E LAW - MURDOCH UNIVERSITY ELECTRONIC JOURNAL OF LAW ISSN 1321-9347 Volume 9 Number 3 (September 2002) Copyright E Law and author File: lim93.txt ftp://law.murdoch.edu.au/pub/elaw-issues/v9n3/lim93.txt http://www.murdoch.edu.au/elaw/issues/v9n3/lim93.html ________________________________________________________________________ Digital Signature, Certification Authorities and the Law Yee Fen Lim Macqaurie University Contents * Introduction * Handwritten Signatures * Electronic Signatures * Public Key Cryptography * Public Key Infrastructure (PKI) * Conclusion * Notes Introduction 1. There are many issues raised by electronic signature technology. It is not the intention here to canvass them all, indeed, the aim here is modest and it is to focus on one particular issue relating to a particular subset of electronic signatures, namely, digital signatures. In particular, the focus is on how effective the Australian legal landscape is in promoting certainty in the use of and reliance on digital signatures. 2. The importance of electronic signatures cannot be underestimated and they are significant both at a conceptual level and at a practical level. The conceptual level is important as that is where the examination of whether electronic signatures achieve functional equivalence with traditional handwritten signatures takes place. Once electronic signatures have attained functional equivalence with handwritten signatures, their practical importance becomes evident. Electronic signatures would then be entitled to have the same legal validity as handwritten signatures. With legal validity, electronic signatures will have a prominent role to play in the uptake of e-commerce. E-commerce cannot be expected to flourish of its own accord. The proper and necessary legal framework and institutions must first be in place. Electronic signatures are in short, a vital ingredient in the success of electronic commerce. 3. Electronic signatures are significant in both the commercial and non-commercial realm. They are an important part of contract formation in the digital realm but their utility in the non-commercial arena should not be under-estimated. For example, if the head of one nation wished to send a message to the head of another nation about a matter of national security, there would need to be assurances that the message really did in fact come from the first head of nation and that it would be received by and possibly only received by, the second head of nation. 4. The legal validity of electronic signatures is patently of international significance because without common, or similar, definitional frameworks, there can be little progress in developing the legal institutions necessary for the conduct of international electronic commerce. The Internet is after all global and international, and it transcends national boundaries. Further, the exceptional success of electronic commerce will depend more on facilitating and encouraging dealings between unknown parties across different jurisdictions, rather than on dealings between known parties, whether in the same jurisdiction or not. To date, different jurisdictions have taken different approaches to the question of what should be regarded as a legally valid electronic signature. Some, such as the European Union, has set different levels of legal recognition for different forms of electronic signatures that meet different technology requirements.[1] Australia has not taken this path as yet, but it is certainly under consideration.[2] 5. Although the Electronic Transactions Acts at the Federal and State levels in Australia recognise electronic signatures without setting any technology specific conditions, the aim of the legislation is permissive rather than promotive. The following is a normative argument that sets the framework for the maximum acceptance and usage of electronic signatures, and hence electronic commerce. Handwritten Signatures 6. Before one can embark on the question of functional equivalence, an examination of traditional paper-based handwritten signatures is necessary to elucidate the elements that give handwritten signatures their legal validity. Any mark can qualify as a handwritten signature, from a squiggle, to a thumbprint. However, the thing to note is the difference between a signature and an autograph. A signature can be differentiated from an autograph through the element of intention. A signature is any mark that has been affixed by the signer with the intent to be bound by the contents of the document. Once affixed, the signature and the document becomes one composite thing. This encapsulates an awareness of the terms above the signature, agreement to be bound by those same terms, knowledge of consequence of breach, awareness that the signature is non-repudiable as a sign of intent, and providing an unalterable permanent record of event. This brings us to the first function of a handwritten signature, that of integrity. 7. If a handwritten signature is disputed and proof is required, the law has mechanisms to verify whether the signature is genuine. Usually, the court will call on the witness to the signature, or a person with intimate knowledge of the person's signature, or a handwriting expert. In this sense, once a handwritten signature is affixed to a document, the signer is aware that she cannot repudiate the signature. This second element of a handwritten signature is commonly known as the element of non-repudiation. 8. There are two remaining elements of handwritten signatures, or more precisely with documents that are signed by means of handwritten signatures, that are perhaps not explicitly acknowledged by the law but they reflect the real world practices which must be present or at least somehow mimicked in the electronic realm.