Certified authority?

PKI systems > PKI systems based on certified authority

All PKI solutions developed and invested in by Comda can have an authorized electronic signature attached.
(Authorized electronic signature = electronic signature issued by a Certificate Authority).

What is a Certificate Authority and why do we need it at all?

A Certificate Authority (CA) is an entity that issues electronic signatures which according to the law are equivalent to a handwritten signature. In order for any entity to be considered a Certificate Authority, it must meet strict standards and regulations of a Registered Authority (RA) in the Ministry of Justice.
ComSign, a Comda subsidiary, is the only entity in Israel today registered as a Certificate Authority authorized to issue authorized electronic signatures.

For an electronic signature to be called authorized as opposed to just any electronic signature (any squiggle on the electronic board for example), the few basic requirements must be met:

 It must be unique to the signatory.
 It must be identifiable as belonging to the signatory.
 It must be issued by way of a signature that can be controlled exclusively by its owner (from the moment it is issued).
 It must allow identifying any change, if and when it is made, to an electronic message after it is electronically signed.

However, how will we know if what we have purchased or received from somebody does in fact meet these criteria and that the signature we received is safe? How will the signature buyer or receiver know and rely on the fact that it is in fact safe, and not fall victim to a fraud or deception?

This is where legislature helps and offers a simple solution – certification (a certificate which accompanies the signature testifying that it is safe and fulfills the basic requirements of an authorized electronic signature).
What is this electronic certificate (certification) which accompanies an electronic signature? The Electronic Signature Law, 5761 – 2001 determines that a Certificate Authority will not issue a certificate (certification) to an electronic signature which is not safe, but only after ensuring that it is safe. In other words, if and when a Certificate Authority issues an electric certificate for a safe signature, legislature and the courts will definitely accept it as safe.

On the other hand, if any entity issues a certificate themselves (certification) testifying that their signature is safe, it is doubtful whether the courts will accept this, and if any objections are voiced by the other side, it is the responsibility of the entity claiming that its method is safe to prove as much, as opposed to the side claiming that injustice and damage was caused to them due to the fact that their control over their signature method was affected.

It is worth noting that, in practice, no reasonable PKI system creates a pair of keys (legally they are signature and signature authentication means) without creating an digital certificate to accompany them since any Certificate Authority (an organization’s internal CA or an external one) always creates a certificate (in X509 format) in response to a request for the pair of keys for authentication.

For this reason, many organizations establishing PKI systems issue formatted certification for themselves and joke that they can issue as many certificates as they want, but these certificates that various entities issue for themselves and the electronic means which they purchase have no legal status.
According to the law, no entity can issue legal certificates themselves which indicated that the signature is actually safe according to legal requirements, also if they are convinced thereof. The law makes no mention of certificates issued by entities for themselves.

The bottom line is that using authorized electric signatures provides customs insurance and full legal responsibility, and guarantees that a person using the authorized signature on the other side of the screen has been authenticated and is obligated to this document as if it was signed in his/her own handwriting.