Guidelines For Records Created Under a Public Key
Infrastructure Using Encryption And Digital Signatures
Background
Section 12(1) of the Library and Archives Canada Act states that no record under the control of a government institution may be destroyed without the consent of the Librarian and Archivist of Canada. Even if institutions do not actively dispose of electronic records through the deletion of data or the destruction of recording media, de facto disposal of records in electronic form can occur if access to the content and the structure of the document is lost by the creating institution.
Issue
To facilitate the development of electronic communication at all levels, the federal government has implemented a Public Key Infrastructure (PKI), which enables documents in electronic form to be encrypted and to carry a digital signature. All such electronic documents can potentially be designated records (1) within the meaning of the Library and Archives Canada Act, and therefore be identified for transfer to Library and Archives Canada at the end of their operational retention period.
To explain its position and assist institutions in the management and disposal
of records created under a Public Key Infrastructure using encryption and
digital signatures, Library and Archives Canada has prepared the following guidelines.
Encryption (2):
Encryption can be used to increase the security of electronic documents
in storage and during transmission. It enhances the confidentiality of
the content of the document and limits access to that content. In the case
of stored documents, encryption is analogous to physical security measures
and as such, is external to the document itself.
Encryption of documents during transmission provides the function
of a traditional paper envelope. Because this "envelope" is not an integral
part of the document, and because envelopes have not traditionally been
appraised as having archival value, Library and Archives Canada will not preserve
the encrypted version of records in electronic form. In addition, external
notations relating to the encryption history of a document will not be
required, but they could, at the discretion of the institution, be included
within an electronic records management system.
Library and Archives Canada will not accept any records encrypted
using the technology currently available through the federal PKI system
(i.e. in the .ent file structure). Records deemed to be archival will have
to be decrypted prior to transfer to Library and Archives Canada. It is important to note
that loss of the ability to decrypt an encrypted record may de facto
constitute destruction of the record under the terms of Section 12(1) of
the Library and Archives Canada Act.
Library and Archives Canada will also not preserve any records
encrypted using any prior encryption technologies.
Digital Signature (3):
Digital signatures confer three qualities on an electronic document.
These are data integrity, authentication and non-repudiation. Successful
verification of a digital signature assures the recipient that the "document
received" is identical to the "document sent" (data integrity) and confirms
the identity of the sender (authentication). It also prevents any subsequent
denial by the sender that the document originated with them (non-repudiation).
The importance of these assurances is paramount at the time the document
is received but diminishes once the recipient's decision to act on the
document is made. For Library and Archives Canada purposes, the integrity and authenticity
of records will continue to be inferred from their placement within an
organization's record-keeping system during the normal course of business,
and from proof of that organization's reliance on records kept within their
record-keeping system.
Library and Archives Canada will not attempt to maintain the capacity to re-verify
a digital signature after transfer to its control, nor to preserve the
traces of a digital signature generated under the current federal PKI system.
Further, Library and Archives Canada will not accept records made unintelligible
by the presence of a digital signature, but will accept records where the
content, context and structure of the document, exclusive of its digital
signature, remain intelligible and their integrity and authenticity can
be inferred from their placement within an organization's record-keeping
system. It is important to note that loss of the ability to render an intelligible
electronic record may de facto constitute destruction of the record
within the meaning of Section 12(1) of the Library and Archives Canada Act.
Records generated by non-PKI electronic signature technologies will
be evaluated on a case-by-case basis during the archival appraisal process.
For further information, please contact us at:
Government Information Management Office
Library and Archives Canada
Telephone: (819) 934-7519
Fax: (819) 934-7534
E-mail: imgi@lac-bac.gc.ca
Appendix A
Technological Considerations in the
Long-Term Preservation of Digital Signatures on Records
The digital signature technology being implemented as part of the federal
government's Public Key Infrastructure (PKI) is based on the issuance of
key pairs to users. Each pair is made up of a private and a public key.
Key pairs currently have a life span of 1 hour to 3 years, at which time
the original key pair expires and a new key pair is issued to the user
by a Certification Authority (CA), in the form of a certificate.
Library and Archives Canada has considered various technical approaches to the preservation
of digital signatures but concluded they could not be implemented at this
time.
Authentication of Digital Signatures
To ensure authenticity, one must be able to verify and even re-verify
a digital signature. The re-verification process requires two things: first,
access to the public signing key of the sender (which is included in the
signed document); and second, access to the public signing key of the relevant
Certification Authority. This approach would require Library and Archives Canada
to acquire and maintain access to every public signing key in a CA's operational
lifetime. It is too early in PKI implementation to know exactly how many
keys this would involve. The number of CAs could range from a single one
to support all government activity, to more than one CA per department.
Furthermore, the re-verification process is dependent upon proprietary
software, which would also have to be kept operational for as long as the
re-verification of a digital signature is required.
Finally, the digital signature currently depends on a "hash", the result
of a mathematical algorithm. The hash must be successfully duplicated for
the signature to be verified. For the hash to calculate identically, the
document must be identical in its content and its structure. Migration
(i.e., conversion from obsolete logical file formats) would permanently
prevent the calculation of an identical hash, thus destroying the digital
signature during archival preservation.
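As an added illustration that is not part of the guideline, the following Python shows why a format migration destroys a digital signature: the signature covers a hash of the exact byte stream, so a constructed toy RSA key pair and a simple CRLF-to-LF conversion are enough to show the hash, and therefore verification, changing even though the text a reader sees is unchanged. The key, the record and the migration routine are all assumptions made for the example.

```python
import hashlib

# Constructed toy RSA key pair for illustration only: primes this small give
# no security; a real PKI certificate carries a far larger key.
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def record_hash(record: bytes) -> int:
    """Hash the record exactly as stored: every byte of content and structure counts."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(record: bytes) -> int:
    """Textbook RSA signature over the hash (reduced mod N because the toy key is tiny)."""
    return pow(record_hash(record) % N, D, N)


def verify(record: bytes, signature: int) -> bool:
    """Recompute the hash of the record as received and compare it with the signed value."""
    return pow(signature, E, N) == record_hash(record) % N


def migrate_line_endings(record: bytes) -> bytes:
    """A minimal format migration: CRLF (legacy format) to LF (target format).
    The text is unchanged to a reader, but the byte stream is not."""
    return record.replace(b"\r\n", b"\n")


# Constructed sample record in a legacy CRLF text format.
ORIGINAL = b"Memorandum\r\nApproved: 1999-01-29\r\n"
MIGRATED = migrate_line_endings(ORIGINAL)


def migration_breaks_signature() -> tuple:
    """Return (verifies before migration, verifies after migration)."""
    sig = sign(ORIGINAL)
    return verify(ORIGINAL, sig), verify(MIGRATED, sig)


if __name__ == "__main__":
    before, after = migration_breaks_signature()
    print("hash identical after migration:", record_hash(ORIGINAL) == record_hash(MIGRATED))
    print("signature verifies before migration:", before, "after:", after)
```

The same failure occurs for any migration that alters bytes (character re-encoding, re-saving in a new file format), which is why the guideline infers integrity from the record-keeping system rather than from re-verification.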
Authentication Servers
One attempt to extend the lifetime of a digital signature beyond the
current maximum 3-year horizon (set by the lifespan of the key pair) has
revolved around the concept of "authentication servers". This would expand
the verification of a digital signature to include the gathering of "snapshots"
of the data which supported the process. Beyond simply verifying the signature,
the process would, for example, capture the Certification Authority's Revocation
List, to document the fact that the relevant key pair was valid at the
time signature verification occurred (i.e., was not included on the Revocation
List).
While an important development for organizations needing better documentation
of the signature verification process, it does not appear that this approach
will address the long time-frames required by archival institutions. The
"digital objects" captured by this enhanced verification process will also
display software dependencies which will require the development of migration
strategies in the future.
1. According to the Library and Archives of Canada Act, a record includes "any documentary material other than a publication, regardless of medium or form."
2. Cryptography is a method to provide
security to telecommunications by converting information to a form unintelligible
to an unauthorized interceptor and by reconverting information to its original
form for authorized recipients. (Introduction to Cryptography and its
Applications, Communications Security Establishment, November 4, 1997)
3. A digital signature is defined
as "the result of a transformation of a message by means of a cryptographic
system using keys such that a person who has the initial message can determine:
(a) whether the transformation was created using the key that corresponds
to the signer's key; and (b) whether the message has been altered since
the transformation was made". (Policy for Public Key Infrastructure
Management in the Government of Canada, draft version 1.0, January
29, 1999)