The primary intent of the Digital Signature Act 1997 is to regulate the use of digital signatures and to provide for matters connected therewith.
We start with the privacy implications of digital signatures in general. A digital signature is a 'message digest' encrypted using the sender's private key.
The recipient recomputes the message digest from the message they receive and uses the sender's public key to recover the digest contained in the signature. He can then compare the two results to satisfy himself not only that the contents of the message received are the same as those sent (data integrity), but also that the message has been sent by the purported sender (sender authentication) and that the sender cannot later deny having sent the message (non-repudiation). Digital signatures are subject to a form of 'spoofing' by the creation of a bogus public key that purports to be that of a particular person. To address that risk, a certification authority (CA) has the duty to certify that a public key is that of a particular person. The current practice is to use separate key-pairs for encryption of message content and for digital signatures. The OECD encryption guideline states that this distinction should be taken into account in the development of national policies on access to keys.
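The digest, sign and verify steps and the bogus-key risk described above, shown as an added example that is not part of the original text. It assumes textbook RSA over small fixed primes purely for illustration; the names, messages and keys are constructed, and real systems use a vetted library with padded signatures and far larger keys.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys below (assumption)

def make_keypair(p, q):
    """Textbook RSA key-pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    """SHA-256 message digest, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)  # digest transformed with the private key

def verify(message, signature, public):
    n, e = public
    # Recompute the digest from the received message and compare it with
    # the digest recovered from the signature using the public key.
    return pow(signature, e, n) == digest(message, n)

def binding(name, public):
    """The statement a CA certifies: this name owns this public key."""
    return f"{name}|{public[0]}|{public[1]}".encode()

def certify(name, public, ca_private):
    return sign(binding(name, public), ca_private)

def check_certificate(name, public, cert, ca_public):
    return verify(binding(name, public), cert, ca_public)

# Constructed demo keys from known Mersenne primes (far too small for real use).
M89, M107, M127 = 2**89 - 1, 2**107 - 1, 2**127 - 1
alice_pub, alice_priv = make_keypair(M127, M107)
ca_pub, ca_priv = make_keypair(M127, M89)
bogus_pub, bogus_priv = make_keypair(M107, M89)  # key falsely presented as Alice's

msg = b"Pay 100 to Bob"                      # constructed message
sig = sign(msg, alice_priv)
alice_cert = certify("alice", alice_pub, ca_priv)

# A signature made with the bogus key verifies against the bogus public key,
# so the recipient must check the CA's certificate before trusting any key.
forged_msg = b"Pay 9000 to someone else"     # constructed message
forged_sig = sign(forged_msg, bogus_priv)
```

The signature check alone cannot tell the recipient whose key it is; only the certificate check, made against a CA public key the recipient already trusts, rejects the bogus key.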
The first concern is how private keys are generated. For security reasons, it is essential that key generation is undertaken entirely under the control of the individual concerned, and that the private key never leaves the possession of that person without strong security precautions being taken. If any other approach is used, serious privacy and security issues arise because there is an opportunity for the individual to be convincingly impersonated. The second concern relates to how private keys are stored and backed up, and how back-up copies are stored. In most cases, other organizations are involved and therefore the private key must be subject of