Judicial Studies Board - Publications: Digital Signature Guidelines, July 2000

Illustration of the use of a Digital Signature

11. This illustrates one potential commercial use of digital signatures. Similar digital signature processes could be used in conjunction with payment for goods by credit cards or in on-line banking. Digital signatures could also be used to prove authenticity and integrity of electronic documents that are not sent anywhere but which are created and retained for legal and commercial purposes.

12. Dream Ltd are wholesale distributors of videos. In March 2000 they receive on their computer an email ordering £5,000 worth of videos, which purports to come from Mr Blank who owns and runs a shop called Videomad of High Street, Nowheretown.

13. Dream Ltd are anxious to know exactly who is buying their videos and where purchasers are located. This is because they have past experience of dealing with retailers who have caused them losses by copying and distributing video tapes they have sold wholesale. Dream Ltd therefore responds to Mr Blank informing him that they will only do business with him if he uses a digital signature which has been certified by Signicorp which is a certification authority (CA) (the functions of a CA are set out in the next paragraph ).

14. Mr Blank contacts Signicorp to find out what steps have to be taken to obtain the necessary certificate. Signicorp respond that they are based in London but they have a local registration authority (LRA) which is the Rich Bank in the High Street in Nowheretown. They say that Mr Blank should attend the Bank taking with him evidence that he runs the shop called Videomad, evidence of his identity such as a passport and a bill for business rates addressed to him at Videomad’s address. Mr Blank, attends Rich Bank with lease documentation showing he rents the premises from which Videomad is run. He also takes a bill for Videomad’s business rates which shows Videomad’s address at High Street, Nowheretown. The bank official checks all the documentation. He asks Mr Blank for his mother’s maiden name and tells him that is to be his initial password. Using a computer program supplied by Signicorp, the official creates a private and public key pair for Mr Blank and then sends the public key to Signicorp who create an electronic certificate (see paragraph 24). The certificate contains Mr Blank’s name, his public key and the digital signature of Signicorp (digital signature is explained in paragraphs 18-22). The certificate states that it is valid until March 2001 unless explicitly invalidated and that anyone who intends to rely on it should first check as to its current validity with Signicorp. It also states that Signicorp will not be responsible for losses in excess of £50,000 suffered by anyone as a result of relying on the certificate. The bank official produces a printout of the certificate and a receipt to which another copy of the printout is attached. The receipt contains a statement that the certificate is accurate. An instant photo is taken of Mr Blank, it is attached to the receipt and Mr Blank is asked to sign it in the presence of the official. Mr Blank is then handed a smart card which contains his private key and the Signicorp digital certificate. He is told to keep the smart card safe and to make sure nobody else has access to it. He is also told not to divulge the password and to change it as soon as possible.

15. Mr Blank returns to his office. Using his computer, he creates an electronic ordering document. Then he inserts his smart card into his computer, types his mother’s maiden name and digitally signs the document (see paragraphs18-22). He adds Signicorp’s electronic certificate to the document and sends it off to Dream Ltd. Dream Ltd contact Signicorp to find out whether the certificate is still valid. They are informed that it is. Using Mr Blank’s public key in the certificate Dream Ltd then verify that the document has been signed using Mr Blank’s private key and has not been altered en route and they meet Mr Blank’s order. Dream Ltd record and store all the electronic documents, signatures and certificates received from Mr Blank at Videomad.

16. Mr Blank orders videos from Dream Ltd regularly over a period of some months. Dream Ltd delivers the videos to Videomad’s premises and sends electronic invoices to Videomad for payment within seven days.

17. Mr Blank uses Signicorp’s technology to send electronic documents to order videos from other companies apart from Dream Ltd. With each signed document, he sends a copy of his Signicorp certificate for the recipient to use in verifying his digital signature.