A digital signature is an electronic signature that is fully or partially reinforced through cryptography. Given the present state of information technology (IT), it is the best signature method to ensure the integrity and origin of an electronic document. However, the reliability of a digital signature depends on the following constituent elements:
- Certification Authority (CA) The CA issues a digital certificate that allows a person to digitally sign a document based on a Public Key Infrastructure (PKI). The very design of this PKI must maximize the management security of all digital certificates that depend on it.
- Identity management How does the CA verify identities? Does it accept declared identities or is there a thorough and reliable verification process? Poor identity management will result in a less reliable digital signature.
- Attribute management In situations where the CA certifies that information other than the identity are true, such as the professional status or time stamping, what is the verification and certification process and is it reliable? Is the certification valid only upon the issuing of a certificate, or each and every time a document is digitally signed? How does the CA manage the data when one of its members leaves the group?
- Management of authentication elements Once the identity of a new customer has been validated, the CA must ensure that the customer has secure, reliable and exclusive authentication in order to obtain his/her digital certificate every time a document is digitally signed. Does the CA apply robust methods in order to achieve these objectives?
- Management of the chain of trust Does the CA maintain a secure and reliable chain of trust that documents who can authorize each key event in the life cycle of a digital certificate (excluding signatures), such as its issuance, activation, revocation and renewal? Such a chain of trust is required in order to react promptly in the event of a security breach. Does the CA apply a robust method in order to achieve this objective?
- Management of IT processes The PKI is based on the management of IT processes and human processes. In the first case, have these processes been designed to maximize security and not simply to reduce costs?
- Management of human processes The parts of the PKI that depend on human processes must be designed with due care in order to reduce the risks of fraud and errors. Did the CA do this in a way that is reliable and certified?
- Continuous optimization IT relating to digital signatures and the environment in which digital signatures are used are constantly evolving. Does the CA adapt itself and optimize its PKI on a regular basis?
- External certifications Critically analyzing each step of said system of trust may not be something that comes easily to the uninitiated. It is therefore common practice to use external certifications and verifiers. Is the CA also verified and certified?
In the next article on the Notarius trusted signature, we explore how it meets the highest requirements in terms of the elements described above.