May 6, 1999
OCC Issues Guidance on a National Bank Acting as a Certification Authority for Digital Signatures
WASHINGTON, D.C. — The Office of the Comptroller of the Currency (OCC) issued guidance today to national banks acting as certification authorities. A certification authority functions as an on-line notary, a trusted third party that confirms the identities of parties sending electronic payments or other communications.
"This activity is a gateway for national banks into electronic commerce," said Clifford A. Wilke, Director of Bank Technology at the OCC. "We know many national banks are considering this activity; we wanted to provide guidance at this early stage on the risks of acting as a certification authority."
"Today's guidance outlines the risks of operating certification authority systems to help bankers make informed decisions about this evolving industry," Wilke said. "As the industry develops and matures, more specific guidance regarding risk management techniques will follow."
A certification authority system includes two basic functions:
- issuing digital certificates to individuals or businesses; and
- confirming the validity of certificates previously issued.
A certification authority system is valuable to the participants if those individuals that receive digitally signed messages are confident of the identity of the individual who sent the message. If a bank issuing digital certificates has inadequate procedures for establishing correct identity, the bank may be exposed to legal action or a loss of business. Likewise, the risk exposure of a bank that confirms the validity of existing certificates depends on the quality of procedures used to maintain a current list of valid certificates.
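The two functions above, and the risk of confirming validity from an out-of-date list, in a constructed example. This is added illustrative code, not anything from the OCC or its guidance: a minimal certification authority built on Go's standard `crypto/x509` package issues a certificate to a subscriber, a relying party confirms it and verifies a signed message, and then the CA revokes the certificate while one relying party keeps working from a stale copy of the revocation list. All names (`CertAuthority`, `Confirm`, `RunScenario`, the bank and customer strings) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertAuthority is a constructed, minimal certification authority: a signing
// key, a self-signed CA certificate, and the serial numbers it has revoked.
type CertAuthority struct {
	key        ed25519.PrivateKey
	Cert       *x509.Certificate
	revoked    map[string]bool
	nextSerial int64
}

// NewCertAuthority creates the CA key pair and its self-signed certificate.
func NewCertAuthority(name string) (*CertAuthority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CertAuthority{key: priv, Cert: cert, revoked: map[string]bool{}, nextSerial: 2}, nil
}

// Issue is the first CA function: bind a subject name to a public key. The
// identity check the guidance stresses happens before this call; the
// certificate is only as trustworthy as that check.
func (ca *CertAuthority) Issue(subject string, pub ed25519.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial), Subject: pkix.Name{CommonName: subject},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke marks a certificate invalid before its expiry date.
func (ca *CertAuthority) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// RevokedSerials returns a point-in-time copy of the revocation list. A relying
// party that keeps using an old copy is the "current list" risk in the text.
func (ca *CertAuthority) RevokedSerials() map[string]bool {
	out := make(map[string]bool, len(ca.revoked))
	for k := range ca.revoked {
		out[k] = true
	}
	return out
}

// Confirm is the second CA function: chain to the trusted root, validity
// period, then revocation status against the list the caller holds.
func Confirm(cert, root *x509.Certificate, revoked map[string]bool, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate has been revoked")
	}
	return nil
}

// VerifySignedMessage is what a recipient of a digitally signed message does:
// confirm the certificate, then check the signature under the certified key.
func VerifySignedMessage(cert, root *x509.Certificate, revoked map[string]bool, msg, sig []byte) error {
	if err := Confirm(cert, root, revoked, time.Now()); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}

// Report records the outcomes of the constructed scenario.
type Report struct {
	FreshValid, SignatureValid, ForeignRejected, ExpiredRejected, RevokedRejected, StaleListAccepts bool
}

// RunScenario issues a certificate, confirms it, then shows a stale revocation
// list accepting a certificate the CA has already revoked.
func RunScenario() (Report, error) {
	var r Report
	ca, err := NewCertAuthority("Example Bank CA (constructed)")
	if err != nil {
		return r, err
	}
	other, err := NewCertAuthority("Unrelated CA (constructed)")
	if err != nil {
		return r, err
	}
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert, err := ca.Issue("customer-0001 (constructed)", subPub, time.Hour)
	if err != nil {
		return r, err
	}
	msg := []byte("constructed payment instruction")
	sig := ed25519.Sign(subPriv, msg)
	current := ca.RevokedSerials()
	r.FreshValid = Confirm(cert, ca.Cert, current, time.Now()) == nil
	r.SignatureValid = VerifySignedMessage(cert, ca.Cert, current, msg, sig) == nil
	r.ForeignRejected = Confirm(cert, other.Cert, current, time.Now()) != nil // wrong trust anchor
	r.ExpiredRejected = Confirm(cert, ca.Cert, current, time.Now().Add(2*time.Hour)) != nil
	stale := ca.RevokedSerials() // a relying party's copy taken before revocation
	ca.Revoke(cert)
	r.RevokedRejected = Confirm(cert, ca.Cert, ca.RevokedSerials(), time.Now()) != nil
	r.StaleListAccepts = Confirm(cert, ca.Cert, stale, time.Now()) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The last two fields of the report are the point: the same certificate is rejected by a relying party holding the CA's current list and accepted by one holding a copy taken before revocation, which is why the guidance ties a confirming bank's risk exposure to how well it keeps that list current.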
The OCC guidance distinguishes between the risks of open and closed certification authority systems. A bank using a certification authority system for secure internal email is an example of a closed system that poses minimal risk to the system operator. In an open system, on the other hand, in which the certification authority system confirms identities for electronic commerce transactions between businesses or individuals with no previous contact, the system operator may be exposed to greater risk.
National banks need to be aware of the legal framework for a certification authority. At this time, digital signatures are not recognized under federal law as the equivalent of handwritten signatures for binding parties contractually in a commercial transaction. Some states have passed laws establishing the legality of digital signatures. A law enacted last year, the Government Paperwork Elimination Act, addresses electronic authentication, but it applies only to federal government agencies.
Today's guidance may be obtained by writing to Comptroller of the Currency, Public Information Room (Mail Stop 1-5), Washington, D.C. 20219; faxing a request to (202) 874-4448; retrieving the document from the OCC web page at http://www.occ.treas.gov; ordering by phone (202) 874-5043; or visiting the OCC's Public Information Room at 250 E Street, S.W. in Washington, D.C. (9 a.m.-noon and 1-3:30 p.m., Monday-Friday).