Security Incidents mailing list archives

Digital Signatures for evidence


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Sat, 9 Sep 2000 20:34:02 -0400

You asked about use of PGP for signing logs etc.
Canada passed new legislation last April that makes this much easier. Here is an
extract from the new Personal Information Protection and Electronic Documents
Act that pertains to electronic documents. I think the US and EU also have
recent legislation with similar wording.


First, a definition of electronic signature from the act.

===========================================================================
 PART 2


 ELECTRONIC DOCUMENTS


 Interpretation

Definitions
 31. (1) The definitions in this subsection apply in this Part.


``data''
« données »
 ``data'' means representations of information or concepts, in any form.


``electronic document''
« document électronique »
 ``electronic document'' means data that is recorded or stored on any medium in
or by a computer system or other similar device and that can be read or
perceived by a person or a computer system or other similar device. It includes
a display, printout or other output of that data.


``electronic signature''
« signature électronique »
 ``electronic signature'' means a signature that consists of one or more
letters, characters, numbers or other symbols in digital form incorporated in,
attached to or associated with an electronic document.


``federal law''
« texte législatif »
 ``federal law'' means an Act of Parliament or an instrument, regardless of its
name, issued, made or established under an Act of Parliament or a prerogative of
the Crown, other than an instrument issued, made or established under the Yukon
Act, the Northwest Territories Act or the Nunavut Act.


``responsible authority''
« autorité responsable »
 ``responsible authority'', in respect of a provision of a federal law, means



 (a) if the federal law is an Act of Parliament, the minister responsible for
that provision;


 (b) if the federal law is an instrument issued, made or established under an
Act of Parliament or a prerogative of the Crown, the person or body who issued,
made or established the instrument; or


 (c) despite paragraph (a) or (b), the person or body designated by the Governor
in Council under subsection (2).

``secure electronic signature''
« signature électronique sécurisée »
 ``secure electronic signature'' means an electronic signature that results from
the application of a technology or process prescribed by regulations made under
subsection 48(1).


Designation
 (2) The Governor in Council may, by order, for the purposes of this Part,
designate any person, including any member of the Queen's Privy Council for
Canada, or body to be the responsible authority in respect of a provision of a
federal law if the Governor in Council is of the opinion that it is appropriate
to do so in the circumstances.
===========================================================================

Then there is a provision for determining which technology can be used for
electronic signatures.
======================================================================

 Regulations and Orders

Regulations
 48. (1) Subject to subsection (2), the Governor in Council may, on the
recommendation of the Treasury Board, make regulations prescribing technologies
or processes for the purpose of the definition ``secure electronic signature''
in subsection 31(1).


Characteristics
 (2) The Governor in Council may prescribe a technology or process only if the
Governor in Council is satisfied that it can be proved that



 (a) the electronic signature resulting from the use by a person of the
technology or process is unique to the person;


 (b) the use of the technology or process by a person to incorporate, attach or
associate the person's electronic signature to an electronic document is under
the sole control of the person;


 (c) the technology or process can be used to identify the person using the
technology or process; and


 (d) the electronic signature can be linked with an electronic document in such
a way that it can be used to determine whether the electronic document has been
changed since the electronic signature was incorporated in, attached to or
associated with the electronic document.

Effect of amendment or repeal
 (3) An amendment to or repeal of any provision of a regulation made under
subsection (1) that has the effect of removing a prescribed technology or
process from the regulation does not, by itself, affect the validity of any
electronic signature resulting from the use of that technology or process while
it was prescribed.


Amendment of schedules
 49. For the purposes of sections 38 to 47, the responsible authority in respect
of a provision of a federal law may, by order, amend Schedule 2 or 3 by adding
or striking out a reference to that federal law or provision.


Regulations
 50. (1) For the purposes of sections 41 to 47, the responsible authority in
respect of a provision of a federal law may make regulations respecting the
application of those sections to the provision.


Contents
 (2) Without restricting the generality of subsection (1), the regulations that
may be made may include rules respecting any of the following:



 (a) the technology or process that must be used to make or send an electronic
document;


 (b) the format of an electronic document;


 (c) the place where an electronic document is to be made or sent;


 (d) the time and circumstances when an electronic document is to be considered
to be sent or received and the place where it is considered to have been sent or
received;


 (e) the technology or process to be used to make or verify an electronic
signature and the manner in which it is to be used; and


 (f) any matter necessary for the purposes of the application of sections 41 to
47.