[3] They are the elements of authenticity and confidentiality. Authenticity means ensuring that a party to a transaction or communication is whom she purports to be. It is concerned with the source or origin of the communication. In the real world, one is normally sure of the identity of the parties with whom one is dealing with. The identity can be verified through means such as face-to-face meetings, telephone conversations, visits to the offices of the other party, the exchange of business cards and so on. While the verification of identity can be achieved with relative ease in the real world, this cannot be easily done in the electronic realm. 9. Confidentiality refers to the ability to keep documents and communications confidential and private. In the real world, it is quite straightforward to maintain the confidentiality of dealings and documents. If for example one has signed a document, to keep the document away from prying eyes, one could keep the document sealed in an envelope in a safe, or in a safe-deposit box or some other secure place where the document is not likely to be disturbed. Again, the ease of achieving confidentiality is not as simple in the electronic realm as in the real world as communications on the Internet can be eavesdropped very easily. 10. In summary, there are four functional elements present when dealing with documents signed by handwritten signatures and these must also be present in the electronic realm with electronically signed documents if they are to be given equal legal validity. Electronic Signatures 11. The term electronic signature encompasses a great many variety of "signatures". Electronic signatures are simply an electronic confirmation of identity. This definition is deliberately broad enough to encompass all forms of electronic identification, from biometric signatures such as iris scans and fingerprints to non-biometric signatures, such as digital signatures. Electronic signatures can be further subdivided into the highly secure and the insecure. An example of an insecure electronic signature would be one's initials at the end of an email. A secure electronic signature uses digital cryptography , but for it to attain legal validity, it would need to satisfy all four elements identified above. 12. Electronic signatures must serve the same essential functions that we expect of documents signed by handwritten signatures, namely integrity, non-repudiation, authentication and confidentiality. In the digital realm, integrity means ensuring that a communication has not been altered in the course of transmission. It is concerned with the accuracy and completeness of the communication. The recipient of an electronic communication must be confident of a communication's integrity before she can rely on and act on the communication. Integrity is critical to e-commerce transactions, especially where contracts are formed electronically. 13. The elements of authentication, integrity and non-repudiation are all elements that allow for trust to be placed in the document or communication. In the real world, there are numerous indicators of trust that one can rely on. Tools have been employed to ensure the signature and content are genuine, authentic and reliable. In the electronic realm, none of these indicators of trust can be utilised. One can type one's initials at the end of an email, but it would be quite unreliable as an indicator of source. As a result, one form of electronic signatures, digital signatures using public key cryptography, has been developed to meet the requirements of authenticity, integrity, confidentiality and non-repudiation. Public Key Cryptography 14. Public key cryptography[4] uses two different, but mathematically related keys, known as a 'key pair'. One of these keys is called the public key, the other is the private key. The public key is designed to be freely distributed to anyone who requires it. The associated private key is kept secret by the individual. The golden rule of public key cryptography is that anything encrypted with a public key can only be decoded with the associated private key, and vice versa. Hence, both keys are capable of encoding and decoding. The crucial thing to note is that in the digital realm, it matters not whether we are dealing with a message such as "Let's have lunch" or a signature that says "Jane Citizen". Digital technology simply treats both as messages consisting of zeroes and ones. For ease of understanding, we take the example of Superman wanting to write a message consisting of "I love you" to Lois Lane. 15. The first thing Superman would do would be to encrypt his message with his private key. Anyone with Superman's public key would be able to decrypt the message. This would satisfy the element of authenticity as because the public key belonging to Superman was able to decrypt the message, the message must have come from Superman. However, the message would be able to be read by anyone with Superman's public key. To ensure that only Lois Lane read the message, Superman would have to encrypt his already encrypted message with Lois Lane's public key. This way, Lois Lane is the only person who would be able to decode the message as she is the only one with the associated private key. Having a double layer of encryption ensures that the message can only be read by Lois Lane, the intended recipient, and hence, the element of confidentiality is satisfied. 