BANDAR SUNWAY – With the extended movement control order (EMCO) just announced, Malaysian organisations are now increasingly reliant on exchanging digital documents. While digital PDFs are great for e-mail exchanges, documents that are serious in nature require stricter oversight.
The terms “digital signatures” and “e-certificates” are often used interchangeably, but they are different technologies serving separate purposes.
When receiving confidential documents, how do I ensure that the signature has not been forged? How can I validate if the document has not been tampered with? Digital signatures are processes aimed at resolving these problems by verifying the authenticity of a document, message or transaction.
Digital signatures aim to serve three functions:
Although most documents come paired with metadata, the information may not be entirely accurate. Digital signatures are able to authenticate the source of these messages.
Document recipients must have great confidence that the document has not been tampered with by the time it is received. For example, important financial information could be modified after it is issued, leading to unwarranted financial leakages.
Non-repudiation is a legal concept where a party cannot deny the validity of something. For example, a vendor is unable to deny sending out a particular invoice if a digital signature is attached.
How do they work?
Digital signatures employ many different methods to develop trust between customers, business partners and vendors:
Some employ hash functions — generating a string of characters unique to the file. A computed hash cannot be reversed to find other files that may have the same hash value.
e-Certificates, on the other hand, function similarly to identification cards, passports and driving licenses. Their main role is to enable identification of the holder and the secure exchange of information amongst trusted institutions.
Generally, digital certificates are issued by government authorities, but some private institutions employ similar technologies in some parts of the world. When someone requests a certificate, the authority verifies the identity of the requester, certifies them if all requirements are met, and issues the certificate. The e-certificate is then used to verify the identity of its owner.
e-Certificates generally consist of the following features:
Role in the pipeline
Although digital signatures and e-certificates are different, both are part and parcel of the document exchange process.
A signer digitally signs a document using a certificate, and other parties trust the digital signature because the Certification Authorities have gone through the process of verifying the identity of the signer.
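The exchange described above can be reproduced with the OpenSSL command-line tool. This is an added example, not part of the original article: the authority names, the vendor, the impostor and the invoice text are all constructed, and the authority's identity check is only simulated. It shows that a recipient accepts a document only when the signer's certificate chains to a trusted authority and the signature matches the file.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for illustration.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# new_ca NAME: create a self-signed certification authority (NAME.key, NAME.crt).
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_cert CA NAME: the CA certifies NAME's public key (identity check simulated).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# sign_doc NAME FILE: hash FILE with SHA-256 and sign the hash with NAME's private key.
sign_doc() { openssl dgst -sha256 -sign "$1.key" -out "$2.sig" "$2"; }

# verify_doc TRUSTED_CA SIGNER FILE SIG: succeed only if the signer's certificate
# chains to the trusted CA and the signature matches the file's contents.
verify_doc() {
  openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2.crt" -pubkey -noout > "$2.pub"
  openssl dgst -sha256 -verify "$2.pub" -signature "$4" "$3" >/dev/null 2>&1
}

# check ...: print the recipient's decision for the given arguments.
check() { if verify_doc "$@"; then echo "ACCEPT"; else echo "REJECT"; fi; }

new_ca trusted-ca
new_ca unknown-ca
issue_cert trusted-ca vendor
issue_cert unknown-ca impostor

printf 'Invoice 001: pay RM 1,000\n' > invoice.txt
sign_doc vendor invoice.txt
sed 's/1,000/9,000/' invoice.txt > tampered.txt   # altered after signing
sign_doc impostor tampered.txt                    # re-signed by an uncertified party

echo "original, vendor signature:   $(check trusted-ca vendor invoice.txt invoice.txt.sig)"
echo "tampered, vendor signature:   $(check trusted-ca vendor tampered.txt invoice.txt.sig)"
echo "tampered, impostor signature: $(check trusted-ca impostor tampered.txt tampered.txt.sig)"
```

The third case is the one the certificate exists for: the impostor's signature is mathematically valid for the altered file, but it is rejected because no trusted authority has certified the impostor's key.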
In short, certificates are used to certify the trustworthiness of a person, while digital signatures are used to verify the trustworthiness of the data being sent. Another way to verify the trustworthiness of a person is by undergoing a process known as e-know your customer (e-KYC). You can find more information about e-KYC by visiting the link here: bit.ly/3wk1Qie