Ensuring the Authenticity of Certificates
25. The receiver’s computer verifies the digital signature on the certificate by creating a summary of the certificate, using the CA’s public key to decrypt the encrypted summary of the certificate and comparing the two summaries of the certificate. If they are the same then the authenticity of the certificate is established. Since it is possible to buy computer programs which create certificates it would be possible for a fraudster to impersonate a CA. If the receiver wants to check that the certificate comes from the CA who has purported to sign it then there will have to be a certificate from a second CA of the first CA’s public key. The authenticity of that second certificate would also be proved by verifying it using yet another public key. There could therefore be a chain of certificates. At present some common computer operating systems have installed on them by the manufacturer a set of certificates that verify the certificates of a number of the largest commercial CAs.
26. There is, at present, no comprehensive system for absolute security as to the authenticity of certificates. So when electronic commerce takes place between parties who do not know each other they may pass all their electronic documents through a trusted third party. That party will check the source of the documents and forward and store them.
27. In practice Mr Blank and Dream Ltd see very little of the above process. It may be helpful to describe an example of a typical set of steps that may be taken by the individuals concerned. The sender puts the smart card into a slot in the computer. There is also a program on the computer itself. The sender enters that computer program, creates the electronic document, saves it and then clicks on an icon to apply the signature. At this point the sender is asked for the password or, if a biometric template has been taken by the CA, to present his eye to a retinal scan or finger to an electronic sensor. Once that is done a warning may appear on the screen to the effect that a signature may be legally binding. The sender clicks his mouse or presses a key in order to sign the electronic document. That effects the two stages of producing the electronic document summary and encrypting that document summary. It is possible to view details about the signature.
28. The receiver enters a similar program on his computer and clicks on an icon to verify or validate the digital signature on the document. The computer decrypts the document summary, creates another document summary and compares the two. The computer or the receiver checks with the certification authority on-line to see whether the certificate is valid. The receiver sees on his screen a message which informs him whether or not the signature has been validated.
Ensuring that the correct party has received the electronic document
29. Some software in e-mail programs allows senders to request a receipt when the document has been received in the receiver’s in-box .There is also software which can notify a sender when an e-mail has been opened. Neither indicate whether or not the document has been read. The best way of obtaining proof of receipt is to ask the receiver to send a digitally signed acknowledgment of the document on the text of the document which has been sent. If timing is important then time stamping can also be built into this process.
© Crown copyright 2002