18 November 1997
Source:
http://www.iccwbo.org/guidec2.htm
GUIDEC
General
Usage
for
International
Digitally
Ensured
Commerce
Restrictions
The GUIDEC is a copyrighted work of the ICC. It is a work product of the ICC developed by the Information Security Working Group of the ECP.
The GUIDEC may only be reproduced for personal, educational or research purposes. All reproductions of the GUIDEC must be made in its entirety and must contain this section on restrictions. Any copy made should mention the ICC as the owner of this work.
There may be no use of the GUIDEC, or any part thereof, for commercial purposes without the express written consent of ICC Publishing S.A.
(c)1997 International Chamber of Commerce
All rights, including the right of reproduction in any form, reserved.
This General Usage for International Digitally Ensured Commerce (GUIDEC) has been drafted by the International Chamber of Commerce (ICC) Information Security Working Party, under the auspices of the ICC Electronic Commerce Project. The ICC Electronic Commerce Project is an international, multidisciplinary effort to study, facilitate and promote the emerging global electronic trading system. Existing ICC Commissions participating in the Electronic Commerce Project include the commissions on Banking, Air Transport, Maritime and Surface Transport, Computing, Telecommunications and Information Policies, Commercial Practices, Financial Services and Insurance to provide a globally comprehensive approach to implementing digital commerce.
The Electronic Commerce project brings together leading corporations, lawyers, information technology specialists, government representatives and industry associations world-wide to focus on pivotal issues in digital commerce. Electronic Commerce working groups have been formed to examine specific critical issues in the context of digital commerce.
The proposal to develop international guidelines was raised at the ICC in November 1995 in the context of ICC work on the legal aspects of electronic commerce and on the establishment of an international chain of registration and certification authorities.
Upon examination, the ICC and its Electronic Commerce Project determined that the issues involved in electronic commerce, including the use of digital signatures, and the role of certification authorities in enabling their use, were sufficiently complex to merit a distinct new group.
The GUIDEC was first drafted and discussed under the name of the Uniform International Authentication and Certification Practices (UIACP). During the consultation period the title was changed to the current GUIDEC to reflect the use of the word "Ensure" in the title (for a definition and explanation of this concept, see post).
The GUIDEC aims to draw together the key elements involved in electronic commerce, to serve as an indicator of terms and an exposition of the general background to the issue. It also addresses one of the key problems in talking about electronically signed messages, in that they are not signed physically , but require the intervention of an electronic medium. This in turn alters the function of the signer , and introduces problems which a physical signature does not encounter, most especially the possibility of use of the medium by a third party. The GUIDEC therefore adopts a specific term , "ensure", to describe what elsewhere is called a "digital signature" or "authentication", in an attempt to remove the element of ambiguity inherent to other terms employed.
General Usage in International Digitally Ensured Commerce
1. Scope and Objectives
2. Underlying Policies of the GUIDEC
II. The Advent of Commercial Electronic Transactions
1. The Emerging Global Electronic Trading System
2. EDI and Closed Networks
3. EDI and Efficiencies derived from electronic forms
4. EDI Trading Agreements
5. Transition from Closed Systems to Open Systems and the Internet
III. Electronic Transactions and Information Security
1. Open Networks
2. Information Security
3. Public Key Cryptography and Digital Signatures
4. Ensuring and Certification Authorities
5. Biometric Technology
IV. Existing Law and Electronic Transactions
1. General
2. Form Requirements
3. Common Law Issues
4. Civil Law Issues
5. Consequences
V. International Legal Approaches
1. UNCITRAL Model Law on Electronic Commerce
1. Ensure
2. Certificate
3. Certification Practice Statement
4. Certifier
5. Repository
6. Digital Signature
7. Hold a private key
8. Human-readable form
9. Issue a certificate
10. Notice
11. Person
12. Public key certificate
13. Revoke a public key certificate
14. Subscriber
15. Suspend a public key certificate
16. Technologically reliable
17. Trustworthy
18. Valid certificate
19. Verify a digital signature
1. Ensuring a message as a Factual Matter
2. Attribution and Legal Significance of Ensuring a Message
3. Ensuring a message by an Agent
4. Appropriate Practices for Ensuring a Message
5. Scope of an Ensured Message
6. Safeguarding an Ensuring Device
7. Representations to a Certifier
1. Effect of a Valid Certificate
2. Accuracy of Representations in Certificate
3. Trustworthiness of a Certifier
4. Notice of Practices and Problems
5. Financial Ressources
6. Records
7. Termination of a Certifier's Business
8. Suspension of Public Key Certificate by Request
9. Revocation of Public Key Certificate by Request
10. Suspension or Revocation of Public Key Certificate Without Consent
11. Notice of Revocation or Suspension of a Public Key Certificate
GUIDEC
General Usage in International Digitally Ensured Commerce
This document is intended to provide the context and policy underpinnings of the GUIDEC, with the objective of promoting the world business community's understanding of the issues relating to the use of techniques in electronic commerce. In its effort to balance different legal traditions, the GUIDEC reflects both the civil and common-law treatment of the subject as well as pertinent international principles. In doing so, the GUIDEC presents both business and governments with a comprehensive statement of best practices for the emerging global infrastructure.
The GUIDEC also attempts to address the problem of terminology, in that a digital signature is not really a signature at all. It has therefore employed the term "Ensure", to denote the act of digitally signing an electronic message. Please refer to the explanation given in the section on "Core Concepts" for a fuller explanation.
2. Underlying Policies of the GUIDEC
The principle objective of the GUIDEC is to establish a general framework for the ensuring and certification of digital messages, based upon existing law and practice in different legal systems. In so doing the GUIDEC provides a detailed explanation of ensuring and certification principles, particularly as they relate to information system security issues and public key cryptographic techniques. It also provides succinct standard practices or recommendations relating to ensuring or secure authentication of digital information, and comments upon relevant Civil and Common Law issues.
The GUIDEC framework attempts to allocate risk and liability equitably between transacting parties in accordance with existing business practice, and includes a clear description of the rights and responsibilities of subscribers, certifiers, and relying parties.
The underlying policies articulated and promoted in the GUIDEC are:
1. to enhance the ability of the international business community to execute secure digital transactions;
2. to establish legal principles that promote trustworthy and reliable digital ensuring and certification practices;
3. to encourage the development of trustworthy ensuring and certification systems;
4. to protect users of the digital information infrastructure from fraud and errors;
5. to balance ensuring and certification technologies with existing policies, laws, customs and practices;
6. to define and clarify the duties of participants in the emerging ensuring and certification system, and;
7. to foster global awareness of developments in ensuring and certification technology and its relationship to secure electronic commerce.
The GUIDEC treats the core concepts, best practices and certification issues in the context of international commercial law and practice. In so doing, the document assumes practices in which transacting parties are expert commercial actors, operating under the lex mercatoria. The document does not attempt to define rights and responsibilities for transactions involving consumers. Neither is it intended to outline practices for transactions in which overriding national or other public interests may demand additional transactional security, such as notarial or other public intervention, although many notarial principles are enshrined in the document. In this regard, it is also important to note that the GUIDEC does not attempt to set out rules for certification of information relating to authority, legal competence, etc., which notaries are often called upon to certify.
Although the GUIDEC is organised primarily as an outline for parties involved in public key based systems (i.e., "digital signatures"), the fact that it draws upon existing law means that it is not technology specific; it may be equally applied to paper-based and other methods for ensuring.
The GUIDEC acknowledges the groundwork laid out in the Digital Signature Guidelines of the Information Security Committee of the Science and Technology Division of the American Bar Association, and attempts to enhance some of the concepts set out therein from an international and commercial point of view.
The document also draws upon and extends existing international law treatment of digital signatures in particular that articulated in the United Nations Model Law on Electronic Commerce (UNCITRAL Model Law).
II. The Advent of Electronic Commercial Transactions
1. The Emerging Global Electronic Trading System
The movement of commercial and other related information has become a critical part of the international trading infrastructure. Businesses throughout the world are transmitting and exchanging commercial information, software, and services electronically, setting the stage for a revolution in the way commerce is transacted. Fuelling this revolution are the substantial efficiencies to be gained from the transition from paper-based to electronic data exchange in the global economy. The rapid evolution of digital communications technologies and expansion of computer networks form the basis for the emerging global electronic trading system.
Electronic Data exchange technologies, such as electronic data interchange (EDI), have long held the promise for a less burdensome, more highly efficient system for transacting global business, as well as the possibility for creating new channels for distribution, sales, and licensing. Overall, the application of digital technologies to business communications have offered a powerful new means for international commercial expansion, permitting businesses to forge new paths toward higher productivity, competitiveness and growth.
