Digital Signatures and Certificates

Article excerpt

Ensuring Authentication and Non-repudiation

The AICPA's 2007 Top Technology Initiatives named "identity and access management" and "securing and controlling information distribution" as the second and seventh most influential technologies, respectively. These technologies depend, in part, on policies, procedures, and practices that verify (authenticate) an individual's identity before granting access to digital resources, such as a computer network and the files it contains. Login names, passwords, and personal identification numbers (PINs) are familiar and acceptable methods for implementing authentication policies.

The combination of a digital signature and certificate, however, provides a more secure authentication mechanism. When used to convey digital documents, the combination ensures that the document's content has not been altered, restricts document access to authorized individuals, and records who sent and received the document and when they did so. The latter feature improves on the common practices of either using PDF files or password-protecting Microsoft Office documents, which provide no assurance as to time or user identity. Used together, these features prevent the parties from repudiating their participation in a digital communication. Digital certificates, therefore, can play an important role in electronic contracts, in maintaining adequate internal controls, and in performing audits.

Legal Status

Digital signatures would not be implemented if their legal status were in doubt. In the United States, the Electronic Signatures in Global and National Commerce Act (Public Law 106-229, 2000, www.ntia.doc.gov/ntiahome/frnotices/2002/esign/report2003/electronicsignaturesact.pdf) established the legal foundations for using digital signatures at the federal level. It provides, in part, that digital signatures have the same legal status as handwritten signatures in interstate and international commerce. At the state level, the National Conference of Commissioners on Uniform State Laws (NCCUSL) approved the Uniform Electronic Transactions Act in 1999 (www.ncsl.org/programs/lis/CIP/ueta.htm) and recommended that all states enact it. That act likewise establishes a legal foundation for the use of digital documents and signatures. As of the end of the 2005 legislative season, only Georgia, Illinois, New York, and Washington had not enacted the act, but each of these states had other enabling legislation in effect.

Implementation Foundations

The mechanisms for implementing digital signatures have evolved to exploit the power of the new technologies known as "Web 2.0." The foundations of the technology, however, have not changed significantly since they were explained by Fritz Grupe, Stephen G. Kerr, William Kuechler, and Nilesh Patel in June 2003 ("Understanding Digital Signatures," The CPA Journal).

The process for implementing a digital signature requires two main components. The first is the public key infrastructure (PKI), which uses public-key cryptography to generate two mathematically related digital keys. One is a private key, available only to the signer of an electronic document. The other is a public key, available to anyone who needs to access a document signed with that signer's private key. The recipient who uses the public key to verify the document's signature knows that the message came from the person controlling the private key, and the same verification confirms that the message content was not altered by anyone after it was sent.

The second component is a certificate authority (CA), a trusted, independent third party that issues the private and public key pair and a digital certificate on behalf of a message sender. Effectively, that certificate is attached to every message processed with the private key. Through this process, the CA:

* facilitates the distribution of the public keys to message recipients;

* assures the private key owner's identity (depending on the level of service subscribed to by the key owner); and

* verifies the private key's validity and revokes a private key's credentials when notified that the key's security has been compromised. …
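As an added illustration (not code from the article or its authors), the following Go program, built only on Go's standard library, walks through both components just described: a CA with a self-signed root issues a subscriber's key pair and certificate, the subscriber signs a document's SHA-256 digest with the private key and attaches the certificate, and a recipient who trusts only the CA's root checks that the attached certificate chains to it and has not been revoked before checking the signature with the public key taken from that certificate. The CA and subscriber names and the invoice text are constructed, and the revoked-serial map is a stand-in for a real CRL or OCSP check; Ed25519 is used as the signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CA is the trusted third party: its root key, self-signed root certificate and
// the serial numbers it has revoked (a constructed stand-in for a CRL or OCSP responder).
type CA struct {
	Cert    *x509.Certificate
	priv    ed25519.PrivateKey
	revoked map[string]bool
}

// SignedDocument is what reaches the recipient; the signer's certificate (DER) travels with it.
type SignedDocument struct{ Content, Signature, CertDER []byte }

// newIdentity generates a key pair and a certificate for name: self-signed for a CA,
// otherwise signed by the parent CA's key. Identity vetting is assumed to precede this.
func newIdentity(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // random serial, as real CAs use
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv // a root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// NewCA creates a certificate authority with a fresh root key and certificate.
func NewCA(name string) (*CA, error) {
	cert, priv, err := newIdentity(name, true, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, priv: priv, revoked: map[string]bool{}}, nil
}

// Enroll issues a subscriber a key pair and a certificate binding name to its public key.
func (ca *CA) Enroll(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	return newIdentity(name, false, ca.Cert, ca.priv)
}

// Revoke withdraws a certificate (e.g. after key compromise); IsRevoked is the recipient's check.
func (ca *CA) Revoke(cert *x509.Certificate)  { ca.revoked[cert.SerialNumber.String()] = true }
func (ca *CA) IsRevoked(serial *big.Int) bool { return ca.revoked[serial.String()] }

// Sign hashes the content, signs the digest with the private key and attaches the signer's certificate.
func Sign(content []byte, key ed25519.PrivateKey, cert *x509.Certificate) SignedDocument {
	d := sha256.Sum256(content)
	return SignedDocument{Content: content, Signature: ed25519.Sign(key, d[:]), CertDER: cert.Raw}
}

// Verify is the recipient's side: trust only root, require the attached certificate to chain
// to it and not be revoked, then check the signature with that certificate's public key.
// On success it returns the signer's name as certified by the CA.
func Verify(doc SignedDocument, root *x509.Certificate, isRevoked func(*big.Int) bool) (string, error) {
	cert, err := x509.ParseCertificate(doc.CertDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", errors.New("certificate not issued by the trusted CA: " + err.Error())
	}
	if isRevoked(cert.SerialNumber) {
		return "", errors.New("signer's certificate has been revoked")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if d := sha256.Sum256(doc.Content); !ok || !ed25519.Verify(pub, d[:], doc.Signature) {
		return "", errors.New("signature does not match content: wrong key, altered or forged")
	}
	return cert.Subject.CommonName, nil
}
```

Running the flow with NewCA, Enroll, Sign and Verify shows each of the three CA roles above in turn: the recipient never needs the signer's public key out of band, because it arrives inside the attached certificate (distribution); a document signed by a key certified by some other CA, even under the same name, is rejected before the signature is examined (identity assurance); and once the CA records the certificate as revoked, documents signed with the compromised key are refused, while any change to the content after signing fails the digest comparison. The program follows the article in having the CA generate the subscriber's key pair; in many deployments the subscriber generates its own key and submits only the public key to the CA in a signing request, which keeps the private key from ever leaving the signer's control.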