Letter in response to an IT article seeks to reassure users of ARTL of the system's integrity and security

I read with interest the article entitled “Beyond chip and PIN” by Laura Reid and Michael Bromby (Journal, July, 50).

I am heartened to see evidence that the appetite for electronic business within the Society’s membership is growing, thanks, perhaps, in no small part to the introduction of ARTL. However, I would like to take the opportunity to clarify a couple of points about ARTL raised in the article and assure the users of ARTL that the system’s security and integrity is of paramount importance to the Keeper.

At Registers of Scotland we are confident that the digital signatures created through ARTL meet the standards for advanced electronic signature as set out in the Electronic Communications Act 2000. The use of a strong, secure PIN, such as is enforced by the ARTL system, provides the necessary level of authentication to give the required element of non-repudiation. By non-repudiation I refer, in this context, to the concept of ensuring that a party who has digitally signed an ARTL digital deed cannot repudiate or refute the validity of the signature.

In this day and age no business computer user should be in the habit of leaving their PC unattended while logged on. As the article correctly points out, this is a major security risk where the private key associated with the digital certificate is stored in the computer’s software. In the ARTL signing solution the private key is stored on a smartcard. The smartcards are configured to require the user to authenticate themselves, by way of the correct entry of the PIN, whenever a signing operation is performed. The public and private keys are actually generated on the smartcard, which, apart from storage space, has enough computational capacity to perform the signing function as well, so even when signing a deed within ARTL the private key never actually leaves the secure device.

The issue of liability is nearly as hot a topic within the PKI community as it is within the legal profession. To reduce any potential exposure of the Keeper’s indemnity, prospective users of the ARTL PKI must have their identity verified in line with UK Government standards similar to those for money laundering before they are issued with a digital certificate. The uses for which ARTL digital certificates are authorised are restricted for the same reason. To assure ourselves and our users that the PKI element of ARTL is effective and applies recognised best practice, we have recently achieved accreditation for both tScheme (www.tscheme.org), which is an independent, industry led scheme set up to approve providers of trust services, and the technical standard ISO27001 (en.wikipedia.org/wiki/ISO_27001). The tScheme and ISO27001 assessments covered not only the quality of the technical solution provided by ARTL but also the policies and procedures put in place to manage it, the administrators and the users within it.

Three or four years ago, when ARTL was being designed, Registers of Scotland explored the possible use of a biometric element (fingerprint, iris scan, etc) to control access to the private key. Unfortunately, the technology at the time did not appear to be mature enough. It has of course improved since then. Registers of Scotland is monitoring current developments in the field. We anticipate that from time to time in the future ARTL (including its PKI) may be upgraded to keep it in line with the latest industry best practice.

The Author
Kevin Ramsay, ARTL Technical Manager, Registers of Scotlandd
Share this article
Add To Favorites