Tata Group

Cross certification issues

Subramaniam Vutha*

Continuing his discussion of the implications of the rules relating to certifying authorities in the new IT Act, Subramaniam Vutha takes up the vexed question of how to verify the certification given to a digitally signed document.

Certification Authorities: As stated in an earlier article, the Certification Authority (CA) is a key component in the "public key infrastructure" necessary for reliable electronic commerce.

A CA's primary role is to link the public key of a subscriber to that subscriber. In other words, the CA attests to the authenticity of the public key and links it to the purported signatory of the digital message. This is achieved through the issue of a Digital Signature Certificate (DSC), which includes the name of the subscriber, his public key and other identification information. The DSC is itself digitally signed by the CA, and that signature would, in turn, also need to be verified. It is the need to verify the public key of the CA, for this purpose, which gives rise to the need for cross verification.

Cross Verification: Cross Verification (CV) is a method used to verify the public key of a CA. It assures a person who relies on a DSC issued by a CA, in order to verify a digitally signed document with the sender's public key, that the DSC is indeed authentic.

Typically, the recipient of a digitally signed message would rely on the DSC issued by a CA to verify the public key of the sender of the message. Where the recipient of the message does not know or trust the CA who issued the relevant DSC, he would next proceed to verify the digital signature of the CA itself. He may do this by requiring another CA that he knows and trusts to certify the public key of the original CA.

The converse may also occur. For example, a subscriber of the original CA may require that original CA to certify the public key of the other CA, where he uses the other CA's public key to verify the digital signature of one of its subscribers. This whole process used for such verification is called cross verification.

In some cases the chain of verification of CAs' public keys may result in a "certificate chain" or a "hierarchy of trust", at the end of which the recipient of the digitally signed message finally assures himself that the digital signature of the original CA is genuine by securing its verification by a CA at the end of the chain (whom he knows and trusts).

The situation is not too different from payments which are secured by a letter of credit issued by the bank of a purchaser in a foreign country. In such a case, if the seller does not know or trust the bank that has issued the letter of credit, he may require the letter of credit to be confirmed by a banker of his choice.
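The chain described above, worked through as an added example that is not from the article or from any CA it mentions: CA B is the CA the recipient trusts, CA A issued the subscriber's DSC, and CA B issues a cross-certificate attesting CA A's public key, after which the DSC verifies up to CA B. The party names, the freshly generated keys and the use of the Go standard library's X.509 path building are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue builds a certificate (serial, subject cn, holder of pub) signed by parent with parentKey;
// a nil parent makes it self-signed, which is how each CA's own certificate is produced here.
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CA certificates may sign other certificates
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// CrossCertificationDemo plays out the article's scenario with constructed names and fresh keys,
// reporting whether the subscriber's DSC verifies up to the trusted CA B with and without the cross-certificate.
func CrossCertificationDemo() (withCross, withoutCross bool) {
	pubB, keyB, _ := ed25519.GenerateKey(rand.Reader) // CA B: the CA the recipient knows and trusts
	pubA, keyA, _ := ed25519.GenerateKey(rand.Reader) // CA A: the CA that issued the subscriber's DSC
	pubS, _, _ := ed25519.GenerateKey(rand.Reader)    // the subscriber who signed the message
	certB := issue("CA B", 1, pubB, nil, keyB, true)        // recipient's trust anchor
	certA := issue("CA A", 2, pubA, nil, keyA, true)        // CA A's own certificate, not trusted by recipient
	crossA := issue("CA A", 3, pubA, certB, keyB, true)     // cross-certificate: CA B attests CA A's public key
	dsc := issue("Subscriber", 4, pubS, certA, keyA, false) // the DSC issued by CA A
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(certB)
	_, errNoCross := dsc.Verify(opts) // CA A is unknown to the recipient: no path to CA B
	opts.Intermediates.AddCert(crossA)
	_, errCross := dsc.Verify(opts) // path found: DSC -> CA A (as certified by CA B) -> CA B
	return errCross == nil, errNoCross == nil
}
```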

Potential Liability of Certification Authorities: The CA may face several risks arising from circumstances such as these:
Failure to properly identify the person who claims to own or control the relevant public key. Some legal scholars have recommended an initial face-to-face meeting and evaluation of the credentials of a potential subscriber before the issue of a DSC.
The private key of the CA itself may be stolen, either through an electronic or computer-based theft or in collusion with the CA's employees. Therefore, the CA should be held to very rigorous standards of security. The CA would also need to check the credentials of its employees initially and periodically thereafter.
The DSC issued by a CA may become unreliable, for instance where the subscriber to such certificate loses control over his private key.
The party in possession of an old key of a CA could create backdated attestations for fraudulent and fictitious documentation and defeat the CA's security methods even where the CA frequently changes its keys.

Conclusion: In short, there are many potential risks and attendant liabilities which may attach to a CA, whose operations should, therefore, be rigorously methodical and subjected to frequent (and sometimes unplanned) reviews and checks. The CA would also need to maintain comprehensive records of such methodologies, practices, checks and reviews to assure itself and its clients of its reliability.

Issues:

Here are some issues on which we invite your thoughts and comments:
What role do you foresee for offline verification or validation of e-commerce transactions? What would be the additional costs by way of expenses and delays?
Should such offline verifications be prescribed or used only for certain transactions? What criteria should be used for determining which transactions should be subject to such offline verification?
Should there be graded CAs or graded CA services commensurate with the risk and value profiles of the transactions or the client's need for greater security or assurance?
Should self certification accompanied by guarantees up to specified values be encouraged?
Should banks be the prime candidates for CA roles?
What rules should be considered to avoid conflicts of interest?
Would greater collaboration with foreign CAs help? How?

Please send in your queries and comments to Y. Lobo at yolynd.lobo@tatainfotech.com

About the author

Subramaniam Vutha is senior vice president (secretarial & legal) with Tata Infotech Ltd, Mumbai. A graduate in commerce and post-graduate in law, Subramaniam is a member and Indian correspondent for the International Bulletin of the Computer Law Association's magazine, and a contributor to the World Internet Law Report, a publication of BNA International Inc., London. He was recently invited to join their advisory board.

He is also a speaker and contributor on intellectual property rights, e-commerce and information technology law issues, and a member of the Confederation of Indian Industries’ working group on TRIPS (Agreement on Trade-Related Aspects of Intellectual Property Rights).
