Difference between revisions of "E-Signatures in the GC/E-Signature Terminology"
(21 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
<!--The following line of code hides the page title--> | <!--The following line of code hides the page title--> | ||
{{DISPLAYTITLE:<span style="position: absolute; clip: rect(1px 1px 1px 1px); clip: rect(1px, 1px, 1px, 1px);">{{FULLPAGENAME}}</span>}} | {{DISPLAYTITLE:<span style="position: absolute; clip: rect(1px 1px 1px 1px); clip: rect(1px, 1px, 1px, 1px);">{{FULLPAGENAME}}</span>}} | ||
+ | <multilang> | ||
+ | @en|__NOTOC__ | ||
+ | |||
{| class="FCK__ShowTableBorders" style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px; background-color: #404041" width="100%" align="center" | {| class="FCK__ShowTableBorders" style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px; background-color: #404041" width="100%" align="center" | ||
|- | |- | ||
− | | style="border-right: white 1px solid; padding-right: 0px; padding-left: 0px; padding-bottom: 10px; padding-top: 10px; text-align: center; font-family: (blue); font-size: 12pt" width="11%" | '''[[E-Signatures in the GC|<span style="color: red">Home</span>]] | + | | style="border-right: white 1px solid; padding-right: 0px; padding-left: 0px; padding-bottom: 10px; padding-top: 10px; text-align: center; font-family: (blue); font-size: 12pt" width="11%" | '''[[E-Signatures in the GC|<span style="color: red">Home</span>]] ''' |
|} | |} | ||
<center><div style="line-height: 2em; font-size: 300%; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;"> '''E-Signature Terminology within the GC'''</div></center> | <center><div style="line-height: 2em; font-size: 300%; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;"> '''E-Signature Terminology within the GC'''</div></center> | ||
− | <div style="line-height: | + | <div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''Introduction'''</div> |
− | Jurisdictions throughout the world have adopted laws and regulations that recognize the validity of electronic documents and electronic signatures. Some jurisdictions are very technology specific, others are much more general and technology neutral. In addition, the terms and definitions surrounding electronic signatures tend to differ from one jurisdiction to another and this can lead to some degree of confusion. A more thorough examination of the terms and definitions used in other jurisdictions is provided in | + | Jurisdictions throughout the world have adopted laws and regulations that recognize the validity of electronic documents and electronic signatures. Some jurisdictions are very technology specific, others are much more general and technology neutral. In addition, the terms and definitions surrounding electronic signatures tend to differ from one jurisdiction to another and this can lead to some degree of confusion. A more thorough examination of the terms and definitions used in other jurisdictions is provided in [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html#toc5 '''Appendix A of the Government of Canada Guidance on using Electronic Signatures''']. |
+ | |||
+ | At the Canadian federal government level, the terms electronic signature, digital signature and secure electronic signature are all present in Government of Canada (GC) legislation. The purpose of this post is to help clarify these terms so that they can be used consistently throughout the GC. This post is primarily based on the [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html Government of Canada Guidance on using Electronic Signatures] but provides a more condensed tutorial on the terminology. | ||
+ | <br> | ||
+ | <div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''GC e-signature legislation and terminology'''</div> | ||
+ | Part 2 of the [https://laws-lois.justice.gc.ca/eng/acts/p-8.6/FullText.html Personal Information Protection and Electronic Documents Act (PIPEDA)] defines an electronic signature as follows: | ||
+ | |||
+ | “a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.” | ||
+ | |||
+ | Essentially, an electronic signature (also denoted as “e signature” for short<sup><small>1</small></sup> ) can be virtually any form of electronic representation that can be linked or attached to an electronic document or transaction. Although not intended to represent an exhaustive list, examples of e-signatures include: | ||
+ | *user authentication combined with a mouse click on some form of acknowledgment button to capture intent (i.e., “click to sign”) | ||
+ | *using a stylus on a tablet touchscreen to write a signature by hand and capture it in electronic form | ||
+ | *a typed name or signature block in an email | ||
+ | *a scanned hand-written signature on an electronic document | ||
+ | *a sound such as a recorded voice command (for example, a verbal confirmation in response to a question) | ||
+ | *a digital signature | ||
+ | *a secure electronic signature | ||
+ | |||
