D. Appendix D - Managing risks of signature use and document integrity for electronic conveyancing [61]

Digital signatures are used to mitigate two important risks:

a) the apparent signer of a document asserting they did not sign (signer identity authentication); and

b) the apparent signer asserting that the document was altered after signing (content integrity).


Signer Identity Authentication


Signer identity authentication (risk 'a' above) involves mathematical proof that the document was signed by the signing key for which the key-holder is responsible. A fundamental purpose of Public Key Infrastructure (PKI) is to provide strong evidence when a document has been signed by a particular private key, to prevent the identified key-holder for that private key from effectively repudiating the signature. The identified key-holder is strongly presumed to be the signer of the electronic document digitally signed with that private key.




What is actually established from a technical perspective is that a specific private key was used to sign the document. Through the key-holder registration process conducted by the Registration Authority, it can be established that at the time a Digital Signature Certificate (DSC) containing the corresponding public key was issued by a Certification Authority, the CA was satisfied that the relevant private key was controlled by a specific individual or organisation named in the DSC.


The strong presumption that the individual or organisation named in the DSC applied the private key to create the digital signature assumes that the individual or organisation has retained exclusive control over the use of the private key since the DSC was issued, and is therefore responsible for its use.


The physical and IT security protecting the private key controlled by the key-holder is generally the weakest link in the overall security of a PKI (indeed of any electronic authentication solution). The security of the private key can be compromised by the key-holder either knowingly or unknowingly providing a third party with access to their private key, or by the Subscriber organisation's IT security being inadequate and allowing malware to access the key.


It is important that Subscriber organisations ensure their physical, IT and network security is adequate and that there are business processes and policies in place to manage the security of private signing keys and their use to create digital signatures.











[61] The material following identifies key risks and treatment options relevant to digital signing of electronic instruments for NECS, from the NSW Land Registry perspective. Management arrangements for the risks and treatments identified here will include the Certificate Policy for DSCs for electronic conveyancing, NECS Participation Rules, jurisdiction enabling legislation for electronic conveyancing, practice and practitioner fidelity and indemnity insurance provisions, and practices maintained by NECS, NECS Subscribers, and Certifiers. It will be necessary that NECS national consultation arrangements determine policies and enforcement arrangements for acceptable practices. The material is presented here as an information resource supporting consideration of the issues raised in this Digital Signing of Electronic Instruments consultation paper.

Regardless of whether there is internal organisational approval for a third party to use the private key, such use will be a breach of the Certificate Policy under which the DSC is issued. A Certificate Policy under Gatekeeper requires the person to whom a DSC was issued to protect the security of the corresponding private key and to use it only within the scope for which it was issued.



Whether the key-holder has an Individual DSC or an Organisation DSC, any use of the private key by a party other than the key-holder represents a breach of the Certificate Policy under which the certificate was issued [62].


The only situation under Gatekeeper where a third party can apply a key-holder's private key is with respect to Hosted Certificates [63]. This is a complex and risky arrangement, introduced to satisfy a particular agency business requirement. Use of Hosted Certificates is restricted to closed communities of interest and is not widely promoted, largely due to the inherent risks associated with allowing third parties to manage and use private keys on behalf of the key-holder. Allowing a third party to use your private key is equivalent to allowing a third party to sign your name on a legal document.



The NSW Land Registry does not support the use of Hosted Certificates for NECS.


To "legally" allow the key-holder to delegate the use of their keys and certificate to another person within the same Subscriber organisation would require the drafting of a Certificate Policy that specifically allows it, as well as very rigorous business rules to manage the risks.


It is highly unlikely that a Gatekeeper Certification Authority would support such an endeavour: one delegation can lead to others, and then to other "informal" arrangements, all of which increase the risks to the Subscriber organisation (and thus to relying parties).


The NSW Land Registry does not support any delegated use of a private key for electronic conveyancing.


The Gatekeeper Core Obligations Policy states that a Subscriber (key-holder) must:

• only use Keys and DSCs within the limits specified in the Certificate Policy under which the DSC was issued;

• take all reasonable measures to protect their Private Key(s) from compromise and take all necessary precautions to prevent loss, disclosure, modification, or unauthorised use of their Private Key(s);

• ensure that all information provided, and any representations made, to a Gatekeeper Accredited Registration Authority, a Relationship Organisation, a Known Customer Organisation or a Threat and Risk Organisation are complete and accurate;











[62] Note that the National Project Team has recommended use of organisation DSCs only for electronic conveyancing.

[63] See Department of Finance and Deregulation, Australian Government Information Management Office, GATEKEEPER PKI FRAMEWORK, HOSTED CERTIFICATE POLICY SPECIFICATION, February 2009, http://www.finance.gov.au/e-government/security-and-authentication/gatekeeper/docs/Hosted_Certificate_Policy_Specification.pdf, viewed 20 November 2009.

• perform any additional requirements as specified in the Certificate Policy under which the DSC was issued;

• promptly notify the Certification Authority in the event that they consider or suspect there has been a compromise of their private keys; and

• promptly notify the relevant Registration Authority, Relationship Organisation, Known Customer or Threat and Risk Organisation in the event that they consider the Evidence of Identity information provided by them is or may be incorrect.


NSW Land Registry considers that in the electronic conveyancing environment, confidence in digital signing may be increased by enforcing an 'intent confirmation check' at the time the key-holder signs, to the effect: "You are now about to sign for legal effect. Do you wish to continue? Yes/No"



This form of intent confirmation check would have the effect of reinforcing in the mind of the key-holder the significance of what they are doing, and may also assist with the evidence to support non-repudiation of the transaction, i.e. that there was a clear intent on the part of the key-holder to sign the specific transaction.


Signer identity authentication applies both in relation to the document between "there" and "here" (i.e., to the sender and receiver) as well as between "now" and "then" (i.e., when it was signed and when it was relied upon).


It is intended in NECS that where a Certifier is the named key-holder in an Organisation DSC which also names the Subscriber Organisation, both the Certifier and the Subscriber organisation would be liable for application of the corresponding private key to create digital signatures.


There should be no exceptions to the rule that a Subscriber organisation is responsible and liable for the use of private keys which correspond to valid DSCs naming the Subscriber organisation or its employees or agents (attribution rule). This is so whether the use occurs through misuse by the key-holder or as a result of third party fraud (i.e., via a person who is not the key-holder). A Subscriber organisation remains liable for the activities of its key-holders, i.e., those individuals who are directly linked to it by employment or contract and who can have their name and that of the Subscriber organisation linked within the certificate.


General practice is that a key-holder must be bound to the Subscriber organisation by employment or contract. The NSW Land Registry view is that for a contractor to legally sign a registry instrument on behalf of a Subscriber, the individual who is the contractor must be an Industry Certifier, and this relationship with the Subscriber must be in the form of a written agreement.




Non-employees should not be issued DSCs that bind them to the Subscriber organisation (i.e. the certificate must not have the individual's name and the name of the organisation in it) unless the non-employee individual satisfies the Industry Certifier and written agreement contractor requirement. This should be the requirement both with respect to individuals and firms acting as agents for the Subscriber organisation.




The legal relationships will have to be settled by reference to a services agreement between the agent and the Subscriber organisation. The challenge will be to establish what actions an agent key-holder is authorised to take on behalf of the Subscriber organisation (perhaps even more complex with respect to agents and other non-employees).

Content Integrity


With respect to content integrity (risk 'b' above), a successful verification of the digital signature proves mathematically that the content has not changed since it was signed. The greater variable in relation to the integrity of a signed document is the infrastructure, rules and practices maintained and enforced for digital signing of electronic instruments, in particular by Subscribers.



Each digital signature is unique to the private signing key used and to the content of the document signed. The digital signature is mathematically created by the signing software, and validation software uses the corresponding public key and the same mathematical operations to check the signature against the content of the document. All of this happens "behind the scenes" (i.e. it is transparent to the User) and proves content integrity from the time of digital signing.
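As an added illustration (not code from the consultation paper, NECS or Gatekeeper), the following stand-alone Python shows the mechanics behind both risks 'a' and 'b' above: a signature is computed from the document's hash under one private key, verification with the corresponding public key succeeds, and it fails both when the content changes after signing and when a different key-holder's public key is used. The RSA key generation, the PKCS#1 v1.5-style padding and the sample instrument text are constructed for this example; production systems use accredited libraries and keys bound to a certified DSC.

```python
"""Added example: how a digital signature binds a document's content to one private key.
Toy RSA using only the Python standard library, constructed for illustration.
Not NECS, Gatekeeper or NSW Land Registry code, and not for production use."""
import hashlib
import secrets

PUBLIC_EXPONENT = 65537  # conventional RSA public exponent


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd prime with exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)). The key-holder keeps (n, d) secret; (n, e) is what a DSC would carry."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if phi % PUBLIC_EXPONENT != 0:  # e is prime, so this means gcd(e, phi) == 1
            return (n, PUBLIC_EXPONENT), (n, pow(PUBLIC_EXPONENT, -1, phi))


def _encoded_digest(document, n):
    """SHA-256 of the document, padded PKCS#1 v1.5 style (00 01 FF..FF 00 || digest) to the modulus length."""
    digest = hashlib.sha256(document).digest()
    em_len = (n.bit_length() + 7) // 8
    padding = b"\xff" * (em_len - len(digest) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + digest, "big")


def sign(private_key, document):
    """Signature = padded digest raised to the private exponent; depends on key AND content."""
    n, d = private_key
    return pow(_encoded_digest(document, n), d, n)


def verify(public_key, document, signature):
    """True only if `signature` was made over exactly `document` by the private key matching `public_key`."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _encoded_digest(document, n)


def demonstrate():
    """Sign a constructed instrument, then exercise the two failure modes the appendix describes."""
    public_key, private_key = generate_keypair()
    instrument = b"Transfer of Lot 1 DP 12345 from A to B"  # constructed sample content
    signature = sign(private_key, instrument)

    genuine = verify(public_key, instrument, signature)
    # risk 'b': any change after signing, even a single character, invalidates the signature
    tampered = verify(public_key, instrument.replace(b"Lot 1", b"Lot 2"), signature)
    # risk 'a': the signature does not verify under another key-holder's public key
    other_public_key, _ = generate_keypair()
    wrong_key = verify(other_public_key, instrument, signature)
    return {"genuine": genuine, "tampered": tampered, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demonstrate())  # {'genuine': True, 'tampered': False, 'wrong_key': False}
```

The verifier never sees the private key; it recomputes the padded digest from the document it received and compares it with the signature decrypted under the public key, which is why a mismatch cannot tell you whether the content changed or the wrong key was used, only that the claimed binding does not hold.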


Variability arises principally from the Subscriber's practices and protocols. For example, the Subscriber is to be responsible for applying the prescribed standard and practice of identity verification for applicants to become the key-holder of a 'child' organisation DSC, and for enforcing organisation protocols on key security. Where inadequate identification is conducted, or inadequate protocols are allowed, a digital signature might not in fact be created by the apparent signer/key-holder, but the Subscriber organisation should nevertheless be responsible for the signature.


Head office: 1 Prince Albert Road, Queens Square, SYDNEY NSW 2000 | T 13000 LANDS | 61 2 8236 7173 | www.lpma.nsw.gov.au