1. Public Key Infrastructure
The Public Key Infrastructure (PKI) was developed in order to facilitate the use of digital signatures. It is well recognised as the most secure platform for e-Commerce transactions and, until now, the most mature solution that addresses all four key elements of security: authentication, non-repudiation, confidentiality and integrity. PKI refers to the whole system of policies, processes and technologies, including digital certificates, certificate servers and Certification Authorities (CAs), which work together to enable users to exchange information over open networks securely and confidentially.
2. Certification Authority
2.1 Role of Certification Authority
Under this infrastructure, the Certification Authority (CA) certifies that a given public key is associated with a given individual. Before such certification, which takes a digital form, is given, the CA may perform face-to-face verification of individuals. The resulting certificate can subsequently be used to confirm the public key of an individual and to verify signatures generated by that individual. The first CA to issue keys for digital signatures in Singapore is Netrust Pte Ltd as of 14 June 2002.
2.2 Regulations for Certification Authority
A CA is a trusted third party that verifies the identity of an applicant registering for a digital certificate and issues a digital certificate binding his or her identity to a public key. It also provides certificate management services such as publication and revocation of digital certificates. In essence, the CA acts like a trusted electronic notary public, telling everyone who the valid users are and what their digital signatures should look like.
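The CA role described in 2.1 and 2.2, as an added toy example that is not part of the original text: the CA signs a certificate binding a subject name to a public key, and a relying party checks the issuer, the certificate's integrity and its revocation status before trusting the subscriber's signature. The CA name, subject, serial number, primes and document are all constructed values, and the RSA here is the unpadded textbook form, used only to make the trust chain visible.

```python
# Added toy PKI (not from the page): CA issues a certificate binding subject to
# public key; relying party validates the certificate before trusting a signature.
# Textbook RSA over SHA-256 with constructed Mersenne primes, illustration only.
import hashlib
import json

def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) from two distinct primes (constructed input)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

def _tbs_bytes(tbs):
    # Canonical encoding of the to-be-signed fields so both sides hash identical bytes.
    return json.dumps(tbs, sort_keys=True).encode()

def issue_certificate(ca_name, ca_private, serial, subject, subject_public):
    """CA step: after identity verification, bind subject to key and sign the binding."""
    tbs = {"serial": serial, "issuer": ca_name, "subject": subject,
           "public_key": list(subject_public)}
    return {"tbs": tbs, "signature": sign(ca_private, _tbs_bytes(tbs))}

def verify_signed_document(cert, document, signature, trusted_cas, revoked):
    """Relying-party step: trusted issuer, intact certificate, not revoked, intact document."""
    tbs = cert["tbs"]
    ca_public = trusted_cas.get(tbs["issuer"])
    if ca_public is None or tbs["serial"] in revoked:
        return False
    if not verify(ca_public, _tbs_bytes(tbs), cert["signature"]):
        return False  # certificate altered, or not issued by the named CA
    return verify(tuple(tbs["public_key"]), document, signature)

# Constructed sample: one CA, one subscriber ("alice"), one signed document.
CA_PUBLIC, CA_PRIVATE = keygen(2**107 - 1, 2**127 - 1)
ALICE_PUBLIC, ALICE_PRIVATE = keygen(2**89 - 1, 2**61 - 1)
TRUSTED_CAS = {"Example CA": CA_PUBLIC}
ALICE_CERT = issue_certificate("Example CA", CA_PRIVATE, 1001, "alice@example.test", ALICE_PUBLIC)
DOCUMENT = b"I agree to pay SGD 100 for order 42."
DOCUMENT_SIG = sign(ALICE_PRIVATE, DOCUMENT)
```

Calling `verify_signed_document(ALICE_CERT, DOCUMENT, DOCUMENT_SIG, TRUSTED_CAS, set())` returns True; altering the document, revoking serial 1001, editing the certificate's subject, or presenting a certificate from an issuer outside `TRUSTED_CAS` each makes it return False.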
Being in a position of trust, a CA has to be subject to standards and controls so that the public can be confident in the services it offers. Hence, a voluntary licensing scheme is proposed in the Electronic Transactions Act (ETA) and the Electronic Transactions (Certification Authority) Regulations (ET(CA)R) to empower the Controller of CAs (CCA) to regulate and license the activities of CAs in Singapore. The Act also states that only licensed and approved CAs will enjoy its benefits for signatures generated from the certificates they issue. An exception to this is where parties agree to be bound by signatures created by a commercially reasonable procedure. The Act provides for the appointment of a Controller of CAs. The Controller will, amongst other duties, license, certify, monitor and oversee the activities of CAs.
2.3 Benefits for a licensed Certification Authority
The benefits that a licensed CA enjoys are as follows:
1) Evidentiary presumption for digital signatures generated from the certificates it issues. With the presumption, the party relying on the signature merely has to show that the signature has been correctly verified and the onus is on the other party disputing the signature to prove otherwise. This thus assures online merchants of the security of their transactions when they use such signatures to validate electronic contracts and transmit them over the Internet (or by other electronic means).
2) The CA will not be held liable for any loss caused by reliance on a false or forged digital signature of a subscriber as long as the CA has complied with requirements under the ETA. The CA will also not be liable in excess of the reliance limit amount specified in the certificate, even if it failed to observe some of its obligations.
3) A CA is evaluated by the CCA against its financial standing, its operational policies and procedures and the security of its systems. Thus, when a CA has been licensed by the Controller, it is an indication to the public that the CA has met stringent regulatory requirements and is therefore trustworthy and deserving of consumer confidence.
The CCA is the Director-General (Telecommunications) of the Infocomm Development Authority of Singapore (IDA). As CAs perform a trusted role in verifying the identities of parties in electronic transactions, the CCA aims to provide assurance that the CA's responsibilities are met and that these services are made available with high integrity, security and service standards. Only CAs that meet the standards set by the Controller will be licensed.