Until recently, businesses engaging in electronic commerce did so solely over closed networks. Closed network communication systems permitted businesses to control physical access to the system, conduct communications according to written and approved procedures, maintain record systems designed to facilitate quality assurance, and created legal obligations between users and the organisation responsible for operating the system. Closed network technologies such as electronic data interchange (EDI) combined the functional capabilities of computers and telecommunications, permitting the computer-to-computer transmission of commercial information. Through EDI technology, two parties could directly exchange information electronically, reducing and in some cases eliminating the use of paper. By decreasing reliance on paper in business-to-business-communications, EDI technology has dramatically affected the way commercial relationships are conducted and defined. Through EDI, business have been able to communicate with greater speed, respond faster to business demand, and significantly reduce repetitive computer input, inventory needs, time needed to market products, and errors in commercial data exchange.
EDI therefore represents an important first step towards overcoming the traditional physical barriers to a seamless and efficient global trading system.
3. EDI and Efficiencies derived from electronic forms
The use of EDI technology requires parties to agree on a broad range of technical issues including those related to message format, standards and implementation guidelines, third party providers, and computer and communications development and maintenance. The process of negotiating and implementing these agreements resulted in the emergence of electronic forms, enabling electronic data communications between distant commercial parties according to pre-arranged standards. Today, electronic forms have evolved into a highly efficient vehicle for the exchange of standardised information, facilitating purchases and sales with minimal human intervention. Electronic forms offer standard message formats enabling automated data handling and eliminating language and interpretation problems between senders and receivers of electronic data. The use of electronic forms permit highly efficient means of storing and reconstituting data, enhance the speed, accuracy and security, and reduce the expenses and delays normally associated with traditional modes of data transmissions between commercial actors. Overall, the development of electronic forms have established economies of scale and permitted the fulfilment of digital communications less expensively than was previously possible.
EDI trading agreements (or "interchange agreements") have also served a critical function in facilitating a global electronic trading system. The use of EDI trading agreements has evolved in the absence of standardised rules governing the complete data exchange process. Through these private agreements, parties seeking to use EDI technology have been able to structure their electronic communications relationship and benefit from contractual allocations of responsibilities and liabilities arising in that exchange. The use of private agreements to govern electronic trading arrangements through the use of EDI confers important benefits. Trading partners used contractual agreements to minimise risk and address legal uncertainties for activities that may not yet have been adequately addressed by law. Through such private agreements, parties could analyse and provide for the appropriate allocation of risk, including risk of errors or omissions in the electronic transmission or the apportionment of liability for the acts of third parties. Electronic interchange agreements have also allowed parties to specify procedures and safeguards needed to protect system security and integrity and address critical issues such as the extent of access to and use of data transmitted electronically and the confidentiality of that data. Electronic trading agreements have thereby offered parties a flexible means by which they could establish specific procedures and conditions by which to govern their rights and obligations within the framework established by their technological arrangement
The earliest international mode interchange agreement was published by the ICC as long ago as 1987 in response to the need for harmonised principles promoting certainty in electronic commercial transactions conducted through EDI, as well as the need to promote parity between trading partners. These Uniform Rules of Conduct for Interchange of Trade Data by Teletransmission (UN-CID) have serves as the basis for many of the model or standard trading agreements issued by national, regional and sectoral organisations.
Despite significant differences, many of these model agreements address common issues, including technical requirements, acknowledgement or verification, third party service providers, record storage and audit trails, digital security, confidentiality, and data protection. In doing so, the development of model trading agreements established the foundation for a contractually-based legal structure for electronic commerce.
5. Transition from Closed Systems to Open Systems and the Internet
The fast pace of technological innovation and the increasing development and adoption of universal standards both as communication protocols and for message development have permitted the proliferation of computer networks that are inter-operable and interconnected. User demands have also evolved, as businesses world-wide seek technological tools to strengthen productivity and minimise costs. Together, these developments are establishing a new information infrastructure of "open" networks, such as the Internet, enabling a truly global electronic trading infrastructure. The proliferation of business applications for these open, non-proprietary networks holds the promise of a new platform for inexpensive global communication and electronic commerce. Open network systems offer access and communication between multiple parties not contractually obligated to system managers, thereby exposing businesses to trading partners with whom those businesses have no prior relationship. Unlike closed network systems like EDI, which have traditionally developed along defined lines and been implemented between existing trading partners with ongoing commercial relationships, open network systems offer the possibility for broadening market access to new participants and provide a means for potential trading partners to conduct business through exchanges of information in the absence of a pre-existing relationship.
III. Electronic Transactions and Information Security
The current movement from closed network to open network communications systems, such as the Internet, poses significant challenges to implementation of a global electronic trading system. Among the most significant barriers to global electronic commerce over open networks are those pertaining to information security. Conducting commercial transactions over open networks poses the challenge of "many-to-many" transactions. With the expanding use of publicly available infrastructures such as the Internet to effect corporate communication among geographically dispersed locations, securing transactions that occur over this infrastructure becomes of paramount importance. The importance of security and reducing the risk of fraud and unauthorised access will increase significantly with the growth of the number and volume of international commercial transactions over networked computers.
Information security refers to the level of trust present in the transfer of information between parties. In its simplest form, information security issues arise when information is transferred from one party (a sender) to another party (a recipient). Information security risk is compounded when commercial dealings are transacted over open networks such as the Internet, which is a public infrastructure and for which no single locus of responsibility exists.
Companies engaging in electronic commerce over closed network systems, nowadays called "Intranets", had assurance of the identity and authority of transacting parties through contractual agreements and closed network security procedures. In open networks, however, these mechanisms for establishing the technical and legal security of transactions are no longer adequate to prevent unauthorised access, fraud or other commercially detrimental risks.
Industry recognises the need for a reliable framework for ensuring and certifying parties to a transaction. New technologies for strengthening the reliability and security for digital commercial transactions are developing every day. However, without an underlying legal framework for information security, these technological innovations cannot deliver their promise of a truly trustworthy electronic commercial environment.
Infrastructure solutions should be industry-driven, with government providing support through legislation and international agreements. An efficient and fully effective information security infrastructure for digital commerce over open networks cannot be realised only by contractual means, particularly with respect to resolving security issues. As electronic transactions become commonplace and involve ever more numerous potential parties, the need for a more generally applicable legal approach increases. This General Usage in International Digitally Ensured Commerce attempts to enhance legal predictability by providing a statement of commercial ensuring and certifying practices, thereby enhancing the overall level of trust in the electronic information infrastructure.
Security systems for commercial transactions have long been developed and established by businesses seeking to raise the level of trust in commercial transactions. Existing systems include those used for checks, telephone trading, and credit card purchases. Stronger systems are needed for use on open networks, given the challenges posed by the increased number of users, vulnerability to computer hackers, and the risk of unauthorised access.
Ensuring, as defined within this document, presents the opportunity for higher security in electronic commercial transactions, thereby raising the level of trust that will be placed by users in the global communications infrastructure. Through specific cryptographic technologies, including digital signatures, a new infrastructure is emerging that offers the key benefits of higher levels of non-repudiation, message integrity and verification.
3. Public Key Cryptography and Digital Signatures
Public key encryption assures two things for commercial actors:
a) that their messages are secure, and
b) that other transacting parties are authenticated.
Using this technology, senders and receivers of electronic messages each possess two keys -- a public key and a private key -- one of which is never shared with anybody, and the other of which is shared with everyone. These two keys correspond to each other, so that whatever is encoded with one key can only be decoded by the other. In the encrypting process, the sender of the message encodes it with the recipient's public key (which has been shared with him and all other parties), making it impossible for any party other than the one holding the private key to decrypt the message. Encryption protects the message from all parties other than the recipient, without the recipient having to divulge his private key to the sender.
By reversing the process described above, public key cryptography also provides a highly dependable mechanism, known in the GUIDEC as "ensuring a message", or within a Public Key Infrastructure as a "digital signature". This ensuring, or digital signature, is an attachment to a set of data which is composed by taking the output of a hash function, or digest, of the original data that is encrypted with the sender's private key. The hash function puts the original data through an algorithm, resulting in a data sequence unique to a particular message but much shorter than the message itself. The resulting digital signature can only be decrypted if the recipient has the correct public key, thereby permitting a recipient to verify the identity of the sender. In a given transaction, therefore, the sender encrypts the message with the public key of the recipient, and digitally signs or ensures the message with his own private key, and the recipient uses his private key to decrypt the message, and the public key of the sender to verify the message ensured.
Because an ensured message is difficult to forge, its use binds the signatory, precluding a later repudiation of the message. Digital signature technology also forms the basis for forming legally binding contracts in the course of electronic commercial transactions since it can provide electronically the same forensic effect a signed paper message provides.
