The perils of non-repudiation

No comments

The perils of non-repudiation

The Law Society is right to be concerned about the risks involved in certification of electronic signatures, argues Raymond PerryThe introduction of new technology brings benefits but paradoxically it also leads to risks and unintended consequences.

The move to a system of e-conveyancing, driven by the government, provides a textbook example of this phenomenon.

The problem is that the risks involved may be subtle and their impact hard to forecast.Central to the concept of e-conveyancing is the digital signature.

Without digital signatures e-conveyancing cannot work.

At the same time, to have a workable system of digital signatures some kind of certification authority (CA) is essential.

A CA is necessary to provide a link between a digital signature and its owner.

If it is left to the sender to create his own digital signature, then the recipient cannot be certain that it was really, say, Mr Smith who created the digital signature on an electronic document.

The person relying on a digital signature needs to be sure that the signature was really generated by the apparent sender.

The solution is provided by a certificate issued by a CA confirming, among other things, who the signature belongs to.

Certificates have many other functions, too.

A certificate may limit the time that the signature is valid.

A CA also has to deal with the fact that some users may wish to withdraw or change their digital signatures, as the names of firms change and practices may merge or close down.Most important of all, the private key - a piece of binary code - used to generate the digital signature might be stolen and its owner would want the certificate revoked by the CA so that a third party does not rely on the digital signature.There are differing views about the safety of the use of digital signatures.

The optimistic hypothesis is that the technological aspects of the certification process provide the answers to concerns about security.

Others are more sceptical.

In a detailed response to the consultation paper produced by the Lord Chancellor's Department, the Law Society has outlined its concerns about a number of issues including that of certification of electronic signatures.

In deciding whether certification provides the answers to such concerns it is helpful to look at the development of digital signatures.Digital signatures are not new.

They have been commercially available for many years.

The technology behind them is undoubtedly impressive.

Assuming that they are properly used they cannot be faked and any tampering with a digitally-signed electronic document would be immediately apparent.

Given this, it might seem surprising that their role in e-commerce has been so limited.

However, as Internet based e-commerce has evolved it has become apparent that digital signatures are unnecessary for consumer transactions.

In all such dealings both the buyer and seller rely for security and authentication on the humble credit card.

This situation seems unlikely to change.That they have simply not proved necessary is only one, although perhaps the most important, of the reasons why the use of electronic signatures has not become widespread.

Since they will be necessary for e-conveyancing these other problems need to be examined.

From a practical point of view the most important difficulty is that they are complex and awkward to use but this problem is overshadowed by the disagreeable issue of non-repudiation.As Tim Travers made clear in his recent article (see [2001] Gazette 20 September, 45), one of the core principles of the technology is non-repudiation.

In simple terms, this means that the owner of a digital signature cannot deny having signed an electronic document that bears his digital signature.

Unlike an ordinary signature, which is unique to the person making it, a digital signature can be applied by someone other than the true owner, provided that person has obtained the private key used to generate the signature.

Because of this it is unlikely anyone would be prepared to rely on digital signatures without some form of non-repudiation.Unfortunately, non-repudiation has an obvious and significant disadvantage as far as the owner of a digital signature is concerned.

If his digital signature falls into the hands of a third party and is used for fraud then he may find himself forced to accept losses and liabilities under an agreement that he did not sign.

In short, the use of digital signatures has the effect of transferring the risk of fraud to the owner of the signature.To anyone with even a limited knowledge of the world of conveyancing, the implications for solicitors are extremely ominous given that it is suggested that, at least initially, solicitors will be signing documents on behalf of their clients.

Where property is involved even a single fraudulent transaction can involve the loss of millions of pounds.

Indeed from the fraudster's point of view, as the effort involved in stealing a private key is the same whatever the value of the subsequent fraudulent transaction, it is likely that they will be used for high-value fraud.

If the doctrine of non-repudiation applies, the loss will fall on the solicitor whose digital signature was used.There are two possible solutions to this problem.

The first is revocation of the certificate.

In theory this provides the answer, but in practice the theft of the private key may not come to light until sometime after it has occurred.

Indeed, the point at which a problem is detected is likely to be after the digital signature has been fraudulently used, by which time revocation will be of little use.The second solution is to ensure that the private key does not fall into the wrong hands.

While it remains unclear what security methods might be used to protect digital signatures, it is almost certainly impossible to achieve absolute security.

There are many different methods that could be used to secure digital signatures but almost all present problems.

To start with, solicitors' offices are relatively insecure.

The idea of upgrading the physical security of every office to the level of a high-street bank or building society is not practical.

Similar problems apply to the security of computer networks within solicitors' offices, most of which are now connected to the Internet in some way.In any event all security proposals have the drawback that they make the technology harder and more expensive to use.

It is possible to limit the validity of a certificate to a very short period or to make the process of generation more difficult by requiring the involvement of a physical token such as a smart card.

While these measures would make fraud harder they also erode the benefits of using the new technology.This brings us to back to the reasons for the introduction of e-conveyancing in the first place.

The rationale for the change to an electronic procedure is that it will be quicker and cheaper than the existing paper-based system.

There is no question that the technology actually works.

The danger for solicitors is that the cost involved, in both time and money, in trying properly to implement a secure system will completely outweigh the benefits to be obtained.

Raymond Perry is a solicitor at Davies and Partners in Gloucester

No comments

The perils of non-repudiation

No comments yet

Only registered users can comment on this article.

More from News

Fewer pupils would recommend a bar career

Rugby player's liability for collision upheld by Court of Appeal

Claimant cannot sue firm over report to SRA, rules tribunal

Recommended services

Law Society Learning

Bookshop

Events

Online library