Many people have heard the term “CA”, but are not exactly clear what it means or what a CA does.

In the world of information security, a CA is a “certification authority”, which plays an important role in creating trust between parties online.

The identification and authentication of parties in cyberspace remains a challenge and poses threats to consumers and businesses simply because you don’t really know who the other parties are: you cannot see them in the flesh and don’t know whether they are impostors or not.

A CA is an organisation that issues digital certificates (the digital equivalent of an ID card used in conjunction with a public key encryption system). It is a trusted third party that will only issue the digital certificate after verifying that a public key belongs to a certain user (company or individual).

In South Africa, a CA is referred to as a “certification service provider” under the ECT Act. A certification service provider is one category of “authentication service provider” dealt with in chapter 6 of the ECT Act.

Chapter 6 of the ECT Act

Chapter 6 has established a government-endorsed accreditation scheme for authentication service providers. This scheme is entirely voluntary. The South African Accreditation Authority (SAAA) has been created to accredit organisations who want to have their products or services accredited. The Department of Communications is the SAAA. The SAAA only monitors the activities of authentication service providers within the Republic whose products or services have been accredited.

Chapter 6 also indirectly establishes a legal framework for the operation of public key infrastructures (PKIs) in South Africa.

The approach adopted by Government is a 2-tier approach. This is one of 3 approaches, the other two being a “minimalist approach” (which aims to facilitate the use of electronic signatures generally) and a “prescriptive approach” (which establishes a legal framework for the operation of PKIs).

Chapter 6:

  • is technology neutral
  • recognises the various legal effects of the various types of services being provided in the context of public key cryptography
  • takes into account the current market-driven standards in South Africa, international best practice and foreign legislation
  • creates a benefit in favour of those processes which have been accredited, that are recognised as particularly reliable, but also
  • reflects the need for flexibility in the use of “electronic signatures” and “advanced electronic signatures” and does not aim to discourage the use of other authentication techniques.