Minimum rules
 (3) Without restricting the generality of subsection (1), if a provision
referred to in any of sections 41 to 47 requires a person to provide another
person with a document or information, the rules set out in the regulations
respecting the application of that section to the provision may be that



 (a) both persons have agreed to the document or information being provided in
electronic form; and


 (b) the document or information in electronic form will be under the control of
the person to whom it is provided and will be readable or perceivable so as to
be usable for subsequent reference.

Incorporation by reference
 (4) Regulations may incorporate by reference the standards or specifications of
any government, person or organization, either as they read at a fixed time or
as they are amended from time to time.


Effect of striking out listed provision
 51. The striking out of a reference to a federal law or provision in Schedule 2
or 3 does not affect the validity of anything done in compliance with any
regulation made under section 50 that relates to that federal law or provision
while it was listed in that Schedule.


==========================================================================

Later on in the same act, amendments are made to the Canada Evidence Act:

=======================================================================


Authentication of electronic documents
 31.1 Any person seeking to admit an electronic document as evidence has the
burden of proving its authenticity by evidence capable of supporting a finding
that the electronic document is that which it is purported to be.


Application of best evidence rule - electronic documents
 31.2 (1) The best evidence rule in respect of an electronic document is
satisfied



 (a) on proof of the integrity of the electronic documents system by or in which
the electronic document was recorded or stored; or


 (b) if an evidentiary presumption established under section 31.4 applies.

Printouts
 (2) Despite subsection (1), in the absence of evidence to the contrary, an
electronic document in the form of a printout satisfies the best evidence rule
if the printout has been manifestly or consistently acted on, relied on or used
as a record of the information recorded or stored in the printout.


Presumption of integrity
 31.3 For the purposes of subsection 31.2(1), in the absence of evidence to the
contrary, the integrity of an electronic documents system by or in which an
electronic document is recorded or stored is proven



 (a) by evidence capable of supporting a finding that at all material times the
computer system or other similar device used by the electronic documents system
was operating properly or, if it was not, the fact of its not operating properly
did not affect the integrity of the electronic document and there are no other
reasonable grounds to doubt the integrity of the electronic documents system;


 (b) if it is established that the electronic document was recorded or stored by
a party who is adverse in interest to the party seeking to introduce it; or


 (c) if it is established that the electronic document was recorded or stored in
the usual and ordinary course of business by a person who is not a party and who
did not record or store it under the control of the party seeking to introduce
it.

Presumptions regarding secure electronic signatures
 31.4 The Governor in Council may make regulations establishing evidentiary
presumptions in relation to electronic documents signed with secure electronic
signatures, including regulations respecting



 (a) the association of secure electronic signatures with persons; and


 (b) the integrity of information contained in electronic documents signed with
secure electronic signatures.

Standards may be considered
 31.5 For the purpose of determining under any rule of law whether an electronic
document is admissible, evidence may be presented in respect of any standard,
procedure, usage or practice concerning the manner in which electronic documents
are to be recorded or stored, having regard to the type of business, enterprise
or endeavour that used, recorded or stored the electronic document and the
nature and purpose of the electronic document.


Proof by affidavit
 31.6 (1) The matters referred to in subsection 31.2(2) and sections 31.3 and
31.5 and in regulations made under section 31.4 may be established by affidavit.



Cross-examination
 (2) A party may cross-examine a deponent of an affidavit referred to in
subsection (1) that has been introduced in evidence



 (a) as of right, if the deponent is an adverse party or is under the control of
an adverse party; and


 (b) with leave of the court, in the case of any other deponent.

Application
 31.7 Sections 31.1 to 31.4 do not affect any rule of law relating to the
admissibility of evidence, except the rules relating to authentication and best
evidence.


Definitions
 31.8 The definitions in this section apply in sections 31.1 to 31.6.


``computer system''
« système informatique »
 ``computer system'' means a device that, or a group of interconnected or
related devices one or more of which,



 (a) contains computer programs or other data; and


 (b) pursuant to computer programs, performs logic and control, and may perform
any other function.

``data''
« données »
 ``data'' means representations of information or of concepts, in any form.


``electronic document''
« document électronique »
 ``electronic document'' means data that is recorded or stored on any medium in
or by a computer system or other similar device and that can be read or
perceived by a person or a computer system or other similar device. It includes
a display, printout or other output of that data.


``electronic documents system''
« système d'archivage électronique »
 ``electronic documents system'' includes a computer system or other similar
device by or in which data is recorded or stored and any procedures related to
the recording or storage of electronic documents.


``secure electronic signature''
« signature électronique sécurisée »
 ``secure electronic signature'' means a secure electronic signature as defined
in subsection 31(1) of the Personal Information Protection and Electronic
Documents Act.