4. Ensuring and Certification Authorities
The use of public key cryptography for digital signature purposes require that a trusted third party establish that holders of public keys are indeed who they purport to be. Without a trusted third party certifying that a given individual is in fact the holder of a public key, it is impossible for other transacting parties on the network to know for certain that the holder of the public key is not an impostor. This third party, known in the GUIDEC as a Certifier , will form the trust backbone for all types of commercial and non-commercial transactions taking place over open networks. Certifiers will certify the identity of the public key holder, and publish and update public keys, in a process referred to as certificate issuance. The effectiveness of the ensuring process depends upon establishing certifiers to provide parties with a means for reliably associating the public and private key pair with an identified person, and a trustworthy means of ascertaining the public key needed for verification. Given the importance of the accuracy of the information provided by the third party institution (i.e. the public key of the sender), the certifier should be sufficiently trustworthy to assure a high level of trust in electronic commercial transactions. In communications among different organisations, a certification authority must be an institution trusted by all parties relying on its information. To provide further assurance of actual trustworthiness, a hierarchy of certification authorities may need to be established to represent that individuals comply with rules, such as those articulated in the GUIDEC. In a hierarchy of multiple certifiers, each certifier has an ensured text certified by the certificate authority above it, forming a certificate chain to assure that sub-certifiers are identifiable.
Because certificates issued by certifiers will essentially be guarantees of the certificate holder's commercial identity, laws are currently being developed which prescribe clear rules and liabilities for certifiers. This document outlines the general set of international rules that govern ensuring and certifying for commercial applications. The GUIDEC is designed to restate and harmonise existing law and practice relating to the particulars of the ensuring, certification, and verification process.
There are also in existence some technologies which are designed to mirror the current paper based function involved in signing, in that they make use of a template upon which the signer physically reproduces his or her signature. The technology then either relates the template signature to a previously archived and identified signature "specimen", thereby assuming part of the function of a Certifier, or it makes use of the string produced to attach itself to the file which is being ensured. As much of the technical approach in achieving this varies considerably from Public Key Cryptography, reference is made to this technique here, but it is not felt that the general legal principles behind it, at least as far as the GUIDEC is concerned, differ substantially from those involved within a public key infrastructure.
IV. Existing Law and Electronic Transactions
Although many of the technological issues pertaining to global digital commerce are being readily addressed, significant legal questions remain unresolved, posing significant barriers to further development of a global electronic trading system. The continued vitality of the emerging global electronic trading system depends on the progressive adaptation of international and domestic laws to the rapidly evolving networked infrastructure. Although analogy to existing rules may be possible in many cases, the application of pre-existing rules that have not been reconsidered in light of progressive technologies may lead to inappropriate results. Applying paper-based rules to electronic transactions without sufficient consideration of the ramifications of such rules increases uncertainty, working to the detriment of the international trading community.
Similarly, conflicting legislative efforts directed at facilitating electronic commerce at the domestic level can effectively deter the development of a coherent global framework. This concern applies both to consistency among individual domestic states and consistency between nations, amplifying the need for convergence and harmonisation in legislative approaches. Substantive and procedural legal incompatibilities between countries threaten to create a complex and unpredictable environment for international electronic commerce.
The increasing importance of open networks such as the Internet, which promotes borderless interactivity between users, compounds the need for a uniform and harmonised approach to developing an international legal infrastructure for ensuring. The increasing importance of raising the level of trust and reliability in these new communications systems stimulates the need for a globally coherent, unified regulatory approach to information security, and in particular ensuring and certifying messages.
The traditional rationale for requiring the formalities of a signed writing for commercial transactions has been to discourage reliance on oral agreements. The requirement of a written record of commercial transactions has also endured for regulatory purposes, such as to discharge administrative tariffs and fees associated with taxation, customs, et cetera. Despite this traditional formality, however, writings have not been required to the exclusion of other evidence of a transaction or agreement. Indeed, in common law countries, where requirements for writing may exist in the context of sales of goods, a writing is loosely defined as anything that contains the essential elements of the contract. Under civil law regimes, a writing is merely treated as better evidence than the lack of one.
Nevertheless, the use of digital signatures for commercial purposes faces a number of existing legal impediments that derive from both common and civil law treatment of form requirements for many types of commercial transactions. In both the common and civil law traditions, existing law imposes specific requirements relating to written, signed, certified, and/or original form which do not contemplate the use of electronic messages. Several areas of the law, such as land law, are rife with requirements relating to form that presuppose the use of a traditional pen and ink signature on a paper message. This is especially true in the civil law, where form requirements for transactions involving notarial intervention impose a rigidly defined legal regime for authenticating commercial and other messages.
One of the most nettlesome problems arising out of the use of electronic means of communications in common law-based jurisdictions derives from uncertainty as to whether or not electronic transmissions satisfy the writing and signature requirements to be found in the Statute of Frauds, embodied in United States law in U.C.C. Article 2-201, or originally in section 40 of the English Law of Property Act 1925, now to be found in section 2 of the Law of Property (Miscellaneous Provisions) Act 1989. Because there is virtually no case law regarding these issues involving the use of electronic means for transacting commercially, general thinking on the question of electronic messages as signed writings has focused on common law commercial theory and judicial precedent involving other forms of non-traditional writing used in commerce, such as teletype and facsimile evidence.
The U.C.C. defines "signature" as "any symbol executed or adopted by a party with present intention to authenticate a writing.'' The Official Comment to section 1-201 emphasises that the appropriate focus of the signature requirement is the "intention to authenticate" rather than the manner of symbol adopted by the parties. This is borne out by the courts, which have found a number of non-written signatures to be the functional equivalent of one, including a typewritten name, a hand printed name, company letterhead, a sales brochure, and a tape recording. Although these interpretations would suggest that ensuring techniques probably satisfy statute of fraud requirements for signatures, this is unclear without specific judicial precedent or statutory provision .
Civil law systems typically contain a variety of form requirements. For example, under German Law, contracts may generally be concluded if the parties have given declarations of will to be bound. As a general principle, such a declaration may be given electronically, such as by ensuring the message.
However, there are many cases where statute or the relevant code of laws require that certain declarations of will be made in written form; in such cases, the code defines what it means - generally a written signature made by pen on paper. This is the case in German and French law with respect to real estate, and contracts which do not observe this written form are considered to be void.
The historical and currently perceived function of formalities has an important effect on their adaptability to electronic commerce. The advent of electronic commerce has challenged, and will continue to challenge, the validity of these formalities. As electronic commerce becomes more and more a reality in the international trade, the function of legal formalities which govern these transactions must evolve to include electronic means. At the present time a number of national and international efforts to treat the use of digital messages, including message ensuring techniques, have begun to address form requirements as a legal barrier to electronic commerce. Many of these efforts, particularly those state-based legislative implementations in the United States treating the use of digital signatures, as well as related efforts in Australia, Austria, Chile, Denmark, France, Germany, Italy, Japan, Malaysia, Singapore, South Korea, Sweden, and the United Kingdom, have been influential in the drafting of this document.
The United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce, certainly the most comprehensive international legal treatment of form requirements as they relate to electronic commercial transactions in existence today, is also extensively drawn upon in the GUIDEC.
V. International Legal Approaches to Digital Signatures
1. UNCITRAL Model Law on Electronic Commerce
The most definitive treatment of the issues for international electronic commercial transactions is that embodied in the United Nations Commission on International Trade Law Model Law on Electronic Commerce (the UNCITRAL Model Law), adopted by UNCITRAL during its 29th Session.
Although the Model Law provides for the legal enforceability of electronic ensuring methods for commercial transactions, it does not specifically treat the surrounding issues. In this regard, the GUIDEC is designed to build upon and extend the Model Law's treatment through the concept of ensuring a message, particularly with regard to certification of ensurer identity information.
The Model Law treats electronic signatures as they relate generally to problems deriving from form requirements in existing commercial laws of the major legal systems. Specifically, the Model Law provides that form requirements relating to signatures may be met in relation to data messages where a method is used that identifies the person and indicates that person's approval of the contents of the data message, and where the reliability of the method of signing is appropriate under the circumstances. Recognising that signature requirements derive from fundamental commercial law and public policy issues relating to intent of contracting parties, the Model Law does not specify what method of signing a data message might be appropriate under what circumstances. The Draft Guide to the Model law does indicate, however, that it may be useful in the context of data messages, to "develop functional equivalents for the various types and levels of signature requirements in existence." The GUIDEC attempts to build upon the Model Law in this regard, by defining requirements for signatures used in international commerce, in particular digital signatures, in which there is the additional requirement of certification.
The Model Law further treats signature requirements in the context of the evidential weight of data messages based upon the reliability of the manner in which the data message was generated, stored, communicated, , and maintained in general. In the context of storage and retention of data messages for evidentiary purposes, the Model Law provides that document retention provisions may be satisfied for data messages if the following conditions are met:
- the information contained in the data message is accessible so as to be subsequently usable;
- the data message is maintained in the same format in which it was generated and communicated, or in another format which demonstrably maintains the accuracy of the message's content, and;
- the information is retained in a fashion that enables the identification of the origin, destination, date, and time it was sent and received.
