What is a Certificate Authority?
Presently, ComSign is the only company in Israel authorized to issue authorized digital signatures.
(Authorized digital signature = digital signature issued by a Certificate Authority.)
What is a Certificate Authority and why is it needed at all?
A Certificate Authority is an entity which issues digital signatures that are equivalent to handwritten signatures in accordance with the law. In order for any entity to be considered a Certificate Authority, it must fulfill the stringent Justice Ministry CA Registrar standards and regulations.
ComSign, Comda’d subsidiary, is registered as the only Certificate Authority in Israel (presently) authorized to issue authorized digital signatures.
For a digital signature to be called “protected” as opposed to just any digital signature (any scribble on a digital board for example), a few basics are required:
It must be unique to the signatory.
It must allow apparent authentication of the signatory.
It must be issued by signing means which can be controlled by the signatory exclusively (from the moment of issue).
It must allow identifying any changes, if and when they are made, to a digital message after it was signed.
However, how will we know that what we have purchased or received from somebody does in fact fulfill these criteria and that the signature we have received is in fact safe? How can signature buyers and receivers know and rely on the fact that it is actually safe and not fall victim to a scam or deception?
Here the legislator helps by offering a simple solution: Certification (a certificate accompanying the signature which testifies that the signature is in fact safe and fulfills the basic requirements of a safe signature).
What is this digital certification that accompanies the digital signature? The Electronic Signature Law 5761-2001 determines that a certificate authority cannot issue a certificate (certification) for a digital signature which is not protected, but only after verifying that it is in fact protected. In other words, if and when a certificate authority has issued a digital certificate for a protected signature, the legislators and courts will accept it as a verified protected signature.
On the other hand, if any entities issue a certificate (certification) themselves testifying that the signature at their disposal is protected, it is doubtful that the courts will accept this. Should any objections be raised by the other party, the entity claiming that their signature is protected is responsible to prove it as opposed to the side claiming that injustice and damage were caused to them because their control over the signature at their disposal was affected.
Many people establishing PKI systems in organizations issue certifications themselves in format, and joke that they can issue as many certificates as they like. However, these certificates, which are issued by various entities themselves via electronic means that they purchased, have no legal standing.
According to the law, no entity whatsoever can issue legal digital certificates themselves indicating that the signature in their possession is in fact protected in accordance with the law, even if they are convinced of it. The law makes no mention of certificates which entities themselves have issued.
The bottom line: Using an authorized digital signature provides clients total “insurance’ and legal guarantee that the person using the authorized certificate on the other side of the screen has been authenticated and is obligated to this document as if it were signed in his/her handwriting.