+ | Notice that both digital signatures and secure electronic signatures are considered to be a form of an e-signature. | ||
+ | |||
+ | In the context of the GC the earliest definitions for digital signature date back over two decades with the introduction of the [https://laws-lois.justice.gc.ca/eng/regulations/sor-98-130/index.html Payments and Settlements Requisitioning Regulation] and the [https://laws-lois.justice.gc.ca/eng/regulations/sor-98-129/index.html Electronic Payments Regulation]<sup><small>2</small></sup>. Both regulations define a digital signature exactly the same as follows: “the result of the transformation of a message by means of a cryptosystem using keys such that a person having the initial message can determine: | ||
+ | *whether the transformation was created using the key that corresponds to the signer’s key, and | ||
+ | *whether the message has been altered since the transformation was made.” | ||
+ | |||
+ | The Canadian Centre for Cyber Security also provides a definition for digital signature in [https://cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-and-protected-b-information-itsp40111 ITSP.40.111]: | ||
+ | “a cryptographic transformation of data which provides the service of authentication, data integrity, and signer non-repudiation.” | ||
+ | |||
+ | In essence, a digital signature is a type of e-signature based on asymmetric cryptography. The signer of the message, document or transaction uses their private signing key to create a digital signature and anyone with access to the signed data and the signer’s public key verification certificate can verify the digital signature<sup><small>3</small></sup>. | ||
+ | |||
+ | However, not all digital signatures are created equal and some are more reliable or robust than others. For example, the manner in which a signer’s identity is verified before issuing their public key verification certificate, the type of token used to store the signer’s private signing key, the trustworthiness of the Certification Authority (CA) that issues the public key verification certificate and the digital signature algorithm and key length (among other things) collectively determine the reliability of the digital signature. | ||
+ | |||
+ | This is where the term “secure electronic signature” comes in. A secure electronic signature is also a digital signature but with specific characteristics as defined in Part 2 of PIPEDA as follows: | ||
+ | *the electronic signature resulting from the use by a person of the technology or process is unique to the person; | ||
+ | *the use of the technology or process by a person to incorporate, attach or associate the person’s electronic signature to an electronic document is under the sole control of the person; | ||
+ | *the technology or process can be used to identify the person using the technology or process; and | ||
+ | *the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document. | ||
+ | |||
+ | While Part 2 of PIPEDA does not actually use the term “digital signature”, the Secure Electronic Signature (SES) Regulations refine the definition using the term “digital signature”. Specifically, the SES Regulations state “a secure electronic signature in respect of data contained in an electronic document is a digital signature that results from completion of the following consecutive operations…” The SES Regulations also specify the technology or process that must be used to generate and verify secure electronic signatures. | ||
+ | |||
+ | In addition, the SES Regulations: | ||
+ | *prescribe a specific asymmetric algorithm to support digital signatures<sup><small>4</small></sup> | ||
+ | *specify that the issuing Certification Authority (CA) must be recognized by the Treasury Board of Canada Secretariat by verifying that the CA has “the capacity to issue digital signature certificates in a secure and reliable manner” | ||
+ | *include a presumption that, in the absence of evidence to the contrary, the electronic data has been signed by the person who is identified in the digital signature certificate or who can be identified through that certificate. | ||
+ | |||
+ | PIPEDA dates back to 2000 and the SES Regulations came into effect in 2005. It should be noted that PIPEDA Part 2 is based on an “opt-in” framework and the adoption rate of PIPEDA Part 2 within the federal government has been minimal. In addition, the SES Regulations are dated and need to be revisited. | ||
+ | |||
+ | In cooperation with key stakeholders, TBS is currently exploring possible improvements to the existing federal electronic signature legislation. | ||
+ | |||
+ | <div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''A note on e-signature implementations within the GC'''</div> | ||
+ | |||