The Model Law recognises that data message retention will often be undertaken by intermediaries and other third parties which do not fall under the definition of "intermediary" in the Model Law, and provides that data messages may be retained by third parties as long as the above requirements are met. Although the Draft Guide makes it clear that retention may be carried out by non- "intermediary" third parties, it does not distinguish whether responsibilities of these parties in the context of the Model law would be regarded as the same or similar to those of intermediaries, or whether third party obligations fall outside the ambit of the Model Law.
The GUIDEC treats these issues much more fully than the Model Law with regard to certifiers acting in the capacity of intermediaries or non-intermediary third parties, and outlines specific rules of practice for certifiers relating to the issues enumerated above for the purposes of assuring that digitally authenticated or ensured messages retain their non-repudiable characteristics for evidentiary purposes.
Because the Model Law treats signature issues only generally, and because it indicates that different ensuring mechanisms employed in international electronic commerce need to be more fully articulated, the Information Security Working Party, saw its role in drafting the GUIDEC as expanding upon the Model Law treatment of signatures to more fully define how these issues need to be treated in the context of ensuring digital signatures and digital certification.
To record or adopt a digital seal or symbol associated with a message, with the present intention of identifying oneself with the message.
Clarification
"Ensure": .
In American usage, the term "authenticate" is often used to denote the act
of identifying oneself with a message, but in European usage "authenticate"
is more associated with the verification of a signature (see post). Furthermore,
there is a fundamental difficulty in the concept of "digitally signing" a
message, in that there are significant differences between a physical signature,
and one effected through an electronic medium. The most important difference
is that most digital signatures rely upon a smartcard or some other storage
facility in order to reproduce the algorithm necessary for securing the
"signature" to the message with which it is to be associated. It then follows
that if this storage facility is accessed by someone other that the person
to whom it belongs, a message can be "signed" and appear to have originated
from the owner, either with or without his consent.
It is for this reason that we have employed the term "Ensure", which is defined
by Websters Universal College Dictionary as "1. To secure or guarantee.
2. To make sure or certain. 3. To make secure or safe, as from harm". It
is exactly this which is being sought in an electronic message - to make
it secure from subsequent alterations.
"message": This means only the message that is ensured. If the message is altered (other than by the ensurer with ratification), then there is no intention of the ensurer to be identified with the message, and the ensuring around the message does not apply to the alteration.
"intention of identifying oneself with the message": The act of ensuring may be founded on additional intentions besides the minimal identification of the ensurer with the message. Often, it further indicates the ensurer's approval of, or intent to be legally bound by, the message. Based on the expression of these various intentions through ensuring, the law and/or commercial usage give the message a certain effect as the formally recognised act of the ensurer; (see post: "legal significance of ensuring a message"). Certification addresses the need for guaranteeing the effectiveness of ensuring, and some legal systems require it for certain messages, particularly when public filing is required or permitted, or the risks of false identification affect some other interest protected under a legal system's policy.
See UNCITRAL Model Law art. 6 (criteria for satisfaction of signature requirements), art. 11 (attribution of data messages) (1995); United Nations Convention on International Bills of Exchange and Promissory Notes art. 5(k) (1988) ("'Signature' means a hand-written signature, its facsimile or an equivalent authentication....").
Commentary
(1) Fundamentally and minimally, ensuring a message provides evidence that
a. the ensurer had contact with the message and
b. the message has been preserved intact since it was ensured.
Ensuring may also indicate more, depending on the circumstances, or have legal significance deriving from an agreement or law. Further, most means of authentication provide only imperfect evidence of the ensurer's contact and the message's integrity, and are vulnerable to forgery or tampering.
(2) A forged message which had been ensured, altered without the ensurer's authorisation creates no binding obligation on the ensurer. It is void, or subject to being declared void at the instance of the purported ensurer. In some legal systems, a spoilt message, one materially altered without its ensurer's authorisation, is traditionally considered void, and may not be enforced according to its original tenor. Preferably, and according to many other jurisdictions, tampering with a message is simply ignored, and the message may be enforced as originally ensured.
A message ensured by a person, which message attests to the accuracy of facts material to the legal efficacy of the act of another person.
Clarification
"message ensured": A certificate is itself a message, and ensuring its authenticity is ordinarily an important fact. In order for the certificate to be clearly reliable in commerce, the certifier creating it should exercise a degree of care exceeding the care for ensured messages generally.
"fact material to the legal efficacy of the act of another person": Examples of facts which may be the subject of certification include the identity of the person performing an act such as ensuring a message, circumstances affecting that person's existence as a valid legal entity, and/or the authority of a person to perform an act in question. A single certificate may attest to one or more such facts.
Commentary
(1) A variety of different types of certificates are recognised. Notaries of various legal systems issue certificates varying in form and effect, such as the public or authentic, and private forms of the civil law tradition, and the less rigorous "acknowledgement" of North American notaries. Technical computer standards typically envisage a certificate whose validity is measured according to a time period, whereas traditional certificates are valid on a per-transaction basis. Public key certificates as defined below are a specific type of certificate, but nevertheless fit within this general definition. This definition recognises the often profound distinctions in the concept of a "certificate" but nevertheless seeks to focus on a common gist.
(2) A certificate does not, by definition, include an indication of the scope of its intended effect. A certificate valid for only one message or transaction fits this definition, as well as one valid for multiple transactions over a specified time. If a certificate is valid for only one message or transaction, it should so state and be clearly associated with that message or transaction. If a certificate is limited according to a time period, that time period should ordinarily be specified in the certificate.
(3) The content of a certificate depends on the type and purpose of the certificate, and is often prescribed by law or custom.
3. Certification practice statement
A statement of the practices which a certifier employs in issuing certificates generally, or employed in issuing a particular certificate.
Clarification
"statement": The statement may include a technical standard, rules of professional conduct or practice, laws applicable to the certifier, or a brand or a mark representing other rules with which the certifier complies.
Commentary
(1) If a certification practice statement is not already well-known or agreed upon by the parties to a particular transaction, widely accepted by usage and generally well known in the trade, or a matter of widely known custom and/or relevant national law, its form should be optimised to provide notice to relying parties and for efficient reference and utilisation. A certification practice statement need not necessarily be documentary in form; however, its expression should provide for a reasonably high degree of readability, accessibility, and efficiency. It should also make advantageous use of electronic means of delivery and presentation, if electronic means are contemplated for the transaction or material to it, in order to reasonably facilitate automated processing and/or computer-assisted look-up of important terms. A certification practice statement functions mainly as notice of a certifier's practices in issuing certificates, and a certifier acts untrustworthily and perhaps even in bad faith if an important portion of a certification practice statement is unreasonably obscure.
(2) This document may serve as a guide for the contents and form of a certification practice statement.
A person who issues a certificate, and thereby attests to the accuracy of a fact material to the legal efficacy of the act of another person.
Clarification
"person": is defined in this publication to include any physical being or legal entity capable of ensuring a message, and would therefore include corporations, partnerships, governmental agencies, and other legal entities. However, these non-physical entities have no human senses and cannot perceive certain facts, except through their human agents. Ultimately, therefore, the process of certification must be performed by human beings, although incorporeal legal entities may assist in providing facilities, services, and assistance.
Commentary
(1) Examples of certifiers include notaries, public key certification authorities (which may also include notaries and other trusted entities), and governmental officers and other persons.
A computer-based system for storing and retrieving certificates and other messages relevant to ensuring a message.
Commentary
A digital certificate repository may be provided by a firm specialised for such a business, in conjunction with services as a certifier or other person involved in electronic commerce. A digital repository is distinct from a repository of messages on paper.
A transformation of a message using an asymmetric cryptosystem such that a person having the ensured message and the ensurers public key can accurately determine:
(a) whether the transformation was created using the private key that corresponds to the signer's public key, and
(b) whether the signed message has been altered since the transformation was made.
Clarification
"cryptosystem": This term signifies an information system employing cryptographic techniques to provide data security over communication channels that may not be secure. The data security thus provided includes the capability of associating a given message with a particular cryptographic key, and one or more operations for determining whether a given message is precisely the same as when the operation was previously performed.
"asymmetric cryptosystem": An asymmetric cryptosystem, also often termed a "public key cryptosystem", is an information system utilizing an algorithm or series of algorithms which provide a cryptographic key pair consisting of a private key and a corresponding public key. The keys of the pair have the properties that (1) the public key can verify a digital signature that the private key creates, and (2) it is computationally infeasible to discover or derive the private key from the public key. The public key can therefore be disclosed without significantly risking disclosure of the private key.
"the ensurers": The ensurer is the person employing the algorithm in order to be associated with the content of the message. This definition assumes that a cryptographic key pair has itself been associated with an identified person, so that the digital signatures created by that person can be reliably attributed to him by others. The association of a person with a key pair can be accomplished by a certificate identifying the person and including the person's public key. Such a certificate is termed a "public key certificate" in this document.
"correspond": "Correspond", as used in this definition with regard to cryptographic keys, means to belong to the same key pair.
