Digital Signatures and Certificates
Ensuring Authentication and Non-repudiation
By Ronald R. Tidd and Gary Heesacker
MAY 2008 - The AICPA’s 2007 Top Technology Initiatives named
“identity and access management” and “securing
and controlling information distribution” as the second and
seventh most influential technologies, respectively. These technologies
depend, in part, on policies, procedures, and practices that verify
(authenticate) an individual’s identity prior to granting
access to digital resources, such as a computer network and the
files it contains. Login names, passwords, and personal identification
numbers (PINs) are familiar and acceptable methods for implementing
authentication policies. The combination of a digital signature
and certificate, however, provides a more secure authentication
mechanism. When used to convey digital documents, the combination
ensures that the document’s content has not been altered,
restricts document access to authorized individuals, and records
who sent and received the document and when they did so. The latter
feature improves on the common practices of either using PDF files
or password-protecting Microsoft Office documents, which provide
no assurances as to time or user identity. Used together, these
features prevent the parties from repudiating their participation
in a digital communication. Digital certificates, therefore, can
play an important role in electronic contracts, maintaining adequate
internal controls, and performing audits.
Legal Status
Digital signatures would not be implemented if their legal status
was in doubt. In the United States, the Electronic Signatures
in Global and National Commerce Act (Public Law 106-229, 2000,
www.ntia.doc.gov/ntiahome/frnotices/2002/esign/report2003/electronicsignaturesact.pdf)
established the legal foundations for using digital signatures
at the federal level.
It provides, in part, that digital signatures have the same legal
status as handwritten signatures in interstate and international
commerce. At the state level, the National Conference of Commissioners
on Uniform State Laws (NCCUSL) approved the Uniform Electronic
Transactions Act in 1999 (www.ncsl.org/programs/lis/CIP/ueta.htm)
and recommended it be enacted by all states. It also established
a legal foundation for the use of digital documents and signatures.
As of the end of the 2005 legislative season, only Georgia, Illinois,
New York, and Washington had not enacted the act, but each of
these states had other enabling legislation in effect.
Implementation Foundations
The mechanisms for implementing digital signatures have evolved
to exploit the power of the new technologies known as “Web
2.0.” The foundations for implementing this technology,
however, have not changed significantly since they were explained by Fritz
Grupe, Stephen G. Kerr, William Kuechler, and Nilesh Patel, in
June 2003 (“Understanding Digital Signatures,” The
CPA Journal).
The process for implementing a digital signature requires two
main components. The first is the public key infrastructure (PKI),
which uses cryptography and generates two mathematically related
digital keys. One is a private key, available only to the signer
of an electronic document. The other is a public key, available
to anyone who needs to access a document signed by that signer’s
private key. The recipient who uses the public key to unlock the
document knows that the message came from the person controlling
the private key, and the underlying processes verify that the
message content was not altered by anyone after it was sent.
The second component is a certificate authority (CA), a trusted,
independent third party that issues the private and public key
pair and a digital certificate on behalf of a message sender.
Effectively, that certificate is attached to every message processed
with the private key. Through this process the CA—
- facilitates the distribution of the public keys to message
recipients;
- assures the private key owner’s identity (depending
on the level of service subscribed to by the key owner); and
- verifies the private key’s validity and revokes a private
key’s credentials when notified that the key’s security
has been compromised.
By verifying and documenting a message’s sender and recipient,
with the times a message was sent and received, the CA ensures
that the message cannot be repudiated. The necessary conditions
for an enforceable contract in cyberspace are non-repudiation,
sender authentication, and message integrity. The process described
above ensures that these conditions are met.
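The signing, certificate, and revocation checks described in this section, as an added Python illustration that is not part of the original article. It uses textbook RSA built from small known primes (no padding, not secure), and every name, key, serial number, and the sample letter is constructed for the example.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Toy RSA keys from two primes: ((n, e) public, (n, d) private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data, n):
    # SHA-256 reduced into the key's range; real schemes add padding (e.g. PSS).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)  # only the private-key holder can do this

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)  # anyone with the public key can

# Constructed keys from known Mersenne primes: fine for a demo, useless for security.
CA_PUB, CA_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
SIGNER_PUB, SIGNER_PRIV = make_keypair(2**107 - 1, 2**61 - 1)

def cert_body(serial, subject, public):
    return repr((serial, subject, public)).encode()  # fields the CA vouches for

def issue_certificate(serial, subject, public):
    """The CA binds a name to a public key by signing both with its own key."""
    return {"serial": serial, "subject": subject, "public": public,
            "ca_signature": sign(cert_body(serial, subject, public), CA_PRIV)}

def check_document(document, signature, cert, revoked_serials):
    """Recipient-side checks, in order: issuer, revocation, document signature."""
    body = cert_body(cert["serial"], cert["subject"], cert["public"])
    if not verify(body, cert["ca_signature"], CA_PUB):
        return "certificate not issued by the trusted CA"
    if cert["serial"] in revoked_serials:
        return "certificate revoked"
    if not verify(document, signature, cert["public"]):
        return "document altered or not signed by the certificate holder"
    return "valid: signed by " + cert["subject"]

CERT = issue_certificate(1001, "Constructed Client LLC", SIGNER_PUB)
LETTER = b"Engagement letter: annual audit fee 12,000 USD"  # constructed sample
LETTER_SIG = sign(LETTER, SIGNER_PRIV)

if __name__ == "__main__":
    altered = LETTER.replace(b"12,000", b"21,000")
    for doc, revoked in ((LETTER, set()), (altered, set()), (LETTER, {1001})):
        print(check_document(doc, LETTER_SIG, CERT, revoked))
```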
Implementation Process
The technological and legal foundations for using digital signatures
are sound. The process for implementing them depends on which
of the two available strategies is chosen.
The more established strategy entails selecting a CA (see Exhibit
1) and a level of service (security) that is both appropriate
for the sensitivity of the information to be exchanged and easily
integrated into the communication process. The main distinction
between the service levels offered by any CA is the effort it
exerts to verify the identity of the applicant or subscriber.
That effort ranges from verification of identity without a physical
meeting to verification via a physical meeting with the CA or
its designated representative (e.g., officers at a financial institution).
Once the subscriber’s application and verification process
is completed, the related digital certificates must be installed
on the subscriber’s computer or network, integrated into
e-mail and browser applications, and then maintained by IT personnel.
Alternatively, the administration of the certificate can be outsourced
to the CA.
As Rebecca Buckman reports (“Signing Up for E-Signatures:
More Companies Are Using New Technology to Cut Costs—and
Fraud,” Wall Street Journal, July 3, 2007), some
regard the established implementation process as overly complicated.
In response, a variety of web-based services (see Exhibit
2) are emerging that eliminate the need to download and install
digital certificates. The process varies between service providers
and levels of service offered, but generally a subscriber registers
with the provider, who verifies the subscriber’s identity.
The subscriber then places a document online and notifies the
recipient, who will then go to the service provider’s website.
The service provider verifies the recipient’s identification,
perhaps by using questions related to the recipient’s credit
report, and then grants access to the document. Although service
providers are focusing on digital signatures and web-mediated
contracting, these services are appropriate for any document that
requires sender and receiver authentication (i.e., non-repudiation),
message integrity, and a date stamp (e.g., confirmations of balances,
verification of an audit client’s contractual obligations).
Whether a web-based or PC/network-based strategy is chosen, a
reliable and trustworthy service provider is essential. In this
respect, the established service providers (Exhibit 1) have a
decided advantage over the emerging service providers (Exhibit
2), and they also provide certificate management solutions that
relieve a subscriber of some administrative responsibilities.
Web-based services, however, mitigate the problem of coordination
of the PKI mechanism when a subscriber uses digital certificates
with multiple business partners. Because they do not require significant
investment in infrastructure or change in internal processes,
they are an appropriate choice when communications requiring digital
certificates are infrequent.
Application
Internet-mediated contracting is the most obvious and common
use of digital certificates, suggesting their potential value
with engagement letters or audit documents that provide management
representations. They would generally be appropriate when assurance
is needed as to who worked on a digital document and when they
did so. For example, digital certificates could be used to document
the required authorization by the appropriate personnel for internal
control purposes. Alternatively, digital certificates can help
auditors clearly identify the source of management-prepared documents
and responses to confirmations sent to third parties.
Simplifying Authentication
Digital signatures and certificates have had the requisite legal
foundation since 2000, but the complexity of the underlying technology
generally made implementation infeasible except for those who
engaged in high-volume online contracting. The promise of the
emergent web-based services is to simplify implementation of digital
signatures and certificates. If those services fulfill that promise,
then accountants and their clients may find that they can extend
the horizons of their e-commerce activities and opportunities.
Ronald R. Tidd, PhD, CPA, and Gary
Heesacker, MBA, CPA, are both professors of accounting
at Central Washington University, Ellensburg, Wash.