Digital certificates will pass the test
There are legitimate concerns about e-conveyancing, but, says Tim Travers, there are also solutionsElectronic trust services are an emerging market in the UK.
The past six months have seen increasing media coverage of the related topics of trust, confidence, security, BS7799, digital signatures, digital certificates and encryption.
Government, banking, financial services, insurance, healthcare, legal and other markets have all either started, or accelerated, strategy debates as to how digital signatures and encryption can improve customer services.E-conveyancing has been the most topical discussion of electronic trust services in the legal arena and was the subject of a recent consultation paper.The Law Society published a detailed response 'welcoming the concept of e-conveyancing', but 'there are, however, a number of issues...
with which the Law Society does not agree'.
Scheme accreditation for electronic trust servicesThere is now a UK regulator in place.
tScheme is the UK industry-led self-regulatory scheme set up to create strict assessment criteria, against which it will approve electronic trust service providers and their services.tScheme approval will be an essential element in providing assurance to individuals and companies relying on e-business transactions, thus helping to fuel healthy growth in the e-business economy.
tScheme is the government's preferred method for dealing with the regulatory aspects of the Electronic Communications Act.Technical issuesIn short, the encryption technologies available are very good.
Why? The world's leading mathematicians have been working on cryptography for at least 30 years, and it works.On the other hand, many of the practical procedures, which are needed for effective implementation of digital certificate use in the workplace, need refinement, as the Law Society has highlighted in its response document.
Organisations, which have been actively researching and developing service solutions in this area for some time now, welcome the promotion of the debate.
Just as the Law Society has legitimate concerns on behalf of its members, so do other interested participants.However, there is much to be optimistic about.
Whether in the context of e-conveyancing or other practice areas, there are already many solutions to the perceived problems.Digital certificate principlesA digital certificate contains a number of fields of information.
The accepted international standard is the International Telecommunication Union's X.509 recommendation.The essence of a digital certificate is that it is bound to a unique identity through a public key.
The relevant identity can be that of an individual person, an organisation, a Web site, a server, software or other IT application.It is understandable that there can be confusion or lack of understanding in this area, because the mathematics underlying the technologies are extremely advanced.
However, the basic principles are clear.l Put simply, there are two distinct actions in using a digital certificate.
To sign digitally, the sender uses his private signature key, and the recipient authenticates the sender using the sender's public signature key.
To encrypt the communication, the opposite applies.
The sender uses the recipient's public encryption key, and the recipient uses his private encryption key to decrypt the communication.
Note here that there are, in fact, two key pairs, and not one.l Certification authorities (that is, issuers of certificates) are subject to regulation in the UK.
The tScheme has already published various detailed guidelines in the form of tScheme profiles, which include those relating to the verification of the identity of individuals and organisations.
As mentioned earlier, there is a voluntary accreditation scheme run by the tScheme.
Clearly, the legal profession will expect providers of electronic trust services to be accredited at the earliest opportunity, although there is going to be a short period of 'chicken and egg', since the accreditation is given in relation to the services provided, and not the service provider per se.
No current providers' services have yet been accredited.l A key pair (that is, public and private) is generated by the user, and not by the certification authority.
Of course, a client may ask the certification authority, for reasons of practicality, to generate the key pair, but this will not enable users to take full advantage of the laws open to them.
For example, the definition of 'qualified digital certificate' in the European Electronic Signatures Directive (which is the type of certificate that will be needed in the context of legal transactions) contains four requirements, one of which is that the electronic signature 'is created using means that the signatory can maintain under his sole control'.l A certification authority does not issue public keys.
The user generates the private key and corresponding public key.
The user sends the public key back to the certification authority, as part of the application process, so that the certification authority can issue and publish the digital certificate.l Certification authorities that issue digital certificates using the X.509 v3 standard are able to include various fields of information in the certificate.
There will be an agreement with the client as to what exactly should be included.
Some fields are mandatory and others are optional.
These fields include, for example, validity period, key usage, transaction limits, roles, and other identity attributes, such as the public key holder is a qualified solicitor with a current practising certificate.l Certification authorities do not keep the private signature key.
This would completely defeat the whole concept of non-repudiation, which is one of the four core principles of public key infrastructure technology (the other three principles are authentication, confidentiality and integrity).
If they did, a user could then deny having digitally signed the electronic communication.
Confusion is common, because it is often forgotten that there are two separate pairs of keys in issue per user.
What is absolutely crucial is that nobody other than the user has the private signature key.
On the other hand, there are good commercial reasons why persons other than the user, including the client and/or the certification authority, may, by agreement, have a copy of the private encryption key.
For example, in an emergency, it may be necessary quickly to decrypt an electronic communication or document.
The same principle equally applies in the case of a former employee.l Certification authorities do accept liability, but this is a matter of both contract and also common law.
As the market matures, the level and nature of the differing liabilities as between the certification authorities, the registration authorities, the certificate users and relying third parties will become clearer.l Tampering with either the digital certificate itself or the electronic communication or the document to which the digital certificate is attached cannot go unnoticed.
The foundation principle of public key infrastructure technology is that the private key cannot practically be deduced from the public key, and vice-versa.
But if participants are still concerned about this risk, however remote, then having certificates with a shorter than typical validity period is one way of mitigating against that risk.
Perhaps, in e-conveyancing, aone-time use certificate with a short validity period to sign digitally the transaction documents is one option to consider.There are legitimate concerns raised by the Law Society in the context of e-conveyancing.
However, there are many solutions, comprising a combination of technologies, procedures and protocols, which can be packaged together to alleviate those concerns, to the point where users can see that the advantages of using digital certificates greatly outweigh the disadvantages.Solicitor Tim Travers is a director of Notus Key Limited, an electronic trust services provider and member of the tScheme
No comments yet