"private key": In an asymmetric cryptosystem, the cryptographic keys are paired, as mentioned above. The private key is the one of the pair used to create a digital signature. It must therefore be available only to the ensurer, and the ensurer accordingly has a duty to maintain exclusive control over the private key; (see safeguarding an ensuring device).
"public key": In an asymmetric cryptosystem, at least one cryptographic key of a pair may be disclosed without making discovery of the private key possible. The key that may thus be disclosed is generally termed the "public key".
Commentary
(1) Some methods of authenticating electronic messages do not employ an asymmetric cryptosystem. The results of such methods do not fall within the above definition of "digital signature". Thus, a digitally scanned image of a handwritten signature, a signature by means of a stylus and digitising tablet, a name signed using the keyboard, the use of passwords or other techniques for controlling access, and similar procedures could be used for ensuring a message, but are not "digital signatures" as the term is used in this document.
(2) A digital signature should be securely and unambiguously linked to its message. As long as such a link is maintained, it is unimportant whether a digital signature is kept within the message, appended or prefixed to it, or retained in a separate electronic file or information system.
To use or be able to use a private key.
Clarification
"to use or be able to use": The principal concept underlying this definition is availability or access as a matter of fact, rather than as a matter of right or legal entitlement. A person who obtains a key by theft, or who has access or use of the key subject to pre-emption by another, nevertheless "holds the key" as here defined.
Commentary
(1) Since the private key is essentially a device capable of creating a digital signature when used in an information system for the purpose, and since a digital signature can be considered as ensuring a message, the ability to use a private key for digital signature purposes must be limited to the ensurer only. Holding a private key should therefore legally be the exclusive right of ensurer.
(2) Holding a private key may include an employment or other agency relation, or another legally recognised relation in which rights of custody and control (or ownership, if "property" is involved) are shared or divided in a manner recognised under applicable law. For example, a corporate employer may designate a private key for use by an employee in the name of the corporate employer. Digital signatures by that private key could well be attributable to the corporate employer by application of agency or authorisation principles, although the digital signatures would also be traceable to the employee. See also post "ensuring a message by an agent".
(3) Ordinarily, a private key should have but one holder, unless holding is intentionally shared or divided. If an asymmetric cryptosystem is properly designed, implemented, and maintained, duplicate private keys occur rarely or not at all, unless a duplicate is obtained illicitly. If an unauthorised duplicate is discovered, a holder should immediately suspend the certificate pending an investigation, and, depending on the outcome, revoke the certificate.
A presentation of a digital message such that it can be perceived by human beings.
Clarification
"digital message": The information processed by nearly all computer-based information systems is fundamentally variations in voltage, alternating magnetic polarities, pits on plastic, and similar approaches to representing digital bits in physical matter and electrical energy. As a practical matter, bits thus represented are imperceptible and unreadable by human beings, unless the information system presents them as symbols such as letters, numerals, punctuation marks and formatting.
Reference is made to the UNCITRAL Model Law art. 7 (1995) (satisfaction of requirements or preferences for the original).
Commentary
(1) A human-readable representation is not, by definition, rendered by a technologically reliable information system nor ensured; in other words, this definition includes no assurance that the information system has accurately translated the message from its basic digital form into a human-readable form, or that that human-readable form is the same as another form perceived by an ensurer of the message. Whether a message is represented the same as it was for its ensurer generally depends on whether the ensurer included parameters adequately specifying the human-readable representation within the ensured message. See post "in determining the scope of an ensured message, variations in the form of the message may or may not be significant".
The process by which a certifier creates a certificate and gives notice to the subscriber listed in the certificate of its contents.
Clarification
"creates": Creation of a new certificate does not imply formation of a new client relationship with the subscriber. For certificates whose validity is limited according to a time period, the new certificate may substitute for or "renew" an earlier one, which has expired or been revoked, or is about to expire or be revoked
"notice" and "subscriber" see post. Issuance of a certificate does not necessarily guarantee effective delivery.
Commentary
(1) Certain Civil Law legal systems or national customs may prescribe the manner in which a certificate may be issued, particularly for specific transactions. Civil law legal systems generally require that a notary officiate at certain types of transactions in which certificates are issued. Civil law notarial practices often include detailed inquiry into the parties' intent and the transactional context, in order to be certain that the parties are fully informed about the consequences of their transaction.
To communicate information to another person in a manner likely under the circumstances to impart knowledge thereof to the other person.
Clarification
"information": Notice could occasion a claim for intentional or negligent misrepresentation, should the information prove to be inaccurate. Care by the notifier in drawing conclusions may be appropriate. A notifier may inform the recipient of relevant evidence or of an uncertain event, and leave the recipient to determine whether to rely on the notice as accurate. The recipient is often in the best position to weigh the indications and uncertainty in light of its risks.
"likely under the circumstances to impart knowledge" A duty to notify may be satisfied, even though the intended recipient of the notice fails to become aware of its contents, provided that the notifier acts in good faith and takes action which, in the ordinary course of business, should suffice to cause the notice to be delivered to the intended recipient and come to its attention. The UNIDROIT Principles of International Commercial Contracts note:
Where notice is required it may be given by any means appropriate to the circumstances.
(1)......
(2) A notice is effective when it reaches the person to whom it is given.
(3) For the purpose of paragraph (2) a notice "reaches" a person when given to that person orally or delivered at that person's place of business or mailing address.
(4) For the purpose of this article "notice" includes a declaration, demand, request or any other communication of intention.
International Institution for the Unification of Private Law (UNIDROIT), Principles of International Commercial Contracts art. 1.9 (1994). Comment 4 of the same article states in defining "reach" that notice reaches the addressee
as soon as [it is] delivered...to [the addressee's] place of business or mailing address. The particular communication in question need not come into the hands of the addressee. It is sufficient that it be ... received by the addressee's fax, telex or computer.
In an electronic setting, dispatching a reliably ensured message addressed to the intended recipient through a technologically reliable system, without apparent error, should suffice as a means of notification, unless the parties agree otherwise.
Commentary
(1) If the parties have formed a contract, it or a general contractual duty of good faith may well include a notice requirement, and perhaps an agreed upon definition better tailored to the parties. However, the parties may also find themselves in a pre-contractual state, and the ensuring of a message or certification which is the subject of the notice is part of an effort to form a contract or satisfy the form requirements for a contract. In such a pre-contractual setting, a duty to refrain from misrepresentation or to bargain in good faith, or the doctrine of culpa in contrahendo supply and define a basic requirement of notice.
A human being or any entity which is either:
(a) recognised by applicable law as capable of ensuring
a message, or
(b) capable of ensuring a message as a matter of fact.
Clarification
"entity": Information systems and other devices are not "entities" as the word is used in this definition. Rather, such systems and devices are the instruments of the persons who own and operate them.
A certificate identifying a public key to its subscriber, corresponding to a private key held by that subscriber.
Clarification
"public key": Public keys can be used by a person having a digital signature to determine which private key created the digital signature and whether the signed message was altered since it was signed. See ante "digital signature" and post "verify a digital signature"
"identifying": The process whereby the certifier ascertains the veracity of the statements made in the certificate.
13. Revoke a public key certificate
The act of a certifier in declaring a public key certificate permanently invalid from a specified time forward.
Clarification
"declaring": Revocation is a mere declaration, and does not include destruction of the invalidated certificate. The invalidated certificate remains available for verification of digital signatures effected while the certificate was still valid.
"time": This definition presumes that the validity of the public key certificate is limited to a specified period of time, which revocation cuts short. Public key certificates whose validity is limited to a particular transaction or by other criteria could perhaps be invalidated after issuance, but this document would not term such invalidation "revocation".
Commentary
(1) Although not an element of this definition, notice (see ante for definition) is required for a revocation.
A person who is the subject of a certificate.
Clarification
"subject of a certificate": Not every ensurer is a subscriber, since not every ensured message has an associated certification. "Subscriber" may well refer to an ensurer, but as the subject of a certificate, rather than as an ensurer per se.
Commentary
(1) For example, if a public key certificate states, either explicitly or by some form of incorporation:
I hereby certify on this 4th day of August , 1997, that John William Thompson of 38 Cours Albert 1er, 75008 Paris, France, personally appeared before me and was identified by .... Further, the same John William Thompson demonstrated to me that he held the private key corresponding to the following public key ....
then John William Thompson is the subscriber of that certificate.
(2) In some instances, a subscriber may consist of a person acting by the authority of another. Thus, the above example could include the following:
The same John William Thompson also produced a resolution of the XYZ Corporation SA, which I authenticated by .... Said resolution, a copy of which is attached hereto, authorises the said John William Thompson,, to act in certain matters on behalf of XYZ Corporation SA as its authorised signatory.
Ensuring a message by the private key corresponding to the public key listed in the certificate would, by application of domestic agency law, be legally recognised as ensuring a message of the principal through an act of the agent.
(3) A subscriber is generally also a client of, or under contract with, a certifier.
15. Suspend a public key certificate
The act of a certifier in declaring a public key certificate temporarily invalid for a specified time period.
