Networking government in New Zealand.
 

8 The impact of digital signatures

8.1.1 The scope of S.E.E. Key is limited to authentication initially. However, decisions should not be made now that may exclude digital signatures at a later date.

8.1.2 If the EOI (evidence of identity) requirements for legal digital signature are not significantly more onerous than those needed for inter-agency authentication, it makes sense to aim for digital signature-level EOI now.

8.1.3 However, it appears likely that legal digital signature will require stronger registration processes, audit trails, long-term certificate status checking and digital time-stamping facilities. This is not to say that a document signed with a S.E.E. Key could not be used to support a case, nor that it would not add weight to a relying party's decision to trust the signed data.

8.1.4 Digital signatures for government business need to include the organisation name if they are to be acceptable to relying parties. This implies a business card approach: the certificate names both the person and the organisation they sign for.

8.1.5 The Electronic Transactions Bill will not be passed into legislation until later in 2001, and private sector CAs are also unsure as to minimum requirements for legal digital signature. However the bill does state:

"24 Presumption about reliability of electronic signatures
(1) [snip] an electronic signature is as reliable as is appropriate if:
(a) the means of creating the electronic signature is linked to the signatory and to no other person; and
(b) the means of creating the electronic signature was under the control of the signatory and of no other person; and
(c) [snip]
(2) Subsection (1) does not prevent any person from proving on other grounds or by other means that an electronic signature:
(a) is as reliable as is appropriate; or
(b) is not as reliable as is appropriate"

8.1.6 With respect to digital certificates, this gives a strong direction. The private key must be demonstrably tied to one individual (24(1)(a)), and it must be extremely well managed so that it remains under that individual's sole control (24(1)(b)).

8.1.7 Section 24(2)(a) does leave room for a scheme with minimal EOI, where reliability is proved by other means and possibly backed by organisational liability. This may, however, not be to the complete satisfaction of a well-informed relying party.

8.1.8 Different CAs will probably have different 'standard' EOI requirements, some of which may be more suitable for digital signature than others. Agencies can make their own choice about what level of digital certificate to adopt beyond the S.E.E. Key requirements.

8.1.9 Digital certificates are typically replaced annually, and staff could be asked to reapply to satisfy new EOI requirements for digital signature if required. This would be more of a burden on staff, administrators, and CAs than a simple certificate renewal process.

8.1.10 A key question for each agency will be how soon legal digital signature interaction with the public is required and for what proportion of staff.

8.1.11 There is a case to be made for having separate digital signature and authentication certificates, with the keys for each stored separately. An authentication key is exercised routinely, often without the user's conscious involvement, whereas a signature should only ever result from a deliberate act. Users will thus clearly see the difference between authenticating themselves and applying digital signatures, and a compromised authentication key cannot be used to produce signatures that a relying party would accept.
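The separation proposed in 8.1.11 is expressed in the certificates themselves through the X.509 key usage extension, and it only protects a relying party that actually checks it. The following Go program is an added example, not part of the original document or of the S.E.E. Key scheme: a demo agency CA issues one staff member two certificates with separate key pairs, an authentication certificate (digitalSignature with the clientAuth extended key usage) and a signing certificate (digitalSignature plus contentCommitment, the usage also known as nonRepudiation). A relying-party check then accepts a document signature only from the signing certificate and rejects one made with the authentication key, even though that signature is cryptographically valid. The names "Example Agency" and "Jane Example", the certificate lifetimes and the sample document are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Credential is one key pair plus the DER certificate issued for it. Under the separation
// proposed in 8.1.11 a staff member holds two of these, with the two keys kept apart.
type Credential struct {
	Key     *ecdsa.PrivateKey
	CertDER []byte
}

func check(err error) {
	if err != nil {
		panic(err) // only reachable on RNG or encoding failure in this demo
	}
}

// issue generates a fresh key pair and has the CA certify it under tmpl.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, tmpl *x509.Certificate) Credential {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	return Credential{Key: key, CertDER: der}
}

// BuildPki constructs a demo agency CA and issues one person an authentication credential
// and a separate signing credential. Both subjects carry the organisation name (8.1.4); only
// the signing certificate asserts contentCommitment. Names and lifetimes are assumptions.
func BuildPki() (roots *x509.CertPool, auth, sign Credential) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	// One-year end-entity template for the same person; only the key usage differs.
	ee := func(serial int64, ku x509.KeyUsage, eku []x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "Jane Example", Organization: []string{"Example Agency"}},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage:     ku, ExtKeyUsage: eku,
		}
	}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	auth = issue(ca, caKey, ee(2, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}))
	sign = issue(ca, caKey, ee(3, x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, nil))
	return roots, auth, sign
}

// SignDocument signs SHA-256(doc) with whichever key it is given; it is the relying party,
// not the signer, that enforces which certificate may be used for signing.
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyDocumentSignature is the relying party's check: chain to a trusted root, contentCommitment
// asserted, signature valid. It returns the subject so the organisation name can be displayed.
func VerifyDocumentSignature(roots *x509.CertPool, certDER, doc, sig []byte) (pkix.Name, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return pkix.Name{}, err
	}
	// ExtKeyUsageAny switches off Go's default serverAuth requirement; key usage is checked explicitly below.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return pkix.Name{}, err
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return pkix.Name{}, errors.New("certificate lacks contentCommitment: an authentication certificate was used to sign")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(doc)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return pkix.Name{}, errors.New("signature does not verify")
	}
	return cert.Subject, nil
}
```

Standard-library Go only. VerifyDocumentSignature does three things in order: it chains the certificate to the trusted root (which also enforces the validity period), it refuses any certificate that does not assert contentCommitment, and only then does it verify the signature. The first two steps are what separate a legal signature from a routine authentication handshake; a signature made with the authentication key passes the third step but fails the second. The subject returned carries the organisation name, so a display built on it follows the business card approach of 8.1.4. Long-term status checking and time stamping (8.1.3) are deliberately outside the scope of this example.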

8.1.12 See also section 6.5, Protection of the private key and the token.

