FREQUENTLY ASKED QUESTIONS
- What is a Contract?
- What is Contract Management?
- What is an Electronic Signature?
- What is a Digital Signature?
- How to digitally sign and authenticate documents?
- What are the benefits of Digital Signatures?
- Who uses electronic & digital signatures?
- Are electronic and digital signatures legally binding?
- What are the countries where electronic signatures are legally recognized?
- Can my business lower costs using electronic signatures?
- What is a Public Key Infrastructure (PKI)?
- How does PKI secure messages and documents?
- What is a digital certificate?
- Why use digital certificates for online transactions?
- Why use smart cards to store private keys?
- What are the components of a PKI?
- What is a certification authority (CA)?
- Who is IdenTrust Inc?
- What is a root certification authority (RCA)?
- What is a registration authority (RA)?
- What is a certificate policy (CP)?
- What is a certification practice statement (CPS)?
- What is a policy approval authority (PAA)?
- What is a policy creation authority (PCA)?
- What is a certification revocation list (CRL)?
Q: What is a contract?
A contract is an agreement between two or more parties which is enforceable by law. Therefore it is said that "all contracts are agreements but all agreements are not contracts". The law regards contracts as collections of obligations. Contracts form the foundation of any enterprise by representing most business relationships throughout their lifecycle, for instance, from procurement to sales; employment to partnerships and real estate.
Q: What is an e-Contract?
An electronic contract is an agreement created and "signed" in electronic form; in other words, no paper or other hard copies are used. Since a traditional ink signature is not possible on an electronic contract, people use several different ways to indicate their electronic signatures, including typing the signer's name into the signature area, pasting in a scanned version of the signer's signature, clicking an "I accept" button on a "click to agree" contract in an online store, or using cryptographic technology to apply a digital signature.
Q: What is e-Contracting?
Electronic contracting (e-contracting) means contracting in the electronic medium. An e-contracting process basically includes two stages: contract establishment (formation) and contract enactment. E-contracting activities such as identifying, checking and validating the contractual parties, and negotiating and validating the contract, belong to the contract establishment stage.
Contract enactment is further separated into two phases: performance and post-contractual activities. Monitoring of contract performance and compensation activities belong to the contract performance phase while contract enforcement may be involved in both contract performance and post-contractual activities.
Q: What is Contract Management?
Contract management is concerned with managing the lifecycle of a contract from negotiation and authoring through performance monitoring and amendments to its termination or renewal. Contract management helps companies and entrepreneurs enhance profits by minimizing legal and regulatory risk.
Q: What is an Electronic Signature?
Electronic signature is a broad term that refers to any electronic data that carries the intent of a signature. National legislation worldwide provides for the legal significance and validity of a variety of electronic signatures. Such legislation generally does not impose limitations on the technology used for creating or signing an electronic document. For instance, the US federal Electronic Signatures in Global and National Commerce Act (E-SIGN) of 2000 provides that a signature in an electronic agreement can be "an electronic sound, symbol, or process attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the electronic record". An electronic signature does not necessarily have to involve the name (handwritten or otherwise) of the signer.
Electronic signatures can take several different forms:
- Click signature: To buy something online, you fill in your personal information, enter a credit card number, and click a button to finalize the purchase. Clicking the button is equivalent to signing the register tape when you use a credit card at a brick-and-mortar store.
- Typed signature: Some online agreements are executed by having the signer type his or her name into a browser-based form. Alternatively, a typed name in a contract can function as a signature. Like a click signature, a typed signature relies on a simple overt act to indicate the signer's acceptance of the terms of an agreement.
- Digitized signature: This is what most people think of when they visualize an electronic signature: accepting a package by signing with a stylus on a digitizer strip, which may also capture pressure and timing (a biometric signature). A similar process allows someone to sign on a computer screen using a light pen. Another type of digitized signature is created by signing on paper, then scanning the signature into an image file.
- Digital signature: A technologically advanced type of electronic signature, based on public-key cryptography rather than on an image of a handwritten signature. A valid digital signature gives a recipient reason to believe that the document was signed by a known signer and has not been altered since signing (it is tamper-evident, not tamper-proof). Digital signatures are commonly used in financial transactions, software distribution and other transactions where it is important to detect forgery and tampering; see the next question for details.
Q: What is a Digital Signature?
A digital signature is a subset of electronic signatures. It is a technologically advanced type of electronic signature, based on a digital certificate, that is used to prove that a communication originated from a particular sender and has not been tampered with. It is not a digitized image of the sender's handwritten signature. A digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered after signing. Note that a signature makes alteration detectable (tamper-evident) rather than impossible, and it does not by itself keep the content secret. Digital signatures are commonly used for software distribution, financial transactions and other cases where it is important to detect forgery and tampering.
Q: How to digitally sign and authenticate documents?
Digitally signing a document: Creating a digital signature requires a key pair and a digital certificate, which is issued by an agency called a Certification Authority (CA). The key pair consists of two numeric keys. The first is the private key, which is known only to the signer and must be kept absolutely secret for the entire system to work properly. The second is the public key, which is freely available to anyone who wants it and is part of the public information in the signer's published digital certificate. The two keys are mathematically linked: a signature produced with the private key can be checked with the public key, but the public key gives no practical way to recover the private key or to forge a signature. (Describing signing as "encrypting with the private key" is an informal picture that only fits textbook RSA; signature schemes such as RSA-PSS or ECDSA define signing and verification as distinct operations, and production RSA signatures use padding rather than raw modular exponentiation.) The final requirement is a digital document, ready to be signed. Digital signature technology capitalizes on the fact that digital documents are, at their lowest level, just numbers on which mathematical operations can be performed. One such operation is a cryptographic hash function, which processes the document's content to produce a fixed-size numeric "fingerprint" (message digest) of that document; any change to the document, however small, changes the fingerprint. The signer's private key is applied to this fingerprint, and the result is the digital signature. The signature is embedded within or attached to the original document, creating a digitally signed document.
Authentication of a digitally signed document: Anyone who receives a digitally signed document will want to validate it before accepting it as genuine. Validation ensures that the signature was created with the specified signer's private key and that the document has not been altered since it was signed. The validation process goes as follows:
- After separating the document and signature, the received document is processed with the same hash function. This creates a second document fingerprint.
- The signer's public key is obtained from the signer's digital certificate, which is either embedded in the signed document or fetched from the certification authority's online repository. The certificate itself must be checked before its key is trusted: it must chain to a trusted root CA, be within its validity period and not appear on the CA's revocation list.
- The public key is used to verify the signature against the fingerprint. With RSA this amounts to recovering the first fingerprint from the signature; with other schemes (for example ECDSA) the verification algorithm takes the fingerprint and the signature and simply answers valid or invalid.
- The two document fingerprints are compared (or, equivalently, the verification algorithm reports its result).
- If the fingerprints are not identical, the document is considered invalid: the content has been altered since signing, because even the slightest alteration yields a different hash value. If they match, the signature and the document to which it is attached are valid, and the relying party may conclude that the document was signed by the holder of the private key named in the certificate and has not changed since.
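The signing and validation steps above, as an added example that is not part of the original page. It is written in Go against the standard library only, using ECDSA over P-256 with SHA-256 as the hash function; the function names (Sign, Verify, GenerateSignerKey), the SignedDocument type and the sample contract text are assumptions made for this illustration. The certificate and the CA are deliberately left out: the public key is handed straight to the verifier, and the example shows what the signature alone does and does not prove.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedDocument carries the document together with its signature: the "digitally
// signed document" of the text. The signature is kept beside the document here;
// embedding it in a file format (PDF, CMS) changes nothing about the mathematics.
type SignedDocument struct {
	Document  []byte
	Signature []byte // DER-encoded ECDSA (r, s)
}

// fingerprint is the hash step: SHA-256 turns a document of any length into a
// fixed-size value, and a one-byte change yields an unrelated fingerprint.
func fingerprint(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// GenerateSignerKey makes the signer's key pair. Only the public half would go
// into the certificate a CA issues; the private half never leaves the signer.
func GenerateSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the document and signs the digest with the private key
// (hash-then-sign). The document itself is neither encrypted nor hidden.
func Sign(priv *ecdsa.PrivateKey, doc []byte) (SignedDocument, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, fingerprint(doc))
	if err != nil {
		return SignedDocument{}, err
	}
	return SignedDocument{Document: append([]byte(nil), doc...), Signature: sig}, nil
}

// Verify is the relying party's side: recompute the fingerprint from the received
// document and check the signature against the signer's public key. In a PKI that
// key comes from the signer's certificate, which must itself be validated
// (chain, validity period, revocation) before its key is trusted.
func Verify(pub *ecdsa.PublicKey, sd SignedDocument) bool {
	return ecdsa.VerifyASN1(pub, fingerprint(sd.Document), sd.Signature)
}

func main() {
	priv, err := GenerateSignerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample contract text, not taken from any real agreement.
	contract := []byte("Buyer agrees to pay 1,000 EUR for 10 units by 2025-01-31.")
	signed, err := Sign(priv, contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document verifies:", Verify(&priv.PublicKey, signed))

	// Alter a single character of the signed text: 1,000 becomes 9,000.
	forged := SignedDocument{Document: append([]byte(nil), signed.Document...), Signature: signed.Signature}
	forged.Document[20] = '9'
	fmt.Println("altered document verifies:", Verify(&priv.PublicKey, forged))

	// A signature checked against some other party's public key does not verify.
	other, _ := GenerateSignerKey()
	fmt.Println("wrong public key verifies:", Verify(&other.PublicKey, signed))
}
```

The verifier learns only that whoever holds the private key matching the supplied public key signed exactly these bytes; which person that is, and whether the key is still trustworthy, is what the certificate and its revocation status establish.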
Q: What are the benefits of Digital Signatures?
When organizations move away from paper documents with ink signatures or stamps, digital signatures provide added assurance of the provenance, identity and status of an electronic document, and can record informed consent and approval by a signatory. Properly implemented digital signatures are far more difficult to forge than handwritten ones.
Authentication: A message may carry information about who sent it, but that information can be forged. Digital signatures can be used to authenticate the source of a message: when the private signing key is bound to a specific user through a certificate, a valid signature shows that the message was signed by the holder of that key. High confidence in sender authenticity matters especially in a financial context. For example, suppose a bank's branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message truly came from an authorized source, acting on the request could be a grave mistake.
Data Integrity: In many scenarios the sender and receiver of a message need confidence that it has not been altered in transit. Although encryption hides the contents of a message, it may still be possible to change an encrypted message without understanding it. (Non-malleable encryption, such as an authenticated encryption mode, detects such changes; plain unauthenticated encryption does not.) If a message is digitally signed, any change after signing invalidates the signature. Furthermore, there is no efficient way to alter a message so that the existing signature still verifies, because that would require finding a different message with the same hash value, which is computationally infeasible for a secure cryptographic hash function.
Non-repudiation: Digital signatures can also provide non-repudiation, meaning that the signer cannot plausibly deny having signed a message while also maintaining that their private key remained secret. Some schemes add a trusted time stamp to the signature, so that a signature made before a later key compromise or revocation can still be shown to have been valid at the time of signing. Digital signature schemes in the sense used here are cryptographically based and must be implemented properly (private key kept secret, certificate validated, revocation checked) to be effective.
Q: Who uses electronic & digital signatures?
Digital and electronic signatures are mostly used by:
- Businesses and organizations with formal approval workflows that involve agreements, contracts, licenses and other official documents
- Businesses and organizations that need to route documents requiring authorizations across multiple offices
- Businesses and organizations employing field sales or service representatives who need to complete and send signed reports or contracts
- Travelling executives whose signatures are required to execute processes
- Businesses and organizations collaborating with external partners whose approvals are required for workflows
Q: Are electronic and digital signatures legally binding?
Following the UN (UNCITRAL) Model Laws on Electronic Commerce (1996) and on Electronic Signatures (2001), many countries worldwide have adopted legislation and regulations that recognize the legality of electronic and digital signatures. In these countries electronic and digital signatures are just as binding as traditional pen-and-ink signatures as long as they are executed through a process that clearly establishes the intent to sign and preserves the evidence needed to prove it. Examples in the USA are the federal Electronic Signatures in Global and National Commerce Act of 2000 (ESIGN) and the Uniform Electronic Transactions Act (UETA), which has been adopted in most states.
Q: What are the countries where electronic signatures are legally recognized?
Read the handbook Global Guide to eSignature Law: Country by country summaries of e-signature law and enforceability (Adobe Systems Inc). This guide covers the electronic signature laws of 47 countries, including all the largest economies. It gives a snapshot of each country’s electronic signature laws in the form of brief summaries. These provide a reference point for determining the scope of an organization’s use of electronic signatures in different jurisdictions. It is not meant to be an exhaustive or detailed legal analysis, but gives a solid place to start.
Also view the map Electronic and Digital Signatures Around the World, and the Database of Electronic Signature Legislation.
Q: Can my business lower costs using electronic signatures?
Both public and private sector organizations use e-signatures to lower costs. The most common use is to sign legally binding contracts and agreements electronically, thereby lowering the costs associated with records management and mailing. In addition, many organizations are also using e-signatures to speed up transactions and lower the costs for internal processes. For instance, you can use electronic signatures to get sign-offs on internal reviews and approvals—particularly valuable for organizations with geographically-dispersed teams.
Q: What is a PKI?
PKI (public key infrastructure) is a comprehensive system of policies, processes and technologies which together control the creation and management of digital certificates. Digital certificates are one of the key components that enable an increased level of security for communications and transactions over the Internet.
Q: How does PKI secure messages & documents?
The security and privacy of data exchanged over the Internet, especially sensitive information, is a major concern. Among the many ways of securing data, encrypting the sensitive data is the most common and effective. Encryption translates data into an unreadable form called ciphertext; decryption reverses the process and requires the correct key.
Computer encryption uses the science of cryptography. Most encryption systems belong to one of the following two categories.
1. Symmetric-key encryption: a single secret key is used both to encrypt and to decrypt the message, so sender and receiver must already share that key. Keys are simply large numbers that the encryption algorithm combines with the data to make it unreadable to anyone without the key.
2. Asymmetric or public-key encryption: two mathematically related keys are used. The public key is freely disseminated and is used to encrypt (lock) a message; the matching private key is kept secret by its owner and is the only key that can decrypt (unlock) it. To send a confidential message, the sender therefore encrypts with the recipient's public key, and only the recipient can decrypt it with their private key. The same key pair, used the other way round, supports digital signatures: the owner signs with the private key and anyone can verify with the public key.
Digital signatures employ asymmetric cryptography. Encryption is advisable for any kind of sensitive transaction, such as online purchases or the exchange of confidential company documents between departments. Someone wanting to send a confidential message requests the recipient's digital certificate, which contains the public key, from a trusted directory, and then uses that public key to encrypt the message before sending it. Once encrypted, the message can only be decrypted with the intended recipient's private key. For messages sent through an insecure channel, a properly implemented digital signature additionally gives the receiver reason to believe the message was sent by the claimed sender; encryption alone does not establish who sent a message.
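The confidentiality side of the exchange just described, as an added example that is not part of the original page: a sender seals a document to the recipient's RSA public key, and only the recipient's private key opens it. It is written in Go against the standard library only; the names Seal, Open, Envelope and GenerateRecipientKey and the sample document text are assumptions made for this illustration, and the recipient's key pair is generated in the program instead of being read from a certificate. Rather than encrypting the document directly with RSA, it uses the hybrid approach that CMS/S/MIME-style formats take: a fresh AES-256-GCM content key encrypts the document, and RSA-OAEP wraps that key to the recipient's public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what crosses the insecure channel: the document encrypted under a
// one-time content key, and that key wrapped to the recipient's public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, content key)
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// GenerateRecipientKey makes the recipient's key pair; in a PKI the public half
// would be published in the recipient's certificate.
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts doc for the holder of the private key matching recipientPub.
// Only the recipient's public key is involved; the sender's own keys play no part.
func Seal(recipientPub *rsa.PublicKey, doc []byte) (*Envelope, error) {
	contentKey := make([]byte, 32) // AES-256 key, used for this envelope only
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, doc, nil)}, nil
}

// Open recovers the document with the recipient's private key. GCM's authentication
// tag makes the ciphertext tamper-evident: a flipped bit fails to decrypt instead of
// silently changing the plaintext, which is the malleability problem plain encryption has.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap content key: wrong private key or corrupted envelope")
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := GenerateRecipientKey()   // the intended recipient
	mallory, _ := GenerateRecipientKey() // someone else with their own key pair
	doc := []byte("Q3 price list: constructed sample, not real data")
	env, err := Seal(&alice.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	plain, err := Open(alice, env)
	fmt.Printf("recipient opens: %q (err=%v)\n", plain, err)
	_, err = Open(mallory, env)
	fmt.Println("other key opens:", err)
	env.Ciphertext[0] ^= 0x01 // tamper with one bit in transit
	_, err = Open(alice, env)
	fmt.Println("tampered envelope opens:", err)
}
```

Note what this does not give: the recipient learns nothing about who sent the envelope, since anyone can obtain the public key from the directory. Sender authentication is the job of a digital signature over the document, applied in addition to the encryption.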
During signing, once the user initiates the process, a hash (the "message digest") is computed from the digital contents with a hash algorithm; for practical purposes it is unique to that content. The individual's private key is then applied to this digest, and the result is termed the "digital signature". Because the private key is involved, the signature can only have been produced by whoever holds that key; together with the certificate that binds the key to a person, this establishes the identity of the signer. The signature is then bound to the message and sent along with the document or the transaction, usually together with the signer's certificate, which carries the public key. A "signer" can be either a person or a computer, which makes this type of signature well suited to automated processes.
Though digital signatures use encryption technology, they do not hide anything about a signed document. Instead, they provide a way to validate the identity of a person signing a document, and the contents of the document itself.
Private keys are closely guarded secrets, as they are the means by which a person signs a message and creates legally binding obligations. To help secure the private key, it is often stored in a physical token such as a smart card.
If a subscriber's private key is lost, stolen or compromised in any way, the corresponding certificate must be revoked, a new key pair generated, and the old key never used again.
Q: What is a digital certificate?
A digital certificate is one of the foundations of a public key infrastructure (PKI). A digital certificate is in many ways the electronic equivalent of a passport or driver's license, and may be used to identify and authenticate someone making online transactions.
A digital certificate is issued to a certificate holder by a certification authority on the request of a registration authority. A digital certificate includes the certificate holder's name, their public key, a unique serial number, a validity period, the name of the certification authority and an indication of the certificate policy under which it was issued, all covered by the certification authority's signature. Most digital certificates are in the format specified in the X.509 standard.
The public key and private key pair can be generated on a secure device. A certification authority creates the digital certificate, incorporating the public key and signs it, protecting the integrity of the information.
The public key in a digital certificate is linked to the private key. The certificate holder must hold the private key securely. The security of the private key is extremely important. In many applications a private key is stored by placing or creating the private key on a physical token such as a smart card.
Q: Why use digital certificates for online transactions?
The security we take for granted in the physical world has been developed over time to ensure the credibility and authenticity of the people we do business with. These include, amongst other things, sealing envelopes to ensure privacy, presenting credentials and signatures to confirm identity and providing receipts to confirm transactions. As e-commerce and Internet transactions grow, similar safeguards are required to meet the needs of the online world. PKI encryption, digital signatures and digital certificates provide a level of security and trust for e-commerce transactions implemented in the online world.
Q: Why use smart cards to store private keys?
A smart card is a form of secure token. Physically, a smart card is a plastic credit-card-sized card with an embedded computer chip that holds information in electronic form and controls the use of that information.
Security of private keys is extremely important, as the private key is the means by which a person signs messages (or documents) and creates legally binding obligations. If a person's private key is lost, stolen or compromised in any way, regardless of whether this is due to the owner's negligence or an attack, the corresponding certificate must be revoked and a new key pair generated.
There are a number of ways to store a private key. In many applications, digital certificates and private keys are stored on the hard drive of the user's PC, but a key stored as a file can be copied by malware or by anyone with access to the machine, leaving the owner open to impersonation.
Another method involves generating or placing the private key on a physical token such as a smart card. This option provides additional protection against electronic theft, and thus impersonation: in a well-configured deployment the key is generated on the card and marked non-exportable, so signing operations take place inside the chip and the key itself is never present on the workstation. The user also carries the key with them, away from the workstation they use to access systems. Furthermore, a PIN or pass-phrase must be entered each time the smart card is used, providing additional protection should the card be lost or stolen.
Smart cards are considered to have advantages over other tokens (such as USB tokens); these include the ability to use chips that can store and process multiple applications.
Q: What is a subscriber?
Subscribers are those who have signed up to a PKI service and who agree to operate in accordance with the certificate policy and the prescribed terms and conditions for the service. They subscribe to the certification authority (via the registration authority) for a digital certificate and key pair that they will then use to authenticate themselves online.
Q: What are the components of a PKI?
A PKI is typically made up of a certification authority, a root certification authority, a registration authority, certificate policy and a certification practice statement. It may also include, as is the case with IdenTrust consortium of financial institutions’ PKI, a policy approval authority and a policy creation authority.
Q: What is a certification authority (CA)?
The certification authority issues and signs digital certificates at the request of a registration authority. The CA is one of the entities that provides the element of trust for the PKI. A party relying on a digital certificate trusts the CA to have correctly included the certificate holder's public key, and other details, in the digital certificate, and to have digitally signed the digital certificate to validate its authenticity and integrity.
Q: Who is IdenTrust Inc?
IdenTrust Inc is an organisation formed in April 1999 by a group of the world's leading financial institutions who recognised the need for a global trust infrastructure to enable cross-border Internet commerce.
The IdenTrust™ scheme has established a technical and legal infrastructure based on a set of uniform system rules, business practices and contracts to assist in providing risk management for transactions and confidence in the identity of trading partners online. Lack of trust has been one of the key obstacles preventing business-to-business Internet commerce from thriving.
Through the IdenTrust™ framework, businesses are able to leverage the trusted relationship with their financial institution to assist in managing their B2B e-Commerce risks. In turn, financial institutions around the world are able to have greater trust in each other through the IdenTrust™ system.
Q: What is a root certification authority (RCA)?
Digital certificates can only be an effective enabler of trade when all parties to a transaction have confidence in the certification authorities that issued the digital certificate. Trade is conducted globally and there will be times where a relying party will not be familiar with a certification authority and therefore may not feel confident in relying on a digital certificate they have issued.
To overcome this issue, certification authorities may be certified by a higher level certification authority that is more widely known and trusted. This is known as a trust hierarchy and at the top of a hierarchy is the Root certification authority, sometimes also referred to as a trust anchor.
The IdenTrust scheme is an example of a trust hierarchy. The IdenTrust organisation acts as the RCA and uses its self-signed digital certificate to certify the digital certificate of a participating financial institution, which acts as a certification authority. In doing so, IdenTrust™ also attests that the institution has qualified to the standards of the scheme.
IdenTrust, IdenTrust & System and the IdenTrust logo are Trademarks and Service Marks of IdenTrust, LLC.
Q: What is a registration authority (RA)?
A registration authority is responsible for processing digital certificate requests received from subscribers. The RA firstly checks that requests are valid and comply with the certification practice statement and certificate policy. It then authenticates the identity of the user in accordance with any requirements in the certification practice statement and certificate policy. Once satisfied, the RA forwards the request to the certification authority to sign and issue a digital certificate to the intended certificate holder.
The quality of the registration process determines the level of trust that can be placed in the digital certificates.
Q: What is a certificate policy (CP)?
A certificate policy is a document that contains a set of rules indicating the applicability of a digital certificate to a particular community and/or class of application with common security requirements. The certificate policy typically outlines who may use the digital certificate as well as who may rely on it.
Q: What is a certification practice statement (CPS)?
A CPS outlines the practices employed to run a PKI. A CPS typically describes the processes of issuing, accepting, suspending and revoking certificates; as well as generating, registering, storing and distributing keys to users.
Q: What is a policy approval authority (PAA)?
The policy approval authority is responsible for the management and operation of the overall PKI and establishment of the certificate policy and a certification practice statement. The PAA is also responsible for managing the integrity of the PKI by approving (or otherwise) recommended changes to the policies and procedures detailed in the certification practice statement and associated certificate policies.
Q: What is a policy creation authority (PCA)?
The policy creation authority is a body set up by the PAA to research and recommend changes to the certification practice statement and associated certificate policy.
Q: What is a certification revocation list (CRL)?
A certificate revocation list is a list, compiled and signed by the certification authority, of the digital certificates it has issued that have been declared invalid before their expiry date. The CRL does not include digital certificates that have already expired, since those are invalid anyway. Any party wanting to rely on a digital certificate should check the CRL (or an online status service such as OCSP, where the CA offers one) to determine whether that certificate has been revoked, and should confirm that the CRL itself carries a valid signature from the CA and is current. Digital certificates are revoked, for example, when the private key is lost or stolen, or when an employee who had been issued one leaves the company.
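The certification authority, trust hierarchy and CRL sections above, as one added example that is not part of the original page: it builds a root CA, an issuing CA certified by that root and a subscriber certificate, then performs the relying party's two checks, chain validation up to the trust anchor and a lookup of the subscriber's serial number in the issuer's signed CRL. It is written in Go against the standard library's crypto/x509 package (Go 1.19 or later, for CRL parsing); the names (Entity, BuildHierarchy, IssueCRL, ValidateSubscriber, ErrRevoked), the subject names and the serial numbers are assumptions made for this illustration, and all keys are generated in memory rather than on a smart card.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entity is a PKI participant: a key pair plus the certificate binding its public key.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var ErrRevoked = errors.New("certificate has been revoked")

// issue generates the subject's key pair and has the issuer sign tmpl over its public half.
func issue(tmpl *x509.Certificate, issuer *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if issuer == nil { // no issuer: self-signed, which is how a root CA (trust anchor) is made
		issuer = &Entity{Key: key, Cert: tmpl}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Entity{Key: key, Cert: cert}, err
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca { // CAs may sign certificates and CRLs; Go fills in SubjectKeyId for CA templates
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// BuildHierarchy creates root CA -> issuing CA -> subscriber (all names are constructed).
func BuildHierarchy() (root, ca, sub *Entity, err error) {
	if root, err = issue(template("Example Root CA", 1, true), nil); err == nil {
		if ca, err = issue(template("Example Issuing CA", 2, true), root); err == nil {
			sub, err = issue(template("Alice Subscriber", 1001, false), ca)
		}
	}
	return
}

// IssueCRL has the issuing CA publish a signed list of revoked serial numbers.
func IssueCRL(ca *Entity, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// ValidateSubscriber is the relying party's check: chain to the trust anchor, then consult the CRL.
func ValidateSubscriber(sub, ca, root *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	if _, err := sub.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // a CRL is only trustworthy if the CA signed it
	}
	if err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(sub.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	root, ca, sub, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	crl, _ := IssueCRL(ca, sub.Cert.SerialNumber) // the issuing CA revokes Alice's certificate
	fmt.Println(ValidateSubscriber(sub.Cert, ca.Cert, root.Cert, crl))
}
```

A production relying party would additionally reject a CRL whose NextUpdate has passed, fetch it from the distribution point named in the certificate rather than taking it as a parameter, and consult OCSP where the CA offers it; the chain check and the signature check on the CRL are the two steps that must never be skipped.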