+ | Many departments are already deploying e-signature solutions to meet their business needs. A number of departments are using their GC myKEY credentials to digitally sign MS Office and PDF documents. This allows GC departments to leverage their existing investments in PKI technology and take advantage of digital signature features offered by MS Office products such as Word, PowerPoint and Excel as well as various PDF software products. SSC is one of the departments that have adopted this approach and they have shared their documentation (including getting started guides) that can help other departments enable this approach (please refer to https://gccollab.ca/file/group/976512/all#2466578 for additional information). | ||
+ | |||
+ | Although not defined within Canadian legislation, there are some additional terms that you may encounter when deploying these solutions. | ||
+ | For example, digitally signed MS Office documents conform to the [https://www.etsi.org/standards#page=1&search=XAdES&title=1&etsiNumber=1&content=1&version=0&onApproval=1&published=1&historical=1&startDate=1988-01-15&endDate=2020-06-01&harmonized=0&keyword=&TB=&stdType=&frequency=&mandate=&collection=&sort=1 XML Advanced Electronic Signature<sup><small>5</small></sup> (XAdES) standards]. When you examine the digital signature details of a digitally signed MS Office document, you may see the signature type identified as “XAdES-EPES”. This is one of the variants of the XAdES specification and according to Microsoft documentation is the default digital signature type for MS Office products. In addition, digitally signed PDF documents conform to the [https://www.etsi.org/standards#page=1&search=PAdES&title=1&etsiNumber=1&content=1&version=0&onApproval=1&published=1&historical=1&startDate=1988-01-15&endDate=2020-06-01&harmonized=0&keyword=&TB=&stdType=&frequency=&mandate=&collection=&sort=1 PDF AdES (PAdES) standards] so you may encounter variants of PAdES when working with PDF documents. However, please note that users are typically not required to understand this level of detail. | ||
+ | |||
+ | <div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''Summary'''</div> | ||
+ | |||
+ | This post addresses electronic signature definitions relevant to the GC. In summary, an “electronic signature” or “e-signature” should be thought of as an umbrella term that applies to any type of signature that can be represented electronically and associated with a document, record or transaction. A “digital signature” is a type of e-signature that is created and verified using asymmetric cryptography and supporting PKI. A “secure electronic signature” is a digital signature that meets the specific requirements defined in PIPEDA Part 2 and the SES Regulations. | ||
+ | |||
+ | The [https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html Government of Canada Guidance on Using Electronic Signatures] document provides additional guidance regarding the use of e-signatures within the GC. Annex A of that document addresses e-signature terminology found in other jurisdictions including Provincial, the US and the European Union. | ||
+ | |||
+ | |||
+ | <div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''Footnotes'''</div> | ||
+ | *1 - There are other variations including e-Signature, E-Signature and eSignature. | ||
+ | *2 - Both regulations came into force on 23 February 1998 and therefore pre-date PIPEDA. | ||
+ | *3 - There are a number of considerations that determine whether or not a digital signature is “valid” including the revocation status and validity period of the associated public key certificate. | ||
+ | *4 - The algorithm description in Section 2 of the SES Regulations is so specific that it is describing the Rivest-Shamir-Adleman (RSA) digital signature algorithm. | ||
+ | *5 - The European Union defines an [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG Advanced Electronic Signature in their Electronic Identification, Authentication and Trust Services (eIDAS) Regulation] – it is defined almost exactly the same as the SES definition found in PIPEDA Part 2. | ||
+ | |||
+ | <!-- FRENCH --> | ||
+ | @fr|__NOTOC__ | ||
+ | |||
+ | =Terminologie relative aux signatures électroniques au gouvernement du Canada (GC)= | ||
+ | |||
+ | '''Introduction''' | ||
+ | |||
+ | Des administrations partout dans le monde ont adopté des lois et des règlements qui reconnaissent la validité des documents électroniques et des signatures électroniques. Certaines administrations sont très adaptées à différentes technologies, alors que d’autres sont plus générales et neutres sur le plan technologique. De plus, les modalités concernant les signatures électroniques diffèrent d’une administration à l’autre, ce qui peut entraîner une certaine confusion. Un examen approfondi des termes et des définitions utilisés dans d’autres administrations est présenté à l’'''Annexe A de l’Orientation du gouvernement du Canada sur l’utilisation des signatures électroniques'''. | ||
+ | |||
