telecommunications companies is also the highest authority for digital certificates, responsible for issuing licenses to private companies who want to become TTPs for business-to-business communication.

Governments must play a key part in ensuring that users can trust the technologies that produce secure digital certificates and the commercial organizations providing them. Hence the introduction of voluntary licensing arrangements to ensure that minimum standards of quality and service are met. A lot of work will need to be put into assuring that a service, by virtue of being licensed, is high quality, secure and trustworthy. In determining what kind of organization is entitled to a license, there needs to be a balance between the demands of the purchaser, the third party and the TTP. The purchaser of a license will expect it to offer some guarantee of quality. The customer will expect due care to have been taken in the generation and storing of both the private and public key. The third party will have similar expectations, i.e. that any information stated on the certificate is true and that the TTP will have some liability if it turns out to be false, as it is their responsibility to authenticate the information provided by the third party. The service provider would be expected to manage and limit its liability. If the liability is unlimited, it would be unlikely that organizations would apply for a license. The cap on liability would be viewed as an advantage and would therefore encourage TTPs to seek a licence, as it would reduce the cost of liability insurance.
Who is liable?

Liability in the world of E-commerce is a complex subject. The UK is looking at legislation to balance the interests of the various parties who may be involved — either directly or indirectly — in a particular transaction. The aim is to match the liability in the electronic world with that in the physical world. One approach would be to rely on the contract between the TTP and their client. The difficulty with this is that it would give the TTP the option of contracting out all of their liability and therefore give a third party, e.g. someone relying on an electronic signature, no protection at all. The current EU directive would make a TTP liable to any person reasonably relying on a qualified digital certificate issued by them for the accuracy of the information contained in it. Having discussed where liability lies, there should also be a ‘duty of care’ imposed on holders of digital certificates. It must be made clear that it is their responsibility to keep their private key secure and to notify the TTP within so many hours of realizing it has been compromised — similar to losing a credit card.
What happens when companies conduct international business over the Internet?

E-commerce is inherently global in nature and therefore international law must be taken into account when formulating legislation. The international picture is complex and the best approach is to move quickly once reasonable international consensus has been established and adopt best practice from elsewhere. In its discussions with international organizations, EEMA has recommended that a close eye needs to be kept on foreign E-commerce policy developments to ensure that any national or even internal corporate policies can fit alongside them.
What do businesses need to do to ensure that an electronic contract is water-tight?

As things stand today, it is impossible for any business to ensure that an electronic contract is water-tight. However, once domestic and international law has been established regarding the regulation of digital certificates, EEMA recommends that a company should ensure the following:

• A PKI is implemented.
• Ensure that the TTP is insured for the appropriate level of liability.
• Ensure that anyone who will be involved in conducting e-business has a digital certificate and that they are contracted to have a ‘duty of care’ to keep the certificate safe.
• Check that the digital certificate belonging to the third party is valid and trustworthy.
• Ensure the TTP that issued the digital certificates is reputable and licensed.
• Obtain legal protection against a breach in electronic contracts by a customer or supplier.
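The checks a relying party makes on a third party’s certificate, as listed above (valid, trustworthy, issued by a licensed TTP) together with the ‘duty of care’ point from the liability section (a holder reports a compromised key and the TTP withdraws the certificate), as an added example that is not code from the article or from EEMA. The TTP names, holder names, dates and the in-memory revocation map are all constructed; the map stands in for the revocation list a real TTP would publish, and the certificate fields are the ones the article names (holder name, public key, validity period, permitted key usage).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair for a TTP or a certificate holder.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustCert parses freshly created DER, panicking on any error (example only).
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewTTP creates a self-signed root certificate for a trusted third party.
// Constructed here; a real TTP root would be obtained out of band.
func NewTTP(name string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// IssueCertificate has a TTP sign a certificate carrying the fields the article
// lists: the holder's name, public key, validity period and permitted key usage.
func IssueCertificate(ttp *x509.Certificate, ttpKey *ecdsa.PrivateKey, serial int64,
	holder string, pub *ecdsa.PublicKey, notBefore time.Time, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: holder, Organization: []string{"Example Ltd (constructed)"}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ttp, pub, ttpKey))
}

// CheckCertificate performs the relying party's checks: the certificate chains to
// a licensed TTP, is inside its validity period at time now, permits digital
// signatures, and has not been revoked after the holder reported a compromised key.
func CheckCertificate(cert *x509.Certificate, licensedTTPs *x509.CertPool,
	revoked map[string]bool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       licensedTTPs,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return fmt.Errorf("not issued by a licensed TTP or outside validity period: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate does not permit digital signatures")
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked: holder reported the private key compromised")
	}
	return nil
}

func main() {
	start := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	licensed, licensedKey := NewTTP("Licensed TTP (constructed)", start)
	unlicensed, unlicensedKey := NewTTP("Unlicensed issuer (constructed)", start)

	trusted := x509.NewCertPool() // only the licensed TTP is trusted
	trusted.AddCert(licensed)

	holder := newKey()
	good := IssueCertificate(licensed, licensedKey, 100, "Alice", &holder.PublicKey, start, 365)
	untrusted := IssueCertificate(unlicensed, unlicensedKey, 101, "Bob", &holder.PublicKey, start, 365)
	revoked := map[string]bool{good.SerialNumber.String(): true} // stand-in for a TTP's revocation list

	now := start.AddDate(0, 6, 0)
	fmt.Println("licensed TTP, in date:    ", CheckCertificate(good, trusted, nil, now))
	fmt.Println("unlicensed issuer:        ", CheckCertificate(untrusted, trusted, nil, now))
	fmt.Println("two years on (expired):   ", CheckCertificate(good, trusted, nil, start.AddDate(2, 0, 0)))
	fmt.Println("after key compromise:     ", CheckCertificate(good, trusted, revoked, now))
}
```

Only the first call returns nil. The trust decision rests entirely on which roots are placed in the pool, which is the technical counterpart of the article’s point that the relying party must know which TTPs are licensed; the revocation check is what gives the holder’s ‘duty of care’ to report a lost key any practical effect.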
So what’s next?

An E-commerce explosion is imminent. There is no doubt that the technology is tried and tested and available to enable consumers and businesses to conduct business over the Internet. There is also no doubt about the benefits that E-commerce will bring. However, there remains a nagging doubt in the minds of many regarding the confidentiality of information that flows through the Internet — despite the technology available! This article has established that we can securely identify a user on the Internet. There are three hurdles to overcome in order to see the realization of E-commerce: people’s confidence in security; the lack of a legal framework surrounding liability of electronic contracts; and the establishment of TTPs. The uncertainty of who the TTPs are also undermines people’s confidence — a vicious circle!

Something to consider in increasing confidence in security is the assurance of redress when things go wrong, as well as making any unauthorized misuse of cryptographic keys an offence. The Government should put in place simple and effective dispute resolution mechanisms. Another way could be to update the data protection law in the context of E-commerce. Once the legal framework has been established, TTPs and confidence are likely to slip into place. It looks like the Year 2000 is when the explosion will really happen!

EEMA is a not-for-profit organization, formed in 1987, to promote awareness of and stimulate interest in electronic commerce and business across Europe. The membership consists of corporations, governments and academic institutions throughout Europe.