Ch. 10: Digital Signature, conf. encryption & PKI REVISED to remove sol.-client privileged material ITSS Legal Issues Working Group 9/18/96 10-6

Chapter 10
Digital Signature, Confidentiality Encryption and Public Key Infrastructure

NOTE: THIS CHAPTER HAS BEEN REVISED FROM THE ORIGINAL TO DELETE SOLICITOR-CLIENT PRIVILEGED INFORMATION IN ORDER THAT THIS CHAPTER COULD BE DISSEMINATED TO THE PUBLIC. AS IS TRUE FOR ALL CHAPTERS OF THIS REPORT, DEVELOPMENTS HAVE OCCURRED SINCE THIS CHAPTER WAS WRITTEN IN JUNE 1995, AND NO ATTEMPT HAS BEEN MADE TO UPDATE THIS CHAPTER OR ANY OTHER PART OF THIS REPORT SINCE THAT TIME. THIS CHAPTER, AND THIS REPORT, ARE INTENDED TO PROVIDE THE READER WITH BACKGROUND INFORMATION ON IDENTIFYING THE VARIOUS LEGAL ISSUES RELEVANT TO THE TOPICS IDENTIFIED, BUT NEITHER THIS CHAPTER NOR ANYTHING IN THIS REPORT SHOULD BE TAKEN AS PROVIDING A DEFINITIVE STATEMENT OF THE LAW.

A. Digital signature, confidentiality encryption, public key/private key encryption: what are they and what are the legal issues relating to them? 10-3
B. What is a public key infrastructure? 10-8
C. Overview of how liability can arise from a PKI 10-12
D. Issuing, publishing and revoking keys and certificates 10-13
E. Contract liability 10-18
F. Tort liability 10-19
G. How can PKI liability be limited? 10-23
H. Other legal issues relating to the operation of a PKI 10-28
I. Issues for deciding whether or not to establish a PKI 10-34
J. Recommendations 10-36

Introduction

As government departments attempt to implement Blueprint for Renewing Government Services Using Information Technology, and the Information Technology Security Strategy, to the fullest, they will want to take advantage of the service and cost efficiency benefits that can be provided through electronic communications. The percentage of businesses and governments doing business electronically is low - estimates range from 10 to 15%.
One reason for the low uptake rate for electronic commerce is the lack of security - there has been no means of ensuring confidentiality, and no “electronic signature” functionally equivalent to the hand-written signature in the paper world. Encryption makes it possible to exchange documents electronically between parties who do not even know each other with a high degree of confidence that the parties are who they say they are, that the messages exchanged between them have not been altered, that the parties cannot deny having sent them, and that no one other than the parties could read them. These characteristics are also known as electronic communication with authentication, integrity, non-repudiation, and confidentiality. An even higher degree of confidence can be provided by certification by a third party.

In the security context, there are two primary applications for encryption: digital signatures and confidentiality encryption. Both applications can be supported by a public key infrastructure.

This Chapter explains digital signature, confidentiality encryption, public key/private key encryption, and public key infrastructure; addresses legal issues with these technologies; and makes recommendations with regard to the use of these technologies. Many of the legal issues with these technologies are already discussed elsewhere in this report, and cross-references will be made where appropriate.1

A government department considering security for electronic communications, financial transactions, and recordkeeping for a particular operation should consider the applicable statutory and policy requirements, including:

· statutes which that department administers;
· the Financial Administration Act;
· the Access to Information Act;
· the Privacy Act;
· the National Archives Act;
· the Treasury Board Government Security Policy;
· the Treasury Board Electronic Authorization and Authentication policy; and
· internal departmental policies.
A threat-risk assessment (described in the Government Security Policy), taking into account both security and legal requirements, will indicate which electronic documents require a digital signature, confidentiality encryption and a public key infrastructure.

A. Digital signature, confidentiality encryption, public key/private key encryption: what are they and what are the legal issues relating to them?

What is a digital signature?

In the paper world, a handwritten signature on an original paper document proves who signed it. In addition, the physical nature of paper and ink enables the parties to detect alterations. In the electronic world, the original of an electronic document is indistinguishable from a copy, has no handwritten signature, and is not on paper. The potential for fraud is great, due to the ease of intercepting and altering electronic documents, and the speed of processing multiple transactions. Where parties deal with each other frequently, or there are no legal consequences, a signature may not be necessary. However, where there is a high potential for dispute, either a handwritten or a digital signature is required.

A “digital signature” binds the sender of a message to the message (“authentication” and “non-repudiation”), and it confirms that the message has not been altered or the signature forged (“integrity”). Examples of digital signature algorithms are RSA (Rivest, Shamir, Adleman) and DSA (digital signature algorithm).

(A “digitized signature” is an electronic representation in bits of a handwritten signature (e.g. the signature on a fax). It looks like a handwritten signature. However, it does not bind the sender to the document, and it does not provide the parties with any assurance against alteration or forgery. An “electronic signature” is a vague term which should not be used without further definition.)

This is how a digital signature using public key/private key technology works:

1. Each user generates or is given a unique public/private key pair. (A key is a very large number produced using a series of mathematical formulae applied to prime numbers. There is a mathematical relationship between the public key and private key, but one cannot be derived from the other.) The user must keep the private key secret. The individual user does not need to know his private key. (The private key will probably be kept on a smart card, accessible through a personal identification number or, ideally, biometrically, e.g. a thumbprint.) The user’s public key is in a public directory. It is virtually impossible to derive a user’s secret private key from his public key. (The most common algorithms for public key/private key encryption are based on an important feature of large prime numbers: once they are multiplied together to produce a new number, it is virtually impossible to determine which two prime numbers created that new, larger number.) Information encrypted by one of the keys forming the key pair can only be decrypted by the other key.
2. The sender prepares a message (for example, an Email, or a request to transfer funds) on his computer.
3. The sender prepares a “message digest” (a compressed form of the message) using a secure hash algorithm. (If someone alters even one bit in the message after it is “signed”, there will be an obvious change in the message digest.)
4. The sender encrypts the message digest with his private key. (The private key is applied to the message digest text using a mathematical algorithm.) The digital signature consists of the encrypted message digest.
5. The digital signature is attached to the message.
6. The sender sends the digital signature and the (unencrypted) message to the recipient electronically.
7. The recipient decrypts the sender’s digital signature, using the sender’s public key. Decryption using the sender’s public key proves that the message came from the sender (“authentication”, “non-repudiation”).
8. The recipient also creates a “message digest” of the message, using the same secure hash algorithm.
9. The recipient compares the two message digests. If they are the same, then the recipient knows that the message has not been altered after it was signed (“integrity”).
10. The recipient obtains a certificate from the certification authority verifying the information in the public key directory. The certification authority is a trusted third party which administers the digital signature system. The certificate contains the public key and name of the sender, digitally signed by the certification authority.

The whole process is automated and simple for the end user.

What are the legal issues relating to digital signature?

The legal issues with the digital signature are:

1. the lack of express statutory authority for digital signature. (See the discussion in Chapter 9.) There is now some federal legislation which specifically provides for the use of an electronic signature, which is further defined in regulations. In addition, there is Canadian case law supporting the use of electronic technology communication (such as faxes, e-mail, and computerized records), the formal requirements for which are governed by statutes or common law which do not specifically provide for such technology. However, there is no federal legislation of general application (such as the Canada Evidence Act or Interpretation Act) which specifically permits the use of a digital signature to replace a handwritten one. In the absence of legislation, Canadian courts will probably accept the digital signature as evidence, provided the party introducing the digital signature into evidence can give “foundation evidence” as to the integrity and accuracy of the digital signature system and record-keeping procedures, such as showing that:
   a. the digital signature algorithm and public key infrastructure chosen comply with an industry, national, or international standard;
   b. proper security and audit procedures are followed in accordance with the chosen standard; and
   c. the certification authority is a trusted entity;
2. the requirements in some statutes that certain documents be “signed”, “in writing”, “certified”, “commissioned”, “notarized” or “in prescribed form”. It is likely that a court would find a digital signature to meet the requirements that something be “signed” or “in writing”, but it is not certain whether the courts will decide that a digital signature meets the other statutory requirements;
3. the patent law issues with public key/private key technology, which arise with many digital signature products. A government department considering using a digital signature should ensure that there is no patent infringement, that licensing fees have been paid, or that the vendor will indemnify the government department for any unpaid licensing fees or patent infringement.

What is confidentiality encryption?

Confidentiality encryption is a method of encoding an electronic communication using a mathematical formula to provide confidentiality, so that only the sender and the receiver of the message will be able to read it. Confidentiality encryption can be provided using:

1. symmetrical encryption (e.g. DES: Digital Encryption Standard) (for an explanation of symmetrical encryption, see the discussion of public key/private key encryption below); or
2. public key/private key encryption (also called asymmetric encryption) (e.g. RSA: Rivest Shamir Adleman, PGP: Pretty Good Privacy, or Clipper/Capstone key escrow encryption).

Different confidentiality encryption products have different strengths and weaknesses, and the appropriate choice depends on the application. (The Communications Security Establishment is responsible for evaluating various products and providing advice about them to other federal departments.)

What are the legal issues relating to confidentiality encryption?
There are law enforcement access questions with regard to confidentiality encryption (see the discussion in Chapter 8 on Computer Searches and Privacy).

There are patent law issues with public key/private key technology, and therefore with some confidentiality encryption products. A government department considering using a confidentiality encryption product should ensure that there is no patent infringement, that licensing fees have been paid, or that the vendor will indemnify the government department for any unpaid licensing fees or patent infringement.

What is public key/private key encryption?

Before 1980, there were various methods of electronically signing a document, and encrypting it for confidentiality, but none were secure or practical for large numbers of users. Symmetric key encryption (e.g. DES) was in use prior to 1980 and is still widely used today, for example, in the banking industry. Symmetric key encryption involves the use of a single encryption key, which is known to and used by both parties. Since both parties have access to the key, symmetric encryption cannot be used for digital signature because either party could forge the other’s signature. Key distribution with symmetric encryption alone (i.e. not used in combination with public key/private key encryption) must be manual, which makes the use of symmetric encryption on its own impractical for large numbers of users. For these reasons, symmetric encryption on its own is not suitable for parties who do not know each other, who do not trust each other, or who deal together infrequently.

In 1980, a new encryption method was invented which was based on a mathematical formula that allows the encryption key to be divided into two parts, the private and public keys. The private key is kept secret. The public key can be made public. Although there is a mathematical relationship between the public and private keys, it is not possible to calculate the private key if you know the public key.
Here is how public key/private key encryption works:

1. A is issued a private key, which only A knows (a key is a long number derived from a mathematical algorithm applied to a randomly chosen number).
2. A is issued a public key, which everyone can know, through an electronic bulletin board (similar to a telephone directory).
3. B is also issued a private and a public key.
4. A message which has been encrypted with A’s private key can only be decrypted using A’s public key; and a message which has been encrypted with A’s public key can only be decrypted using A’s private key.
5. If A wants to send a confidential message to B, A encrypts the message with B’s public key, and then only B can decrypt it because only B has B’s private key.
6. If A wants to digitally sign a message, A encrypts the message with A’s private key, B decrypts it with A’s public key, and then B knows that A must have digitally signed it, because only A had the private key (there are other security features with digital signatures discussed above).

What are the legal issues relating to public key/private key encryption?

There are patent law issues with public key/private key technology, and therefore with digital signature and confidentiality encryption products which use public key/private key technology. A government department considering using public key/private key technology should ensure that there is no patent infringement, that licensing fees have been paid, or that the vendor will indemnify the government department for any unpaid licensing fees or patent infringement.

B. What is a public key infrastructure (PKI)?

In order for public key/private key encryption to serve its intended purposes, it needs to provide a way to send keys to a wide variety of persons, many of whom are not known to the sender, where no relationship of trust has developed between the parties. For this to happen, the parties involved must have a high degree of confidence in the public and private keys being issued.
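The ten signature steps in section A and the six public key/private key steps above, carried through between A and B in code. This is an added example, not part of the original report: it uses the Go standard library's RSA with SHA-256 as the secure hash, and the parties, the sample message and the flipped bit are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Party is one user. The private key never leaves the Party (on a smart card in
// the report's design); Public() is what the public directory lists.
type Party struct {
	priv *rsa.PrivateKey
}

// NewParty generates a key pair (step 1 of the signature procedure).
func NewParty() (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// Public returns the key that goes into the public directory.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign performs steps 3 and 4: hash the message into a digest, then transform the
// digest with the private key. The output is the digital signature that travels
// alongside the unencrypted message (steps 5 and 6).
func (p *Party) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// Verify performs steps 7 to 9 on the recipient's side: recompute the digest of
// the received message and check the signature under the sender's public key.
// It succeeds only if the message is unaltered and the signature was made with
// the private key that matches senderPub.
func Verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], sig) == nil
}

// Seal is confidentiality step 5: A encrypts with B's public key so that only
// the holder of B's private key can read the message.
func Seal(recipientPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
}

// Open decrypts a sealed message with the recipient's own private key.
func (p *Party) Open(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
}

// Outcome records what each check in DemoSignAndSeal found.
type Outcome struct {
	SignatureValid      bool   // B verifies A's signature on the original message
	AlterationDetected  bool   // one flipped bit after signing makes verification fail
	KeyMismatchDetected bool   // A's signature does not verify under another party's key
	Recovered           string // what B decrypts from the sealed message
	WrongKeyFails       bool   // A cannot open a message sealed for B
}

// DemoSignAndSeal runs both uses of the key pair between A and B.
func DemoSignAndSeal() (Outcome, error) {
	var o Outcome
	a, err := NewParty()
	if err != nil {
		return o, err
	}
	b, err := NewParty()
	if err != nil {
		return o, err
	}
	// Constructed sample message; the amount and account numbers are made up.
	msg := []byte("Transfer $1,000 from account 12345 to account 67890")
	sig, err := a.Sign(msg)
	if err != nil {
		return o, err
	}
	o.SignatureValid = Verify(a.Public(), msg, sig)
	altered := append([]byte(nil), msg...)
	altered[10] ^= 0x01 // change a single bit after signing
	o.AlterationDetected = !Verify(a.Public(), altered, sig)
	o.KeyMismatchDetected = !Verify(b.Public(), msg, sig)
	sealed, err := Seal(b.Public(), msg)
	if err != nil {
		return o, err
	}
	plain, err := b.Open(sealed)
	if err != nil {
		return o, err
	}
	o.Recovered = string(plain)
	_, err = a.Open(sealed)
	o.WrongKeyFails = err != nil
	return o, nil
}
```

A successful Verify only shows that the signature was made with the private key matching whichever public key the recipient used, which is why the question of trusting the public key itself, taken up in section B, matters.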
If B can decrypt A’s message using A’s public key, B will consider this to be proof that it was A who sent the message, and B will act accordingly: make a financial commitment to A, begin work ordered by A, accept payment from A, and so on. In order for B to have confidence that the decrypted message purportedly from A is in fact from A, B must be confident that A’s public key has not been tampered with. For example, if C is able to replace A’s public key with C’s public key, but make it look as though it is still A’s public key, C will be able to forge transactions in A’s name without A or B knowing it. Therefore, B must have confidence that A’s public key is in fact the match to A’s private key.

This kind of confidence may be present between parties who trust each other, who deal with each other continually over a period of time, who communicate on closed systems, who are within a closed group, or who are able to govern their dealings contractually, for example, in trading partner agreements. However, this kind of confidence will not be present when the parties do not trust each other, deal infrequently with each other, communicate over open systems, are not in a closed group, or do not have trading partner agreements or other law governing their relationships.

In addition, because public key/private key encryption is a highly mathematical technology, all users must have confidence in the skill, knowledge and security arrangements of the parties issuing the public and private keys.

Finally, where encryption is used to keep messages confidential (rather than as a way to prove a person’s signature), it is important that there be a way to recover encrypted messages if the private key is lost, in case the encrypted message has important legal, financial or public accountability value (e.g.: National Archives Act, Access to Information Act). The technology permits the issuer of the public-private key pair to retain or recreate the missing key.
Therefore, there must be a high degree of trust in the authority that issues the public-private key pair. (There is no need for a private key used to create digital signatures to be retained or recreated, and having the technical ability to do this would reduce the confidence in the system as a whole.)

A public key infrastructure (PKI) is a way to provide confidence that:

· A’s public key has not been tampered with and in fact matches A’s private key;
· the encryption techniques being used are sound;
· the parties issuing the public-private keys can be trusted with respect to their abilities to retain or recreate the public-private key used for confidentiality encryption;
· different encryption technologies are interoperable.

To provide the confidence described above, a PKI would offer the following services:

· Managing encryption keys used for confidentiality encryption;
· Managing encryption keys used for digital signatures. (It is optional who would generate the public key/private key pair: the root authority, the Certification Authority (CA) or the user (not the Local Registration Authorities (LRAs)). It could be done by giving a smart card to an individual such that the only place the private key exists is on the smart card. The LRAs could provide the smart card to the individual. The risk of being found responsible for the compromise of a private key is so great that key generation should be carried out within the end entity’s system.);
· Certifying that a public key matches a private key;
· Publishing a secure directory of public keys and distinguished names;
· Privilege management services (i.e. deciding which users will have which privileges on the system);
· End-entity initialization services (i.e. providing the key to end users);
· Managing personal tokens (e.g., smart cards) that can identify the user with unique personal identification information or can generate an individual’s private keys;
· Non-repudiation services;
· Client interface services (checking the identification of end users, and providing them with services);
· Timestamping services.

The above services will be described in greater detail when discussing the legal issues that relate to each of those services. However, it is necessary to understand who provides the various PKI services before a more detailed explanation of those services can be given.

Who provides the PKI services?

The proposal of the PKI Working Group is for a PKI established as follows:

Policy-making Authority (PMA)

A Policy Management Authority (PMA) would establish the policies for the government’s PKI.

Root Authority

Under the current proposal before the ITSSSC, the Communications Security Establishment (CSE) would implement the PKI and would be the “root” authority. The root authority certifies the technology and practices of all parties authorized to issue public-private key pairs. By its nature, there is only one “root” authority. In the proposal by the PKI Working Group the root authority would not have the technical ability to retain or recreate private confidentiality keys.

Certification Authorities (CAs)

Below the “root” authority are the “certification authorities” (CAs) (also called Management Nodes) who would certify that A’s public key actually matches A’s private key (i.e., has not been tampered with). The CA provides this certificate electronically, by issuing a certificate encrypted with its own private key, which anyone else can decrypt, using the CA’s public key. Thus, there must be a high degree of confidence in the CA’s ability to keep its private key secret and protect its public key from being tampered with.
The CA’s certificate acts as a form of guarantee to the world at large about the reliability of A’s private-public key pair. In the proposal, the CAs would be the large departments and possibly federal government or private sector service providers, who would offer CA services to smaller government departments.

In the PKI, there will be more than one CA. One issue concerns the relationship between the various CAs. The CAs can be established in a hierarchical structure, where some CAs do nothing more than certify other CAs, who provide services more directly to users. Thus, in this model, CAs are subordinate to other CAs. In another model, some CAs are equal to other CAs. In this case, it is necessary that equivalent CAs recognize the services provided by each other, so their respective users can communicate with each other more efficiently and with greater confidence in the security procedures being used. It is likely that in any reasonably large PKI, there would be both subordinate and cross-certified CAs. Legal issues may arise with regard to cross-certifying or chaining of certificates when there are multiple security policies involved, such as determining whose misconduct caused the loss.

Local Registration Authorities (LRAs)

Below the CAs are the “local registration authorities” who would take requests from users for public key/private key pairs, require proof of identification and check identities of potential users. In the PKI proposal currently before the ITSSSC, LRAs would likely be the security branch of individual departments. Notaries public have been considered as likely candidates for LRAs in Quebec, where their attestations are given special recognition in several federal statutes. The Chambre des notaires du Quebec is currently running a pilot project to computerize some real estate transactions. However, in the rest of the country, not all notaries have the qualifications or training to make them candidates for LRAs.
Factors to consider in choosing the PKI trusted entities

Generally, the choice of entities to provide PKI services is based on trust of those entities. While trustworthiness is a judgment call, the following are examples of factors which increase trust:

· financial ability to indemnify for loss;
· no financial or other interest in the underlying transactions;
· expertise in the PKI technology;
· familiarity with proper security procedures;
· longevity. The root CA and subordinate CAs may be required to produce evidence of certification or decryption keys many years after the underlying transaction has been completed, in the context of a lawsuit or property claim;2
· in the case of LRAs, experience in attesting documents.

C. Overview of how liability can arise from a public key infrastructure (PKI)

Balancing Liability with Efficiency

The Government Security Policy already requires encryption in some circumstances, the public will want some of their personal information encrypted as government increasingly connects its computers to the outside world, and government will want to take advantage of cost savings and service improvements made possible by digital signatures. Thus, liability exposure must be balanced against cost efficiencies, service improvements and trust in government systems. Limiting liability while ensuring the certification is meaningful also requires a careful balancing of risks.

Specific Liability Issues

In the following discussions, we will examine specific liability issues relating to issuing, publishing and revoking keys and certificates, contract and tort liability issues, as well as ways to limit liability. However, first, we will give a brief overview of other statutory requirements that could potentially be relevant to the functions of a PKI.
Statutory offences potentially relevant to a PKI

Throughout this discussion on public key infrastructure, we have mentioned provisions in the Financial Administration Act, Crown Liability and Proceedings Act and Criminal Code which affect government contracting. In addition, there are other statutes which are relevant to a PKI, most of which are discussed elsewhere in this report. To summarize:

· there are criminal offences for interception of private communications (Chapter 8), theft of property but not information (Chapter 4), possessing a device for unlawfully obtaining telecommunications services without paying for them, mischievous use of a computer (unauthorized entry, interfering with data) and forgery (see Chapter 7);
· the Crown Liability and Proceedings Act prohibits unlawful interception and disclosure by Crown servants of private communications (see Chapter 8);
· the Income Tax Act makes it an offence to use a Social Insurance Number for any purpose other than that for which it was provided (and government policy requires any use of a Social Insurance Number to be authorized by statute or regulation - see Chapter 3 comments on personal identification information);
· the Income Tax Act and other statutes3 make it an offence to file false information with the government (for the purposes of the statute in question) or for an official to communicate or disclose information obtained in a way other than as set out in the statute in question (see Chapter 5);
· the Canada Business Corporations Act makes it an offence for a corporation to fail to take reasonable precautions to prevent loss, destruction, falsification or inaccuracies in records required to be maintained by the Act and an offence to file a mandatory report with the Director that contains an untrue statement of a material fact (see references in Chapter 2);
· in Chapters 2, 3, 4, 5 and 8 we discussed the application of the Access to Information Act and Privacy Act (which are discussed in the context of the PKI below).

D. Issuing, publishing and revoking keys and certificates

Timestamping

Time stamping means electronically recording the date and time that a transaction occurs. Two alternatives are an effective policy on how to determine when timestamping should be used, or a general policy that it must be used unless its non-use is authorized.

Key generation and archival function

Key generation is a basic function of the PKI, although there are options as to who actually generates the keys within the PKI (see the discussion of who provides services above). Another basic function of the PKI is to archive public keys so that the user can be connected to a public key, combined with the need to recover encrypted messages for purposes which include evidence in litigation and enforcement of contracts.

What is required for a certificate to be issued or revoked?

If the function of a public-key certificate is to provide evidence of the binding between the holder of a private key and his public key, then the foundational requirement is that the identification of that keyholder be correct and accurate. The nature and extent of the evidence required to support the issuance of a certificate will depend on the level of security and strength of binding required for particular applications. A signature verifier or authenticator may consider what credentials and verification techniques (Certificate Request Data) are implemented by a particular CA or CAs in its decision as to whether to trust the certificate for its purposes. These decisions are policy ones and are application-dependent.
Examples of credentials required by government departments for issuing government identification (such as passports) include: a birth certificate; marriage or change of name certificates where applicable; the full name, name at birth, date and place of birth, mother and father’s full names; signed photographs; statutory declarations of the applicant; and the statutory declaration of a guarantor, who has personally known the applicant for at least two years, who is a Canadian citizen residing in Canada, and who is a minister, signing officer of a bank, judge, police officer, school principal, professional accountant, engineer, lawyer, doctor, or notary public.

There is a policy issue of whether a CA should refuse to issue a certificate to a user, for example, with a criminal record, or at least a criminal record that might be relevant to the trustworthiness of a public key, such as convictions for fraud, forgery, personation, perjury, computer mischief, or a history of defrauding the PKI system. Another reason to revoke a certificate might be for users who have attempted to repudiate transactions based upon PKI.

There is a distinction between the certification function and the underlying transaction. A CA certifies that the person and the public key are linked. It does not certify that the transaction is legally authorized or otherwise valid.

Different considerations apply in the certification of subordinate CAs or in cross-certifying CAs because they must inherently be trustworthy and financially able to bear liability in order for others to justifiably rely on the representations they make in their certificates. The Utah draft legislation requires considerable reporting of the financial stability of the CAs, and does not permit a CA to have an employee with a criminal record. The Ontario Consumer Reporting Act does not permit a credit reporting agency to have an employee with a criminal record.

Entity v. individual certification

Whether certificates should be issued to entities such as corporations or restricted to individuals is largely a question of policy to be determined with reference to the underlying transaction. For legally significant communications, corporations, unincorporated associations, partnerships and joint ventures cannot sign paper documents so as to bind the entity. Corporations and the government act through their representatives on paper as in electronic communications. The others are not considered “persons” in law capable of contracting or suing or being sued except in the personal capacity of the individual owners. Generally, there should be as little deviation from the practice in the paper world as possible, so that entities themselves cannot be signers. The question then is whether the signature to be certified should be that of the individual or of the individual on behalf of the entity. If the latter, then Certification Request Data should include the appropriate authorizations, such as directors’ resolutions or corporate by-laws in the case of private corporations, and delegations of authority in the case of government. In the paper world, the indoor management rule applies so that one is entitled to assume, in some instances, the authority of the signer, and in many cases, nothing further is required. In significant transactions, however, verifiers will require that the authority to sign be supported by appropriate documentation.

Distinguished names

When a PKI certifies a user’s public key, it must make that party’s public key known to the world. To do this, each user must have a unique name, called a “distinguished name” for PKI purposes. Individual names are governed by statute, such as the Ontario Vital Statistics Act, and Change of Name Act, and by the common law. There is no legal prohibition on two individuals having the same name. Corporate names are governed by corporate legislation.
Non-numerical names must be cleared through a name search process, which is often computerized, and there are restrictions on the names which may be used. Numerical names are usually assigned. For a name to be approved, it must not be the same as or similar to the name of a known body corporate, trust, association, partnership, sole proprietorship or individual, or to the known name under which any of them carries on business or identifies itself, if the use of the name would be likely to deceive.4 Both the Ontario and the Canada Business Corporations Acts require that “a corporation shall set out its name in legible characters in all contracts, invoices ... and orders for goods or services issued or made by or on behalf of the corporation. ...”5 The likelihood of deception or confusion in relation to similar names is also addressed by the law of trademark.

Refusal to certify
The administrative law rules of procedural fairness could apply to a refusal to certify. Rules of fairness could require the PKI to notify the applicant of its intention not to certify, to provide the applicant with the reasons for so doing, and to give the applicant an opportunity to make representations.

Revocation of a certificate
Who can request the revocation of a certificate? Only a CA can revoke a certificate. A CA may revoke a certificate either on its own initiative, upon request of the user whose public key was certified, or upon request of a verifier or third party. With respect to requests for revocation by users, there are two main concerns. The first is the possibility that the user may make the request in order to sabotage a transaction. The second is that someone else may be impersonating the user in order to sabotage a transaction. A request must therefore be accompanied by sufficient authenticating information for the CA to make an informed decision as to the identity and authorization of the person making the request.
The rules of procedural fairness must be considered in revoking certificates. Where a CA revokes a certificate for reasons other than the request of the user, it may be necessary to notify the user of its intention to revoke, or of its revocation of the certificate, to provide the user with the reasons for so doing, and to give the user an opportunity to make representations.

Push or pull revocations of certificates?
There is a policy issue as to whether revocations should be “pushed” out to all users, in other words, whether all users should be notified of a revocation, or whether it will be up to each user to take an active step to “pull” revocations from a central directory. Pushing revocations is more effective notice. Requiring users to pull revocations is much less expensive. A pull model also shifts the burden of checking onto the verifier: a verifier relying on an out-of-date copy of the revocation list has, in effect, received no notice, so each published list should state when the next one is due.

Timeliness and availability of notices of revoked certificates
Policy decisions have to be taken regarding how timely notices of revocation have to be, and how they will be made available and to whom. The concern here is how those decisions will be made, and who will make them. It may not be feasible to do a cost/risk analysis for every transaction, and the decision-making mechanisms of government users may not yet exist, or be structured, to do so. Michael Baum has suggested that co-signatures and confirmations of signatures may be employed to mitigate the risks.6

Reason codes
The standard forms for certificates, hold notices and certificate revocations which are contemplated for use by the PKI may contain reason codes.

Certificate holds (suspensions)
A certificate “hold” notice suspends a certificate, indicating to potential verifiers that revocation is under consideration, for example because a revocation request has not yet been authenticated, and gives instructions to verifiers as to possible courses of action until the hold notice is either itself revoked or the certificate is revoked. Hold notices contain an expiration date, at which time they are removed from the CRL.
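The following is an added worked example, not part of the original report, modelling the checks a verifier would perform against a revocation list of the kind described in this part of section D: reason codes, a certificate hold that lapses at its expiry date, and the time-sensitivity of revocations and of the list itself. The reason code numbering is taken from X.509/RFC 5280; the hold expiry field, the sample serial numbers and the dates are constructed for illustration and are assumptions, not anything the report specifies.

```python
"""Model of certificate-status checking against a CRL that carries reason codes,
certificate holds (suspensions) with an expiry, and time-stamped revocations.
Added example; the data below is constructed, not taken from any real PKI."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional, Tuple


class Reason(IntEnum):
    """CRLReason codes as numbered in X.509 / RFC 5280 (value 7 is unused)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9


@dataclass(frozen=True)
class CRLEntry:
    serial: int
    revocation_date: datetime                   # when the CA recorded the revocation or hold
    reason: Reason
    invalidity_date: Optional[datetime] = None  # earlier point from which the key is distrusted
    hold_expires: Optional[datetime] = None     # hypothetical field: when a hold notice lapses


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime   # after this the verifier must fetch a fresher list
    entries: Tuple[CRLEntry, ...]

    def entry_for(self, serial: int) -> Optional[CRLEntry]:
        for e in self.entries:
            if e.serial == serial:
                return e
        return None


def check_signature(crl: CRL, serial: int, signed_at: datetime, now: datetime) -> str:
    """Decide, at time `now`, whether a verifier may rely on a signature made at
    `signed_at` by the certificate with the given serial.
    Returns "good", "hold", "revoked" or "stale-crl"."""
    if now < crl.this_update or now > crl.next_update:
        return "stale-crl"            # no current notice: do not rely on this list at all
    e = crl.entry_for(serial)
    if e is None or e.reason == Reason.removeFromCRL:
        return "good"                 # removeFromCRL only appears in delta CRLs; treat as cleared
    if e.reason == Reason.certificateHold:
        if e.hold_expires is not None and now >= e.hold_expires:
            return "good"             # hold lapsed without revocation; entry drops off the CRL
        return "hold"                 # revocation under consideration: defer reliance
    # The binding ends at the invalidity date when one is given (typical for key
    # compromise), otherwise at the recorded revocation time.
    cutoff = e.invalidity_date or e.revocation_date
    if signed_at < cutoff:
        return "good"                 # signature predates the end of the binding
    return "revoked"


# Constructed sample data (not from the report).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(
    this_update=T0,
    next_update=T0 + timedelta(days=7),
    entries=(
        # key compromise recorded 1 day ago, but the key is distrusted from 10 days ago
        CRLEntry(1001, T0 - timedelta(days=1), Reason.keyCompromise,
                 invalidity_date=T0 - timedelta(days=10)),
        # revocation request not yet authenticated: hold for 3 days
        CRLEntry(1002, T0 - timedelta(hours=2), Reason.certificateHold,
                 hold_expires=T0 + timedelta(days=3)),
        # routine re-key: old certificate superseded 30 days ago
        CRLEntry(1003, T0 - timedelta(days=30), Reason.superseded),
    ),
)

if __name__ == "__main__":
    for serial, signed_at, now in [
        (1001, T0 - timedelta(days=20), T0),
        (1001, T0 - timedelta(days=5), T0),
        (1002, T0 - timedelta(days=1), T0),
        (1002, T0 - timedelta(days=1), T0 + timedelta(days=4)),
        (1003, T0 - timedelta(days=29), T0),
        (9999, T0, T0 + timedelta(days=8)),
    ]:
        print(serial, signed_at.date(), "checked", now.date(), "->",
              check_signature(SAMPLE_CRL, serial, signed_at, now))
```

Two points the model makes concrete. First, `signed_at` is only as trustworthy as its source: a signer who can backdate a signature defeats the cutoff comparison, which is why the report's concern with time-stamping extends to the signature as well as to the CRL. Second, a signature checked during a hold is deferred rather than accepted even if it predates the hold, because a hold that later becomes a key-compromise revocation may carry an invalidity date earlier than the hold itself.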
A hold notice may be terminated earlier at the instance of the user, or by a revocation of the certificate. The time period must be adequate for the CA or for the user to verify the authenticity of the request or to confirm the desire to revoke. If, after investigation, the request is validated, then the issuing CA can proceed with the ordinary revocation, extend the hold notice, or issue another.

Date/time-stamping of Certificate Revocation Lists and hold (suspension) notices
CRLs and hold (suspension) notices are time-sensitive. Their utility depends on recording the date and time at which the binding between an entity's public key and identity was terminated: from that moment the entity can no longer generate valid certified signatures with the associated private key, and a verifier can no longer rely on the certificate. A signature can therefore only be judged against a revocation if the time of signing is itself reliably known.

E. Contract Liability
A PKI entering into contracts with users must take into account that the private law of contract applies, whether the PKI is operated by a federal government department or by an independent contractor. If the PKI is operated by a federal government department, its capacity to contract, and its rights and obligations, may be circumscribed by contract. Further, a federal government department must have authority to contract. Issues relating to the government's authority to contract include the following:
· Parliamentary control. The Financial Administration Act7 provides that federal government funds can only be expended when authorized by Parliament: “no contract or other arrangement providing for a payment shall be entered into for any program ... unless there is a sufficient unencumbered balance available out of the appropriation ...”8 It is a term of every contract providing for payment of money by the Crown that it is subject to an appropriation.9 However, if the appropriation is not made, the contract is still binding on the Crown.10
· Government Contracts Regulations.
These regulations impose tendering requirements and monetary limits on departments for entering into contracts, unless Treasury Board authority is received. Lack of compliance may not, however, invalidate the contract.
· Departmental statutes. A provision in a departmental statute which says that no deed or contract is binding on Her Majesty unless signed by the Minister, or by some person specially authorized in writing by the Minister, does not mean that all contracts must be in writing and signed. Rather, it means that if the contract is in writing, then it must be so signed.11
· Fees charged for services. The FAA12 and the Treasury Board Cost Recovery Policy limit discretion somewhat concerning when, and how much, to charge for certain government services.
· Ministerial authority. A Minister operating a statutorily created department has the implied authority to enter into contracts.13
· Crown prerogative. The authority to contract may, in the absence of such statutory authority and restrictions, be found in the prerogative of the Crown.
· Apparent authority. An employee with actual, apparent or ostensible authority can bind the Crown in contract.14

Breach of contract
Whether or not there is a breach of contract depends on the terms and conditions of the contract. A breach of contract by the PKI could render the Crown, or the independent contractor operating the PKI, liable in damages. Not all contractual remedies normally available to a private party are available against the Crown.

Obligation to contract
If a PKI or a CA refuses to issue a certificate, there is as yet no contract, and the PKI would not likely be held liable in contract.

Implied warranties
There are warranties in contracts for goods which are implied at common law, or imposed by statutes such as the Ontario Sale of Goods Act. Such implied warranties become part of the contract without having been agreed upon by the parties.

Remedies
Most remedies for breach of contract are available against the Crown.
Generally, the Crown cannot be compelled to perform a contract by injunction or by an order for specific performance, but an action for damages in contract will lie against the Crown. Damages are the primary remedy for breach of contract. The measure of damages is the value that performance of the contract would have had if actually performed, or, put another way, the amount needed to put the plaintiff in the position he would have occupied had the breach not occurred. Damages may include reliance damages or damages for consequential losses if they were reasonably foreseeable by the party in breach of contract. Consequential damages (for example, for lost profits) can be considerable, and out of proportion to the value of the contract or the fees charged for the service.

F. Tort Liability
In negligence law there is no rule of privity, and liability has often been found to extend to parties with whom the defendant had no previous relationship. Chapter 5 provides a discussion of tort liability and negligence principles generally, including breach of confidence and breach of statutory duty. Chapter 6 discusses liability for fraudulent and negligent misrepresentation, defamation, inaccurate information, and creating but failing to meet legitimate expectations. The law of negligent misrepresentation may also be relevant. Negligent misrepresentations are false statements made honestly but carelessly. Liability for negligent misrepresentation can exist whether or not there is a contract between the parties. (If a contract exists, however, a plaintiff would have to show that the terms of the contract do not exclude or limit the liability of the parties for the negligent misrepresentation.15) The party to whom the misrepresentation was made must have reasonably relied on that information in order for there to be liability.
Liability for actions of employees, agents and independent contractors
A person under contract (to the Crown or to a private corporation) may be an employee, an agent or an independent contractor. A business under contract (to the Crown or to another business) may be an agent (of the Crown or the other business), or an independent contractor. Whether one is characterized as an employee, agent or independent contractor affects the question of who is liable for damages in a particular circumstance. In deciding whether a person is an employee or an independent contractor, the courts look at the degree of control the Crown had over the person's work, and whether the person was carrying on his own distinct business.16 If the Crown has a significant degree of control over a person's work, and he is not really carrying on a distinct business, the person will be an employee in law, regardless of the terminology used in the contract. In deciding whether a business under contract to the Crown or another business is an agent or independent contractor, the courts look at similar factors.
Rules governing the conduct of employees, independent contractors and agents of the Crown
The conduct of Crown employees is regulated by statutes, regulations, case law and policies, for example:
· the Financial Administration Act:
  · gives Treasury Board the power to establish terms and conditions of employment for Crown employees;17
  · gives Treasury Board the power to establish disciplinary procedures;18
  · makes it an offence for a Crown employee connected with the collection, management or disbursement of public money to receive compensation or reward for the performance of any official duty, to conspire or collude to defraud Her Majesty, to wilfully make or sign any false entry in any book, or to wilfully make or sign any false certificate or return;19
  · makes influence peddling an offence;20
· the Treasury Board Government Security Policy provides for reliability checks and security clearances for Crown employees;
· the Treasury Board Conflict of Interest Code requires Crown employees to disclose actual or apparent conflicts of interest, and prohibits them from accepting or soliciting transfers of economic benefit that are not generally available to the public;
· the Criminal Code makes it an offence for a public official to accept or solicit bribes21 or to commit breach of trust,22 and removes the power to contract with the Crown from anyone convicted under section 121;23
· the Crown Liability and Proceedings Act24 prohibits the unlawful interception and disclosure by Crown servants of private communications. The Crown is liable to pay damages to the injured party, but the Crown servant is obliged to reimburse the Crown;
· Crown employees are required to take an oath of office which includes an oath of secrecy; and
· the common law imposes duties of fidelity and loyalty on employees, including Crown employees. Employees generally have a duty not to disclose information obtained in the course of their employment.
However, it may be advisable to remind them of that duty, in their terms and conditions of employment, or in a policy directive. The conduct of Crown agents and independent contractors is governed by generally applicable statute and common law, and by contract, including the Treasury Board Security and Contracting Management Standard25 which requires all contracting departments to ensure the protection of sensitive information through the entire contracting process, and includes the requirement that a written agreement be obtained with respect to the responsibilities of the parties concerning sensitive information and providing for accountability therefor. For vicarious liability to be imposed on an employer, the employee must have committed the wrongdoing in the course of his employment, and not outside the scope of his employment, or for his own account.26 In the case of Crown employees, the Treasury Board policy on Indemnification of Servants of the Crown states that a Crown employee will be indemnified by the Crown and will not be held liable in cases of negligence provided the employee acted within the scope of his employment or duties, honestly and without malice. (However, in such a case, an employee may still be disciplined, which can extend to termination of employment.) Agency and trust give rise to fiduciary obligations. A finding of a fiduciary relationship leads to the imposition of fiduciary obligations, and possible liability for their breach. The principal duty of the fiduciary is to protect the interests of the other party and to refrain from acting against the interests of the other party. The standard of care for a fiduciary is a high one, and the remedies include the right to trace funds, the imposition of a constructive trust, or restitution. 
An agency may be created expressly, by contract or by statute, or by implication from the relationship of the parties: “To the extent that any person has authority to act on behalf of another, he is that other person's agent.”27 An agent is in a fiduciary position with respect to his principal, so that, for example, confidential information acquired by him from or on behalf of his principal is the property of the principal. Agency is the relationship which exists between two persons, one of whom expressly or impliedly consents that the other should represent him or act on his behalf, and the other of whom similarly consents to represent the former or so to act.28 The agent acts as an intermediary between his principal and the third party, and his actions can result in his principal being liable to the third party, or the third party being liable to his principal. If the agent exceeds his authority, or improperly profits from it, he is liable to his principal. Both the Crown and private sector corporations may be held vicariously liable for the acts or omissions of their agents. The Crown can be bound by the unauthorized acts of an agent, provided that the acts of the agent were within the agent's actual, apparent or ostensible authority.29 The Crown's liability for the acts of a Crown agent depends to some extent on the reasonable expectations of third parties dealing with that agent.30 If a person or entity is found to be an agent of the Crown, then immunities available to the Crown are also available to the agent. For instance, the Crown is immune from statutes which do not expressly bind the Crown, and may be entitled to the benefits of the provisions of the Canada Evidence Act governing public documents. An agent is not generally liable under contracts which it enters on behalf of the Crown. A trust is a different kind of fiduciary obligation.
“A trust is a relationship under which one party, the trustee, holds property for the benefit of another party, the beneficiary.”31 The trustee has a variety of duties and obligations towards his beneficiary which, if not fulfilled, expose him to liability towards the beneficiary.

Contractors
The Crown is not responsible for the conduct of an independent contractor. However, the Crown and the independent contractor may in some circumstances be held jointly liable if there is contributory negligence.

G. How can PKI liability be limited?

Example of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) User Handbook
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) operates a secure network that banks have set up to handle international transfers of money. SWIFT sets out its liability rules in its User Handbook. The handbook states that SWIFT is not liable for any segment of the teletransmission not directly under its control, but is responsible for the maintenance of security in the part of the system that it does control. In particular:
· it is not responsible for loss or damage caused by technical failure or force majeure;
· it is not responsible for an unauthorized transaction unless the victim proves it could not reasonably have assumed the validity of the transmission;
· it is not responsible for unauthenticated payments or transfers, for the negligence of the user or a lack of cooperation between users, or for failure of users to follow Handbook procedures when such failure is an essential element in the events leading to the loss or damage incurred;
· it is liable for its negligent acts, errors or omissions in failing to perform services and to maintain the security procedures described in the Handbook; and
· it is liable for the fraud of its employees, subcontractors and third parties when acting within the area under its control.
With respect to the latter, SWIFT is responsible only if it could not have reasonably assumed the validity of the message, or if the fraud was made possible by its failure to follow its own security procedures. If it is found negligent or liable for such fraud, it will only be liable for users' direct losses or damages, such as the non-recoverable loss of funds in the transfer and loss of interest. The SWIFT rules are modelled on the Hague Rules for maritime carriers and espouse the principle that, as a carrier, “it must be shielded against losses likely to cripple the carriage enterprise.”32

Limiting liability through effective secure technologies and procedures
Employees pose the greatest risk to the PKI, since they have the knowledge, the access and sometimes the incentive to breach security, through unauthorized disclosure of confidential information, unauthorized access to or use of telecommunication facilities, or theft, destruction or alteration of information. In the U.S., bonding of PKI employees is being considered. The Canadian federal government does not generally bond its employees, because it self-insures and because the reliability check/security clearance process provides evidence of the reliability of employees. Consideration must be given to the policies and procedures with respect to the life of a public key certificate, whether it can be renewed and, if so, whether an abbreviated procedure ought to be adopted for renewal. Publication of policies can create expectations. Both the law of contract and the law of tort operate to enforce the reasonable expectations of parties. In tort law, the published policies will help define the standard of care to be met by the participants.

Exclusion clauses generally
Exclusionary clauses will be carefully scrutinized by the courts. This is particularly so where the contracts are not negotiated, but are accepted by conduct or by the signing of a standard form agreement.
The contra proferentem rule provides that exclusionary clauses are strictly interpreted against their author. Any words that are ambiguous are to be construed in the way least favourable to the party relying on them.33 This rule is applied even more rigorously when the clause purports to exclude, as opposed to limit, liability. Clear words must be used to successfully exclude liability. The doctrine of fundamental breach of contract may render an exclusionary or limitation clause ineffective. Such a clause will not be construed to apply if “the person benefitted by the clause creates a situation that is radically different from that contemplated by the agreement as a whole - ‘outside the four corners of the contract’ ...”34 In Canada, this rule is subject to the expressed intention of the parties,35 but lower courts continue to strike down clauses where the breach is such that the very thing contracted for was not provided or performed. Exclusionary clauses will not be enforced if they are found to be unconscionable. A finding of unconscionability most often occurs in cases where the parties have unequal bargaining power, and is rare in a commercial context.

Liquidated damages clauses
Liquidated damages clauses stipulate in advance the amount for which a party will agree to assume liability. In Quebec, liquidated damages clauses are valid. In the common law provinces, the amount must be a genuine pre-estimate of the loss that would be caused by the breach in order for the clause to be enforceable.36 The Utah draft legislation proposed “reliance limits” of stipulated monetary amounts for its CAs, such that a user chooses its CA by determining whether the particular reliance limit will adequately compensate it for its loss.
EDI Council of Canada Model Trading Partner Agreement
The Electronic Data Interchange Council of Canada Model Trading Partner Agreement attempts to overcome the legal impediments to contracting through EDI by means of agreement between the parties concerning security, allocation of liability for breaches of security, confidentiality, authenticity, integrity and non-repudiation. It does not contemplate the use of digital signature, but requires confidentiality of information and obliges the parties to exact similar undertakings from personnel. Authorization is achieved by placing the onus on each party to establish proper security and access controls, and by a warranty by the sender that the document is duly authorized and is binding on it. Liability is allocated for unauthorized transactions. The sender has the ability to control access, and thus bears the risk of unauthorized access. The receiver is entitled to rely on the transmission as having been authorized. Authentication is achieved by the incorporation into each message of “criteria permitting the Receiver to verify that it is an authentic Document of the Sender.”

Contributory negligence/obligation to mitigate
In contract, the party complaining of a breach is obliged to mitigate his damages, which means he or she must take reasonable steps to reduce the total damages. In tort law, liability may be apportioned between the plaintiff and the defendant if the court finds that the plaintiff was contributorily negligent.

Self-insurance/liability funds
The Crown is self-insured. Commercial insurance is another option, but at the time of writing no such insurance is available, or expected to be available in the near future, until the industry has a track record and the risks are known.

Statutory models relevant to limiting liability of a PKI
The Ontario Ministry of Community and Social Services Act37 contains a statutory limitation of liability.
The Ontario Consumer Reporting Act, which governs credit reporting agencies, contains registration, financial responsibility, accuracy and fairness, and confidentiality requirements, and provides for the introduction into evidence of certificates. The Ontario Business Corporations Act38 provides that a certificate of incorporation is conclusive proof of incorporation. The Canada Business Corporations Act contains provisions:
· entitling the Director to require a corporation to change its name;
· protecting corporations from duties owed to third parties by registered holders of the corporation's securities;
· setting out the credentials required for a person to become a registered holder of a security;
· making signatures admissible and prima facie genuine and authorized;
· making an issuer liable for loss due to a delay, failure or refusal to register a transfer;
· permitting a security holder alleging a wrong entry or deletion to apply to a court for rectification and compensation;
· setting out appeal rights for a refusal to file documents;
· making it an offence to provide false information;
· providing for the admission of certificates as proof of the facts certified without proof of the signature or office of the person signing them; and
· requiring the Director to issue a certificate of incorporation on the receipt of articles in the prescribed form.
In the Canada Business Corporations Act, while there is no provision for, or exclusion of, liability for losses caused by an error, there is no record of any action against the Director for such losses. It should be noted that the Director can revise a certificate retroactively, which could reduce losses.
The Bank Act:
· requires the Superintendent to issue a receipt on the filing of a prospectus unless it appears to him that the prospectus fails substantially to comply with the Act or contains a misrepresentation or misleading statement;39
· provides that a prospectus must contain a certificate signed by the CEO and chief financial officer of the bank to the effect that “according to the person's information, knowledge and belief, the disclosure required in the prospectus has been provided;”40
· entitles a bank to rely on any information contained in certain disclosures, and “no action lies against the bank ... for anything done or omitted in good faith in reliance on any such information;”41
· provides that a certificate issued on behalf of a bank stating any fact set out in its constating documents is, “in the absence of evidence to the contrary, proof of the facts so certified without proof of the signature or official character of the person appearing to have signed the certificate;”42 and
· provides that an entry in the securities register of a bank is evidence that the person in whose name the security is registered is the owner of the securities described in the register.43
The State of Utah's draft “Digital Signature Verification Act,” under consideration by the Utah legislature in January 1995, has been used as a model for other states. Utah was of the view that:
· legislation was necessary to deal with certain concerns in digital signature and public key certificates; and
· legislation was the only way to create a rebuttable presumption that a digital signature linked, in a valid certificate, to a public key verifying the signature is a signature, unless the parties have otherwise agreed in their particular transaction.
The Utah legislation:
· does not make uncertified digital or electronic signatures invalid; and
· for public-key-certified digital signatures, shifts the burden of proof to the party who denies the authenticity of the signature.
To establish the prima facie authentication of a digital signature, a party need only show the verification of it by reference to a valid certificate issued by a CA having certain indications of reliability. Thus, if a person finds the certificate in a directory, the certificate identifies the signer as the holder of the public key, and the verifier has applied the public key to the digital signature to validate it, then the signature is considered valid. The presumption attaches only to a valid certificate, so a verifier who wishes to benefit from it must also establish that the certificate had not been revoked or suspended at the time of signing, which is why the revocation notices discussed in section D bear directly on the weight of the signature. California is considering adopting a modified version of the Utah legislation which apparently will emphasize the security of private keys held by government employees. In addition, there are approximately 20 states in the U.S. with certification authority bills before their legislatures.

Policy considerations re: how and how much to limit liability
The extent of potential liability the federal government is willing to accept is a policy decision to be discussed by the PKI working group, and ultimately to be made by the federal government.

H. Other legal issues relating to the operation of a PKI

Admissibility of electronic records
One of the purposes of introducing public key/private key encryption and the public key infrastructure is to create the conditions necessary for a presumption that messages using this technology come from the sender, have not been altered, and cannot be repudiated by the sender. In Chapter 9, we reviewed the broader question of whether electronic messages constitute “writing”, “signature” and a “record” for statutory purposes, and concluded that they probably do, although we noted that the question is not entirely without doubt. In their text Information Technology and the Law (2nd ed., 1990), Edwards, Savage and Walden state at p. 240 that, under the law in the United Kingdom, a signature has been regarded by the courts as including a rubber stamp with a facsimile signature, a thumb print and, more simply, initials.
They go on to suggest:
  It would seem reasonable to presume therefore that the various forms of electronic authentication (e.g. encryption/digital signatures) would be viewed by the courts in a positive light.

PKI subject to record-keeping and confidentiality requirements
There are a variety of transactions which may be supported by the PKI, with a variety of recordkeeping and record retention requirements. The National Archives Act44, Canada Business Corporations Act45, Bank Act46, Income Tax Act47, Unemployment Insurance Act, Canada Pension Plan Act and Financial Administration Act48 impose various record retention requirements on citizens, businesses and government departments. In addition, users may want to retain records for a number of years to protect themselves in the event they are sued, or to prove ownership of property. Because of these requirements, signature verification or decryption may be required many years after the original transaction occurred, which means that the certificates, revocation notices and keys needed to verify or decrypt must themselves be retained for as long as the records are. Given the variety of transactions which will be supported by the PKI, the PKI can:
· establish a baseline period, and place the onus on the user to request a longer or shorter period of retention;
· consult each user department to determine the retention period it requires; or
· provide notice to the user of the expiration of the retention period, prior to destruction or transfer of the record, thereby giving the user the opportunity to re-assess its requirements.
In addition, the Government Security Policy and various federal statutes, such as the Access to Information Act, the Privacy Act, the Bank Act, the Criminal Code, the Charter of Rights and Freedoms, the Crown Liability and Proceedings Act and the Canada Evidence Act, require that federal government information not be disclosed except as authorized.
One of the functions of the PKI is to assist in protecting the confidentiality of information through the use of confidentiality encryption, and in providing secure means by which keys for confidentiality encryption may be distributed, as part of a security program designed to protect designated information. The PKI will have to comply with applicable legislation governing the protection and disclosure of information in providing the following services:
· the collection and storage of personal identification information;
· the issuance or posting of public key certificates;
· the issuance or posting of attribute certificates;
· the generation of private keys;
· the archiving of private keys;
· the provision of directory services, either open or secure, in terms of posting of certificates, certificate revocations or holds, etc.;
· audit, archives and record-keeping services;
· general security services such as access controls, which may provide an expectation of privacy of the underlying message; and
· provision or supervision of algorithms or seed keys.
Most of the obligations and concerns arise if the PKI is a federal government operation, in which case information provided to a PKI will be “under the control of a government institution”, and therefore:
· information will be subject to disclosure under the Access to Information Act (except with respect to records not subject to that Act, such as published information and cabinet confidences), but various exemptions under the Act will likely protect much of the information from being disclosed, especially information the disclosure of which would likely be financially injurious to a third party or to the government, or where the encrypted information would be exempt under another part of the Act (such as advice to government, information obtained in confidence from another government, and so on);
· the Privacy Act will prohibit the PKI from disclosing personal information provided to the PKI, without the consent of the individual concerned, unless the disclosure falls within one of the 13 authorized disclosures under s. 8 of the Privacy Act; and
· the head of the government department responsible for the PKI will be required by the Privacy Act to establish a personal information bank listing all personal information.
If the PKI is not operated by the federal government, but instead is contracted out to a truly independent contractor:
· the federal Access to Information Act and Privacy Act will not apply, unless the wording of the contract makes those Acts apply or unless a court holds that there was illegal contracting out of the Acts (the Privacy Commissioner has long argued that the federal government should not hire independent contractors to conduct workplace harassment investigations or to receive and analyze anonymous employee feedback about their managers);
· provincial legislation governing how provincial and municipal governments deal with information will not apply, although the province of Quebec has privacy legislation specifically applicable to the private sector;
· provincial consumer protection legislation which protects some consumer information may also apply, depending on who the private sector provider is; and
· it would be up to the contracting department to ensure that the Government Security Policy is complied with.

Contracting out the PKI operation would only take the PKI outside the Access to Information Act and the Privacy Act if the contractor was truly independent. The existence of a contract is not sufficient to ensure that the contractor would be considered by the courts to be independent. Depending on the facts, a court could find that the contractor was a Crown agent, in which case the same law that applies to a federal government PKI would apply to the contractor. Moreover, as a matter of policy, the government could insist through contractual agreement that information provided to the independent contractor will be subject to the Access to Information Act and Privacy Act. Even if the contract simply provides the government a right of access to information acquired by the contractor for the purposes of the contract, that is likely enough to bring that information under the control of the government and therefore subject to the Acts.
PKI and the law of common carriers

The Telecommunications Act governs “telecommunications common carriers.” Telecommunications common carriers are persons who “own or operate a transmission facility to provide telecommunications services to the public for compensation” and “telecommunications services” are services “provided by means of telecommunications facilities.” “Canadian Carriers” are telecommunications common carriers subject to the legislative authority of the Act. The Telecommunications Act is binding on Her Majesty in right of Canada. Most Value Added Networks (VANs) do not fall under the Telecommunications Act because they do not own or operate the transmission facilities themselves.

The Telecommunications Act49 gives Cabinet the power to make regulations respecting limitation of liability of Canadian carriers, and provides that “no limitation of a Canadian Carrier’s liability in respect of a telecommunication service is effective unless it has been authorized or prescribed” by the Canadian Radio-television and Telecommunications Commission.50 The federal Parliament may be able to exclude the operation of the Telecommunications Act by legislation.51 Some independent contractors, such as Bell Canada, are subject to the Telecommunications Act, while others, such as provincial telephone companies, are not. Whether an entity is subject to the Telecommunications Act depends on the particular services being provided and is determined by an application to the CRTC.

Intellectual property issues

A California partnership, Public Key Partners (“PKP”), has made claims that it has, in effect, “patented” public key/private key technology. PKP holds Canadian patents for:
1. the Hellman, Diffie, Merkle cryptographic apparatus and method invention (Cdn. patent no. 1,121,480);
2. the Hellman, Merkle public key cryptographic apparatus and method invention (Cdn. patent no. 1,128,159); and
3. the Hellman, Pohlig (exponentiation cryptographic apparatus and method) invention (Cdn. patent no. 1,152,592);
and U.S. patents for:
· the above three Hellman patents (U.S. patent nos. 4,200,770; 4,218,582; and 4,424,414 respectively);
· RSA - the Rivest Shamir Adleman cryptographic communications system and method invention (U.S. patent no. 4,405,829); and
· the Schnorr “method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system” invention (U.S. patent no. 4,995,082).

In addition to PKP’s patents, the U.S. government holds the patent for the Digital Signature Algorithm (Kravitz) (U.S. patent no. 5,231,668; Cdn. patent no. 2,111,572). There may be other patents which will affect the PKI. Intellectual property issues will have to be addressed by the PKI.

Competition and restraint of trade implications

The Competition Act attempts to prevent unfair trade practices or practices that would unfairly reduce competition between potential goods and services providers. The Act applies expressly to agents of the Crown.52

Minimum requirements for electronic transactions

At present, there are few standards by which to measure a digital signature certified under a PKI. The Uniform Rules of Conduct for Interchange of Trade Data by Teletransmission (UNCID Rules) are one of the few standards which exist, and it is thought that they could become baseline rules of practice for international electronic trade. The Rules relate only to the use of EDI in electronic contracts, but are relevant because they are based on the principle that adequate security can fulfil legal requirements for formalities and evidentiary purposes. The Rules have been summarized as requiring users of EDI to:
1. abide by chosen EDI standards;
2. communicate with care;
3. ensure messages are not altered without authority;
4. properly identify themselves in messages;
5. acknowledge or confirm good receipt upon request;
6. take remedial action if a received message is not in good order or has been wrongly delivered;
7. maintain the security of protected data;
8. keep an unchanged log of exchanged data;
9. designate a person to certify the log; and
10. refer questions of interpretation of the Rules to the ICC.53

The use of confidentiality encryption and digital signature, supported by a PKI, would clearly meet the requirements of the Rules with respect to integrity, identification, and confidentiality.

Constitutional law

A PKI established and operated to support the operations of the federal Government appears to present no constitutional difficulties. The jurisdiction of the federal Crown to legislate in relation to its internal operations falls within the peace, order, and good government clause of the Constitution Act, 1867. Eventually, if there is a desire to expand the PKI to create an integrated PKI system across Canada, serving more than the federal government’s needs, and if it is desirable to do this through legislation, there are a number of federal powers which could support such legislation, such as federal jurisdiction over interprovincial trade and commerce, interprovincial telecommunications, interprovincial works and undertakings, various powers over money and the general peace, order and good government power. However, any move in that direction would require further legal advice, possibly provincial consultation and probably a proven federal government PKI model.

Arbitration and Alternative Dispute Resolution

Dispute resolution can be carried out through negotiation, mediation, or arbitration, or through resort to a tribunal or court. Legislation is not required for dispute resolution by any of these means; however, it could be required to establish a tribunal responsible for PKI disputes.
The Treasury Board Policy on Information and Administrative Management, Contracting Volume, “Guidelines”54 deals with the use of negotiation, mediation and arbitration for the resolution of disputes arising out of contracts in specified circumstances. Provision for arbitration may be made in the contract between the parties, or may be agreed to later at the time of a dispute. Any arbitration to which the Crown may be a party would be subject to the Commercial Arbitration Act and the Commercial Arbitration Code.

I. Issues for deciding whether or not to establish a PKI

Establishing and investing in a PKI involves weighing a variety of policy factors, including the liability exposure and other legal issues described above, the cost of the technology and ongoing infrastructure support, and privacy concerns. Below is a summary of arguments for and against the government establishing a PKI.

Arguments in favour of the establishment of a PKI are as follows:
· it provides high integrity public key distribution to support both digital signature and confidentiality encryption, thus ensuring compliance with Government policies;
· it makes key distribution for a large number of users practical and secure;
· in a system where communicating parties are complete strangers, it:
  · provides assurances to the recipient (or verifier) that the public key which it uses to verify the message does indeed belong to the purported signer, and
  · that the message can be accorded some well defined weight in the eyes of established legal systems;55
· it can facilitate proof, both of underlying transactions and of signatures, and of securing the admission of computer evidence and convincing a court of its probative value;
· it can reduce the risk of forgery and fraud, assuming that the security systems of participants are capable of adequately protecting the private key and integrity of communications at all stages;
· it meets the demand of departmental user groups for a PKI, thereby offering the opportunity to establish consistency in policy and use throughout the government, and greater use of electronic commerce and other transactions, with consequent cost-savings and service and security improvements;
· it supports the federal government’s policy objective of protecting individual privacy by ensuring confidential information supplied to the government stays confidential and, if the PKI expands to provide services to Canadians for their own dealings, provides them with encryption tools to assure their own privacy;
· it is part of the role of the federal government in establishing a foundation for the infrastructure for the information highway;
· it allows the federal government to fulfil a role in establishing Canadian security standards for the industry and trade in Canada;
· it is consistent with the role of the federal Government as an OECD participant, effecting the objectives of the OECD Guidelines in establishing policy standards and laws to promote security standards in computer communications, and public acceptance of telecommunications;
· the advent and existence of private sector and U.S. Government public key infrastructures, both national and state, may create industry practices and certification requirements with which the federal Government will have to comply.

Arguments against the establishment of a PKI are as follows:
· in the paper world, formalities of documentation are being dispensed with, in statute of frauds, sale of goods, land registration, and provincial offences legislation;
· a PKI will not eliminate the legal requirements for the underlying transactions. Offers and acceptances, for example, will still have to be proven, and issues such as whether the mailbox exception or the general rule of instantaneous communications applies will still have to be dealt with;
· if a court insists that a requirement for ‘writing and signature’ can only be fulfilled by a handwritten signature, then regardless of whether the signature is electronic, digitized, digital, or certified public key digital, it will be rejected;
· if a court is convinced of the functional equivalency of a digital signature, or that a signature need not be handwritten to constitute a legal signature, then a digital signature, without the support of a certificate, may provide authentication, security, integrity, adequate non-repudiation, and possibly authorization;
· failing to anticipate advances in technology may render the infrastructure redundant;
· a PKI may be too costly given the costs of the technology and ongoing infrastructure support, fiscal restraint and competing demands for scarce resources;
· a PKI may create a risk to privacy because the technology makes it possible to recreate or retain the public key/private key pair by someone other than the individual user.

To conclude, the necessity of a PKI is largely based on policy, on developing industry standards, and on practical necessity. For high risk transactions, such as electronic funds transfers, the digital signature and the PKI will reduce the risk of irrecoverable losses. However, it must be noted that the establishment of a PKI will create other legal issues which will have to be resolved.

J. Recommendations

The following recommendations constitute legal advice about the best way to establish a PKI (and express no view on the policy considerations of whether or not a PKI should be established).

1. Omnibus legislation, such as amendments to the Canada Interpretation Act and the Canada Evidence Act, is desirable, to provide greater certainty in the area of electronic commerce and record-keeping generally, and the area of digital signature specifically. Omnibus legislation is more efficient than department-by-department legislation, and would achieve consistency, which is desirable for government and industry. However, omnibus legislation may be politically more difficult to achieve than department-by-department amendments. A comprehensive review at the departmental level of all federal legislation is also desirable, to amend statutes which do not expressly contemplate electronic commerce and recordkeeping, the digital signature or a public key infrastructure, where applicable.

2. Infrastructure decisions have to be made at the outset. The legal liability implications of a PKI can only be formulated with any degree of certainty when the legal mechanisms for implementing the PKI are known. These decisions depend on:
· whether the PKI is to be entirely a government operation;
· whether all or some CA services are to be contracted out, and if so, to whom;
· if so, the degree of control that the root will or wishes to retain, and conversely, the degree of independence which it is willing to relinquish to non-government CAs; and
· the degree to which the government wishes to “follow through” with issues that arise by virtue of the creation of a PKI, such as the definition of what constitutes a signature, the difference between a certified digital signature and an uncertified digital signature, what representations are intended to be made in a public key certificate, whether the certificate should make such representations, and whether it is desirable to establish legal presumptions of the validity and evidentiary value of public key certificates.
If the PKI is to be entirely a government operation, then memoranda of understanding, Treasury Board policies and PKI policies can dictate when digital signatures and confidentiality encryption are to be used, when public keys must be certified, when time-stamps should be required, when on-line CRLs must be checked, how to determine what security level of certificate is required for the transaction, and apportionment of liability amongst departments. Contracts and PKI policies would be required for relations with non-Governmental entities. If PKI services are to be contracted out, then policies, contracts, or statute, or all three, will be required. The policy decision regarding the degree of control that the root CA will retain will determine the extent to which an independent contractor will be required to relieve the Crown of liability. Legal advice will be required throughout the process of establishing a PKI.

3. Once the infrastructure is decided upon, even if only in preliminary form, then more precise and concise legal advice can be provided as to the means by which the stated objectives of the PKI can be achieved and the degree of certainty of result which they are capable of providing.

A PKI is necessitated more by practical considerations than by legal requirements, but once established, it may serve to reinforce the validity, efficacy and evidential value of electronic transactions having legal implications or significance. The federal Government is in a privileged position. It has the ability to govern and regulate its liability and that of others, and it has the influence to establish standards for security, conduct, and practice with respect to electronic authorization and authentication, and the protection of designated information for Canada. The opportunity therefore exists for creative structuring to limit or apportion liability and to facilitate the reliable communication of electronic messages and transactions.
ABBREVIATIONS

ATIA - Access to Information Act
BNR - Bell Northern Research
CA - Certification Authority
CRD - Certificate Request Data
CRL - Certificate Revocation List
CSE - Communications Security Establishment
EDICC - Electronic Data Interchange Council of Canada
FAA - Financial Administration Act
LRA - Local Registration Authority
MN - Management Node
PA - Privacy Act
PKI - Public Key Infrastructure (also called the Canadian Electronic Key Management System)
PMA - Policy Management Authority
TA - Telecommunications Act
UNCID - Uniform Rules of Conduct for Interchange of Trade Data by Teletransmission

O:5600-12.117

ENDNOTES

1. A good source of information is Michael S. Baum, Federal Certification Authority - Law and Policy of Certificate-Based Public Key and Digital Signature, U.S. Dept. of Commerce NIST GCR-94-654, June 1994, p. 48.
2. The Utah bill provides that in the event of cessation of certification authority activities, the CA
· must give notice to subscribers;
· must unilaterally revoke all certificates and pay restitution;
· may arrange for reissuance of certificates by a successor CA; and
· must notify the Digital Signature Agency of its intention to cease acting as a CA.
Some of the above requirements are subject to contract. The Utah bill also provides for the death or disability of a CA, but is not clear on who keeps the records of a discontinued CA.
3. See s. 24 and Schedule II of the Access to Information Act for a partial list of other statutes limiting the use of information. Schedule II is a list of statutory provisions that apply notwithstanding the Access to Information Act.
4. Ontario Business Corporations Act, s. 90.
5. See s. 10 of both statutes.
6. p. 69. Note that the wrongful revocation of a certificate, or the reliance on a revoked certificate, may not be the only contributing cause of any injury or loss. The revocation of a certificate does not necessarily mean that the digital signature is invalid or ineffective, so that other evidence may be adduced to prove authentication and non-repudiation.
7. section 26
8. subsection 32(1)
9. section 40
10. The Queen v. Transworld Shipping Ltd. (1975), 61 DLR (3d) 304 (FCA)
11. The Queen v. Transworld Shipping Ltd. (1975), 61 DLR (3d) 304 (FCA)
12. section 19
13. The Queen v. Transworld Shipping Ltd. (1975), 61 DLR (3d) 304 (FCA)
14. R. v. CAE Industries Ltd. (1985), 20 DLR (4th) 347 at 373 (FCA); leave to appeal to SCC refused 20 DLR (4th) 347n
15. Central & Eastern Trust Co. v. Rafuse (1986), 37 CCLT 117 (SCC)
16. Wiebe Door Services v. MNR (1986), 70 NR 214 (FCA)
17. section 7
18. section 11
19. section 80
20. section 81
21. section 121
22. section 122
23. subsection 748(3)
24. sections 16 - 22
25. ch. 2-5
26. General Engineering Services Ltd. v. Kingston and Saint Andrew Corp. (1988), 3 All E.R. 867 (P.C.) at p. 869
27. F.R. Batt, The Law of Master and Servant, 5th ed. 1967, p. 9.
28. Investors Syndicate Ltd. v. Versatile Investments Inc. (1983), 73 CPR (2d) 107 (Ont. CA), referring to Bowstead on Agency, 14th ed. (1976), p. 1
29. Canadian Laboratory Supplies Ltd. v. Engelhard Industries of Canada Ltd. (1979), 97 DLR (3d) 1 (SCC); Rockland Industries Inc. v. Amerada Minerals Corp. (1980), 108 DLR (3d) 513 (SCC)
30. S.M. Waddams, The Law of Contracts, 3rd ed. 1993, p. 167
31. P. W. Hogg, Liability of the Crown, 2nd ed., Carswells 1989, at p. 186
32. Kozolchyk, “The Paperless Letter of Credit and Related Documents of Title,” 1992, 55 L. Contemp. Prob. 39, pp. 55-58
33. Cheshire & Fifoot, Law of Contract, 12th ed., Butterworths, 1991, p. 164.
34. S.M. Waddams, The Law of Contracts, 3rd ed. 1993, p. 316.
35. See, for example, Hunter Engineering Co. v. Syncrude Canada Ltd. (1989), 57 DLR (4th) 321 (SCC); Knowles v. Anchorage Holdings Co. Ltd. (1964), 43 DLR (2d) 300 (BCSC); and GM v. Kravitz, [1979] 1 SCR 790.
36. H.F. Clarke Ltd. v. Thermidaire Corp. Ltd. (1975), 54 D.L.R. (3d) 387, [1976] 1 S.C.R. 319
37. subsection 4(3)
38. section 7
39. section 278
40. section 279
41. subsection 504(2)
42. subsection 553(2)
43. section 554
44. subsection 5(1)
45. sections 20 and 22
46. sections 238, 239, 246; see also sections 243 and 245
47. section 230; IT Regulation 5800; Information Circular 78-10R2
48. section 9, subsection 17(3), sections 52 and 65
49. paragraph 22(h)
50. section 31
51. In R. v. Eldorado Nuclear; R. v. Uranium Canada Ltd., [1983] 2 SCR 551, the Court held that the Crown’s contractor was entitled to the Crown’s immunity from a statute notwithstanding that it did not meet the common law test of agency of de jure control because the “immunity extends to those acting on behalf of the Crown.” But see Alta. Government v. CRTC (1985), 17 Admin. L.R. 190 (FCA)
52. section 2.1
53. Benjamin Wright, The Law of Electronic Commerce - EDI, Fax and E-mail: Technology, Proof, and Liability, Little, Brown and Co. 1991, p. 237
54. paragraph 12.8
55. F. Sudia, “The Role and Function of Certifying Authorities - a simplified Preamble”, Aug. 1, 1994