Centrelink
Smart Card Technical Issues Starter Kit
Chapter 6

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 8 April 1998

© Xamax Consultancy Pty Ltd, 1998

This document was prepared for Centrelink. Its purpose was to support the consultation process between Centrelink and privacy advocates, during a project that was intended to lay the foundations for a variety of projects for Centrelink's client agencies that it was anticipated would involve smart cards

This is chapter 6 of an 8-part document whose contents-page is at http://www.anu.edu.au/people/Roger.Clarke/DV/SCTISK.html


6. Digital Signatures in Practice

A digital signature was explained in a previous section as being a message-digest, encrypted with the sender's private key, which enables a recipient, using the sender's public key, to confirm the security of the data transmission.

There are some vulnerabilities in the digital signature scheme. Important among them are the following:

Provided that an appropriate PKI exists, and appropriate security procedures are implemented by the relevant parties, digital signature technology addresses all data transmission security requirements.

During the mid-to-late 1990s, the emergent PKI has been the subject of feverish efforts in the United States, with initiatives in the technical, organisational and legal arenas (NIST 1993, NIST 1994, ABA 1995, Utah 1995).

In Australia, efforts by a Standards Australia committee (PKAF 1996) and subsequently by a committee convened by the Commonwealth Minister for Communications and the Arts (NPKI 1998) have resulted in measures being proposed to ensure that an appropriate public key infrastructure is put into place. The matter has also been addressed from the perspective of the interests of Commonwealth Government agencies (OGIT 1998). At least one organisation is ready to offer public certification authority (CA) services, as soon as that infrastructure is in place (Australia Post, with its KeyPost service).

The work of developing technical standards for the Australian PKAF is being undertaken by the Standards Australia IT/12/4/1 Committee.

Further concerns are that the law as it presently stands may not recognise digital signatures as being the equivalent of (or better than) a written signature. A United Nations Model Law on Electronic Commerce (UNCITRAL 1996) recommends an approach for addressing such problems. In March 1998, an Electronic Commerce Expert Group working in conjunction with the Commonwealth Attorney-General's Department, produced a report which recommended modifications to the law to ensure that digital signatures are accepted in law as evidence that a person originated a message (ECEG 1998).

Another problem that may undermine the intended PKI is a lack of clarity about the liabilities of CAs, or a degree of risk exposure that makes the business of being a CA too unattractive. Various proposals have been made as to how to ensure that the business of a CA is tenable, including the American Bar Association (ABA 1995) and the United Nations (UNCITRAL 1998) at Articles 11 and 12. Laws defining the extent of liability have been passed in some jurisdictions, including the State of Utah, as long ago as 1995.


References

ABA (1995) 'Digital Signature Guidelines', American Bar Association

Biddle B. (1996) 'Digital Signature Legislation: Some Reasons for Concern' Privacy Right Clearinghouse, April 1996

Chaum D. (1995) 'Digital Signatures and Smart Cards', Digicash bv, Amsterdam, October 1995

DSTC (1997) 'Public Key Infrastructure (PKI)', Distributed Systems Technology Centre, Brisbane

ECEG (1998) 'Electronic Commerce: Building The Legal Framework', Electronic Commerce Expert Group, Commonwealth Attorney-General's Department, 31 March 1998

Mass (1997) 'The PKI Page'

NIST (1993) 'Draft Federal Digital Signature Standard', National Institute of Standards and Technology (NIST)

NIST (1994) Federal Digital Signature Standard (DSS), [U.S.] National Institute of Standards and Technology

NIST (1997) 'The PKI Program'

NPKI (1998) 'National Public Key Infrastructure Report', National Office of the Information Economy, March 1998

PKAF (1996) 'Strategies for the Implementation of a Public Key Authentication Framework (PKAF) in Australia' Standards Australia, MP75, 1996

UNCITRAL (1996) 'UNCITRAL Model Law On Electronic Commerce With Guide To Enactment', United Nations, 1996

UNCITRAL (1998) 'Draft Uniform Rules on Electronic Signatures'

Utah (1996) 'Digital Signature Tutorial'

Utah Digital Signature Act, 1995

Utah (1997) 'Utah Digital Signature Program', slide-show

Utah (1997) 'Frequently Asked Questions Regarding Digital Signatures'

Utah (1997) 'Digital Signature Act: Examples'

Whittle R. (1996-) 'Public Key Authentication Framework: Tutorial - What is a digital signature?'

Ylönen T. (1996-) 'Introduction to Cryptography: Digital Signatures'


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 14 July 1998

Last Amended: 14 July 1998


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916