What is this Chapter About?

This Chapter is about identity management – how, in an environment
where information is being accessed or shared across organisations,
each organisation can be confident that the people involved are
who they say they are. Without this, there is no basis for trust.
Organisations need the ability to prove employees’ trustworthiness
to be able to conduct e-Business securely in a sound commercial
and legal manner.

Key Points

- MOD has established its own Root Authority for MOD employees
within Government networks, but requires the use of a commercial
Root Authority, CAs and RAs for interactions with its Industrial
partners.

Detail

The Law & PKI

English law permits any parties involved in a commercial arrangement
to use almost any mutually agreed form of signature to signify intent
in an electronic or written form. However, the advent of widespread
and international electronic business is demanding a standard mechanism
for trusted identification, managed at the corporate level, or higher.
The most common approach is a Public Key Infrastructure (PKI), which
encompasses the means of proving identity and the cross-organisational
management mechanisms for ensuring that the means of proving identity
remain trustworthy at all times.

Public Key Infrastructure

A private key authenticated by a digital certificate generated within
a PKI can be considered as the electronic equivalent of a passport.
Both establish identities for persons who have met the requisite
identity checks. The community accepts the validity of the holder's
identity because it trusts the issuer. The identity can be used
to authenticate the holder in subsequent transactions without directly
involving the issuer.

With PKI, the holder's
identity is contained in a digital certificate, and the issuer is
called the Certificate Authority (CA). The Trust Level of a certificate
can range between 1 and 10; with 1 being the lowest trust level
and 10 being the highest. The higher the degree of trust, the more
rigorous the verification method to which a person is subjected
by the Registration Authority (RA) before a certificate is issued.
All certificates in a PKI community of trust originate from the
Root Authority. In certain circumstances, it is possible to cross-certify
PKI communities of trust, using Trust Bridges – particularly
important in multinational programmes.

The digital certificate associated with the private key acts like
a passport to prove an identity to other organisations. However, a
digital certificate also supports:

o Authentication. To prove the person's identity.
o Non-Repudiation. To prove that a person received information.
o Encryption. To protect the information from being read.
o Integrity. To prove that the information or message content
has not been tampered with or read by an unauthorised third
party.

Message Assurance Requirements

In general, the recipient of an electronically sent message wants
to know who sent it (authenticity), and whether the content has
been deliberately or inadvertently altered after leaving the sender
(integrity). Depending upon the nature of the communication, the
sender may also want assurance of the recipient's identity before
sending the message, and evidence that the message was successfully
delivered which the recipient cannot later deny (non-repudiation).

For postal mail, the sender's
hand-written signature can be taken as evidence of message authenticity. The
difficulty in making an undetected change to hardcopy provides sufficient
assurance of integrity. The use of registered mail, to collect the
recipient's own signature as confirmation of delivery, provides
non-repudiation.
Parties should also be
able to communicate reliably with each other, with confidence that
their identities are established, with neither party being impersonated,
and with an assurance that communication cannot be repudiated after
it has occurred.

Means to achieve electronic message assurance

Industry has been exchanging data by electronic communications
for years using Electronic Data Interchange (EDI) connected over
Value Added Networks (VANs). These member-only networks provided
message assurance by behaving as the equivalent of a trusted courier
service. Whilst major Industrial corporations adopted EDI, it has
not found favour with smaller Industrial organisations mainly on
cost grounds. Conversely, the Internet has a comparatively low entry
cost, but provides none of the value-add implicit in VANs. Alternative
mechanisms to provide message assurance are required.

Electronic Signatures

An electronic signature can be considered as the digital equivalent
of a hand-written signature. If an electronic signature can be inextricably
bound to a message, it can provide an assurance of authenticity.
Furthermore, if that binding is such that any change to the message
causes signature verification to fail, an assurance of the integrity
of the message is also provided.
Multiple technologies exist
to create an electronic signature of this sort. The European Electronic
Signatures Directive, which provides a common framework for electronic
signatures, is technology neutral. However, the Directive is largely
based on the use of asymmetric encryption (using Public and Private
Key pairs) and certificate-based verification, which are characteristics
of Public Key Infrastructure (PKI) - the most common example of
electronic signature technology.
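To make the binding described in the two paragraphs above concrete, here is an added example in Go; it is not part of the original chapter and is not any project's code. It signs a constructed purchase-order message with an asymmetric key pair (the "Public and Private Key pairs" of the text) and verifies it, showing that verification succeeds on the original bytes, fails once the message is altered after signing, and fails against a different party's public key. The message text, the key pairs and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// SignMessage binds a signature to the exact bytes of msg: the message is
// hashed with SHA-256 and the digest is signed with the sender's private key
// (ECDSA over P-256, ASN.1 DER-encoded). Only the holder of that private key
// can produce the value, which is what gives the recipient authenticity.
func SignMessage(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyMessage recomputes the digest over the bytes the recipient actually
// received and checks the signature against the sender's public key. Any
// change to msg changes the digest, so verification fails: that is the
// integrity assurance the chapter describes.
func VerifyMessage(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignatureDemo signs a constructed purchase order and reports whether the
// signature verifies on the original bytes, on an altered copy, and against
// a different party's key.
func SignatureDemo() (original, altered, wrongKey bool, err error) {
	sender, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample message (not from the original chapter).
	msg := []byte("PO-0001: 40 units at GBP 125.00 each, deliver by 30 June")
	sig, err := SignMessage(sender, msg)
	if err != nil {
		return
	}
	original = VerifyMessage(&sender.PublicKey, msg, sig)

	// A change made after the message left the sender, whether deliberate
	// or accidental: the quantity becomes 48 units.
	changed := []byte(strings.Replace(string(msg), "40 units", "48 units", 1))
	altered = VerifyMessage(&sender.PublicKey, changed, sig)

	// An impersonator's public key does not match the signature either.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	wrongKey = VerifyMessage(&other.PublicKey, msg, sig)
	return
}

func main() {
	original, altered, wrongKey, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", original)  // true
	fmt.Println("altered verifies:", altered)    // false
	fmt.Println("other key verifies:", wrongKey) // false
}
```

The recipient never needs the sender's private key, only the public key, which in a PKI arrives inside the sender's certificate; the example stops short of certificates so that the signature-to-message binding stands out on its own.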

The European Electronic Signatures Directive

The European Electronic Signatures Directive (submitted by the European
Commission in May 1998, in law from July 2001) provides a common
framework for electronic signatures. This includes a legal framework.
As a general principle, the Directive states that Member States
may not deny the legal effect of an electronic signature merely
because of the electronic form of the signature.
A second principle of the
Directive is that Member States are obliged to recognise certain
types of electronic signature as having the same legal effect as
they would give to hand-written signatures. This second guarantee
only applies to "advanced" electronic signatures which
are based on a "qualified" certificate and which are created
by a "secure" signature creation device. For qualified
certificates, the Directive is not technology neutral: it mandates
certificate-based asymmetric cryptography and CAs.
The Directive thus provides
two levels of legal certainty for electronic signatures depending
on the level of technical security relating to the signature. On
the first level, electronic signatures in general cannot be denied
legal effect. On the second level, electronic signatures fulfilling
certain technical security requirements (as defined in the Directive)
will have the same legal effect as hand-written signatures.
The Directive also establishes
a minimum liability regime for certificate services providers (CSPs)
issuing qualified certificates to the public. Member States are
obliged to ensure that CSPs are liable for damage caused to a person
who reasonably relies on the certificate. The Directive allows CSPs
to indicate limits on the uses of certificates and the value of
transactions for which the certificates can be used. The CSP is
not liable for damage arising from use of a qualified certificate
contrary to the limits stated in it.

The UK Electronic Communications Act

In May 2000, the UK Electronic Communications Act (ECA 2000) was
passed. It defines an electronic signature as anything in electronic
form incorporated into a communication or data to establish the
authenticity or integrity of that communication or data. An electronic
signature is admissible in evidence in relation to any question
as to the authenticity of the communication or data or as to the
integrity of the communication or data.
ECA 2000 does not, however, fully implement the Electronic Signatures
Directive, in that it does not deal with:

a) the enhanced protection for advanced electronic signatures as
defined in the Directive; or
b) Certificate Services Providers (service provision based on CAs
and RAs), and in particular the provisions of the Directive relating
to the liability of CSPs who issue qualified certificates.
Instead, the Government's
preference for self-regulation has resulted in the Alliance for
Electronic Business setting up a voluntary self-approval scheme
(tScheme) for CSPs. tScheme publishes Approval Profiles
describing how CSPs should operate in order to attain accreditation
status.

Liability

A CSP takes responsibility for issuing digital identities to individuals
who have met authentication pre-requisites, and for revoking (blacklisting)
users on receipt of valid notification. Its liability covers failures
of the registration and issuing processes within its control which
result in either the certificate contents being incorrect or the
holder identified in the certificate not holding the corresponding
signature creation data.
Importantly, the CSP does
not warrant the data/information secured using a certificate - the
ECA 2000 does not require this. The lack of case law in this area
however results in a corresponding lack of clarity regarding what
is a reasonable level of liability in the event of damage caused
by an incorrectly issued certificate being used as part of a high
value transaction.

UK PKI & Trust Models

A PKI provides the capability to register and securely issue identities
to users. It does not itself "do" anything with the certificates.
To use certificates, business software capable of signing and verifying
with them is required. Ideally, all business software would provide
these functions as a matter of routine, but this is currently not
the case, although it is improving.
The initial requirement
for PKI on DECS is for the authentication of users accessing DECS
over the internet. The PKI "aware" software for authentication
is Novell's iChain product set. ChamberSign, an initiative of the
British Chambers of Commerce, has been selected as the preferred
CSP for DECS authentication certificates.
Use of certificates for
message assurance (e.g. e-Procurement, e-Tendering) will be implemented
as the specific business drivers are articulated, and the PKI-aware
application software becomes available.
Other European nations
have emerging Government PKI initiatives for internal use. ChamberSign
is perhaps the most relevant commercially available PKI as it is
backed by most European Chambers of Commerce, membership of which
is mandatory in several European countries, e.g. Italy and France.
ChamberSign is an initiative set up by Chamber of Commerce organisations
of 10 European countries and Eurochambres, which aims at creating
a comprehensive architecture for secure business-to-business electronic
commerce across international borders. ChamberSign is starting to
make digital signature technology widely available to the business
community and achieving international recognition and interoperability
of digital certificates issued by Chambers of Commerce. ChamberSign
covers the territories of Austria, Belgium, France, Germany, Italy,
Luxembourg, the Netherlands, Spain, Sweden and the United Kingdom.
Further expansion of the network is being planned to include nations
worldwide. Involvement with the USA is an early goal.

MOD Situation

To avoid potential issues of liability, the MOD has adopted the
strategy that Industrial partners should use certificates issued
by commercial CAs, whereas MOD personnel should use certificates
issued by public-sector CAs. To this end, the MOD has created a
top-level CA (known as a Root CA) under which subordinate CAs can
be created to issue certificates to MOD personnel.

DECS Situation

DECS trading partners will use commercially issued certificates,
whilst MOD users will use both MOD certificates internally
and commercially issued certificates externally. Realisation of
the MOD policy therefore creates a minimum of two separate communities
of DECS users. Conceptually, to establish trust between these communities
there are two options: global trust in which a direct relationship
is established at CA level (for example cross-certification in which
CAs establish parity of trust) or local trust in which each business
application is configured with the list of CAs which it should trust.
The former option is primarily suited to internal CAs within hierarchical
organisations. The latter option is more suited to inter-organisational
trust, and is the intended approach for DECS.
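The two communities of DECS users and the "local trust" option can be illustrated with an added example, written for this page in Go and not drawn from DECS, MOD or any CSP's systems. It builds a constructed MOD hierarchy (Root CA, subordinate CA, employee certificate, as described under MOD Situation) and a separate constructed commercial Root CA issuing to a trading partner, then shows that an application configured with only the MOD root trusts the employee but not the supplier, while an application whose trust list holds both roots trusts both. All CA names, subject names, validity periods and function names are assumptions; the "global trust" alternative (cross-certification between CAs) is not implemented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate with the private key whose public half it certifies.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// check aborts the demo on an error; issuance failing here is a programming error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for subject, signed by issuer. A nil issuer
// produces a self-signed Root Authority; isCA marks subordinate CAs that may
// themselves issue certificates. The RA's identity checks on the holder are
// assumed to have been completed before this call.
func issue(subject string, isCA bool, issuer *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &identity{cert: cert, key: key}
}

// trusted implements the "local trust" model: the application holds its own
// list of trusted Root CAs and accepts a holder's certificate only if a chain
// leads from it, through any subordinate CAs presented, to one of those roots.
func trusted(holder *x509.Certificate, subs, roots []*x509.Certificate) bool {
	rootPool, subPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range subs {
		subPool.AddCert(c)
	}
	_, err := holder.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: subPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// TrustDemo builds two constructed communities of trust, an MOD hierarchy
// (Root CA -> subordinate CA -> employee) and a commercial CA (root -> supplier),
// and reports what an application trusts with the MOD root only, then with both.
func TrustDemo() (modRootTrustsEmployee, modRootTrustsSupplier, bothRootsTrustSupplier bool) {
	modRoot := issue("MOD Root CA (example)", true, nil)
	modSub := issue("MOD Subordinate CA (example)", true, modRoot)
	employee := issue("MOD employee (example)", false, modSub)
	commercialRoot := issue("Commercial Root CA (example)", true, nil)
	supplier := issue("Supplier user (example)", false, commercialRoot)

	modRoots := []*x509.Certificate{modRoot.cert}
	bothRoots := []*x509.Certificate{modRoot.cert, commercialRoot.cert}
	modSubs := []*x509.Certificate{modSub.cert}

	modRootTrustsEmployee = trusted(employee.cert, modSubs, modRoots)
	modRootTrustsSupplier = trusted(supplier.cert, nil, modRoots) // other community
	bothRootsTrustSupplier = trusted(supplier.cert, nil, bothRoots)
	return
}

func main() {
	fmt.Println(TrustDemo()) // true false true
}
```

The point of the trust list being held by each application is visible in the last two calls: nothing about the supplier's certificate changes, only the set of roots the relying application has been configured to accept.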

US Situation

The PKI situation in the USA is both the most advanced and most
complex. Many corporations have identity management initiatives.
Exchanges are starting to offer various types of identity management
services including PKI. However, it is the US Federal community
that is most advanced:
§ US DOD External Certificate Authorities (ECA) provide
certification services for industry. http://www.disa.mil/infosec/pkieca/documents.html
§ US Federal Bridge Certificate Authority (FBCA) programme
is in the early stages of providing a bridging mechanism for all
Federal departments. One of the options being considered is to
link the ECA into the FBCA thus providing a trust path between
industry and the Federal environment. If this is agreed, then
there may also be an opportunity for approved US/UK corporate
PKI communities to be linked to the Federal Bridge. http://www.cio.gov/fbca

Summary

Any organisation that wants to engage in cross-organisational information
sharing or e-Business will need to address identity management.
Public Key Infrastructure is an essential tool for the electronic
conduct of commercial activities, providing for authentication,
non-repudiation and electronic signatures.

Who should I contact if I want to find out more?

For further Information contact the MOD’s PKI Management Authority:

Anne MacFarlane
Room 843
St Giles Court
London
WC2H 8LD
Tel: 020 721 80603
E-Mail: Info-EnabSvcsAD@defence.mod.uk

Are there any background documents?

Planning for PKI: best practices guide for deploying public key
infrastructures. Housley & Polk. Wiley. ISBN 0471397024
The European Electronic Signatures Directive –
http://europa.eu.int/information_society/topics/ebusiness/ecommerce/8epolicy_elaw/law_ecommerce/legal/documents/1999_93/1999_93_en.pdf

Electronic Communications Act 2000 –
http://www.hmso.gov.uk/acts/acts2000/20000007.htm

Further information on ChamberSign is available from Eurochambres
at http://www.eurochambres.be/whatwedo/chambersign.htm