Changes

no edit summary
Line 45: Line 45:  
*the technology or process can be used to identify the person using the technology or process; and
 
*the technology or process can be used to identify the person using the technology or process; and
 
*the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
 
*the electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.
 +
 +
While Part 2 of PIPEDA does not actually use the term “digital signature”, the Secure Electronic Signature (SES) Regulations refine the definition using the term “digital signature”.  Specifically, the SES Regulations state “a secure electronic signature in respect of data contained in an electronic document is a digital signature that results from completion of the following consecutive operations…”  The SES Regulations also specify the technology or process that must be used to generate and verify secure electronic signatures. 
 +
 +
In addition, the SES Regulations:
 +
*prescribe a specific asymmetric algorithm to support digital signatures
 +
*specify that the issuing Certification Authority (CA) must be recognized by the Treasury Board of Canada Secretariat by verifying that the CA has “the capacity to issue digital signature certificates in a secure and reliable manner”
 +
*include a presumption that, in the absence of evidence to the contrary, the electronic data has been signed by the person who is identified in the digital signature certificate or who can be identified through that certificate.
 +
 +
PIPEDA dates back to 2000 and the SES Regulations came into effect in 2005.  It should be noted that PIPEDA Part 2 is based on an “opt-in” framework and the adoption rate of PIPEDA Part 2 within the federal government has been minimal.  In addition, the SES Regulations are dated and need to be revisited. 
 +
 +
In cooperation with key stakeholders, TBS is currently exploring possible improvements to the existing federal electronic signature legislation.
 +
 +
<div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''A note on e-signature implementations within the GC'''</div>
 +
<br></br>
 +
Many departments are already deploying e-signature solutions to meet their business needs.  A number of departments are using their GC myKEY credentials to digitally sign MS Office and PDF documents.  This allows GC departments to leverage their existing investments in PKI technology and take advantage of digital signature features offered by MS Office products such as Word, PowerPoint and Excel as well as various PDF software products.  SSC is one of the departments that have adopted this approach and they have shared their documentation (including getting started guides) that can help other departments enable this approach (please refer to https://gccollab.ca/file/group/976512/all#2466578 for additional information). 
 +
 +
Although not defined within Canadian legislation, there are some additional terms that you may encounter when deploying these solutions.
 +
For example, digitally signed MS Office documents conform to the XML Advanced Electronic Signature  (XAdES) standards.  When you examine the digital signature details of a digitally signed MS Office document, you may see the signature type identified as “XAdES-EPES”.  This is one of the variants of the XAdES specification and according to Microsoft documentation is the default digital signature type for MS Office products.  In addition, digitally signed PDF documents conform to the PDF AdES (PAdES) standards so you may encounter variants of PAdES when working with PDF documents. However, please note that users are typically not required to understand this level of detail.
 +
 +
<div style="line-height: 1.5em; font-size: 175%; color:navy; font-family:'Helvetica Neue', 'Lucida Grande', Tahoma, Verdana, sans-serif;">'''Summary'''</div>
 +
<br></br>
 +
 +
This post addresses electronic signature definitions relevant to the GC.  In summary, an “electronic signature” or “e-signature” should be thought of as an umbrella term that applies to any type of signature that can be represented electronically and associated with a document, record or transaction.  A “digital signature” is a type of e-signature that is created and verified using asymmetric cryptography and supporting PKI.  A “secure electronic signature” is a digital signature that meets the specific requirements defined in PIPEDA Part 2 and the SES Regulations.
 +
 +
The Government of Canada Guidance on Using Electronic Signatures document provides additional guidance regarding the use of e-signatures within the GC.  Annex A of that document addresses e-signature terminology found in other jurisdictions including Provincial, the US and the European Union.
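Review bot: The added paragraphs on the SES Regulations quote and paraphrase the Regulations without a citation, and the bullet "prescribe a specific asymmetric algorithm to support digital signatures" does not say which algorithm. Since the text quotes the Regulations directly ("a secure electronic signature in respect of data contained in an electronic document is a digital signature that results from completion of the following consecutive operations…"), link the Regulations and name the relevant section so readers can check the algorithm, the CA recognition requirement and the presumption against the source. The same applies to "according to Microsoft documentation" in the XAdES paragraph, which should point to the document it relies on. On markup, the two added section titles use an inline-styled `<div>` followed by `<br></br>`. `<br>` is a void element, so the closing `</br>` is not valid; use `<br />` or a blank line. If the titles were wiki headings instead, they would appear in the table of contents and be linkable. In the last sentence, "including Provincial, the US and the European Union" mixes an adjective with two nouns; "provincial, US and European Union jurisdictions" would read cleanly. The revision also has no edit summary although it adds two sections of interpretive text; a one-line summary would help later reviewers.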