Wednesday, September 29, 2010

More than just PKI

(This article was originally published in the iTech Supplement of the Times of Malta in October 2002)

Servers have been clustered and mirrored, systems have been monitored and secured, firewalls have been put in place, all systems go for the issuing of digital certificates. But what about the legal documentation required for the certificates?

The implications and ramifications of using and relying on digital signatures make legal issues and considerations a critical element in the PKI lifecycle that no Certification Service Provider can afford to ignore.

Digital certificates are expected to become an essential part of doing business on-line. Based on a range of encryption techniques, digital signature systems allow people and organizations to electronically certify such features as their identity, their ability to pay, or the authenticity of an electronic document. With the current developments in the local eGovernment projects, digital certificates will surely become an important building block in secure and authenticated electronic communications with Government.

In any Public Key Infrastructure a comprehensive legal environment is essential to document the practices and procedures of the applications. Compliance with relevant legal frameworks, including the newly enacted E-Commerce Act and Data Protection Act, as well as compliance with international enactments and standards, is thus essential.

While the proliferating electronic signature regulation focuses largely on PKI, it mandates certain legal conditions that give uncontested recognition to certain types of electronic signatures.

Having the adequate technology is not enough. Certification service providers must ensure that a proper legal framework encapsulates their services. The list of legal documentation required by a Certification Service Provider is broad. A solid Certification Practice Statement (CPS) is fundamental.

The CPS is a statement of the practices adopted by a Certification Authority in issuing digital certificates. Apart from the CPS, certificate policies must also be drafted. Basically, these are a set of rules that indicate the applicability of a digital certificate to a particular community and/or class of application with common security requirements.

Subscriber Agreements are also a building block of the Certification Service Provider's legal regime. It is with the use of Subscriber Agreements that the relationship between a certification authority and a subject is created. Such an agreement would be concluded between the certification authority and the person who is named or identified in the certificate and who holds the private key that corresponds to the public key listed in the certificate.

Before commencing any kind of operation in issuing digital certificates, Certification Service Providers must study the procedures that will be adopted by their Registration Offices as well as arrange proper agreements that would be pertinent between a registration authority and an agent authorised to register subscribers on behalf of a certification authority at a local level.

Insurance is also a must. Certification Service Providers have to ensure that they declare clearly their intention to provide reliance limits for the usage of the certificates to their subscribers or private parties.

Another important building block in the legal environment in which Certification Service Providers operate is the Relying Party Agreement. This is an agreement between a certification authority and a person who has received a certificate, together with a digital signature verifiable with reference to the public key listed in that certificate, and who is in a position to rely on the certificate.

Policies governing the collection of information for digital signatures, and the architecture and legal liabilities associated with these technologies, also raise important privacy and consumer protection issues.

Certification Service Providers must therefore also have a Data Protection Statement. This is where the provider states compliance with both local and international Data Protection regimes. Surely, local certification service providers will have to comply not only with the Maltese Data Protection Act but also with EU Data Protection Directive 95/46/EC.

Certification Service Providers also need to provide a Consumer Protection Statement showing compliance with local consumer protection legislation as well as with other international legislation such as the European Consumer Protection Directive.

The provision of digital certification services does not exist in a vacuum. Any service provider must make sure that he keeps abreast of all developments, in the local as well as the international sphere of digital certification regulation.

Compliance with the whole plethora of legislation and regulatory and standardisation frameworks pertaining to electronic commerce is therefore essential. Certification Service Providers must study all the phases of the proliferation of the EU Electronic Commerce Directive, mainly EESSI (European Electronic Signatures Standardisation Initiative), ETSI (European Telecommunications Standards Institute) and the ETSI Specialist Task Force (ETSI STF 155) on the standardisation of Certification Policies for qualified certificates. Certification Service Providers intending to provide certificates on hard tokens must also keep abreast of the eEurope Smart Card Charter.

Issuers of digital certificates may also opt to provide signature policies, which have important legal considerations. A signature policy is a set of rules for the creation and validation of an electronic signature, under which the validity of a signature can be determined.

A given legal/contractual context may recognize a particular signature policy as meeting its requirements. A signature policy has a globally unique reference, which is bound to an electronic signature by the signer as part of the signature calculation. The signature policies required for the conclusion of a contract via the Internet between two companies would be much more onerous than the signature policies for a consumer buying goods or services through an access-restricted site. Signature policies are important when dealing with digital certificates issued to companies and other legal persons. Who would be able to sign a contract on behalf of the company would thus have to be specified in the signature policy of the certificate. Signature policies ensure that no person can conclude arrangements using digital certificates, or sign documents, which he could not have signed in the real world.

The signature policy of the digital certificate needs to be available in human readable form so that it can be assessed to meet the requirements of the legal and contractual context in which it is being applied.
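As an added illustration (not from the original article), the Python sketch below shows how a signature policy's globally unique reference (an identifier plus a hash of the human-readable policy text) is placed among the signed attributes so that it is covered by the signature calculation, and how a relying party checks that the policy it has read is the one the signer committed to. The policy OID and policy text are constructed placeholders, and an HMAC stands in for the subscriber's private-key signature so that the code runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed sample values: a placeholder identifier (not a registered OID)
# and a short human-readable policy text that a relying party can assess.
POLICY_OID = "1.2.3.4.5.999"
POLICY_TEXT = ("Signature policy (constructed example): a signature under this "
               "policy binds the company only when made by a registered director.")
DEMO_KEY = b"constructed-demo-key"  # stand-in for the subscriber's private key


def policy_hash(policy_text: str) -> str:
    # The reference is the OID plus a hash of the readable policy, so a
    # relying party can confirm the text it reads is the text that was bound.
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


def signed_attributes(content: bytes, oid: str, policy_text: str) -> dict:
    return {
        "content_digest": hashlib.sha256(content).hexdigest(),
        "sig_policy_id": oid,
        "sig_policy_hash": policy_hash(policy_text),
    }


def canonical(attrs: dict) -> bytes:
    # Deterministic encoding so signer and verifier sign/verify the same bytes.
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def sign(content: bytes, key: bytes, oid: str, policy_text: str) -> dict:
    attrs = signed_attributes(content, oid, policy_text)
    # HMAC stands in for the asymmetric signature; the point is that the
    # policy reference sits inside the signed bytes, not beside them.
    tag = hmac.new(key, canonical(attrs), hashlib.sha256).hexdigest()
    return {"attrs": attrs, "signature": tag}


def verify(sig: dict, content: bytes, key: bytes, expected_oid: str,
           policy_text: str) -> dict:
    attrs = sig["attrs"]
    recomputed = hmac.new(key, canonical(attrs), hashlib.sha256).hexdigest()
    return {
        "signature_ok": hmac.compare_digest(sig["signature"], recomputed),
        "content_ok": attrs["content_digest"] == hashlib.sha256(content).hexdigest(),
        # The relying party's own copy of the policy must match the bound reference.
        "policy_ok": (attrs["sig_policy_id"] == expected_oid
                      and attrs["sig_policy_hash"] == policy_hash(policy_text)),
    }


def all_ok(result: dict) -> bool:
    return all(result.values())
```

A signature is only accepted when all three checks pass; an amended policy text, a changed document, or an altered policy identifier each cause a different check to fail.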

Digital certificate provision will become an important aspect of the Maltese Government's current eGovernment initiatives. The take-up by citizens and companies of digital certificates for their daily business with government bodies and departments remains to be seen, but citizens surely need to be informed of the advantages of relying on this form of technology. Above all, Certification Service Providers have to understand that the issuing of digital certificates is concerned not only with technology issues such as secure encryption and proper redundancy of the system, but also with the various legal considerations that have to be kept in mind.