Clarification
"invalid": If the certificate is invalid, then it cannot be relied upon by a third party, though
this does not preclude the legal concept that if the relying party has acted reasonably (see clarification post) or in good faith in relying upon the certificate, then the fact that it is suspended does not prejudice that reliance.
"time": This definition is presumes that the validity of the public key certificate is limited to a specified period of time, which suspension cuts short. Public key certificates whose validity is limited to a particular transaction or by other criteria could perhaps be invalidated after issuance, but this document would not term such invalidation "suspension".
Having the qualities of:
(a) being reasonably secure from intrusion and
misuse;
(b) providing a reasonable level of availability, reliability, and correct
operation.
Clarification
"reasonably ... reasonable": The reasonableness standard of this definition reflects the fact that security exists in varying degrees, and should ordinarily be evaluated in light of the circumstances. A greater or lesser degree of security is possible in nearly all situations, much like public streets can always be made safer or airports more secure. In a case, therefore, the question should be, not whether the defendant could have done more, but rather whether the defendant exercised an appropriate degree of care in the design, maintenance, and operation of the system in question, taking into account the feasibility and cost of additional measures and the benefits they would have provided under the relevant circumstances. It should be noted that the use of the concept of "reasonable" can be problematic in Civil Law jurisdictions, although de facto the standards of a bonus pater familias or an orderly businessman can be used to adhere more closely to the concept.
"correct operation": What sort of operation is "correct" for a system depends on design specifications of the system. The expectations of a user of the system should be considered in light of what can reasonably be expected from the system, given the limits in its design and production, to the extent that those limits are made known to the user.
Commentary
(1) The objectives of a technological reliability are, in essence:
Conducting business in a manner that warrants the trust of a reasonable person active in commerce, and having capabilities, competence, and other resources which are sufficient to enable performance of one's legal duties, and assure unbiased action.
Clarification
"sufficient": The sufficiency of a person's capabilities, competence, and resources and the sufficiency of one's disinterest should both be tested according to standards of reasonableness. In any case, greater effort and investment will have been possible, but the question is whether a reasonable person under the circumstances would have expended the additional effort and investment to obtain greater capabilities, competence, or absence of bias.
Commentary
(1) Trustworthiness is a central concept to all business relationships, and is not a concept that can be closely defined. The commercial assessment of the risk involved in a certain transaction will always have a central role to play. Of course, there exist professions, such as that of a Notary, which remove much of the element of risk in establishing the legal bona fides of a signature by issuing a certification which takes the responsibility for the accuracy of the facts contained therein out of the hands of the receiving party. Indeed, a notary will remain liable for any statements made in a certificate notwithstanding the fact that there is no contractual relationship between him and the party relying on the statements made.
(2) It will be a matter of commercial risk assessment whether or not a person will rely upon a certification where the ensurer, subscriber and even certifier all lie within the same group. Paper-based examples such as the credit card industry have historically provided examples of unbiased performance of legal duties, despite acting in several roles in a transaction.
A certificate which its certifier has issued or disclosed to another person in circumstances where that person's reliance on the certificate is foreseeable, unless the certifier gives timely notice that the certificate is unreliable, or unless the certificate is a public key certificate which has been revoked or is, at the time in question, suspended.
Clarification
"gives notice": The notice must reach all persons who are in a position to rely on the certificate.
Commentary
(1) A certifier may seek to restrict liability for the contents of a certificate issued either through the contractual relationship with the subscriber, or by means of a general disclaimer in the practice statement, or even in the certificate itself. Care should be taken, however, of restrictions on such disclaimers which some jurisdictions regard as unfair or invalid contract terms. This is especially the case in transactions which are deemed to be "consumer".
19. Verify a digital signature
In relation to ensuring a given message (digital signature, message, and public key,) to determine accurately that:
(a) the digital signature was created by the private
key corresponding to the public key; and
(b) the message has not been altered since its digital signature was
created.
Clarification
"Verify": If a recipient person does not verify the said information, then reliance cannot be made upon the infrastructure mechanisms which have been created for just that purpose, and for securing the security of the message.
Commentary
This is, of course, the central element in relying upon an ensured message with a digital signature.
1. Ensuring a message as a Factual Matter
A message is ensured, as a factual matter, if acceptable evidence indicates:
(a) the identity of the ensurer, and
(b) that the message has not been altered since ensured.
Clarification
"as a factual matter": Distinct from legal significance or meaning, the factual question of ensuring a message is addressed simply to identifying the ensurer and the ensured message from the available and admissible evidence. Such a question seeks to discover simply the facts of who ensured what.
Commentary
(1) Ensuring a message for evidential purposes in proceedings before tribunals is generally to ensure a message as a factual matter. The focus of the inquiry is the genuineness of the proffered evidence and its factual linkage to the persons involved in the controversy. (For example, see the US Federal Rules of Evidence 901 , providing that the evidential requirement is satisfied by "evidence sufficient to support a finding that the matter in question is what the proponent claims", and listing several examples.)
(2) Ensuring a message can also serve as an indicator of origin, often in an evidential context, where the question is usually the fact of origin rather than any legal consequences of a signature.
2. Attribution and Legal Significance of Ensuring a message
A person must attribute an ensured message to the person who actually ensured the message.
Clarification
"must": Whether any consequence flows from a failure to attribute an ensured message depends on the import of the message. If the message may painlessly be ignored, then a failure to attribute it is of no consequence.
"attribute": The person having the ensured message must consider it to be associated with the ensurer in some significant way, which is often apparent from an accompanying expression of the ensurer's intent, the facts and circumstances of the transaction, course of dealing, or usage of trade.
"ensured message": In light of the definition of "ensure" (see ante), "ensured message" here means a message which is
(1) intact and unaltered since ensured,
and (2) identified with its ensurer.
"actually ensured": In a case of forgery, the forger, rather than the ostensible signer, is the actual ensurer.
In this context, see also the UNCITRAL Model Law art. 11 (attribution of data messages) (1995).
Commentary
(1) The duty to attribute an ensured message to its ensurer presumes that the person having the ensured message acts in good faith, exercises reasonable care in evaluating the ensured message, and lacks timely knowledge or notice that the ensured message is false or significantly questionable.
(2) In ascertaining who actually ensured a message, a person is entitled to receive reasonable further assurances that the ensurer has properly ensured a message. In determining what is reasonable in a case, a tribunal should consider indications of the reliability or lack of reliability of the ensured message, the availability of those indications to the person having the message, as well as the resources required to make further information available.
(3) If a person properly attributes a forged or improperly altered message erroneously and thereby incurs a loss, and if the forgery or improper alteration resulted from a failure by the purported ensurer to safeguard an authenticating device or other fault by the purported ensurer, then the purported ensurer must indemnify or compensate the attributing person for the loss.
(4) The effect of attribution to a ensurer depends on the content of the ensured message, the other facts and circumstances of the transaction, applicable law, the course of dealing between the parties, and/or usage of trade. For example, ensuring the written expression of a contract is customarily taken to indicate assent to the contract, and may satisfy formal requirements for ensuring a message sufficient to give effect or enforceability to the contract. Ensuring a letter ordinarily indicates authorship. Ensuring a negotiable instrument in the manner of an endorsement has the effect of an endorsement.
(5) Attribution or legal enforceability of an otherwise attributable message may be limited by formal ensuring and certification requirements.
3. Ensuring a message by an Agent
If an agent ensures a message and represents himself to do so by authority of a principal, the ensured message is valid as that of the principal if, under applicable law, the agent had sufficient authority to ensure the message.
Clarification
"sufficient authority to ensure": Legal systems differ in the processes commonly utilised for the granting of authority, and particularly in the degree to which implicit or apparent authorisation is recognised and accorded legal effect (see comment (2) below). If, under applicable law, the existence of sufficiency of the would-be agent's authority is reasonably in doubt, the recipient of an ensured message may well have reason to seek further assurances.
Commentary
(1) A person generally acts at his peril in relying on an agent's representation of authority. Rather than taking a purported agent's word for the effectiveness and scope of the agency, a person having an ensured message should require a certificate or other, more reliable proof of agency.
(2) Legal systems differ in the extent to which one may rely on representations of agency by the purported principal which fall short of a valid power of attorney, in cases where the principal later disputes the agency. At common law, "apparent authority" can arise from almost any manifestation of agency by a principal to third persons. Civil law legal systems have traditionally eschewed recognition of apparent authority, although jurisprudence in some has developed comparable doctrines in cases where the principal failed to dispel the appearance that the agent had authority or failed to stop the agent from acting in the principal's name.
4. Appropriate Practices for Ensuring a Message
An ensurer must ensure a message by a means appropriate under the circumstances.
Clarification
"must": The consequence of a failure to ensure a message properly is that the message may be disregarded. In general commercial practice and unless otherwise agreed, a message may be ignored if the manner of ensuring it either contravenes an agreement by the parties, is not suited to impart the legal efficacy intended by the parties for the message, or if reliance on the message as ensured would not be reasonable under the circumstances.
