Thursday, December 8, 2011

2.0 Policy and Legislative Framework

2.1 NITA-U Act

NITA-U was established by the National Information Technology Authority, Uganda Act, 2009 (the NITA-U Act). The purpose of the Act is to provide for the establishment of the National Information Technology Authority, Uganda, and to provide for its objects, functions, composition, management, finances and other related matters. NITA-U's objects, as spelt out in the NITA-U Act, are -

(a) to provide high quality information technology services to Government;

(b) to promote standardization in the planning, acquisition, implementation, delivery, support and maintenance of information technology equipment and services, to ensure uniformity in quality, adequacy and reliability of information technology usage throughout Uganda;

(c) to provide guidance and other assistance as may be required to other users and providers of information technology;

(d) to promote co-operation, co-ordination and rationalisation among users and providers of information technology at national and local level so as to avoid duplication of effort and ensure optimal utilization of scarce resources;

(e) to promote and be the focal point of co-operation for information technology users and providers at regional and international levels; and

(f) to promote access to and utilisation of information technology by the special interest groups.

NITA-U’s functions are, amongst others to -

1. Co-ordinate, supervise and monitor the utilisation of information technology in the public and private sectors;

2. Set, monitor and regulate standards for information technology planning, acquisition, implementation, delivery, support, organization, sustenance, disposal, risk management, data protection, security and contingency planning;

3. Regulate the electronic signature infrastructure and other related matters as used in electronic transactions in Uganda;

4. Promote and provide technical guidance for the establishment of e-Government, e-Commerce and other e-transactions in Uganda; and

5. Protect and promote the interest of consumers or users of information technology services or solutions.

After the promulgation of the NITA-U Act, the Uganda Law Reform Commission, through its Commercial Justice Reform Project, undertook a review and formulation of laws to regulate ICT-related matters in Uganda. As a result, three ICT laws were enacted in 2011 to supplement the NITA-U Act, namely the Electronic Signatures Act (ESA), the Electronic Transactions Act, and the Computer Misuse Act.

The Consultancy Team has been engaged to draft regulations in relation to digital signatures, and in particular as required by the ESA, read with the NITA-U Act.

2.2 Terminology of Electronic Signatures

Definitions

As you may have noticed, we have already used two terms, digital signature and electronic signature. Before proceeding, it is important to understand the terminology as it is used generally, and specifically as set out in the ESA.

“Electronic signature” is a general term referring to the various methods by which a person can sign an electronic data record. Electronic signatures can be created using many different technologies and can take many forms. Examples of electronic signatures include a name typed at the end of an e-mail message, a digitised image of a hand-written signature attached to an electronic document, a secret code (for example, the PIN used with ATM cards and credit cards), a biometric identifier such as a fingerprint or a retinal scan, and finally, also a digital signature (created through the use of public key infrastructure / cryptography).

“Digital signature”, on the other hand, is a narrower term referring to a signature created using public key infrastructure / cryptography. Of the examples above it is the only one that, on its own, lets a verifier detect that the signed record was altered after signing.

The ESA refers to and defines various terms, ranging from the most generic, “signature”, to the more specific, “advanced electronic signature” and “secure signature”.

“Signature” is defined to include any symbol executed or adapted, or any methodology or procedure employed or adapted, by a person with the intention of authenticating a record, including an electronic or digital method.

“Electronic signature” is defined as data in electronic form affixed to or logically associated with a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained in the data message, including an advanced electronic signature and a secure signature.

“Digital signature” is defined as a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine (a) whether the transformation was created using the private key that corresponds to the signer's public key; and (b) whether the message has been altered since the transformation was made.

“Advanced electronic signature” is defined as an electronic signature which is (a) uniquely linked to the signatory; (b) reliably capable of identifying the signatory; (c) created using a secure signature creation device that the signatory can maintain; and (d) linked to the data to which it relates in such a manner that any subsequent change of the data, or of the connection between the data and the signature, is detectable.

“Secure signature”, although not defined, is referred to in section 11, which provides that it is a signature completed through a prescribed security procedure, or through a commercially reasonable security procedure agreed by the parties (with other criteria also having been met).

The importance of digital signatures, as set out in the ESA, is that they are accepted as signatures wherever a rule of law requires a signature. The ESA also makes clear that they satisfy the requirements for signatures, written documents and original documents.

The ESA creates a legal presumption in favour of secure and advanced electronic signatures, the effect of which is to place the burden of coming forward with evidence and of persuading a court, on the person challenging the genuineness of the signature.

Public Key Infrastructure (PKI)

A big part of the ESA concerns Public Key Infrastructure (PKI). A large portion of the regulations that will have to be created also concern PKI. Therefore, it is important to understand some key aspects of PKI.

PKI is the basis for digital signatures. In each signed transaction there is a pair of keys, a private key and a public key. The private key is held only by the signer and is used to create the signature. The public key is available to anyone and is used by anyone who needs to validate the signer's signature. Verifying with the public key establishes only that the signature was made with the matching private key; it is the certificate, issued by a certification service provider, that binds that public key to a named person, and the rules for revoking keys and certificates that tell a verifier when that binding should no longer be relied on. PKI therefore involves several components, including electronic signature products (hardware and/or software), certification service providers, and rules for granting and revoking keys and certificates.
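To make the two limbs of the ESA's definition of a digital signature, and the role of the certification service provider in the PKI paragraph above, concrete, here is an added example written for this page (not code from the original post, from NITA-U or from the ESA). It uses Go's standard-library Ed25519 implementation. The key pairs, the subject name, the sample message, the minimal certificate format and the revocation map are all constructed for illustration; a real deployment would use X.509 certificates, a proper CA and a published revocation mechanism, which this sketch does not replace.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyPair is one signer's asymmetric key pair. The private key stays with
// the signer; the public key is published so that anyone can verify.
type KeyPair struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewKeyPair generates a fresh Ed25519 key pair from the OS random source.
func NewKeyPair() (*KeyPair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Public: pub, private: priv}, nil
}

// Sign is the "transformation of a message" in the ESA definition: only the
// holder of the private key can produce it.
func (k *KeyPair) Sign(msg []byte) []byte {
	return ed25519.Sign(k.private, msg)
}

// VerifySignature answers both limbs of the definition at once. It is true
// only if sig was made with the private key matching pub (limb a) AND msg
// is byte-for-byte what was signed (limb b). A forged signature and an
// altered message look the same to the verifier: both simply fail.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Certificate is a deliberately minimal stand-in for an X.509 certificate
// (hypothetical format, for illustration only): the certification service
// provider signs the binding "this subject holds this public key".
type Certificate struct {
	Subject   string
	SubjectPK ed25519.PublicKey
	CASig     []byte
}

// certBytes is the canonical byte string the CA signs. Including the subject
// name means the CA signature binds the name to the key, not just the key.
func certBytes(subject string, pk ed25519.PublicKey) []byte {
	return append([]byte("cert:"+subject+":"), pk...)
}

// Issue is the "granting" step performed by the trusted third party.
func (ca *KeyPair) Issue(subject string, pk ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, SubjectPK: pk, CASig: ca.Sign(certBytes(subject, pk))}
}

// VerifyWithPKI is what a relying party does knowing only the CA's public key
// and its revocation list (here a map keyed by the raw public key; real PKIs
// key CRLs by certificate serial number). Order matters: a valid CA signature
// on a certificate says nothing about whether the key has since been revoked.
func VerifyWithPKI(caPub ed25519.PublicKey, revoked map[string]bool, cert Certificate, msg, sig []byte) error {
	if !ed25519.Verify(caPub, certBytes(cert.Subject, cert.SubjectPK), cert.CASig) {
		return fmt.Errorf("certificate for %q was not issued by the trusted CA", cert.Subject)
	}
	if revoked[string(cert.SubjectPK)] {
		return fmt.Errorf("certificate for %q has been revoked", cert.Subject)
	}
	if !ed25519.Verify(cert.SubjectPK, msg, sig) {
		return fmt.Errorf("signature by %q does not verify: wrong key or altered message", cert.Subject)
	}
	return nil
}

func main() {
	ca, _ := NewKeyPair()
	alice, _ := NewKeyPair()
	cert := ca.Issue("alice@example.ug", alice.Public)              // constructed sample subject
	msg := []byte("Transfer UGX 1,000,000 to account 0012345")      // constructed sample message
	sig := alice.Sign(msg)

	fmt.Println("genuine:", VerifyWithPKI(ca.Public, nil, cert, msg, sig))
	altered := []byte("Transfer UGX 9,000,000 to account 0012345") // one digit changed after signing
	fmt.Println("altered:", VerifyWithPKI(ca.Public, nil, cert, altered, sig))
	revoked := map[string]bool{string(alice.Public): true}
	fmt.Println("revoked:", VerifyWithPKI(ca.Public, revoked, cert, msg, sig))
}
```

The point to take from the three checks in `VerifyWithPKI` is that the cryptographic verification in the last line is the cheapest part; the legal presumption the ESA attaches to a secure or advanced electronic signature only makes sense if the certificate and revocation checks before it are also performed, which is exactly the ground the regulations on certification service providers have to cover.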

PKI Enabled Applications

  • Electronic Fund Transfer (EFT), Telegraphic Transfer (TT), RTGS
  • e-Government (e-Tax, e-Filing, Internet and Mobile Banking, etc)
  • Secure e-Mail Communication
  • Electronic Fund Transfer Point of Sales (EFTPOS) in business establishments
  • e-Commerce (Amazon, eBay, Auto shops, etc)

Roles of Trusted Third Parties in PKI environment

  • Authentication of e-Signatures
  • Issuance of Digital Certificates
  • Others
