The Liability of a Certification Authority Pursuant To the Israeli Electronic Signature Law

On 26th March 2001 the Knesset approved the Electronic Signature Law, 5761-2001 on second and third reading. The Law regulates the evidential status of electronic signatures, lays down the effect of electronic certificates (which confirm that a person has a particular signature verification device - the on-line equivalent of an identity document) and provides how a certification authority, which issues electronic certificates, should act.

Coincidentally, only a few days earlier Verisign, which holds 97% of the electronic certificate market around the world, made a disquieting announcement: the company had mistakenly issued an electronic certificate to a person who had identified himself to it as a representative of Microsoft, despite not being connected with the software giant of Redmond, Washington. Verisign's control arrangements discovered the error too late and a complaint was made to the FBI in the USA. The impostor now has a certificate that can be used, for example, to disguise the source of computer applications with destructive potential, such as ActiveX applications. Anyone wishing to install those applications is likely to believe, mistakenly and in reliance upon the electronic certificate, that he is dealing with a Microsoft application, when he is in fact about to install a hostile application on his computer.

The above coincidence is a convenient springboard for analysing the nature and function of a certification authority pursuant to the new Electronic Signature Law. What does the Law require of such an authority, which is effectively the on-line world's Ministry of the Interior? In the dry and precise language of the definitions clause of the new Law (section 1), a certification authority is an "authority that issues electronic certificates and is registered in the Registry under the provisions of this Law". An electronic certificate, for its part, is "an electronic message issued by a certification authority, confirming that a certain signature verification device belongs to a certain person". (A signature verification device is "unique software, object or information required for verifying that a secure electronic signature was created using a specific signing device".) Hence, an electronic certificate links a person with his signature verification device (a clear example being a private encryption key), and the function of a certification authority is to issue such certificates (section 18(a) of the Law). Verisign, which incorrectly issued an electronic certificate to an impostor, is a certification authority although, of course, it does not operate, and is not registered, in accordance with the new Israeli Law.

A certification authority need not be registered in accordance with the Electronic Signature Law. The new Law does not require the registration of authorities as a condition precedent to their activity and it is certainly possible for there to be a certification authority that is not registered. However, the Law does provide an indirect incentive for certification authorities to register with the Registrar of Certification Authorities. It does so in each of the following ways. Firstly, in the case of any enactment that requires a signature, the requirement may only be fulfilled by the use of an electronic signature if it is accompanied by an electronic certificate that has been issued by a registered certification authority (section 2(a) of the Law, together with the definition of "certification authority" in section 1). Secondly, if a person includes with his electronic signature an electronic certificate issued by a registered certification authority, it is presumed to be a secure electronic signature (section 4 of the Law) and if it is a secure signature, it enjoys certain statutory presumptions (section 3 provides that: "an electronic message signed with a secure electronic signature is admissible in any legal procedure and will constitute prima facie evidence that: (1) the signature is that of the owner of the signing device; and (2) the electronic message is that which was signed by the owner of the signing device"). Thirdly, a registered certification authority may be exempt from appearing to give evidence in order to confirm that it issued a particular certificate: instead of requiring it to appear, the court may accept the certification authority's own certificate as equivalent to the certificate of a public employee under the Evidence Ordinance (section 5 of the Law). Finally, the Law creates a specific arrangement in respect of the liability in tort of a registered certification authority. It will not be liable for damage caused due to reliance on an electronic certificate issued by it, if it proves that it took all reasonable steps to perform its duties under the Law (section 21(a) of the Law). In addition, if it has set limits to the ways in which the certificate can be used or to the value of the transactions in respect of which the certificate can be used, it will not be liable for damage caused due to use that exceeds the limit, provided that it has detailed the limit on the certificate (section 21(b) of the Law).

What are the damages for which a certification authority can be liable? These are essentially third party damages resulting from an error in the issue of an electronic certificate, namely issuing a certificate that incorrectly certifies the identity of the holder of a signature verification device (section 18(b) of the Law). This is exactly what happened with Verisign.

A certification authority can also cause damage if it does not duly revoke an electronic certificate in one of the cases where it is under a duty to do so pursuant to section 20(a) of the Law or if it does not enter an electronic certificate in the register of void certificates, despite knowing that it is no longer valid (section 20(b) of the Law). Verisign quickly - and rightly - registered the electronic certificates that it had incorrectly issued in the register of revoked certificates that it keeps. According to the Law, an electronic certificate is to be revoked in each of the following cases: at the request of its owner; immediately the certification authority discovers that any of the information in the certificate is incorrect or that the certificate is no longer reliable for any other reason or that there is a flaw in the certificate owner's secure electronic signature; when the certification authority learns of the death or dissolution of the certificate owner; and, finally, immediately the certification authority discovers a flaw in its own secure electronic signature or hardware and software systems that is such as to impair the reliability of its signature or of the electronic certificates that it issues. In each of those situations, innocent third parties who rely on an electronic certificate and incur damage are likely to bring claims against the certification authority.

Other damages can occur if the certification authority has not performed its duties to equip itself with and maintain reliable hardware and software systems that provide reasonable protection against hacking, disruption in or interference or damage to a computer or computer material, and provide a reasonable level of availability and reliability (section 11(a)(2) of the Law), and damage can also occur if the certification authority has not given the owner of a signing device information about the risks involved in the use of a certified electronic signature and the duties that rest with the owner of a signing device in accordance with the Law (section 24(a)(8) of the Law).

The issue of liability brings us back to where we started. What should a certification authority do in order to relieve itself of liability for damages? Section 18(b) of the Law explains what is expected of it: "A certification authority shall not issue an electronic certificate unless it has taken reasonable measures to identify the applicant and to check his signature verification device and that the information in the certificate issue application is correct and complete". Three tasks face a certification authority that wishes to avoid liability in tort for the incorrect issue of a certificate.

Firstly, it must identify the applicant by taking reasonable steps. In its press release, Verisign did not specify what steps it had taken in order to verify the identity of the party who applied for the electronic certificate and was later found to be an impostor. Nevertheless, it does appear that it issued the certificate before it received Microsoft's confirmation by e-mail that it was in fact seeking the certificate.

Secondly, it must examine the signature verification device in the applicant's possession. Here the Law lets drop only the slightest hint. Such a signature verification device is "unique software, object or information required for verifying that a secure electronic signature was created using a specific signing device". In most cases the signature verification device is a private encryption key. The certification authority is required to verify that the signature verification device (the encryption key) is suitable for the issue of a secure electronic signature (namely "an electronic signature which meets all of the following requirements: (1) it is unique to the owner of the signing device; (2) it enables prima facie identification of the owner of the signing device; (3) it is created using a signing device that is under the sole control of the owner of the signing device; and (4) it enables identification of any change to the electronic message made after signing"). It is therefore under an onerous responsibility. In practice it will have to verify that the algorithm used by the signature verification device can produce secure signatures and that the encryption key is long enough that recreating it is not unreasonably easy.
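The device check described above, as an added example in Go that is not from the article or from any certification authority's own code: a hypothetical CA-side function that, before a certificate is issued, checks that the application names a subject, that the submitted verification device (treated here, as in ordinary PKI practice, as the public key in a PKCS#10 request) uses an accepted algorithm of sufficient length, and that the request signature proves the applicant controls the matching signing device (requirement (3) above). The RSA-only policy and the 2048-bit floor are assumptions; the Law leaves such figures to the regulations.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// minRSABits is a hypothetical policy floor; the Law leaves the figure to regulations.
const minRSABits = 2048

// CheckVerificationDevice runs the checks section 18(b) expects before issue:
// complete application, acceptable verification device (the public key in the
// request), and proof that the applicant controls the matching signing device.
func CheckVerificationDevice(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	if csr.Subject.CommonName == "" {
		return errors.New("application incomplete: no subject name")
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey) // assumed policy: RSA only
	if !ok {
		return errors.New("algorithm not accepted for secure signatures")
	}
	if pub.N.BitLen() < minRSABits {
		return errors.New("key too short: recreating it would be too easy")
	}
	// Proof of possession: the request signature must verify under the
	// submitted key, showing the applicant holds the signing device.
	if err := csr.CheckSignature(); err != nil {
		return errors.New("request signature does not verify")
	}
	return nil
}

// NewRequest builds a constructed sample PKCS#10 request with a fresh RSA key.
func NewRequest(bits int, name string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

A request with a 1024-bit key, an empty subject, or a tampered signature is refused; a 2048-bit key with a complete application passes.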

Thirdly, the certification authority must check that the information in a person's application for an electronic certificate is correct and complete. Implementation of the Electronic Signature Law will require detailed regulations and these are currently being prepared by the Ministry of Justice in Jerusalem. Section 24(a)(10) of the Law explains that the regulations will also regulate these duties of a certification authority and they will lay down methods for identifying the applicant and checking his signing device for the purpose of obtaining an electronic certificate.

As aforesaid, if the certification authority acts in accordance with the requirements of the Law when it issues a certificate, section 21(a) will relieve it of liability for damage caused to someone relying on the certificate issued by it. In case damage is nevertheless caused, the Law requires a certification authority to deposit with the Registrar of Certification Authorities, as a condition for its registration, a bank or other guarantee to secure its liability (section 11(a)(3) of the Law). The regulations will prescribe how the guarantee will be forfeited in order to compensate innocent parties who suffer damage.

The completion of the Law's legislative process is just the first stage in the adaptation of Israeli law to the computer networking era. The Ministry of Justice personnel who formulated and led the legislative process - the Deputy Attorney General for Civil Legislation, Tanna Spanitz, and the coordinator of the Electronic Trade Committee, Adv. Lihi Feldman - are already working on the text and its consistency with the requirements of modern electronic trade. When their recommendations are formulated into draft legislation, they will certainly have further meetings with MK Michael Eitan (Likud) who was the only Member of the Knesset to take an interest in and promote the enactment of the Electronic Signature Law.

Translated by Word Power