+ | Pour le gouvernement fédéral du Canada, les termes « signature électronique », « signature numérique » et « signature électronique sécurisée » figurent tous dans les lois du gouvernement du Canada (GC). La présente annexe vise à préciser la définition de ces termes pour en permettre l’utilisation uniforme d’un bout à l’autre du gouvernement du Canada (GC). Cette publication est principalement fondée sur l’Orientation du gouvernement du Canada sur l’utilisation des signatures électroniques, mais fournit des directives plus condensées sur la terminologie. | ||
+ | |||
+ | '''Lois et terminologie relatives aux signatures électroniques du GC''' | ||
+ | |||
+ | La partie 2 de la ''Loi sur la protection des renseignements personnels et les documents électroniques'' (LPRPDE) définit le terme signature électronique de la façon suivante : | ||
+ | |||
+ | « Une signature constituée d’une ou de plusieurs lettres, ou d’un ou de plusieurs caractères, nombres ou autres symboles sous forme numérique incorporée, jointe ou associée à un document électronique ». | ||
+ | |||
+ | En fait, une signature électronique (aussi appelée SE<sup>1</sup>) peut être pratiquement toute forme de représentation électronique qui peut être liée ou rattachée à un document ou transaction électronique. Bien que ce ne soit pas une liste exhaustive, des exemples de signatures électroniques pourraient inclure : | ||
+ | |||
+ | · l’authentification de l’utilisateur à partir d’un clic de souris agissant comme un bouton de reconnaissance de l’intention (c’est-à-dire, « cliquez pour signer »); | ||
+ | |||
+ | · l’utilisation d’un stylet sur l’écran tactile d’une tablette pour écrire une signature à la main et la capturer sous forme électronique; | ||
+ | |||
+ | · un nom dactylographié ou un bloc de signature dans un courriel; | ||
+ | |||
+ | · une signature manuscrite numérisée sur un document électronique; | ||
+ | |||
+ | · un son comme une commande vocale enregistrée (par exemple, une confirmation verbale en réponse à une question); | ||
+ | |||
+ | · une signature numérique; | ||
+ | |||
+ | · une signature électronique sécurisée. | ||
+ | |||
+ | Veuillez noter que les signatures numériques et les signatures électroniques sécurisées sont considérées comme étant des signatures électroniques. | ||
+ | |||
+ | Dans le contexte du GC, les premières définitions de la signature numérique remontent à plus de deux décennies au moment de l’adoption du Règlement sur les demandes de paiement et de règlement et le Règlement sur le paiement électronique<sup>2</sup>. Les deux règlements définissent la signature numérique de la façon suivante : « le résultat de la transformation d’un message par un système cryptographique qui, au moyen de clés, permet à la personne qui reçoit le message initial de déterminer si : | ||
+ | |||
+ | · d’une part, la transformation a été effectuée au moyen de la clé qui correspond à celle du signataire du message; | ||
+ | |||
+ | · d’autre part, il y a eu modification du message après la transformation ». | ||
+ | |||
+ | Le Centre canadien pour la cybersécurité offre également une définition de la signature numérique dans l’ITSP.40.111, soit : « Transformation cryptographique des données qui fournit les services d’authentification, d’intégrité des données et de non-répudiation du signataire ». | ||
+ | |||
+ | En substance, une signature numérique est un type de signature électronique fondée sur la cryptographie asymétrique. Le signataire du message, du document ou de la transaction utilise sa clé privée de signature pour créer une signature numérique et toute personne ayant accès aux données signées et au certificat de clé de vérification publique du signataire peut vérifier la signature numérique<sup>3</sup>. | ||
+ | |||
+ | Cela étant dit, il n’est pas vrai que toutes les signatures numériques s’équivalent et certaines sont plus fiables ou solides que d’autres. À titre d’exemple, la façon dont l’identité d’un signataire est vérifiée avant l’émission de son certificat de clé de vérification publique, le type de jeton utilisé pour stocker la clé de signature privée du signataire, la fiabilité de l’autorité de certification (AC) qui émet le certificat de clé de vérification publique et l’algorithme de signature numérique, de même que la longueur de la clé, entre autres choses, permettent de déterminer collectivement la fiabilité de la signature numérique. | ||
+ | |||
+ | C’est là que le terme « signature électronique sécurisée » entre en jeu. La signature électronique sécurisée est une signature numérique qui présente, toutefois, certaines caractéristiques particulières, telles que définies dans la partie 2 de la LPRPDE : | ||
+ | |||
+ | · la signature électronique résultant de l’utilisation de la technologie ou du procédé est propre à l’utilisateur; | ||
+ | |||
+ | · l’utilisation de la technologie ou du procédé pour l’incorporation, l’adjonction ou l’association de la signature électronique de l’utilisateur au document électronique se fait sous la seule responsabilité de ce dernier; | ||
+ | |||
+ | · la technologie ou le procédé permet d’identifier l’utilisateur; | ||
+ | |||
