FW: Signature certification

Caspar Bowden cb at fipr.org
Wed, 28 Mar 2001 16:02:47 +0100


Sorry if duplicated - didn't seem to get through

>Ben Laurie
>> Nicholas Bohm wrote:
>> Has anyone come across a service offered by a certification authority
>> consisting of receiving digitally signed data and certifying the signature
>> on it?  If so I would be grateful for a pointer to the CA in question.
>
>Why would you want to do that? If the CA has certified the public key,
>they can add no value to a signature that is verified by it.
>
>> This is how the Lord Chancellor's Department's Consultation Paper on
>> electronic conveyancing suggests that certification should be done.
>
>Then the Lord Chancellor's Department is a twit. Or you've
>misunderstood them.

The document is at http://www.open.gov.uk/lcd/consult/general/e-conv.htm

The immediate significance seems to be that a third-party certified sig.
will be REQUIRED.

The summary starts off reasonably, but the detail descends into utter and
self-contradictory confusion and ambiguity between keys, certificates,
hashes etc. Evidently the author doesn't understand, and was winging it.

The draft regs don't define certification except by reference to ECA2000
(which doesn't define it in a technically recognizable sense either), and
there seems plenty of scope for confusion with a "duly certified notary
public".

It looks like the problem is traceable to the fact that the words of ECA2000 are
designed to cover the case where a non-digital electronic sig. (whatever that may
be) is "certified" (i.e. witnessed) by someone after signing, as well as
"standard" usage of digital signature certs. I would guess the author
panicked, and fudged the language accordingly.

It's a bit of a shocker, really. I would guess more of the same and worse can be
expected as each Dept. tries to get their head around ECA.
--
Caspar Bowden               Tel: +44(0)20 7354 2333
Director, Foundation for Information Policy Research
RIP Information Centre at:    www.fipr.org/rip#media


16...the date and time at which the charge is to take effect is fixed by the
parties and is inserted into the electronic document. Mrs Jones then
executes the document as agent for Mrs Smith. ( Endnote 37 ) She does this
by incorporating her own electronic signature into the document. ( Endnote
38 ) A CERTIFYING AUTHORITY THEN CERTIFIES MRS JONES'S SIGNATURE

26...the method that tends to be most widely employed commercially is
"public" or "dual" "key cryptography". ( Endnote 60 ) In the barest outline,
the way in which this will work in electronic conveyancing is as follows.
One party to a disposition, typically a seller or mortgagor of registered
land, will send to the other party, the buyer or mortgagee (and HM Land
Registry), some TEXT which the sender will have ENCRYPTED using a "private
key". ( Endnote 61 ) The recipient will be able to decode the text by means
of a "public key", which will normally be OBTAINED from the certification
authority. That authority will have supplied the sender with his or her
private key and the public key will only decipher the encoded text if it was
indeed encoded by that private key.

28.   ...each electronic signature must be certified. Certification is the
mechanism by which the "private key", mentioned above, ( Endnote 67 ) can be
linked to a particular individual who signs a document electronically. (
Endnote 68 ) A private KEY will be ISSUED to an individual by a certifying
authority, which will have satisfied itself as to his or her identity, and
will take appropriate steps to ENSURE THAT IT IS NOT EMPLOYED BY ANYONE ELSE
(??!!). The private key will commonly be incorporated in a smart card issued
to the individual (thanks but no thanks), which will ALSO contain an
ELECTRONIC CERTIFICATE (??!!) from the certifying authority. The CERTIFICATE
will, therefore be SENT electronically by the person signing the electronic
document TOGETHER with the document that he has just signed (??!!)

54. ...When the terms of the contract are finalised, Mr Edwards and Mrs
Green will agree the time and date at which the contract is to take effect.
( Endnote 118 ) There is no "exchange of contracts". What happens instead is
that there is just one version of the contract on the secure Intranet and
each solicitor signs the contract on behalf of his or her client by
incorporating his or her own electronic signature into that contract. A
certifying authority will certify each of those signatures. The contract
will then be FROZEN (??!!) on the secure Intranet (gosh!) so that no further
changes can be made to it.
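
Ben Laurie's point in the quoted exchange, as an added example that is not part of the original post: the CA signs the signer's public key once, and any number of document signatures then verify against that certificate with no further CA step. Textbook RSA over SHA-256 with constructed Mersenne-prime keys stands in for a real signature scheme; every function and variable name is hypothetical.

```python
import hashlib

E = 65537  # public exponent used by both toy keys

def keypair(p, q):
    """Textbook RSA from two primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    # Toy encoding: SHA-256 reduced mod n (real schemes use PSS or PKCS#1 padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes; sizes are illustrative only.
CA_N, CA_D = keypair(2**521 - 1, 2**607 - 1)
# The signer generates this pair; the CA only ever sees USER_N.
USER_N, USER_D = keypair(2**107 - 1, 2**127 - 1)

def cert_body(name, n):
    return f"{name}|{n}".encode()

def issue_cert(name, subject_n):
    """Done once by the CA after an identity check: binds a name to a PUBLIC key."""
    return {"name": name, "n": subject_n,
            "ca_sig": sign(cert_body(name, subject_n), CA_N, CA_D)}

def verify_signed_doc(doc, doc_sig, cert, expected_name):
    """Relying party check: needs only the CA public key, no per-document CA step."""
    if not verify(cert_body(cert["name"], cert["n"]), cert["ca_sig"], CA_N):
        return False  # certificate altered or not issued by this CA
    if cert["name"] != expected_name:
        return False
    return verify(doc, doc_sig, cert["n"])

def demo():
    cert = issue_cert("Mrs Jones", USER_N)
    docs = (b"Charge takes effect at the agreed time", b"Contract for sale")  # constructed
    ok = [verify_signed_doc(d, sign(d, USER_N, USER_D), cert, "Mrs Jones") for d in docs]
    sig = sign(docs[0], USER_N, USER_D)
    tampered = verify_signed_doc(docs[0] + b"!", sig, cert, "Mrs Jones")
    swapped_key = verify_signed_doc(docs[0], sign(docs[0], CA_N, CA_D), dict(cert, n=CA_N), "Mrs Jones")
    return ok, tampered, swapped_key
```

`demo()` returns the two valid verifications followed by the results for an altered document and for a certificate whose key was swapped after issuance.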