image not found image not found
image not found
image not found

Trust Sovereignty – Part 2: Realising the Benefits of Digital Signatures

07 June 2020 | Scott Rea

In part one of this series, we introduced the concept that business occurs at the speed of Trust. We highlighted the need for some adjustments to the UAE's eSign Law, ensuring Digital Signatures (as a type of electronic signature) could be considered equivalent to wet ink signatures in a court of law. Also, we discussed how eSign would play a crucial role in the UAE Digital Economy. In part two, we will take a closer look at how those Digital Signatures can operationally deliver on the promised benefits of the Digital Economy and ensure Trust Sovereignty for the nation.

In 2018, the UAE, under an initiative by the Telecommunications Regulatory Authority (TRA), with partners Smart Dubai and Abu Dhabi Digital Authority, introduced a national platform to enable UAE citizens, residents and visitors to Register and Authenticate themselves using a Digital identity (Digital ID). The platform also allows users to Digitally Sign Documents and Transactions with a high level of assurance to enable Trust. The system (known as the UAEPASS) is a foundational platform to accelerate the transformation towards a Digital Based Economy and Digital Society for the nation following long term UAE Vision 2021 and UAE Centennial 2071 strategies.

A vital enabler of the Trust that can be invoked by the use of the UAEPASS is the Digital ID at the heart of the service. The strength of assurance that relying parties can have in the Digital ID of the UAEPASS is bound up in many aspects, and NIST Special Publication 800-63-3 provides a framework for evaluating that assurance. Primarily, there are three elements to consider:

  • Digital Identity Proofing and Enrollment
  • Authentication and Credential Lifecycle Management
  • Supporting Federated Assertions (if any)

A Digital ID can be defined as the unique representation of a subject engaged in an online transaction. The process used to verify a subject's association with their real-world identity is called Identity Proofing. The TRA publishes a guide to how Digital IDs will be classified based on the strength of enrollment processes and Identity Proofing procedures (among other things) in the UAE National PKI Certification Policy (UAE NPKI CP). This policy governs how UAE Trust Service Providers operate and provide artefacts that ensure Trust Sovereignty in the UAE Digital Economy.

In the case of the UAEPASS, an Emirates ID is the primary source of identity utilised to issue a UAEPASS Digital ID. The Emirates ID is a Level 4 credential (the highest assurance) under the UAE NPKI CP because it requires face to face or in-person verification of the subject before issuance. Biometrics are captured and verified as part of the process and is cryptographically bound to keys stored on a tamper-evident token that requires an additional PIN to use it. A UAEPASS Digital ID can also be issued with the strongest levels of assurance (Level 4 under the UAE NPKI CP) when a user visits a UAEPASS kiosk. When visiting a kiosk, an individual must insert their Emirates ID, proving they are the owner with a biometric check against the ID (this also satisfies the in-person requirement). The resulting Digital ID is cryptographically bound to the asserted identity using a Digital Certificate issued under the policies of the UAE NPKI CP, and stored in the Hardware Security Modules of the UAEPASS platform, and only usable when the secret PIN is entered.

Trust Service Providers' adherence to the requirements of the UAE NPKI CP when issuing Digital IDs is critical in the ability to guarantee at a national level, especially when determining what Digital IDs are suitable for being recognised as equivalent to wet ink signatures. For example, a Level 1 Digital ID has no identity binding. If it were used to apply a Digital Signature, that signature could be repudiated by any of the parties involved, even though it was cryptographically bound. The UAEPASS adopts an EU classification model based on eIDAS for determining which Digital IDs have handwritten signature equivalence – where only those applied by a Qualified Certificate have legal enforceability in a court of law with non-repudiation.

The personal Digital IDs issued for UAEPASS meet the criteria for Qualified Certificates under eIDAS in terms of Identity Proofing and Enrollment, Authentication & Credential Lifecycle Management, and the consistency of Assertions across the broad national platform to ensure Federation. Therefore, these too can be expected to be trusted for transactions with non-repudiation and accepted the same as handwritten signatures in a court of law. This is one of the anticipated updates (ensuring the use of Qualified Certificates) to be made to the eSign Law by the TRA in the coming days.

The scope of the Qualified Certificates issued to individuals as a Digital ID under UAEPASS, is limited to the subject (or person) who is identity proofed. But many of the transactions in a Digital Economy, will not be executed by an individual in an individual capacity. Instead, they will be performed by someone acting in a role on behalf of a company or business entity. That person typically has to provide proof of their Power of Attorney (PoA) to act on behalf of the business entity to the other party when entering into a business transaction with them. So if we accept that UAEPASS Digital IDs are Qualified Certificates, and can legally bind individuals in a business transaction, what about the more common scenario where a business entity rather than an individual are among the parties involved? What would be required in that case, is essentially an Organisational Qualified Certificate, where not only is a subject highly authenticated, but also their PoA to act on behalf of the Organization is also guaranteed.

Today it is possible to get an eSeal for an Organization, for use in UAEPASS transactions. Rather than an individual holding a PoA for the Organisation, this credential is bound to a service on behalf of the Organisation. It is possible to be issued an Organisational Qualified Certificate from a certified Trust Service Provider in the UAE that binds an individual with a PoA to act on behalf of an Organisation. Still, these are currently not generally available for use by individuals within the UAEPASS system.

One other aspect of the UAEPASS system that could pose a barrier to the adoption of a Digital Economy is that the platform does not currently provide a document workflow system – it has strong authentication and digital signature capabilities. Still, it relies upon integration with company workflow systems to provide the assignment, management, and curation of documents needing digital signatures.

DigitalTrust, a subsidiary of Digital14, and the operator of the UAE National PKI for the TRA as well as the System Integrator for UAEPASS has now launched a new Software-as-a-Service (SaaS) called DTSigner, that provides document workflow capabilities to individuals and organisations. DTSigner is integrated with UAEPASS, allowing individuals to strongly authenticate to the service with their Digital ID, and to use their Digital ID for executing digital signatures that will have legal enforceability for individuals under the updated eSign Law. As part of the service, individuals may also apply for an Organizational Qualified Certificate that will be managed within DTSigner, that can represent (for instance) a PoA that they may hold on behalf of a given Organization. This will allow individuals to electronically conduct routine business transactions with the Organizational Digital Identity using UAEPASS and DTSigner. The advent of this service, addresses both the workflow and role-based organisational Digital ID aspect gaps in the current UAEPASS ecosystem, making it possible to provide a complete digital analogue of current business transactions with the necessary Trust needed to support the UAE Digital Economy.

A government should always be in control of what constitutes legality within its borders, and not dependent on external entities for this sovereign right. It is therefore vital when establishing a Digital Economy, that there be government laws and regulations established to oversee the creation, issuance and management of Digital IDs capable of producing legally binding Digital Signatures. In the UAE, the TRA is responsible for the update of eSign Law that governs digital signatures. It's also responsible for issuance of the UAE NPKI CP that regulates the issuance and management of Qualified Certificates (whether Organisational or Individual) that are necessary to be used in digital signatures to enable legal enforceability within the UAE. The UAE, through the TRA, is therefore well placed to address all aspects of Trust Sovereignty necessary to enable the Digital Economy.

Visit DigitalTrust.ae today to learn more about our DTSigner solution, advisory services, and advancing your trust services.

We Are Digital14

Connect with us

© Digital14. All rights reserved.