16. Technology has devised a way of achieving the element of integrity through the use of a pre-agreed one-way-hash functions. A one-way-hash function is an algorithm which, unlike a key, has no relation to any other algorithm and which is freely available. When the hash function is applied to simple text (a process called the 'crunch'), a number, known as a hash, is produced. The number is of a determined bit length depending on the size of the function-for example a 128-bit hash-and the longer the hash, the more secure the algorithm. A simple algorithm would be one that associates each letter of the alphabet with a number, for example, a=1 b=2 c=3 d=4 z=26 and then to use the sum of the numbers as the function. For example, the message "I love you" would be worked out as: i=9 l=12 o=15 v=22 e=5 y=25 o=15 u=21. Utilising the sum function: 9+12+15+22+5+25+15+21=124 produces the hash of 124. The one-way hash functions that are normally used are far more complex than just a simple summation and would usually utilise factorials, and other more complex mathematical algorithms. A hash is usually included at the end of the message that was the basis for its creation. This enables the recipient to verify a message by using the same simple text and the same one-way-hash function. If the hash produced by the recipient matches the hash sent with the message, it is guaranteed that the simple text sent with the hash has not been altered. 17. It should be noted that in normal practice, the actual information being sent is encrypted using a secret key algorithm called symmetric cryptography. The reason for this is because symmetric algorithms are much faster and more efficient than public/private key algorithms (asymmetric cryptography). However, as the name suggests, symmetric keys are not secure as both keys are identical and can be easily compromised. Superman would then use his private key to encrypt the symmetric key. He would then add the second layer of encryption to the encrypted symmetric key before sending the double encrypted symmetric key and the message that was encrypted with the symmetric key. 18. This leaves the remaining element of non-repudiation. How do we know that it was really Superman that wrote the message? Perhaps it was a fraudster posing as Superman claiming the public key belonged to Superman when it did not. In situations where the parties have had prior dealings, it may be possible to verify the owner of the public key, for example, at a personal meeting, parties may exchange public keys on floppy disks. However, if the parties are unknown to each other, and perhaps in different jurisdictions, the requisite level of confidence is not present. The solution to this lies in the public key infrastructure. Public Key Infrastructure (PKI) 19. To achieve the element of non-repudiation, the system for distributing keys must be reliable. Systems developed to manage the public keys are referred to as public key infrastructures (PKIs).[5] The main role of PKI is to provide a mechanism for public keys to be made publicly accessible. However, PKIs must also fulfil a number of other correlated functions. First, there must be confidence that the given public keys belong to whom they purport to belong. The system would be unworkable if a public key is thought to belong to X when in fact it belonged to Y masquerading as X. Y would then be able to receive private, confidential and even commercially sensitive information intended for X. Second, there must be a means of revoking public keys if the owner's private key has been compromised. The suitable analogy here would be the credit card owner who loses her credit card. There must be an effective mechanism whereby the key can be cancelled quickly and effectively. Third, disused public keys must be kept and archived in the event of a dispute in the future. The keys would be required to be produced to enable the settlement of disputes. 20. It is possible that the last two of these functions can be performed by the key owner. However, it is doubted if key owners can be trusted to remain honest in the event of a dispute. If businesses and consumers cannot be assured of the authenticity and the impenetrability of the signature systems they use, there is little likelihood of e-business becoming the benchmark for global commerce. 21. The PKI systems in use around the world generally utilise the services of a trusted third party to be responsible for attaching an individual with a public key. The trusted third party is generally known as a certification authority. The certification authority would require evidence that a particular individual is appropriately using a digital signature and this is normally achieved through requiring the applicant to present themselves at an office of the certification authority with proof of their identity. The certification authority then issues a digital certificate containing a copy of the public key of the individual signed by the certification authority.[6] 22. Digital certificates are in essence messages indicating that a public key belongs to a particular person or entity. Digital certificates are themselves digital signatures as the certification authority uses its private key to validate the message. A certification authority in turn can be validated by higher certification authorities, thus creating a certificate chain. Hence, the trustworthiness of a certification authority may depend on its reputation in traditional business transactions, or, it may be a subscriber of a higher certification authority, and use the certificate of the higher certification authority to reassure subscribers and relying parties that it is not a bogus certification authority. The certification authority at the pinnacle of the certification authority hierarchy is known as a root certification authority and it issues root certificates. The root certification authority self-authenticates for purposes of determining the validity of the certificates.