- Legal recognition: the Directive stipulates that an electronic signature cannot be legally discriminated against solely on the grounds that it is in electronic form. If a certificate and the service provider as well as the signature product used meet a set of specific requirements, there will be an automatic assumption that any resulting electronic signatures are as legally valid as a hand-written signature. Moreover, they can be used as evidence in legal proceedings.
- Free circulation: all products and services related to electronic signatures can circulate freely and are only subject to the legislation and control by the country of origin. Member States cannot make the provision of services related to electronic signatures subject to mandatory licensing.
- Liability: the legislation establishes minimum liability rules for service providers who would, in particular, be liable for the validity of a certificate's content. This approach ensures the free movement of certificates and certification services within the Internal Market, builds consumer trust and stimulates operators to develop secure systems and signatures without restrictive and inflexible regulation.
- A technology-neutral framework: given the pace of technological innovation the legislation provides for legal recognition of electronic signatures irrespective of the technology used (e.g. digital signatures using asymmetric cryptography or biometrics.)
- Scope: the legislation covers the supply of certificates to the public aimed at identifying the sender of an electronic message. In accordance with the principles of party autonomy and contractual freedom it does, however, permit the operation of schemes governed by private law agreements such as corporate Intranets or banking systems, where a relation of trust already exists and there is no obvious need for regulation.
- International dimension: so as to promote a global market in electronic commerce the legislation includes mechanisms for co-operation with third countries on the basis of mutual recognition of certificates and on bilateral and multilateral agreements.
Another important requirement for public key cryptography to be practically useful is the secure distribution of public keys. If you are dealing with a small group of people, you could exchange public keys directly, say using a disk. This is rarely possible in real life where you may need to deal with a large number of complete strangers and need to be sure of their true identities. This is where digital certificates come in. A digital certificate is an assurance provided by a third party (called a Certification Authority), e.g. GlobalSign, Verisign, etc., that a public key indeed belongs to the purported owner. A digital certificate contains a public key, the name of the person (or organisation) that the key belongs to, and the whole thing is authenticated with a digital signature.
Implementing the use of public keys on a large scale requires a lot of manpower as, technically, PKI is the combination of the technologies, infrastructure and practices needed to enable use of public key encryption and digital signatures in distributed applications on a significant scale. The main purpose of PKI is to distribute public keys accurately and reliably to those needing to encrypt messages or verify digital signatures. This employs digital certificates issues by certification authorities. PKI also covers certificate renewal, revocation, status checking and private key backup and recovery.
Organisations typically have two options:
- go for an in-house PKI, whether or not assisted by a third party with experience in PKI implementations;
- go for an outsourced PKI solution.
Even large governmental bodies such as the Belgian government have recently chosen for an outsourced solution. As part of an overall strategy to deliver e-government services to its citizens, the Belgian government defined the Belpic project, providing an electronic identity card to each Belgian citizen over a period of five years. The electronic identity card contains a photo, some basic identity information and a signature of the cardholder in visual and electronic format. Digital certificates stored on the card will allow secure identification and electronic signing.
The PKI market has not delivered on its promise because the implementation and maintenance of an in-house Public Key Infrastructure requires highly specialized internal staff. What customers such as the Belgian government want are digital certificates to secure their applications. They don't want the hassle of implementing and maintaining a complex PKI environment. Some Managed Security Service Providers, e.g. Ubizen, offer such outsourced PKI solutions.
Infosecurity Europe is Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April - 1st May 2003. www.infosec.co.uk