+ | · la signature électronique peut être liée au document électronique de façon à permettre de vérifier si le document a été modifié depuis que la signature électronique a été incorporée, jointe ou associée au document. | ||
+ | |||
+ | Bien que le terme « signature numérique » ne figure pas dans la partie 2 de la LPRPDE, le Règlement sur les signatures électroniques sécurisées (SES) précise la définition de celui-ci par son utilisation du terme « signature numérique ». De façon plus particulière, le Règlement sur les SES énonce que « La signature électronique sécurisée à l’égard des données contenues dans un document électronique est la signature numérique qui résulte de l’exécution des opérations consécutives suivantes... ». Le Règlement sur les SES indique également les technologies et les processus devant être utilisés pour générer et vérifier les signatures électroniques sécurisées. | ||
+ | |||
+ | De plus, le Règlement sur les SES : | ||
+ | |||
+ | · prescrit un algorithme asymétrique spécifique pour appuyer les signatures électroniques<sup>4</sup>; | ||
+ | |||
+ | · spécifie que l’autorité de certification (AC) émettrice doit être reconnue par le Secrétariat du Conseil du Trésor du Canada qui vérifiera que l’AC a « la capacité de délivrer les certificats de signature numérique de façon sécurisée et fiable »; | ||
+ | |||
+ | · comprend une présomption selon laquelle, les données électroniques sont présumées, en l’absence de preuve contraire, avoir été signées par la personne identifiée dans le certificat de signature numérique ou au moyen de celui-ci. | ||
+ | |||
+ | La LPRPDE date de 2000, alors que le Règlement sur les SES est entré en vigueur en 2005. Il convient de noter que la partie 2 de la LPRPDE est fondée sur un cadre d’acceptation volontaire et qu’au sein du gouvernement fédéral, le taux d’adoption de la partie 2 de la LPRPDE est minime. En outre, le Règlement sur les SES est désuet et doit être revu. | ||
+ | |||
+ | En collaboration avec les principaux intervenants, le Secrétariat du Conseil du Trésor (SCT) examine actuellement différentes améliorations possibles aux actuelles lois fédérales sur la signature électronique. | ||
+ | |||
+ | '''Remarque sur la mise en œuvre des solutions de signatures électroniques au sein du GC''' | ||
+ | |||
+ | De nombreux ministères ont déjà recours à des solutions de signature électronique pour répondre à leurs besoins opérationnels. Un certain nombre de ministères utilisent leurs justificatifs d’identité MaClé du GC afin d’apposer leur signature numérique sur des documents de MS Office et des documents PDF. Cela permet aux ministères du GC de mettre à profit leurs investissements actuels dans les technologies d’infrastructure à clé publique (ICP) et de tirer parti des fonctions de signature numérique que comportent différents produits de la suite Microsoft Office, comme Word, PowerPoint et Excel, ainsi que divers logiciels PDF. Services partagés Canada (SPC) est l’un des ministères ayant adopté cette approche et a partagé ses documents (y compris ses guides de démarrage) pouvant être utiles à d’autres ministères désirant aller dans la même voie (veuillez consulter le site <nowiki>https://gccollab.ca/file/group/976512/all#2466578</nowiki> pour de plus amples renseignements). | ||
+ | |||
+ | Bien que ces derniers ne soient pas définis par les lois canadiennes, il se pourrait que vous tombiez sur certains termes supplémentaires pendant la mise en œuvre de ces solutions. À titre d’exemple, les documents Microsoft Office portant une signature numérique conforme aux normes de signature électronique avancée XML<sup>5</sup> (XAdES) (en anglais). En examinant en détail la signature numérique d’un document Microsoft Office portant une signature numérique, vous remarquerez peut-être que le type de signature est désigné comme étant « XAdES-EPES » (XML Advanced Electronic Signatures - Explicit Policy-based Electronic Signature (signature électronique avancée de format XML - signature électronique basée sur une politique formelle). Il s’agit là d’une des variantes de la spécification XAdES et, selon les documents de Microsoft, il s’agit du type de signature numérique utilisé par défaut dans les produits Microsoft Office. En outre, les documents PDF portant une signature numérique sont conformes aux normes AdES pour documents PDF (PAdES) (en anglais) il est donc possible que vous tombiez sur des variantes des PAdES dans le cadre de votre utilisation des documents PDF. Veuillez toutefois noter que les utilisateurs ne sont généralement pas tenus de comprendre ce niveau de détail. | ||
+ | |||
+ | '''Sommaire''' | ||
+ | |||
+ | Cette publication aborde les définitions de signature électronique qui sont pertinentes pour le GC. En résumé, le terme signature électronique devrait être considérée comme un terme générique s’appliquant à tout type de signature pouvant être représentée électroniquement et associée à un document, à un enregistrement ou à une transaction. La « signature numérique » est un type de signature électronique créé et vérifié au moyen de la cryptographie asymétrique et prise en charge par l’ICP. La « signature électronique sécurisée » est une signature numérique qui répond aux exigences spécifiques qui sont énoncées dans la partie 2 de la LPRPDE et dans le Règlement sur le SES. | ||