"appropriate under the circumstances": As the commentary below explains, the means should carry out the intent of the parties, or at least reasonably fit the transactional context. At least, signature requirements had the perhaps salutary effect of requiring a person to use minimal ensuring methods. However, imposing sanctions for failure to comply with form requirements has proved to be problematic. In the common law, case law has tended to weaken formal requirements, perhaps because of difficulty in finding a fitting sanction for non-compliance. In the civil law, there are more rigid forms to be adhered to, especially in the areas where the state might take an interest, such as real property law, inheritance, or commercial registration of companies. Such matters require the intervention of a Notary, as a certifier.
The UNCITRAL Model Law (art 6) would sweep aside formal requirements, and leave the recipient of the message to prove attribution. While this approach is sensible, one sticking point remains: the recipient bears the burden of proof on the attribution issue, but only the sender can ensure the sender's message. The recipient may act at her peril in rejecting a message which, under various current definitions of "signature", could be treated as authentic. This article seeks to address that problem by establishing in the recipient a right to demand reasonable assurance of an ensured messages authenticity.
Commentary
(1) The recipient of an ensured message may request further assurances of its validity, such as a valid certificate attesting to a critical fact, or replacement or augmentation of the ensured a message using a more technologically reliable method, if ensuring the message either was not accomplished as agreed by the parties, or is not suited to impart the legal efficacy intended by the parties for the message. In the absence of an express agreement, the parties are assumed to have intended a reasonable outcome, and therefore to have intended to use only ensuring practices that are reasonable under the circumstances.
(2) In determining what is reasonable under the circumstances, the recipient should consider:
The factors are listed approximately in order of importance.
5. Scope of an Ensured message
The creator of an ensured message must clearly indicate what is being ensured.
Clarification
"clearly indicate": The ensurer should both delimit precisely what the message is in order to distinguish it from other matter, and should create a clear link between the act of ensuring the message and the ensured message itself.
Commentary
(1) Since ensuring a message does not apply to alterations of the message, a person receiving the ensured message must determine whether the message arrives intact. Such a determination is only possible if the message has been clearly delimited and linked to when it was ensured. On paper, the delimitation is accomplished by the spatial limits of paper, formatting conventions, and the custom of signing at the end of the message. The linkage between signature and message is often accomplished by including them both within the same paper message, with the signature generally following the message.
(2) Defining the message is complicated by the fact that different systems may present the message in varying human-readable forms. For example, a printer or fax machine may utilise a different size of paper than another. Variance in representations of the signed matter may or may not be significant. With electronic messages, variations are common, even when all relevant information systems are technologically reliable, simply because the capabilities and preferences of information systems vary. A ensurer should express the ensured message in a manner that enables a receiving information system to represent it properly, either in the manner required by law, agreed upon by the ensurer and receiver, or in accordance with usage of trade, applicable technical standards, and/or common practices for messages of the kind. The parties should agree, in specifying the form for their messages, which variations are to be considered significant. In the absence of such an agreement, the ensurer may specify the variations to be considered significant alterations of the message. Ordinarily, minor variations in the media size, font, spacing, margins, and similar features are inconsequential; however, a change significantly affecting meaning, including a change to the logical structure of the message, should generally be treated as a significant alteration.
6. Safeguarding an Ensuring Device
If a person ensures a message by means of a device, the person must exercise, at a minimum, reasonable care to prevent unauthorised use of the device.
Clarification
"device": If the device consists of a system of interrelated components, the entire system need not be safeguarded. Rather, it suffices to safeguard one or more critical components of the system sufficient to prevent a falsely ensured message.
"reasonable care": "Reasonable care" is the degree of caution and prudence that a reasonable person would exercise under the circumstances. (for comments on "reasonable", see ante)
Commentary
(1) The ensuring device should be physically kept in a location where access is limited and carefully controlled. Access should be accorded only to trustworthy persons and ordinarily based on their need to utilise ensuring services. Persons to whom access is granted should be identified by presentation of a password or pass phrase, by biometric information, or other secure means.
(2) Where remedial action is possible following a loss of control over an ensuring device, the remedial action should be taken without delay. In a case in which a private key has been lost, the public key certificate should be revoked, or suspended immediately until it can be revoked.
7. Representations to a Certifier
A subscriber must accurately represent to a certifier all facts material to the certificate.
Clarification
"represent" This can take many forms. It may simply be the statements of the subscriber, or the certifier may have taken extraneous evidence of the matters contained in the certificate. As the certifier will be responsible for the statements made in the certificate, it would be advisable for the certificate to be clear as to how the statement of facts has been arrived at.
Commentary
(1) see generally the definitions in "Certification", post.
1. Effect of a Valid Certificate
A person may rely on a valid certificate as accurately representing the fact or facts set forth in it, if the person has no notice that the certifier has failed to satisfy a material requirement of ensured message practice.
Clarification
"rely": The extent to which one may properly rely is limited to what is reasonable under the circumstances. In other words, one is not entitled to rely when a businessman of ordinary prudence would not do so from substantially the same informational and circumstantial vantage point. This implicit limitation on reliance finds expression in substantive law in limiting relief for deception to plaintiffs who are not excessively gullible or tainted; see, e.g., US Restatement Second Of Torts § 548A (1977) ("A fraudulent misrepresentation is a legal cause of a pecuniary loss resulting from action or inaction in reliance upon it if, but only if, the loss might reasonably be expected to result from the reliance").
"notice": The UNIDROIT Principles of International Commercial Contracts point out that "notice" "includes a declaration, demand, request or any other communication of intention". (International Institution For The Unification Of Private Law (UNIDROIT), Principles Of International Commercial Contracts, art. 1.9 (1994).)
Commentary
(1) Fundamentally, a certificate is simply evidence of the fact or facts it represents. As such, it is only as good as the certifier is worthy of belief. For commerce to function properly, a society must provide a trustworthy means of establishing critical facts, such as the identity of a ensurer. Certifiers provide such a means, but only if the certifiers are trustworthy.
(2) Where trustworthy certification practices are generally known to be followed, certificates are customarily treated as establishing the facts represented in them. For each transaction, the parties may ordinarily determine whether a particular certificate or type of certificate is acceptable. In certain circumstances, and particularly in the absence of an agreement among the parties, applicable substantive law can often supply a rule determining validity, together with any supporting certification. Such substantive rules may relate to the legal system's supervision of certifiers.
(3) Although a certificate is fundamentally evidence, whether or not a certificate is admissible in a judicial or arbitration proceeding is determined according to the rules of the forum.
(4) All the foregoing presumes that the parties are acting in good faith and without deception or negligence in conducting their business.
2. Accuracy of Representations in Certificate
A certifier must confirm the accuracy of all facts set forth in a valid certificate, unless it is evident from the certificate itself that some of the information has not been verified.
Clarification
"set forth": This applies both to facts explicitly stated in the certificate and to facts on which conclusions in the certificate are based.
"some of the information has not been verified": This has been termed "Non-Verified Subscriber Information". See commentary, post.
Commentary
(1) One school of thought holds that all of the information set out in a certificate must have been verified by the Certifier. This would prove to be unnecessarily restricting in commercial practice, as circumstances may exist where it is required to ensure a message, but the ensurer is unable to provide satisfactory evidence, say, of his corporate authority to act. It should therefore be possible for the certificate to contain a statement to the fact that the ensurer is purporting to act on behalf of a particular corporation, but that this has not been proved. The receiving party is then able to make a commercial risk assessment as to whether to accept the ensured message as it stands, or to demand further proof.
3. Trustworthiness of a Certifier
A certifier must:
(a) use only technologically reliable information systems and processes, and trustworthy personnel in issuing a certificate and in suspending or revoking a public key certificate and in safeguarding its private key, if any;
(b) have no conflict of interest which would make the certifier untrustworthy in issuing, suspending, and revoking a certificate;
(c) refrain from contributing to a breach of a duty by the subscriber;
(d) refrain from acts or omissions which significantly impair reasonable and foreseeable reliance on a valid certificate;
(e) act in a trustworthy manner towards a subscriber and persons who rely on a valid certificate.
Clarification
"trustworthy personnel": A certifier must make reasonable efforts to screen, train, manage, and assure the loyalty of all employees performing functions significantly affecting the certification process.
"conflict of interest": To be trusted by the parties to a transaction and serve as a trustworthy verifier of facts should a dispute arise, a certifier must not have a stake in the transaction that would compromise the certifier's trustworthiness.
"subscriber": A certifier owes a duty to a subscriber for whom the certifier issues a certificate, and to successors to the subscriber's rights which are dependent on the certification.
