Want CNET to notify you of price drops and the latest stories?

Utah grants first certificate authority

The state entrusts a banking subsidiary to store and authenticate digital signatures, a license that it claims is the world's first.

3 min read
Under a program that aims to make electronic communication and transactions more secure, the state of Utah has entrusted a banking subsidiary to store and authenticate digital signatures.

The license to be a "certificate authority" is the first of its kind to be granted by a state or federal body, according to license holder Digital Signature Trust (DST), a subsidiary of Zions Bancorporation (ZION). Granted two weeks ago, it was certainly the first under Utah's Digital Signature Program.

Digital signatures ensure a higher level of security and privacy for electronic messages or transactions. Using encryption algorithms, the sender encodes and then "signs" his message, and the receiver can only decode and read it with a corresponding secret code, or "key." The signature lets the receiver know the message hasn't been tampered with or forged. Many observers feel that adoption of such schemes, coupled with strong encryption, is necessary for mass use of the Internet for electronic commerce.

The Utah legislation that created the digital signature program does not require that users of digital certificates participate in the program, but it contends that participation--and the government's stamp of approval--confers a greater air of legitimacy to the user. (Many companies and organizations already act as certificate authorities, such as the U.S. Postal Service, AT&T, IBM, and VeriSign.)

Many other states have passed or are considering legislation to govern the use of digital signatures. A Clinton administration official in October warned Congress not to enact any law aiming to unify the various laws, saying that not enough is known yet about the technology and how it might advance.

Some federal officials have proposed that users may only have their digital signatures certified with authorities that agree to give agencies such as the Federal Bureau of Investigation wiretap-like access to the user's private keys, and thus real-time access to their electronic messages. One such proposal, sponsored this year by Sen. John McCain (R-Arizona) and Sen. Bob Kerrey (D-Nebraska), never made it to a full Senate vote.

Many believe, however, that law enforcement doesn't need access to a user's digital signature, said David Banisar, staff counsel at the Electronic Privacy Information Center.

It is therefore unlikely that the Utah law that established the state's digital signature program in 1995 allows or requires law-enforcement access to users' private keys. A 1996 amendment to the law appears to forbid surrender of a user's private key without the user's express consent: "If a certification authority holds the private key corresponding to a public key listed in a certificate which it has issued, the certification authority holds the private key as a fiduciary of the subscriber named in the certificate and may use that private key only with the subscriber's prior, written approval unless the subscriber expressly grants the private key to the certification authority and expressly permits the certification authority to hold the private key according to other terms."

An employee of DST's parent company emphatically denied that any enacted or proposed legislation would affect a digital signature user's privacy.

"Government access is not an issue with digital signatures," said Mike Smith, manager of advanced technology research for Zions Bancorporation.

The only way a law agency would want a user's signature key is if the same key is also used for the encryption of messages. Some but not all products on the market use such a scheme, but it is unclear if DST will support such products. DST officials were not immediately available for comment.