Timing of electronic documents
30. If it is important to prove when the document was created or signed,
it is insufficient to rely on the date which can be inserted automatically
using a word processing system on the sender’s computer. It is easy to
alter the dates or the computer’s clock. A trusted third party can be used
to verify timing. (A CA may perform this function.) The summary of the
electronic document can be sent to a third party who provides an individual
time “stamp” for each summary, so establishing the time at which it was sent.
Obviously a time stamp is always somewhat later than the actual time of
signature. The length of the delay may be milliseconds or longer. This
depends on the time taken for the document to travel from the signatory
or sender to the time stamper. A trusted third party can provide this
service automatically on the Internet. Each time the third party is sent
a summary it returns a dated and electronically signed time certificate
or time stamp. The time stamped matter may include both the electronic
document and its digital signature in order to establish a date at which
the document was signed. If an electronic document bears multiple digital
signatures multiple time stamps can show the relative time of each.
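The exchange described in paragraph 30, as an added Python illustration that is not part of the original text: the sender submits only the summary, the time stamper signs the summary together with the time, and anyone holding the stamper's public key can check the result. The function names, the sample time and the demo key are constructed for this example, and textbook RSA stands in for whatever signature scheme a real time stamper would use.

```python
import hashlib
import json

# Constructed demo key: textbook RSA over two Mersenne primes. Not secure
# (no padding, structured primes); it stands in for the stamper's real key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                          # public modulus, published with E
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the stamper

def summary(document: bytes, signature: bytes = b"") -> str:
    """Hash ("summary") of the document and, optionally, its digital signature."""
    prefix = len(document).to_bytes(8, "big")  # keeps the two fields unambiguous
    return hashlib.sha256(prefix + document + signature).hexdigest()

def _to_int(summary_hex: str, time_utc: str) -> int:
    payload = json.dumps({"summary": summary_hex, "time": time_utc}, sort_keys=True)
    return int.from_bytes(hashlib.sha256(payload.encode()).digest(), "big")

def issue_stamp(summary_hex: str, time_utc: str) -> dict:
    """Time stamper: signs the summary together with the time of receipt.
    It never sees the document. A real service reads its own clock; the time
    is a parameter here only so the example is repeatable."""
    return {"summary": summary_hex, "time": time_utc,
            "sig": pow(_to_int(summary_hex, time_utc), D, N)}

def verify_stamp(stamp: dict, document: bytes, signature: bytes = b"") -> bool:
    """Relying party: needs only the stamper's public key (N, E)."""
    if stamp["summary"] != summary(document, signature):
        return False  # stamp was issued for different content
    return pow(stamp["sig"], E, N) == _to_int(stamp["summary"], stamp["time"])

if __name__ == "__main__":
    deed = b"Constructed sample deed text"
    client_sig = b"constructed signature bytes"
    stamp = issue_stamp(summary(deed, client_sig), "2001-06-01T10:15:00Z")
    print("genuine stamp:", verify_stamp(stamp, deed, client_sig))
    backdated = dict(stamp, time="2001-05-01T10:15:00Z")
    print("backdated stamp:", verify_stamp(backdated, deed, client_sig))
```

Because the stamped summary covers both the document and its signature, changing either one, or the recorded time, makes verification fail.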
Confidentiality
31. Proof of the authenticity and integrity of an electronic document is
a different matter from ensuring that no unauthorised person can read it.
There are many
ways of achieving that end. One way is by the sender encrypting the document
using the receiver’s public key. It can then be decrypted only by the
receiver’s private key, which is secret to the receiver. Because encryption
and decryption using public and private keys operate rather slowly, there
is another approach which is used, for example, by many retailers who
sell goods or services on the Internet. Using a standard computer program
a third key is generated which is known as a “session key”. It encrypts
the exchanges or documents sent during a session when the web site retailer
and the customer are communicating on-line. The session key is encrypted
using the public key of one of the parties and sent to that party who
can then decrypt it and use the session key to decrypt subsequent communications
which have been encrypted with it. The session key may, for example, be
used to encrypt credit card details. Information which has been encrypted
using a session key could also be digitally signed. It is not, however,
generally good practice to use the same key pairs for the purposes of
signing documents and for rendering them confidential. A person may have
more than one pair of keys to use for different purposes. (See also secure
sockets layer.)
32. Encryption for
confidentiality is particularly important in communications between legal
practitioners, their clients, and the courts. The Law Society of England
and Wales has produced e-mail guidelines for solicitors which state that
firms should not include confidential information in non-encrypted e-mail
without the informed consent of clients. Firms are recommended to adopt
systems that provide the facility for retrieving and automatically decrypting
encrypted incoming mail and automatically encrypting all outgoing e-mail
to those offering similar facilities.
Transactional Certificates
33. In our illustration
the certificate was created for multiple use but the same process may
be carried out on a one-off basis in order to undertake a single transaction.
An example could be a conveyancing transaction which might work in the
following way. The client goes to the lawyer’s office to sign and deliver
the electronic equivalent of a deed. On attending the lawyer’s office
the client shows his passport. This is the equivalent of the registration
process. The deed can be shown to the client on a visual display unit
and read by the client who, in the presence of the lawyer, clicks the
mouse on the icon labelled “sign”. This creates a digital signature. The
lawyer creates a transactional certificate certifying the digital signature
in the deed as being that of the client. The certificate contains the
client’s public key and the lawyer attaches the transactional certificate
to the deed and transmits it to the Land Registry.
34. A one-off certificate
might be useful even if the signatory has a general-purpose certificate.
For example, if the general certificate has a reliance/liability limit
of £10,000, that might be sufficient for almost all of the signatory’s
business transactions. However, once in a while he may want to enter into
a transaction in which the amount at stake is much greater. For that,
he needs a transactional certificate.
