Information security

Digital signatures


1. What is a digital signature?

Digital signatures utilising public key infrastructure (PKI) are the dominant security measures in place around the world for signing and authenticating electronic communications.

A digital signature is not a computerised image of a handwritten signature, but the electronic equivalent of a signature. It is unique to each electronic document because it is derived from the document itself: any change to the document produces a different signature, allowing the recipient to ascertain whether an alteration has occurred after signing.

A digital signature involves a process where a user of the Internet leaves an individual electronic mark or series of codes on an electronic communication. The existence of this mark or code enables other parties to be assured that the communication came from the person designated as the owner of that mark or code. Digital signatures can aid the completion of contracts in an online environment.

A detailed discussion of digital signatures and PKI can be found in the Secure Electronic Transactions Fact Sheet.

2. How does a digital signature authenticate electronic messages?

(a) The consumer and merchant advise each other of the name of the certification authority (CA) to whom each is associated.

(b) The message in paragraph (a) must identify the certificate serial number that specifies the public key.

(c) Each recipient of the message in paragraph (a) accesses the relevant CA certificate directory (including the Certificate Revocation List or CRL) to ascertain the corresponding public key.

(d) The public key certificate will be signed by the CA (ensuring the integrity of the certificate) and will identify the validity period of the public key pair.

(e) Once the relevant public key certificate is obtained, the recipient of a digitally signed document can verify the validity of the digital signature using the public key.

(f) A recipient should check the CRL to satisfy itself that the certificate has not been revoked before its expiry, for example because the private key has been compromised.
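The six steps above, worked through end to end as an added example (not part of this fact sheet) using Go's standard library: a constructed CA issues the merchant a certificate carrying a serial number, the merchant signs a document with the private key, and the recipient chains the certificate back to the CA (which also enforces the validity dates), consults a revocation list keyed by serial, and checks the signature against the document. The names newCA, issue, Signer and Verify, the sample document and the serial numbers are all constructed for this example, and the map passed as `revoked` stands in for a real CRL download and signature check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer is a party (consumer or merchant) holding a private key and the
// certificate a CA issued for the matching public key.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCA builds a self-signed certification authority. Constructed for this
// example; a real CA root would be obtained and trusted out of band.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// issue generates a key pair for a subject and has the CA sign a certificate
// binding the public key to that subject under the given serial number
// (step (b): the serial is what the parties quote to identify the key).
func issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, subject string, serial int64) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Key: key, Cert: cert}, nil
}

// Sign hashes the document and signs the digest, so the signature depends on
// every byte of the document and changes if any byte changes.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// Verify is the recipient's side of steps (c) to (f): chain the sender's
// certificate to the trusted CA (validity dates included), reject serials on
// the revocation list, then check the signature over the document digest.
func Verify(caCert, cert *x509.Certificate, revoked map[string]bool, doc, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if revoked[cert.SerialNumber.String()] { // stand-in for a CRL lookup
		return errors.New("certificate serial appears on the CRL")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match the document")
	}
	return nil
}

func main() {
	caKey, caCert, _ := newCA()
	merchant, _ := issue(caKey, caCert, "merchant.example", 42)
	offer := []byte("Price: AUD 100; valid until 30 June") // constructed sample document
	sig, _ := merchant.Sign(offer)
	none := map[string]bool{}
	fmt.Println("genuine:", Verify(caCert, merchant.Cert, none, offer, sig))
	fmt.Println("altered:", Verify(caCert, merchant.Cert, none, []byte("Price: AUD 10; valid until 30 June"), sig))
	fmt.Println("revoked:", Verify(caCert, merchant.Cert, map[string]bool{"42": true}, offer, sig))
}
```

Run stand-alone, the genuine case prints `<nil>` and the altered and revoked cases print an error, which is the point of steps (e) and (f): a signature that was valid when made is still rejected if the document has changed or the certificate has since been revoked.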

3. Digital signatures and electronic contracts

A digital signature is a method for signing electronic contracts to establish:

(a) identity of the parties to the contract;

(b) integrity of the terms and conditions governing the contract;

(c) timeframe of the terms and conditions; and

(d) acceptance of the terms and conditions by the parties to be bound.

4. When should digital signatures be used?

A digital signature should be used if a transaction or electronic communication requires any of the following:

(a) confidentiality: the prevention of third-party access to message content (see Confidential Information Fact Sheet);

(b) message authentication: the recipient of a message can confirm that the message was sent by the person who claims to have sent it (see Secure Electronic Transactions);

(c) message integrity: proof that the contents of a message have not been accidentally or deliberately altered during transmission (see Contract);

(d) non-repudiation: the sender cannot later deny or repudiate having sent the message (see Contract);

(e) personal details of a person, such as age or country of origin (see Online Gambling Contracts, Best Practice Model, Online Content Regulation).

Generally the higher the risk that the transaction will be compromised, invalid or unenforceable without a mechanism to enforce or secure the transaction, the greater the need for a risk management procedure. Digital signatures represent one strategy and may be complemented by others such as biometric or smart card technologies (eg microchips).

For example, a digital signature could be used to verify the identity, age and country of origin of a customer to ensure the customer has legal capacity and is authorised by domestic and international law to enter into the transaction. This is particularly important in relation to online gambling services, restricted viewing services and customers in countries whose domestic law prohibits them from entering into online transactions.

5. Legal risk with digital signatures

(a) A private key number may be between 160 and 500 digits long and must be kept secret by its lawful holder via a secure token or other secure means. The security of any system is only as strong as its weakest link. If a private key is stored on a private computer accessible by a five digit password, the system is only as strong as the fidelity and security of that password (eg against Trojan attack or fraud by neighbours).

(b) A digital signature system may use encryption technologies that are prohibited under the export or import law of a country. See Encryption of Data.

6. Managing legal risk with digital signatures

(a) Parties using digital signatures should clearly and precisely allocate liability for acts and omissions which compromise a private key. Generally the private key holder should be held responsible for compromising the private key. The parties may negotiate liability for compromising a private key on a sliding scale from strict liability to reckless indifference or intentional behaviour. It is preferable to cap or limit liability for each scale.

(b) Consider registering with an organisation that deals exclusively with security issues on the internet. For example, the Directory of Electronic Authentication Technologies (at www.aeema.asn.au) collects information on security solutions. AusCERT is another example at www.ausCERT.org.au. Such organisations will generally be linked to trusted counterparts around the world, providing up-to-the-minute information on vulnerable systems and potential security attack methods. If requested, they may complement the work of in-house security groups by providing a central repository of information, a source of expertise and a channel of communication on security matters.

(c) Ensure your website has a comprehensive privacy and security policy that is drawn to the attention of users of the website. The policy should implement or cover the following:

* procedures which comply with privacy laws (see Privacy Fact Sheet);

* provide consumers with information about the security and authentication mechanisms used in clear simple language in order to assist consumers to judge the level of risk in relying on those systems (see Trade Practices and Consumer Protection);

* where appropriate, provide a level of security for protecting the personal and payment information of users of the website (including consumers);

* provide appropriate levels of security for identification and authentication mechanisms to be used by consumers;

* discourage consumers from providing confidential information in an insecure manner;

* procedures to ensure personal information is kept secure and in compliance with International Standards and national guidelines including:

(i) competent security design and capability of data architectures;

(ii) integrity and supervision of personnel who have access to information;

(iii) proper maintenance of log-ons, password allocation and rotation systems and other identifier protocols;

(iv) proper maintenance of encryption systems; and

(v) regular or adequate monitoring of overall data operations;

* undertake appropriate action when a security breach is detected, and publicise the action as a deterrent.


Other relevant Articles on this site:
Best practice model
Secure electronic transactions
Electronic payment systems
Trade practices and consumer protection
Contract
Online gambling contracts
Encryption of data

Other relevant Fact Sheets:
Confidential Information
Consumer Protection
Electronic Payment Systems
Electronic Transactions Act
Keeping Electronic Records
Online Content Regulation
Online Contracts
Online Gambling
Privacy
Secure Electronic Transactions