Digital Signatures and Certificates
Ensuring Authentication and Non-repudiation

By Ronald R. Tidd and Gary Heesacker

MAY 2008 - The AICPA’s 2007 Top Technology Initiatives named “identity and access management” and “securing and controlling information distribution” as the second and seventh most influential technologies, respectively. These technologies depend, in part, on policies, procedures, and practices that verify (authenticate) an individual’s identity prior to granting access to digital resources, such as a computer network and the files it contains. Login names, passwords, and personal identification numbers (PINs) are familiar and acceptable methods for implementing authentication policies.

The combination of a digital signature and certificate, however, provides a more secure authentication mechanism. When used to convey digital documents, the combination ensures that the document’s content has not been altered, restricts document access to authorized individuals, and records who sent and received the document and when they did so. The latter feature improves on the common practices of either using PDF files or password-protecting Microsoft Office documents, which provide no assurances as to time or user identity. Used together, these features prevent the parties from repudiating their participation in a digital communication. Digital certificates, therefore, can play an important role in electronic contracts, maintaining adequate internal controls, and performing audits.

Legal Status

Digital signatures would not be implemented if their legal status was in doubt. In the United States, the Electronic Signatures in Global and National Commerce Act (Public Law 106-229, 2000, www.ntia.doc.gov/ntiahome/frnotices/2002/esign/report2003/electronicsignaturesact.pdf) established the legal foundations for using digital signatures at the federal level. It provides, in part, that digital signatures have the same legal status as handwritten signatures in interstate and international commerce. At the state level, the National Conference on Commissioners on Uniform State Laws (NCCUSL) approved the Uniform Electronic Transactions Act in 1999 (www.ncsl.org/programs/lis/CIP/ueta.htm) and recommended it be enacted by all states. It also established a legal foundation for the use of digital documents and signatures. As of the end of the 2005 legislative season, only Georgia, Illinois, New York, and Washington had not enacted the act, but each of these states had other enabling legislation in effect.

Implementation Foundations

The mechanisms for implementing digital signatures have evolved to exploit the power of the new technologies known as “Web 2.0.” The foundations for implementing this technology, however, have not changed significantly since they were explained by Fritz Grupe, Stephen G. Kerr, William Kuechler, and Nilesh Patel in June 2003 (“Understanding Digital Signatures,” The CPA Journal).

The process for implementing a digital signature requires two main components. The first is the public key infrastructure (PKI), which uses cryptography and generates two mathematically related digital keys. One is a private key, available only to the signer of an electronic document. The other is a public key, available to anyone who needs to access a document signed by that signer’s private key. The recipient who uses the public key to unlock the document knows that the message came from the person controlling the private key, and the underlying processes verify that the message content was not altered by anyone after it was sent.

The second component is a certificate authority (CA), a trusted, independent third party that issues the private and public key pair and a digital certificate on behalf of a message sender. Effectively, that certificate is attached to every message processed with the private key. Through this process the CA—

  • facilitates the distribution of the public keys to message recipients;
  • assures the private key owner’s identity (depending on the level of service subscribed to by the key owner); and
  • verifies the private key’s validity and revokes a private key’s credentials when notified that the key’s security has been compromised.

By verifying and documenting a message’s sender and recipient, with the times a message was sent and received, the CA ensures that the message cannot be repudiated. The necessary conditions for an enforceable contract in cyberspace are non-repudiation, sender authentication, and message integrity. The process described above ensures that these conditions are met.
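
The two checks a recipient makes under this model, as an added example that is not part of the original article: does the signer's certificate chain to a CA the recipient trusts, and does the signature over the document verify under the public key in that certificate. It uses only the Go standard library; the names "Example CA" and "Signer", the document text, and the choice of ECDSA P-256 with SHA-256 are assumptions, and the signer's key pair is generated locally for brevity. Time stamping and revocation are not modeled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue binds name to pub in a certificate signed with caKey; a nil parent yields a self-signed CA.
func issue(name string, pub *ecdsa.PublicKey, parent *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent = true, true, x509.KeyUsageCertSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
}
// check reports whether cert chains to the trusted CA and whether sig over doc verifies under cert's key.
func check(ca, cert *x509.Certificate, doc, sig []byte) (chainOK, sigOK bool) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil, cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig) == nil
}
// demo (constructed data) checks an intact document, an altered one, and a certificate no trusted CA issued.
func demo() (intact, altered, untrusted bool) {
	caKey, key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue("Example CA", &caKey.PublicKey, nil, caKey)
	cert := issue("Signer", &key.PublicKey, ca, caKey)
	doc := []byte("Engagement letter, fee 12,000")
	digest := sha256.Sum256(doc)
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	chainOK, sigOK := check(ca, cert, doc, sig)
	_, altered = check(ca, cert, []byte("Engagement letter, fee 21,000"), sig)
	untrusted, _ = check(ca, issue("Signer", &key.PublicKey, nil, key), doc, sig)
	return chainOK && sigOK, altered, untrusted
}
func main() { fmt.Println(demo()) }
```

The third case carries a mathematically valid signature, but its self-issued certificate does not chain to the trusted CA, so it says nothing about who holds the key.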

Implementation Process

The technological and legal foundations for using digital signatures are sound. The process for implementing them depends on which of the two available strategies is chosen.

The more established strategy entails selecting a CA (see Exhibit 1) and a level of service (security) that is both appropriate for the sensitivity of the information to be exchanged and easily integrated into the communication process. The main distinction between the service levels offered by any CA is the effort it exerts to verify the identity of the applicant or subscriber. That effort ranges from verification of identity without a physical meeting to verification via a physical meeting with the CA or its designated representative (e.g., officers at a financial institution). Once the subscriber’s application and verification process is completed, the related digital certificates must be installed on the subscriber’s computer or network, integrated into e-mail and browser applications, and then maintained by IT personnel. Alternatively, the administration of the certificate can be outsourced to the CA.

As Rebecca Buckman reports (“Signing Up for E-Signatures: More Companies Are Using New Technology to Cut Costs—and Fraud,” Wall Street Journal, July 3, 2007), some regard the established implementation process as overly complicated. In response, a variety of web-based services (see Exhibit 2) are emerging that eliminate the need to download and install digital certificates. The process varies between service providers and levels of service offered, but generally a subscriber registers with the provider, who verifies the subscriber’s identity. The subscriber then places a document online and notifies the recipient, who will then go to the service provider’s website. The service provider verifies the recipient’s identification, perhaps by using questions related to the recipient’s credit report, and then grants access to the document. Although service providers are focusing on digital signatures and web-mediated contracting, these services are appropriate for any document that requires sender and receiver authentication (i.e., non-repudiation), message integrity, and a date stamp (e.g., confirmations of balances, verification of an audit client’s contractual obligations).

Whether a web-based or PC/network-based strategy is chosen, a reliable and trustworthy service provider is essential. In this respect, the established service providers (Exhibit 1) have a decided advantage over the emerging service providers (Exhibit 2), and they also provide certificate management solutions that relieve a subscriber of some administrative responsibilities. Web-based services, however, mitigate the problem of coordination of the PKI mechanism when a subscriber uses digital certificates with multiple business partners. Because they do not require significant investment in infrastructure or change in internal processes, they are an appropriate choice when communications requiring digital certificates are infrequent.

Application

Internet-mediated contracting is the most obvious and common use of digital certificates, suggesting their potential value with engagement letters or audit documents that provide management representations. They would generally be appropriate when assurance is necessary of who worked on a digital document and of when they did so. For example, digital certificates could be used to document the required authorization by the appropriate personnel for internal control purposes. Alternatively, digital certificates can help auditors clearly identify the source of management-prepared documents and responses to confirmations sent to third parties.

Simplifying Authentication

Digital signatures and certificates have had the requisite legal foundation since 2000, but the complexity of the underlying technology generally made implementation infeasible except for those who engaged in high-volume online contracting. The promise of the emergent web-based services is to simplify implementation of digital signatures and certificates. If those services fulfill that promise, then accountants and their clients may find that they can extend the horizons of their e-commerce activities and opportunities.


Ronald R. Tidd, PhD, CPA, and Gary Heesacker, MBA, CPA, are both professors of accounting at Central Washington University, Ellensburg, Wash.





The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.