Commentary
(1) The trustworthiness of a Certifier is central to the whole concept of certification. This trust in turn is generally founded upon the liability that the Certifier is willing to accept for its statements. The Certifier may seek to limit its liability to a certain level through its "certification practice statement" (see ante), but in doing so should exercise care that this limitation of liability is permissible within its jurisdiction. The very nature of electronic commerce as an international medium then further complicates this matter, as the Certifier may find that its certification is relied upon beyond its own borders. By the same token, a person relying upon a certificate should ascertain the level of reliance the certifier is expecting him to place on the same.
4. Notice of Practices and Problems
A certifier must make reasonable efforts to notify a foreseeably affected person of:
(a) any material certification practice statement, and
(b) any fact material to either the reliability of a certificate which it has issued or its ability to perform its services.
Clarification
"foreseeably affected person": To assure that a certifier foresees an effect, a person who believes himself to be affected may notify the certifier of the person's position and interest, and request a certification practice statement or further information.
Commentary
(1) Foreseeability is a difficult concept, especially when a certificate may be freely circulated, though of course it is an inherent element in assessing a commercial risk.
A certifier must have financial resources sufficient to conduct its business and bear the reasonable risks resulting from the certificates it issues.
Clarification
"sufficient": As between a certifier and its client, the subscriber, the sufficiency of the certifier's financial basis is apparent from their willingness to do business with each other in a setting where the subscriber could have retained the services of another. In relation to third parties, however, the sufficiency of a certifier's financial basis should be evaluated according to a reasonableness standard.
"reasonable risks": The reasonableness of a risk should be evaluated in light of what is foreseeable from the certifier's informational vantage point, and what is likely.
Commentary
(1) It is under this heading that we must consider the impact of insurance, either by bonding or through indemnity insurance. Existing professional certifiers, such as Notaries, are required to carry sufficient professional indemnity insurance to cover such losses as are likely to be occasioned as a result of others relying upon their certifications. Such insurance can be considered as adding to the available financial resources of a certifier, though evidently he will not have access to such resources unless and until a claim is made against him.
A certifier must keep records of all facts material to a certificate which it has issued for a reasonable period of time.
Clarification
"facts material to a certificate": The required records include evidence to support all representations made in a certificate.
"reasonable period of time": The duration of the record retention period is difficult to pinpoint, and requires weighing the need for reference to the records against the burden of keeping them. The records could be needed at least as long as a transaction relying on a valid certificate can be questioned. For most transactions, statutes of limitation will eventually place a transaction beyond dispute. However, for some transactions such as real property conveyances, legal repose may not be realised until after a lengthy time elapses, if ever.
Commentary
(1) Most professions already have established rules for the keeping of records, depending upon their nature. There is no reason that these rules should be any different in an electronic world, though added care must be taken to assure the retrievability of the information stored, especially in view of the rapid advances in technology.
7. Termination of a Certifier's Business
In terminating its business, a certifier must:
(a) act in a manner that causes minimal disruption to subscribers and persons relying on issued valid, operational certificates; and
(b) turn over its records to a qualified successor.
Clarification
"qualified successor": Another certifier is generally qualified to succeed a withdrawing certifier. A responsible, high-quality archiving service, a professional association, or regulatory agency may also be suitable. The successor need not issue new certificates, but must at least maintain suspension, revocation and retrieval services.
Commentary
(1) If no successor is willing to take over a certifier's business, it may be necessary to revoke all valid certificates outstanding, since the certifier will not be available to support them in the future.
8. Suspension of Public Key Certificate by Request
The certifier which issued a certificate must suspend it promptly upon request by a person identifying himself as the subscriber named in the public key certificate, or as a person in a position likely to know of a compromise of the security of a subscriber's private key, such as an agent, employee, business associate, or member of the immediate family of the subscriber.
Clarification
"certifier which issued": Although the certifier need not confirm the identity or agency of the person making the request, the certifier which issued the certificate should ordinarily be the person to suspend it, because the issuing certifier is in the best position to screen out and ignore requests that are obviously not in the subscriber's interest, such as requests intended as pranks, for harassment, or for improper interference.
"suspend": Since, by definition, a suspension cuts short an otherwise applicable time period, it relates only to certificates whose validity is determined according to time. If validity is measured by some other criterion, such as the scope of an identified transaction, this paragraph may well not apply.
"upon request": The certifier must act in good faith in responding to the request, but need not conclusively confirm the identity or agency of the person requesting suspension. The certifier may rely on the representations of the person requesting the suspension, though there will be an element of verification of identity made by the certifier.
Commentary
(1) Since suspension temporarily invalidates a public key certificate, it, in effect, temporarily severs the association of the subscriber to the public key listed in the certificate. Without such an association, digital signatures verifiable by that public key are not attributable to the subscriber. The subscriber has thus effectively put its digital signature capability on hold.
(2) Although the certifier is not required to identify the authority of the person making the request, it should have some form of procedure in place for the immediate confirmation of such a request. Failing this, the certifier may find itself in breach of its obligations to the subscriber, and liable for any loss arising out of the subscribers inability to use its digital signature.
(3) The ability to temporarily preclude attribution of digital signatures through suspension of the critical public key certificate is one of the principal means for the subscriber to manage the risk of holding a private key.
(4) A contract between a certifier and subscriber may limit or preclude suspension, so long as a person in a position to rely on the certification has notice of the limitation or preclusion. Such a limitation or preclusion could be included in a certification practice statement.
9. Revocation of Public Key Certificate by Request
The certifier which issued a public key certificate must revoke it promptly after:
(a) receiving a request for revocation by the subscriber named in the certificate or that subscriber's authorised agent, and
(b) confirming that the person requesting revocation is that subscriber, or is an agent of that subscriber with authority to request the revocation.
Clarification
"certifier which issued": The certifier which issued the certificate should be the person to suspend it, because the issuing certifier is in the best position to confirm the identity and agency of the person requesting the revocation.
"revoke": Since, by definition, a revocation cuts short an otherwise applicable time period, it relates only to certificates whose validity is determined according to time. If validity is measured by some other criterion, such as the scope of an identified transaction, this paragraph may well not apply.
Commentary
(1) The same comments as apply to the "Suspension of a Public Key Certificate by request" will apply to a revocation, though evidently, a revocation is permanent, and can be regarded as an ultimate step.
10. Suspension or Revocation of Public Key Certificate Without Consent
The certifier which issued a public key certificate must revoke it, if:
(a) The certifier confirms that a material fact represented in the certificate is false;
(b) The certifier confirms that the trustworthiness of certifier's information system was compromised in a manner materially affecting the certificate's reliability.
The certifier may suspend a reasonably questionable certificate for the time necessary to perform an investigation sufficient to confirm grounds for revocation pursuant to this article.
Clarification
"must revoke" If the Certifier does not revoke the certificate, or at least suspend it pending investigation, and can be proved to have notice of any of the grounds listed above, then it follows that the Certifier may be held liable for any consequential loss. Such failure to act may even bring into question the "Trustworthiness" of the Certifier vis-à-vis third parties.
"compromised" That the information which must be secret in order to safeguard the operation of the ensured message, has been revealed to parties who do not have the right to access such information.
Commentary
(1) It is anticipated that the exact parameters whereby a Certifier would be entitled to suspend or revoke a certificate without consent would be established through the contract between the certifier and the subscriber. In the absence of such provisions, any court proceedings brought as a result of a loss occasioned would have to establish if the certifier was entitled to act in this way.
11. Notice of Revocation or Suspension of a Public Key Certificate
Immediately upon suspension or revocation of a public key certificate by a certifier, the certifier must give appropriate notice of the revocation or suspension.
Clarification
"give appropriate notice": In determining what is appropriate, the certifier should evaluate the circumstances and make reasonable efforts to deliver notice to persons likely to be significantly affected by the suspension or revocation. Ordinarily for a certificate published in a digital certificate repository, the certifier should likewise publish notice of the suspension in the same repository, in the manner specified by a standard adopted by the repository or a statement of procedures which it has published. For an unpublished certificate, the notice should reach persons whose reliance on the certificate is foreseeable from the vantage point of the certifier and the person requesting the suspension or revocation.
Commentary
If the certifier fails to give notice, then it may find itself at least in breach of its contract with the subscriber, or at worst liable for any loss arising out of the subscribers subsequent use in good faith of an invalidated key.
It is intended that the GUIDEC serve as a foundation document in the application of digitally ensured Electronic Commerce, but it is freely acknowledged that we cannot hope to have addressed all of the issues at once. The whole field of Electronic Commerce is evolving at a rapid rate, and it is necessary that the concepts and definitions inherent thereto also evolve at an equivalent pace. The Electronic Commerce Project of the ICC will therefore seek to apply the definitions and principles as set out in the GUIDEC through further studies into the subject as it is enumerated here, and address itself to additional problems in the field as they continue to be identified. As technology develops, and the commercial world attempts to embrace such technological developments, further revisions and enhancements of this document will be made available, in order that the inevitably complex concepts can be readily understood by the business community, and put to the best use.
Copyright 1996 ICC ©. All rights reserved.