+ | |||
+ | L’Orientation du gouvernement du Canada sur l’utilisation des signatures électroniques fournit des directives supplémentaires sur l’utilisation des signatures électroniques au GC. L’Annexe A de ce document aborde la terminologie relative aux signatures électroniques dans d’autres administrations, y compris les provinces, les États-Unis et l’Union européenne. | ||
+ | |||
+ | |||
+ | '''Notes de bas de page''' | ||
+ | |||
+ | · 1 On retrouve également l’acronyme SN. | ||
+ | |||
+ | · 2 - Les deux règlements sont entrés en vigueur le 23 février 1998 et sont, par conséquent, antérieurs à la LPRPDE. | ||
+ | |||
+ | · 3 - Un certain nombre d’éléments doivent être pris en considération afin de déterminer si une signature numérique est « valide » ou non, y compris le statut de révocation et la période de validité du certificat de clé publique connexe. | ||
+ | |||
+ | · 4 - La description de l’algorithme figurant à l’article 2 du Règlement sur les SES est si précise qu’elle présente une description de l’algorithme de signature numérique Rivest-Shamir-Adleman (RSA). | ||
+ | |||
+ | · 5 - L’Union européenne définit la signature électronique avancée dans son règlement sur l’identification électronique et les services de confiance pour les transactions électroniques – la définition donnée est presque identique à la définition des SES énoncée dans la partie 2 de la LPRPDE. | ||
− | + | </multilang> |
Latest revision as of 17:28, 13 January 2022
Home |
Jurisdictions throughout the world have adopted laws and regulations that recognize the validity of electronic documents and electronic signatures. Some jurisdictions are very technology specific, others are much more general and technology neutral. In addition, the terms and definitions surrounding electronic signatures tend to differ from one jurisdiction to another and this can lead to some degree of confusion. A more thorough examination of the terms and definitions used in other jurisdictions is provided in Appendix A of the Government of Canada Guidance on using Electronic Signatures.
At the Canadian federal government level, the terms electronic signature, digital signature and secure electronic signature are all present in Government of Canada (GC) legislation. The purpose of this post is to help clarify these terms so that they can be used consistently throughout the GC. This post is primarily based on the Government of Canada Guidance on using Electronic Signatures but provides a more condensed tutorial on the terminology.
Part 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA) defines an electronic signature as follows:
“a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.”
Essentially, an electronic signature (also denoted as “e signature” for short1 ) can be virtually any form of electronic representation that can be linked or attached to an electronic document or transaction. Although not intended to represent an exhaustive list, examples of e-signatures include:
- user authentication combined with a mouse click on some form of acknowledgment button to capture intent (i.e., “click to sign”)
- using a stylus on a tablet touchscreen to write a signature by hand and capture it in electronic form
- a typed name or signature block in an email
- a scanned hand-written signature on an electronic document
- a sound such as a recorded voice command (for example, a verbal confirmation in response to a question)
- a digital signature
- a secure electronic signature
Notice that both digital signatures and secure electronic signatures are considered to be a form of an e-signature.
In the context of the GC the earliest definitions for digital signature date back over two decades with the introduction of the Payments and Settlements Requisitioning Regulation and the Electronic Payments Regulation2. Both regulations define a digital signature exactly the same as follows: “the result of the transformation of a message by means of a cryptosystem using keys such that a person having the initial message can determine:
- whether the transformation was created using the key that corresponds to the signer’s key, and
- whether the message has been altered since the transformation was made.”
The Canadian Centre for Cyber Security also provides a definition for digital signature in ITSP.40.111: “a cryptographic transformation of data which provides the service of authentication, data integrity, and signer non-repudiation.”
In essence, a digital signature is a type of e-signature based on asymmetric cryptography. The signer of the message, document or transaction uses their private signing key to create a digital signature and anyone with access to the signed data and the signer’s public key verification certificate can verify the digital signature3.
