Focus on Electronic Authentication
By Mairi S. MacDonald
As Canadians and as lawyers, we are becoming more and more comfortable with information technology as a tool that facilitates the processes — research, communicating with clients and authorities, managing our practices — in our professional lives. But what is the best way to approach the legal issues associated with a technology that can substantively improve evidence of intention?
This is the promise of digital signature technology, one of a group of electronic authentication measures intended to improve the security of on-line transactions. Electronic authentication is usually discussed in the context of electronic commerce: buying and selling over the Internet. But its potential extends to all sorts of transactions where it is essential that the parties know who, or what, is making a representation, and that the message received is exactly the same as the message sent. Transactions, in other words, for which Canadians often rely on lawyers as intermediaries.
Questions of how to prove authenticity and intention are central to law, and to how we practice law. Consider the deed poll and indenture, systems devised in medieval times to solemnize and authenticate messages. A written agreement signed by only one person would be delivered with a straight-cut — or polled — edge, to distinguish it from a deed signed by more than one person, or an indenture. The indenture would have an indented or serrated edge, to represent its origins in a single piece of parchment, torn in half, with a half given to each party. Each party could be sure that the other could not forge his half because it would be impossible to match the tear.
In the electronic world, authentication systems can supply the modern equivalent of that torn parchment: they can provide near-irrefutable proof that an electronic document is authentic. The challenge is to help people get comfortable with the process.
1. The Signature in the Electronic Age
Digital signatures, and other electronic authentication techniques, permit information to be sent securely over open electronic communications media, like the Internet. Using strong cryptography, digital signatures can achieve the objectives we traditionally associate with handwritten signatures — some say more securely and efficiently:
• Signer or identity authentication: A signature is used to indicate who signed a document or message. It should be difficult for someone other than the signer to produce without authorization;
• Document or integrity authentication: The signature is also used to identify what is being signed. Affixing a signature to a document is intended to make it impracticable to falsify or change either the signed matter or the signature itself;
• Solemnization: Signing a document or message is also intended to serve ceremonial and approval functions. We intend to sign, we approve of what we purport to say in the document, and we acknowledge the potential legal effect of that which we have signed;
• Efficiency: A signature, its creation and its verification should provide the greatest possible assurance of the authenticity of both the signer and the message, with the least possible expenditure of resources.
As we move away from using the Internet solely to obtain information, and towards actually conducting transactions over this open, public environment, it is increasingly important that the messages we rely on as buyer and seller, filer and government agency, can be "signed" electronically. Without secure electronic authentication, the range of transactions we can safely conduct, whether as citizens, consumers, or legal representatives, remains narrow, and the usefulness of the Internet remains limited.
2. Electronic Authentication and PKI
Electronic authentication generally relies on electronic signatures, of which digital signatures are a subset. The most common digital signature technology in use today is called Public Key Infrastructure or PKI (see 3. How it Works). In PKI, the originator of a message applies software to "sign" the transmission with a private key. The recipient of the message uses a public key that corresponds with the originator's private key to verify that the message did, indeed, come from the originator, and that its contents are unchanged since they were sent. PKI depends on a trusted third party, usually a certification authority or CA, to issue electronic "certificates" attesting to the validity of public and private keys and to the relationship between them.
For someone choosing to use a PKI or other authentication system — and even for someone who wants to conduct a transaction with a person who has chosen to use an authentication system — the questions and concerns are both numerous and fundamental. How can I be sure that the system will work? Will the system respect my privacy? How do I know I can trust the CA and the certificates it issues? Can I sue if something goes wrong, and if so, whom?
3. How it Works
Authentication can be defined as "a measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an authorization to receive specific categories of information." It generally relies on electronic signatures — signatures in electronic form that are attached to, or logically associated with, data — of which digital signatures are one type.
To send a message secured by a digital signature, the originator first establishes what is to be signed. The originator's software then uses a mathematical algorithm, called a "hash function", to create a digital representation of the message — a "hash result" — of a standard length, which is effectively unique to the message. Any change to the message invariably produces a different hash result, even using the same hash function. The software then transforms the hash result into a digital signature using the originator's "key". The digital signature associated with a message is usually sent and stored together with it.
The recipient of the message can then verify the digital signature of the originator, to be certain the message comes from its purported originator, and contains what the originator intended it to contain. To do this, the recipient's software computes a new hash result of the original message by means of the same hash function that was used to create the digital signature. Then the recipient uses another "key" to check whether the digital signature was created using the original "key" — thereby assuring herself of the originator — and whether the newly-computed hash result matches the original hash result that was transformed into the digital signature in the signing process.
In some systems, the "keys" used by originator and recipient are the same. More often, authentication systems are asymmetric, meaning that the originator uses a private key, accessible only to him, to sign the message, and the recipient uses a public key to verify it. This asymmetric system is called Public Key Cryptography.
The implementation of a digital signature using public key cryptography requires what is known as a public key infrastructure or PKI. PKI rests on a series of digital certificates. Certificates in the PKI context are electronic records that list a public key as their "subject", confirm that the prospective signer listed in the certificate holds the corresponding private key, and state the beginning and ending dates of the period during which the certificate is operational. Digital certificates must be handled by a trusted party, usually a Certification Authority or CA.
The CA in a PKI is responsible for a range of management functions, including generating, issuing, distributing, renewing, revoking and suspending digital certificates. CAs also provide information about whether particular certificates have expired or been revoked.
The receiver of a message who wants to rely on a digital signature created with a private key will obtain a certificate from the CA, and then use the public key listed in the certificate to verify that the corresponding private key was used to create the digital signature. The certificate also names the entity that has subscribed to the key pair. The issuing certification authority also digitally signs the certificate to authenticate it — both as to the content of the message and as to the identity of the CA — and similar authentication processes are used to verify the CA's digital signature. Finally, the certificate has to be made available to prospective relying parties who want to verify a digital signature, which can be accomplished by publishing certificates in a repository or on-line database accessible to the verification program.
Source: Information Security Committee, Section of Science and Technology, American Bar Association, Tutorial, 38 Jurimetrics J. 243-260 (1998)
The ABA has also developed Digital Signature Guidelines. See www.abanet.org/scitech/ec/isc/dsgfree.html
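The following Go program is an added example, not code from the article or from the ABA tutorial it cites. It walks through the steps described under "How it Works": the originator hashes the message and signs the hash with a private key; a CA issues a certificate that lists the subscriber's public key, the subscriber's name and the operational period, and signs that certificate with its own key; the relying party checks the certificate against the CA it trusts (including the validity period) and then verifies the message signature with the certified public key. The CA, the subscriber name and the sample message are constructed for illustration, and SHA-256 with ECDSA over P-256 is an assumed choice of hash function and signature algorithm, since the text names neither. Revocation checking, another CA function the text mentions, is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Sign: hash the message to a fixed-length result, then transform that hash into a signature with the private key.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifySignature: recompute the hash with the same function and check the signature against the public key.
func VerifySignature(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// issue has the signer's key sign a certificate template (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the trusted third party: a key pair and a self-signed CA
// certificate that relying parties hold as their trust anchor (constructed CA).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// NewSubscriber generates a subscriber key pair and has the CA issue a certificate
// listing the public key, the subscriber's name and the operational period.
func NewSubscriber(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifySignedMessage is the relying party's procedure: confirm the certificate was signed
// by a trusted CA and is valid at time now, then verify the message with the certified key.
func VerifySignedMessage(trusted, cert *x509.Certificate, msg, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !VerifySignature(pub, msg, sig) {
		return fmt.Errorf("signature does not verify with the certified key")
	}
	return nil
}

func main() {
	ca, caKey, _ := NewCA()
	now := time.Now()
	cert, key, _ := NewSubscriber(ca, caKey, "Jane Doe (constructed)", now.Add(-time.Hour), now.Add(time.Hour))
	msg := []byte("constructed sample message")
	sig, _ := Sign(key, msg)
	fmt.Println("genuine:", VerifySignedMessage(ca, cert, msg, sig, now))
	fmt.Println("altered:", VerifySignedMessage(ca, cert, []byte("altered message"), sig, now))
	fmt.Println("expired:", VerifySignedMessage(ca, cert, msg, sig, now.Add(48*time.Hour)))
}
```

The three calls in main show what the text describes: the genuine message verifies, any change to the message produces a different hash result and the signature no longer matches, and a certificate checked outside its operational period is rejected before the signature is even examined.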
4. Establishing a Framework for Authentication and Certification
Establishing trust in the technologies available, the CAs on which the technologies rest, and the market in which a user will choose an authentication method, can be a formidable task. Creating a trustworthy environment at a speed that corresponds to the rate of innovation and invention on the Internet poses a special challenge.
In the absence of several hundred years of common law, how do we set about defining and allocating the risks associated with electronic transactions that use authentication? Can we rely solely on private contract, or is legislation required? And how do we condition the environment so that people know what to expect when they encounter an authenticated transaction?
Though other countries are experimenting with more direct regulatory methods, Canada's approach to these questions has been to try to build a consensus around the principles that should be embodied in the legal instruments we use to resolve these questions. The first step was the decision that the Government of Canada took in 1998 not to regulate private sector entities providing authentication and certification services. ["A Cryptography Policy Framework for Electronic Commerce: Building Canada's Information Economy and Society", October 1998; http://e-com.ic.gc.ca/english/crypto/631d11.html]
Industry Canada's Electronic Commerce Branch then initiated several rounds of consultation with stakeholders in the public and private sectors to build a consensus around what steps it should take next. Consensus was reached that a framework should be established for authentication and certification services, for four reasons:
• To provide a means for users to establish the trustworthiness of certification authorities;
• To establish a consistent and auditable level of trust in authentication services;
• To allow for users to make choices based on some known parameters for trust and confidence; and
• To minimize situations where businesses and consumers, involved in more than one authentication scheme, may be faced with differing — even conflicting — requirements. ["Building Trust and Confidence in Electronic Commerce: A Framework for Electronic Authentication in Canada", Industry Canada, July 2000: http://e-com.ic.gc.ca/english/authen/doc/framework.pdf]
The first step in creating this framework is to enunciate a set of principles, or "voluntary assurance standards", to create some common ground for the implementation of electronic authentication systems. This work began in May 2001, and the CBA has been an active participant from the start.
Though they are supposed to work as minimum standards for implementation of authentication services in Canada, the principles being developed address the issues at a high level. They are also intended to be technology-neutral — that is, they are supposed to be applicable not only in PKI implementations, but in other types of authentication systems, such as those using biometric data. Within this framework, the working group is addressing a range of issues — many of which have significant substantive and procedural legal implications.
The principles are expected to extend the "governance structure" around these issues. At this point, that structure consists largely of policies, such as the 1998 Cryptography Policy and consumer protection principles [Principles of Consumer Protection for Electronic Commerce: A Canadian Framework, http://strategis.ic.gc.ca/epic/internet/inoca-bc.nsf/vwGeneratedInterE/ca01185e.html], supplemented by the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (http://laws.justice.gc.ca/en/P-8.6/text.html). The objective of the principles is to set a baseline for matters such as the allocation of liability among users, authentication service providers, CAs and other entities playing a role in an authentication transaction. Questions of roles, responsibilities, risk management, and liability also raise related issues of dispute resolution and complaint procedures.
Consider, for example, efforts to place patient health records on-line. In this type of application, the need for electronic authentication is obvious. It is imperative to protect the privacy and confidentiality of these records, as well as to ensure that they are accurate; this means that only authenticated persons — such as designated health professionals — can be allowed to contribute, review, or amend patient records, according to the privileges associated with each authenticated person.
Working out the risks of failure, and who is best placed to bear them, can be complex. The key seems to be to identify when, where and by whom there is reliance on the process — then working out who should manage the resulting risk, and how. It might be appropriate to ask the originator of a patient record, such as a family physician, to bear the risks associated with matters within her control: limiting access to the physician's private key, for instance. But this will only be reasonable if the authentication service provider has clearly expressed its reasonable expectations about security measures that the parties it authenticates, like the physician, must take. And if the originator of the information is the patient himself, should the authentication service provider be under additional obligations to explain or assume risks in view of the originator's presumed lack of sophistication about these technologies?
Adherence to the principles being developed will also help authentication services created for one industry or jurisdiction to gain acceptance in another industry.
For example, the Government of Canada has already developed a PKI for use primarily within government, using commercial, off-the-shelf authentication products. This GOC-PKI protects personal and sensitive information and communications. Seven internal CAs have been cross-certified, and efforts are underway to cross-certify with external government and quasi-government agencies in Canada and internationally.
From the point of view of the user of an authentication system, reliability is a key concern. Principles that establish common benchmarks will encourage suppliers to define themselves in the market by their adherence to the benchmarks, and by the ways in which they exceed the minimum framework of these principles. For the system to be reliable, it is also important that there be some way to evaluate a supplier's adherence to the principles. Should the supplier be audited or reviewed periodically? If so, must the evaluation be external, or is the supplier's internal auditing process adequate? Does the answer change if the supplier is one player in an industry, such as banking, or a third-party offering authentication services in support of transactions involving a number of industries?
5. Developing Law in Interesting Times
The work being done to develop the Authentication Principles is interesting on a number of levels.
Trying to identify and propose resolutions to legal and business implications of an evolving technology — or set of technologies — forces us to take a pretty general approach. It is a very different process from writing an agreement, or even a statute, to promote specific outcomes and resolve foreseeable difficulties between known parties.
Most types of entities involved in the authentication process can play a number of roles. As lawyers, for instance, we can easily see ourselves in the role of the originator or recipient of a transmission, and as a user of authentication either as an authenticated entity or as a relying party. In fact, Juricert's Trusted Digital Credential™ is an important first step towards these roles (see Juricert™). It is not much of a stretch to see ourselves needing to verify transmissions accompanied by electronic signatures and sent by other parties, such as our clients and other law firms with which we do business. But we could also expand our traditional roles to be the "trusted third parties" in electronic authentication services — the CA — as well. This potential scope, though liberating, certainly makes it more difficult to work through the risk management calculus that each role entails.
6. Juricert™
An initiative of the Law Society of British Columbia and other Canadian Law Societies, Juricert™ offers a service to register and then confirm the professional identity of lawyers, notaries, their staff and their clients.
Though not a digital signature, the Juricert™ Trusted Digital Certificate™ can be used by the registrant to activate commercial and government products or services that offer secure communications. Juricert™ can also provide validated registration services that will work with the requirements of digital CAs.
Also interesting, from a law-building perspective, is the effort to extend a governance structure through consensus-based principles, rather than by statute or judicial interpretation of private contracts. Perhaps PIPEDA's Part I, which relies on and establishes a regulatory framework to enforce the CSA Model Code for the Protection of Personal Information, incorporated as Schedule 1 to the Act, is a model for this sort of law-making, though one that makes many lawyers uncomfortable.
For most lawyers, most of the time, what will matter about electronic authentication is whether or not the software works reliably. But having input to the development of the principles and framework that is intended to guide the development of these technologies in the Canadian market gives us an opportunity to start working through the issues — even before we are called on for advice.
Mairi S. MacDonald
Neither the author nor the CBA should be construed as endorsing any product or website listed in this article. The views expressed in this article are those of the author and do not necessarily reflect the views of the CBA. In this document, any reference to "jurist" or "lawyer" includes, where appropriate, "Québec notary".