Introduction: Best practice dictates that you use a digital certificate to access business computer systems over the Internet. To obtain one you must register your details with a certificate authority or its subordinate registration authority, a process which can be frustrating at times. Even so, registering with a recognised certificate authority or registration authority to be issued with a digital certificate should be treated as a necessity: there are real risks that you need to manage when transacting online.
Transacting online: Most computer systems require some form of access control. The most common is a username and password, which is too weak a control when the business risk is high: a password is a shared secret that can be guessed, phished, captured by a key logger, or reused by anyone who learns it.
Take for example conveyancing online, namely the electronic communication of bond information (e.g. instructions, re-instructions, NTUs, acknowledgments, milestone statuses, payment advices, and rating files) between the home loan divisions of the banks and their respective panels of conveyancing attorneys. In a conveyancing transaction one cannot run the risk of allowing fraud to happen easily as a result of unauthorised data access, data manipulation and leakage, or misuse of access by persons unknown. The companies involved need to know with a degree of certainty who is accessing their computer systems online, and need those persons to take responsibility for what they do whilst online with them. The solution should also give those companies confidence that only personnel authorised to communicate electronically on the company’s behalf can in fact do so. Standard components of a sound security solution include authentication based on public-key cryptography, i.e. digital certificates and the private keys that go with them.
Examples of other components not dealt with here, but also very important, include firewalls, anti-virus scanners, content security management, intrusion prevention systems, virtual private networks and security information and event management (SIEM) tools.
There is a particular government department that used to use a username and password to manage access to its payroll system. Just before a payment run, fraudulent “ghost” payee lists were uploaded to the system, payment was made to these “ghosts”, and the lists were then removed; nobody could pin-point the culprits, yet the money had been paid out. Surely the costs of subsequent investigation and prosecution (if any) could be reduced by simply using properly issued digital certificates: every action is then tied to a private key held by an identified individual, which lets you know and track who has access to the system and removes the “it wasn’t me” excuse.
Digital certificates: A digital certificate is an electronic form of identification, much like an identity document, passport or driver’s license.
Technically it is:
• a strong method of authentication: the user proves possession of a private key in a cryptographic handshake (a challenge signed with the key), rather than sending a shared secret like a username and password;
• far more resistant to phishing scams, key loggers and “man-in-the-middle” interception than passwords, because the private key is never typed in or transmitted; this protection depends on the private key itself being kept safe (ideally on a smart card or hardware token) and on the client checking the server’s certificate in turn;
• the basis of authentication and signing in web services standards such as SAML assertions and XML Digital Signature, both of which carry or reference X.509 certificates;
• a roadmap for further use, i.e. signing to preserve the integrity of data messages, transactions, e-mail, PDFs, Word documents, Excel spreadsheets etc.;
• based on the widely accepted X.509v3 format, so that system and program interoperability is close to assured.
Certificate authorities and registration authorities: Digital certificates are issued by certification authorities. A certification authority creates the digital certificates and sets policy, published in its Certification Practice Statement (“CPS”), on what a subscriber may and may not do when using his/her digital certificate. A subscriber is a natural person who applies to be issued with a personal digital certificate.
Examples of recognised reputable certification authorities include Entrust (www.entrust.com) and L@Wtrust (www.lawtrust.co.za).
A certificate authority or its subordinate registration authority is contractually obliged to verify and confirm the accuracy of (i.e. authenticate) the information concerning the identity of a subscriber (e.g. the RSA (Republic of South Africa) identity document), as well as the information to be contained in the personal digital certificates issued to subscribers and made available for use in providing secure electronic communication services.
Applying for your digital certificate: You, as subscriber, need to:
• complete a Personal Digital Certificate Application Form, which is countersigned by the certificate administrator or an authorised representative of the certificate authority;
• sign a Subscriber Agreement; and
• present the original and one copy of your identity document, passport or driver’s licence (there might be other criteria that need to be adhered to, depending on which certificate authority you choose to deal with).
After authenticating your identity and completing certain internal checks and controls, the certificate authority will issue you with a digital certificate. You will then be notified and directed on how to download the digital certificate and commence using it to access computer systems online. Usually a call centre agent will be available to assist you.
Revoking your digital certificate: Your digital certificate has been issued to you for a specific purpose – namely to enable your online access to certain computer systems in order for you to receive and send information relating to a particular commercial transaction. As such, your digital certificate will have to be revoked where:
• you are no longer employed by the company with which your digital certificate is associated; or
• information contained in your digital certificate is subsequently found to be inaccurate; or
• the private key associated with your digital certificate has been compromised (for example, the token or computer holding it has been lost, stolen or infected).
If this is not done, one of the risks you run is having persons unknown transacting online in your name. Revocation only protects you once the relying systems actually consult the certificate authority’s certificate revocation list (CRL) or OCSP responder, so report a compromise promptly: the certificate authority publishes the revocation, it cannot recall the certificate from wherever it has been copied.
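As an added example, not part of this article and not the procedure of any certificate authority named here, the shell script below uses the openssl command line as a throwaway certification authority. It issues an X.509v3 client-authentication certificate to a fictitious subscriber, verifies it against the CA, then revokes it, publishes a certificate revocation list (CRL) and shows that verification now fails. The CA name, the subscriber identity, the working directory and the “keyCompromise” reason are all constructed for the example; it needs only the openssl binary (1.1.1 or later).

```shell
#!/bin/sh
# Added example: a throwaway CA issuing, verifying and revoking an X.509v3
# client certificate with the openssl CLI. All names are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"          # assumption: a scratch directory we may wipe

# Write one openssl config used by both 'req' (CSR/self-signed CA) and 'ca'.
write_config() {
  cat > "$WORK/ca/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = example_ca
[ example_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
emailAddress = optional
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build a fresh CA and issue one subscriber certificate (the RA has, by
# assumption, already verified "Jane Subscriber"'s identity on paper).
pki_setup() {
  rm -rf "$WORK/ca" "$WORK/subscriber.key" "$WORK/subscriber.csr" "$WORK/subscriber.crt"
  mkdir -p "$WORK/ca/newcerts"
  write_config
  : > "$WORK/ca/index.txt"; echo 1000 > "$WORK/ca/serial"; echo 1000 > "$WORK/ca/crlnumber"
  # 1. CA key plus self-signed root certificate (the certification authority)
  openssl req -x509 -config "$WORK/ca/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" \
    -subj "/C=ZA/O=Example Trust/CN=Example Root CA" >/dev/null 2>&1
  # 2. Subscriber key pair and certificate signing request carrying her details
  openssl req -new -config "$WORK/ca/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/subscriber.key" -out "$WORK/subscriber.csr" \
    -subj "/C=ZA/O=Example Attorneys/CN=Jane Subscriber/emailAddress=jane@example.test" >/dev/null 2>&1
  # 3. CA signs the CSR into an X.509v3 certificate restricted to clientAuth
  openssl ca -batch -config "$WORK/ca/ca.cnf" -extensions client_ext \
    -in "$WORK/subscriber.csr" -out "$WORK/subscriber.crt" >/dev/null 2>&1
  # 4. Publish an (initially empty) CRL so relying parties have something to check
  openssl ca -config "$WORK/ca/ca.cnf" -gencrl -out "$WORK/ca/ca.crl" >/dev/null 2>&1
}

# What a relying system does: chain to the trusted CA, check the purpose, consult the CRL.
# Exit status 0 = valid and not revoked; non-zero otherwise.
verify_subscriber() {
  openssl verify -crl_check -purpose sslclient -CAfile "$WORK/ca/ca.crt" \
    -CRLfile "$WORK/ca/ca.crl" "$WORK/subscriber.crt" >/dev/null 2>&1
}

# Identity bound into the certificate (what the RA vouched for).
subscriber_subject() { openssl x509 -in "$WORK/subscriber.crt" -noout -subject; }

# Revoke (e.g. private key compromised) and publish a new CRL listing the serial.
revoke_subscriber() {
  openssl ca -config "$WORK/ca/ca.cnf" -revoke "$WORK/subscriber.crt" -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config "$WORK/ca/ca.cnf" -gencrl -out "$WORK/ca/ca.crl" >/dev/null 2>&1
}

# Exit status 0 if the published CRL lists serial 1000 (the subscriber's cert).
crl_lists_subscriber() {
  openssl crl -in "$WORK/ca/ca.crl" -noout -text | grep -q "Serial Number: 1000"
}

# Stand-alone walk-through.
pki_setup
subscriber_subject
if verify_subscriber; then echo "before revocation: accepted"; fi
revoke_subscriber
if verify_subscriber; then echo "after revocation: accepted (unexpected)"; else echo "after revocation: rejected"; fi
```

The point to notice is the last two steps: revocation is something the CA publishes, and a relying system only benefits from it if its verifier is actually configured to fetch and honour the CRL (or query OCSP); drop `-crl_check` from `verify_subscriber` and the revoked certificate is accepted again.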
Conclusion: Registering for a digital certificate is a potentially frustrating process; but, done properly, the benefits of working online should far outweigh the frustration. Can you imagine having to go back to manually receiving bond instructions (in a conveyancing transaction) because the risks of doing so online are too great? I think not.
Name: Grant Christianson
Designation: Legal Advisor