However, not all digital signatures are created equal and some are more reliable or robust than others. For example, the manner in which a signer’s identity is verified before issuing their public key verification certificate, the type of token used to store the signer’s private signing key, the trustworthiness of the Certification Authority (CA) that issues the public key verification certificate and the digital signature algorithm and key length (among other things) collectively determine the reliability of the digital signature.
This is where the term “secure electronic signature” comes in. A secure electronic signature is also a digital signature but with specific characteristics as defined in Part 2 of PIPEDA as follows:
- the electronic signature resulting from the use by a person of the technology or process is unique to the person;
- the use of the technology or process by a person to incorporate, attach or associate the person’s electronic signature to an electronic document is under the sole control of the person;
- the technology or process can be used to identify the person using the technology or process; and
- the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
While Part 2 of PIPEDA does not actually use the term “digital signature”, the Secure Electronic Signature (SES) Regulations refine the definition using the term “digital signature”. Specifically, the SES Regulations state “a secure electronic signature in respect of data contained in an electronic document is a digital signature that results from completion of the following consecutive operations…” The SES Regulations also specify the technology or process that must be used to generate and verify secure electronic signatures.
In addition, the SES Regulations:
- prescribe a specific asymmetric algorithm to support digital signatures4
- specify that the issuing Certification Authority (CA) must be recognized by the Treasury Board of Canada Secretariat by verifying that the CA has “the capacity to issue digital signature certificates in a secure and reliable manner”
- include a presumption that, in the absence of evidence to the contrary, the electronic data has been signed by the person who is identified in the digital signature certificate or who can be identified through that certificate.
PIPEDA dates back to 2000 and the SES Regulations came into effect in 2005. It should be noted that PIPEDA Part 2 is based on an “opt-in” framework and the adoption rate of PIPEDA Part 2 within the federal government has been minimal. In addition, the SES Regulations are dated and need to be revisited.
In cooperation with key stakeholders, TBS is currently exploring possible improvements to the existing federal electronic signature legislation.
Many departments are already deploying e-signature solutions to meet their business needs. A number of departments are using their GC myKEY credentials to digitally sign MS Office and PDF documents. This allows GC departments to leverage their existing investments in PKI technology and take advantage of digital signature features offered by MS Office products such as Word, PowerPoint and Excel as well as various PDF software products. SSC is one of the departments that have adopted this approach and they have shared their documentation (including getting started guides) that can help other departments enable this approach (please refer to https://gccollab.ca/file/group/976512/all#2466578 for additional information).
Although not defined within Canadian legislation, there are some additional terms that you may encounter when deploying these solutions.
For example, digitally signed MS Office documents conform to the XML Advanced Electronic Signature5 (XAdES) standards. When you examine the digital signature details of a digitally signed MS Office document, you may see the signature type identified as “XAdES-EPES”. This is one of the variants of the XAdES specification and according to Microsoft documentation is the default digital signature type for MS Office products. In addition, digitally signed PDF documents conform to the PDF AdES (PAdES) standards so you may encounter variants of PAdES when working with PDF documents. However, please note that users are typically not required to understand this level of detail.
This post addresses electronic signature definitions relevant to the GC. In summary, an “electronic signature” or “e-signature” should be thought of as an umbrella term that applies to any type of signature that can be represented electronically and associated with a document, record or transaction. A “digital signature” is a type of e-signature that is created and verified using asymmetric cryptography and supporting PKI. A “secure electronic signature” is a digital signature that meets the specific requirements defined in PIPEDA Part 2 and the SES Regulations.
The Government of Canada Guidance on Using Electronic Signatures document provides additional guidance regarding the use of e-signatures within the GC. Annex A of that document addresses e-signature terminology found in other jurisdictions including Provincial, the US and the European Union.
- 1 - There are other variations including e-Signature, E-Signature and eSignature.
- 2 - Both regulations came into force on 23 February 1998 and therefore pre-date PIPEDA.
- 3 - There are a number of considerations that determine whether or not a digital signature is “valid” including the revocation status and validity period of the associated public key certificate.
- 4 - The algorithm description in Section 2 of the SES Regulations is so specific that it is describing the Rivest-Shamir-Adleman (RSA) digital signature algorithm.
- 5 - The European Union defines an Advanced Electronic Signature in their Electronic Identification, Authentication and Trust Services (eIDAS) Regulation – it is defined almost exactly the same as the SES definition found in PIPEDA Part 2.