
Trust Sovereignty – Part 1: The Rise of Digital Signatures

14 May 2020 | Scott Rea

We live and transact in a hyper-connected society. More and more of our identity in that society is being absorbed into virtual personas of our physical existence as we become entangled in the online or virtual aspect of the individuals and communities we interact with daily. And the protective controls precipitated by the advent of the COVID-19 pandemic have only exacerbated this situation. For example, if someone wishes to communicate with me, only those in my household right now have an opportunity to engage with me physically face to face. For my business associates or clients, I am a Zoom, WebEx, or Teams account. For my family on the other side of the earth, I am relying on a Facebook account, interacting through our respective daily feed or Messenger group. But for most communications by far, especially those that tend to be shorter, I am just a phone number, likely accessed via some text-based social media platform.

When someone wishes to ensure it is the real me they are communicating with, not just some wombat on the internet (no one knows if you’re a wombat on the internet), there is some implicit trust placed in the medium/platform they are using. In most cases, this is based on some historical moniker associated with me and my previously authenticated identifier, potentially with some subsequent verification (live video, live voice, or asking contextual questions) to ensure that it is indeed me they are communicating with. But what happens in a new business transaction when the parties have never met? When there are only the virtual personas to try to draw some assurance from? Who is really at the other end of the transaction?

Trust is critical to any business transaction. Business occurs at the speed of trust – the very moment the conditions exist in which two parties have enough assurance in the infrastructure/system and each other to have “trust” is the point at which a transaction will occur, and not a moment before. So how do we create the environment where TRUST can be established in a virtual environment, without established historical context, and without the advantage of being able to physically verify with our senses that we are dealing with the real party we expect? This is particularly important in the Middle East, where there is a tradition of physical, in-person, face-to-face communication and verification before business transactions occur.

Traditionally, to close a business transaction, each principal party will sign a document or agreement with a handwritten signature, in ink. The wet ink signature is a symbol of commitment and non-repudiation from each party that is legally enforceable in courts of law. To effect the execution of an agreement, both parties are physically present with each other, or else their commitment can be witnessed by an independent party, e.g. a Notary, and it requires the physical application of a symbol or mark that uniquely represents each party. The signature both identifies the signer and symbolises their agreement to the contract, which is carefully reviewed before signing.

Accomplishing an analogue of this process in our digital domains is a critical component to modern business. In the UAE, Federal Law #1, 2006 Electronic Commerce & Transactions Law (eSign Law), provides a mechanism for electronic signatures. It contains a framework for the equivalence between electronic and handwritten signatures as well as the basic guidelines for assessing the duties of signatories and the effect of reliance on electronic signatures accepted by the law. However, this law was written for an environment that was not as hyper-connected as our present day, and there are still some classes of electronic transactions that are excluded under the law because they were considered potentially repudiable and therefore not accepted in a court of law, e.g. Notarisations and Real Estate transactions.

Technology and frameworks exist today that enable certain kinds of electronic signatures to have the same veracity as wet ink signatures in the courts and, in fact, to provide much greater assurance or trust than the original physical analogue if certain conditions are met. Therefore, an update to the UAE’s eSign Law is required to lay out the conditions necessary to establish these requirements for handwritten and electronic signature equivalence and to remove the exceptions codified in the current law, so that all types of transactions can be catered for electronically. The Telecommunications Regulatory Authority (TRA) is currently reviewing the eSign Law to do just that.

Looking at successful models for eSign frameworks adopted around the globe, such as those of the EU, there are several components that the TRA should consider to meet the demands of modern hyper-connected societies, such as the UAE. Digital Signatures as a type of electronic signature may be considered equivalent to wet ink signatures in a court of law when certain accompanying conditions are met:

  • The cryptographic algorithms used to apply the signature are considered safe in the context of the longevity of the signature
  • The cryptographic key size of the signing credential is deemed to be safe in the context of the longevity of the signature
  • The binding of identity in the signing credential to the key material is accomplished in an assured and trustworthy manner
  • The conditions and restrictions encoded in the signing credential for its use and reliance are adhered to, e.g. validity periods, validation requirements, key usage etc.
  • The key material of the signing credential is protected and managed in a trustworthy manner
  • Signing credentials should be issued under Trust Anchors established, operated and recognised for compliance with national trust frameworks
  • The system and Trust Service Provider processes used to issue the signing credential are managed in a trustworthy manner and regularly audited to confirm this
  • Trust Service Providers should be certified and regulated by national authorities to meet requirements of national trust frameworks

The good news is that all the above conditions exist today within the UAE, with the establishment in 2016 of the UAE National Public Key Infrastructure (NPKI) governed by the UAE Certification Policy published by the TRA. The UAE NPKI was set up and is operated by DigitalTrust (a subsidiary of Digital14) as a partner of the UAE Government. The TRA has established a program for recognising and certifying Trust Service Providers who are capable of providing the necessary services in a trustworthy manner. When the current eSign Law is also updated to leverage the advantages offered by the NPKI, the UAE will have a legal framework capable of meeting the demands of our hyper-connected modern society. This framework will allow true end-to-end digital transactions to be realised without the typical roadblock at the end of the process, where the electronic workflow must pause to accommodate a translation to physical signatures in order to be legally enforceable. This advent will provide the necessary underpinnings for an acceleration of the digitisation of the UAE, and the potential for massive quality of life improvements for those of us blessed to call the Emirates our home.

© Digital14. All rights reserved.