[7] 23. Public key infrastructure is a matrix of non-governmental certification bodies which have developed a system of cross-verification. This system produces authenticity by assuming that each authority wishes to protect and enhance its reputation. This assumption is then tested as each authority checks the security of another authority's system. In this way, one authority can often carry the seal of numerous others, as a testimony to its own reliability. In return, that authority will test and seal numerous others. The question for users is one of information. Without certification, it would be impossible to tell whether the public key to be used in a transaction is either legitimately attached to the person you are led to believe it is, or as secure as you are led to believe. If the non-governmental authorities are relatively unknown in the sender's jurisdiction the problem is only slightly alleviated, because while there may be a seal, the consumer may have little knowledge of the authority behind it. 24. Together with the question of the authority behind a seal, the question at the forefront of the user's mind is the issue of liability in the event of the failure of a certified signature. Without confidence of where liability lies in PKI systems, consumers and businesses will not be willing to take up the use of digital signatures. Australia unfortunately, is one amongst many jurisdictions where parties that rely on certified signatures will be faced with a confusing array of possible legal recourse should a certified signature fail. In the recent report by the National Electronic Authentication Council[8] examining the types of liability allocation and management models used in Australia by Gatekeeper-accredited PKI service providers, a number of legal avenues were identified, including contract law, law of negligence and s52 of the Trade Practices Act 1974.[9] 25. Gatekeeper is the Australian Commonwealth Government's strategy for the use of PKI and a key enabler for the delivery of Government Online and e-commerce. It represents one example of a public sector section of the PKI matrix. In terms of liability allocation, as between the subscriber or key owner and the certification authority, reliance will most likely be on contract law. For a relying party however, the outlook is particularly grim. In most cases, a relying party will not have a contract with either the subscriber or the certification authority. It is also unlikely that a relying party will be owed a duty of care by the subscriber or certification authority due to the relying party being a member of a large and diffuse class incapable of determination.[10] The only possible avenue for a relying party would be a statutory regime such as s52 of the Trade Practices Act 1974 where they may be able to argue that the failed certified signature was a result of some misleading or deceptive conduct on the part of the certification authority. 26. The effect of the Australian legal landscape is far from satisfactory for a relying party. For a relying party familiar with Australian laws, the uncertainty in liability and uncertainty in the success of any action based on the Trade Practices Act 1974 would be sufficient to discourage any reliance on a certified signature for a transaction worth a substantial amount. For a relying party who is perhaps domiciled in another jurisdiction and who is unfamiliar with the Australian jurisdiction, the lack of any simple regime that stipulates the allocation of liability would provide a sufficient deterrent against relying on a certified signature from Australia. Whilst it has been the tradition of the law to move incrementally with each new change in technology, it is submitted that in order for successful take up of electronic commerce, it is imperative that the roles, responsibilities and liability within the PKI system are clearly defined. Without a clear definition, it would be difficult for the function of non-repudiation to be properly achieved and without non-repudiation, users such as relying parties would not have the requisite level of confidence to rely on certified signatures. The end-result would be a slow and hesitant take up of electronic commerce. Conclusion 27. Digital signatures utilising the public key cryptography system have every potential to achieve the same level of legal recognition as handwritten signatures. However, the main obstacle at present is in the functional element of non-repudiation. This element, unlike the other three elements of handwritten signatures discussed, cannot be achieved by technology alone. Assistance is required from the law to help it attain the functional element of non-repudiation. Once non-repudiation has been achieved, then and only then, can electronic commerce be expected to be successfully taken up. Notes [1] European Directive on a Community Framework for Electronic signatures 1999/93/EC. [2] See for example the report of the National Electronic Authentication Council, Liability and other Legal Issues in the Use of PKI Digital Certificates (May 2002). [3] See further Thomas J. Smedinghoff & Ruth Hill Bro, "Moving with Change: Electronic Signature Legislation as a Vehicle for Advancing E-Commerce", 17 John Marshall Journal of Computer & Information Technology Law 723 (1999). [4] See further B. Schneier, Applied Cryptography (John Wiley & Sons 1994), W. Diffie, The First Ten Years of Public-Key Cryptography, 78 Proceedings of the IEEE 560-77 (1988) which provides an excellent history of the development of public key cryptography, and RSA Laboratories, RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Version 4.1 2-1-1 (2000), available at accessed 11/03/01. [5] One of the most widely known PKI model is based on the model of the telephone directory first put forth by Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography", IT-22 IEEE Transactions on Information Theory 644 (1976). See also Joan Feigenbaum, "Towards an Infrastructure for Authorization, Position Paper", 3rd USENIX Workshop on Electronic Commerce (September 1998). [6] It is believed that the notion of "certificates" was first put forth in 1977 by Loren Kohnfelder, then an undergraduate at MIT, see L. M. Kohnfelder, "Towards a Practical Public- Key Cryptosystem" (1977) (unpublished B.S. thesis), cited in Rohit Khare and Adam Rifkin, "Weaving a Web of Trust", v. 1.126 (Nov. 30, 1997), available at