PUBLIC KEY INFRASTRUCTURE (PKI)
PKI stands for Public Key Infrastructure. To enable the use of digital signatures in an open environment (such as the Internet) where the participants do not know each other, it is necessary to know who the signer is. PKI is a system created for this purpose, and in this system a reliable third party issues a digital certificate. The certificate contains information about the person to whom the certificate is issued. PKI uses a key pair, in which one key is public and the other is private. The system is based on asymmetric encryption. The signer signs the message with a private key, known only to the signer. The recipient can verify the authenticity of the signature and the integrity of the message with the public key given in the certificate.
THE ELECTRONIC TRANSACTIONS ACT
It addresses the legal issues necessary to set the stage for a secure and pro-business environment for electronic commerce in Mauritius.
Broadly, the ETA seeks to:
There is a provision for public sector agencies to accept electronic filing and issue electronic documents without having to amend their respective Acts. The ETA also provides that public sector agencies can specify, as regulations, additional requirements for the retention of electronic records under their purview. See Section 40 of ETA for more information.
The ETA provides that a service provider is not subject to criminal or civil liability for third party material for which the provider merely provides access. See Section 9 of ETA for more information.
The ETA is partly based on the UNCITRAL Model Law on Electronic Commerce.
Under the ETA, a digital signature shall be treated as a secure digital signature if it can be verified, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved so long as the signature is:
See Section 16 for more information.
There are 4 ways in which a digital signature can be given legal recognition under the ETA:
See Section 19 for more information.
The duties of a CA include using trustworthy systems in performing its services and maintaining secure procedures for the issuance, renewal, suspension, revocation and publication of its certificates. See Sections 24 to 32 for more information.
The duties of the subscriber include providing accurate and complete information when applying for a certificate, safeguarding the private key and initiating suspension or revocation requests if his private key is compromised. See Sections 33 to 36 for more information.
The role of the Controller of CAs (CCA) is to regulate and license the activities of CAs in Mauritius. As CAs perform a trusted role in verifying the identities of parties in electronic transactions, the CCA seeks to provide the assurance that the CAs' responsibilities are met and that these services are made available with high integrity, security and service standards.
ELECTRONIC TRANSACTIONS (CERTIFICATION AUTHORITY) REGULATIONS
During online transactions, transacting parties may not be able to reliably verify each other's identity. A CA thus plays the important role of a trusted third party in vouching for the identities of holders of certificates that it issues (i.e. its subscribers). The Regulations seek to set a benchmark for the integrity and security of the services offered by CAs.
The Regulations aim to ensure high standards of integrity, security and service levels for licensed CAs in Mauritius by:
The Regulations were enacted on 1st of December 2010.
Yes, CAs operating in Mauritius shall be duly licensed by the Controller of CAs.
The criteria that CAs will be evaluated against include their financial standing, operational policies and procedures, and the security of their systems.
CAs that apply to be licensed will have to be audited for compliance against the ETA, the Regulations, its Certificate Practice Statement (CPS), the Security Directives and other licensing conditions imposed by the Controller of CAs.
A CA's licence will be revoked if the CA is wound up or at the request of the CA. The Controller of CAs may also revoke or suspend the CA's licence if it fails to comply with any mandatory conditions pertaining to the issuance/renewal of the licence.
Foreign CAs are recognised in Mauritius if they
Public sector agencies applying to become an approved CA in Mauritius should:
The entire licensing/recognition/approval process involves:
An application has to be accompanied by the following documents:
Provided that all the required information and documents are in order, the application can be processed within 90 days.
The application/renewal fee payable is Rs5,000 in respect of each submission. In addition, the applicant must also pay an initial licence fee of Rs50,000 and an annual licence fee of Rs50,000 for the entire duration of the licence upon approval of the application.
The audit of the CA is carried out by such auditor as the Controller may appoint or determine.
Yes, a re-audit is necessary. The auditors can recommend whether a full or partial audit is required.
Yes, a CA must be minimally insured against liability arising from errors or omissions on its part, its officers or employees.
A digital signature is a signature produced by using the public key method. With a digital signature it is possible to verify that the recipient receives the message in its original form and that the signer is who he or she claims to be. The creator of the digital signature has a private key, which is needed to sign the message. The recipient of the message has the signer's public key, which can be used to verify the signature. Digital signatures are based on the Public Key Infrastructure (PKI) and the use of asymmetric encryption methods and hash functions.
Digital signatures are used to electronically ensure the integrity of electronically transmitted information and also to ensure that the person sending the information is who he or she claims to be and cannot later deny having sent the information. Therefore digital signatures have additional features compared to handwritten signatures.
Public key encryption is used in creating digital signatures. It is based on the use of key pairs (private/public). The message is encrypted with one key and decrypted with the other. The digital signature is created using the signer's private key. The recipient can verify the signature using the signer's public key.
The signer first computes the hash value of the message that is to be signed. The hash value is like a compressed version of the message. Hash algorithms work so that it is very hard to find two messages with the same hash value. When the signer has computed the hash value, the signer transforms it to a signature with the private key. The recipient of the message transforms the signature back to the hash value with the sender's public key, and then compares it with the hash value computed from the message. If these hash values match, it can be verified with certainty that the message and the signature belong to the holder of the private key used to sign the message. Since the signer uses a unique private key to sign the message, the signature is authentic.
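The signing and verification steps described above, as an added example in Go (not code from the original page). RSA PKCS#1 v1.5 with SHA-256, the 2048-bit key size and all function names are choices of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// NewKey generates the signer's key pair (2048-bit RSA is this example's choice).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign hashes msg with SHA-256, then turns the hash into a signature with the private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// HashMatches shows the recipient's step literally: sig^e mod n, then compare the trailing
// 32 bytes with the hash of the received message. Illustration only: no padding checks.
func HashMatches(pub *rsa.PublicKey, msg, sig []byte) bool {
	s := new(big.Int).SetBytes(sig)
	em := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N).Bytes()
	h := sha256.Sum256(msg)
	return len(em) >= len(h) && bytes.Equal(em[len(em)-len(h):], h[:])
}

// Verify is the check to use in practice: the library checks hash and padding.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message")
	sig, err := Sign(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("hash recovered from signature matches:", HashMatches(&key.PublicKey, msg, sig))
	fmt.Println("genuine, altered:", Verify(&key.PublicKey, msg, sig), Verify(&key.PublicKey, []byte("altered"), sig))
}
```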
In simple terms, a certificate is a data structure that binds together the name of the person the certificate is issued to and that person's public key. The certificate is an electronic proof issued by a reliable authority - a certification authority. It verifies that the public key and other information in the certificate, for instance, the person's name/identity, correspond to each other. The certificate also includes the name of the certification authority and a period of validity for the certificate. The certification authority's digital signature guarantees the origin and integrity of the certificate. When a signed message is received, the recipient can search for the certificate in a directory with the sender's personal data. The signature can be verified by using the public key given in the certificate. Certificates are issued not only to individuals but also to associations, organisations and computer devices.
The certificate contains, among other things, the public key of the holder, the name of the holder, the period of validity for the certificate, the name of the certification authority that issued the certificate and the serial number of the certificate. The issuing certification authority digitally signs the certificate.
The Controller of Certification Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certification Authorities licensed to issue Digital Signature Certificates.
A certification authority is an organisation that issues certificates, and signs the certificates and the revocation lists with its private key.
A Registration Authority (RA) can be used to offload many of the administrative functions from the CA, including end-user registration.
A Certificate Revocation List (CRL) is a compilation of certificates that a certification authority has revoked before their period of validity has expired. A revoked certificate cannot be restored to use.
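An added example in Go (not from the original page) of what a relying party does with a certificate and a CRL as described above: check the CA's signature on both, the period of validity, and the revocation list. The demo CA, subscriber name, serial numbers and 2048-bit RSA keys are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo helper: stop on any setup error
	if err != nil {
		panic(err)
	}
	return v
}
// CheckCert is what a relying party runs before trusting the public key in cert.
func CheckCert(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := errors.Join(cert.CheckSignatureFrom(ca), crl.CheckSignatureFrom(ca)); err != nil {
		return err // certificate and CRL must both carry the CA's signature
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("outside period of validity")
	}
	for _, rc := range crl.RevokedCertificates { // Go 1.21+ also has RevokedCertificateEntries
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

func Build(revoked int64) (sub, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) {
	now = time.Now() // constructed demo data: CA (serial 1), subscriber (serial 2), CRL
	caKey, subKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	subT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo Subscriber"},
		NotBefore: caT.NotBefore, NotAfter: caT.NotAfter}
	sub = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, subT, ca, &subKey.PublicKey, caKey))))
	crlT := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: now}}}
	return sub, ca, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlT, ca, caKey)))), now
}
func main() { fmt.Println(CheckCert(Build(2))) } // prints: certificate revoked
```

`Build(2)` puts the subscriber's own serial number on the CRL; any other serial (for example `Build(99)`) leaves the certificate acceptable until its validity period ends.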
Certificates can be used, for instance, for the following purposes:
Privacy: certificates can be used to encrypt and decrypt messages.
Authenticity: certificates can be used to digitally sign a message. A digital signature verifies the authenticity of the sender of the message and that the message has remained unaltered.
Access control: certificates can be used to control, for instance, the access of employees to the organisation's intranet.
Certification service operation means issuing and maintaining certificates. Certification service operation includes registration of the applicants, creation of certificates, distribution of certificates through the directory service, revocation of certificates and revocation list service.
A key is a long number sequence that is used as a parameter for the encryption and decryption algorithms. Symmetric algorithms use the same key for encryption and decryption. Public key algorithms use both a public and private key. The length of the key is an important factor in ensuring the security of communications. The key lengths are given in bits. In symmetric encryption a key length of 128 bits and in asymmetric encryption a key length of 1024 bits is considered to be secure.
Encryption algorithms are mathematical formulas that are used to transform a readable message to a message that can only be read by the intended recipient. In this encryption method the information is encrypted so that only the intended recipient is able to read and transform the message. The message can be intercepted, but it is useless to a person who cannot decrypt it. Encryption and decryption of the information requires, in addition to the encryption algorithm, a key. Only the person who has the right key and the algorithm can decrypt a message encrypted in this way.
Public key algorithms are encryption algorithms that require two keys: a public and a private key. When one of these keys is used to encrypt the message, only the other key is able to decrypt it. The private key must be kept secret. The public key may be published, for instance, in a public directory. The public key can be used to verify the message that has been signed with a private key or to encrypt a message that can only be decrypted with the private key. If someone wants to send you a message, it can be encrypted using your public key and you can decrypt it with your private key. Since you are the only one with access to your private key, you are also the only one who can decrypt the message. Public key algorithms are also called asymmetric encryption algorithms.