Many people have heard the term certification authority or “CA”, but are not exactly clear on what it means or what a CA does. In information security and cyberspace, certainty over the identification and authentication of the parties to a transaction remains a challenge and poses threats to consumers and businesses alike. When you have online transactions, you don’t know who the other party is – you cannot see them in the flesh and don’t know whether they are an impostor. A certification authority plays a vital role in creating that ‘trust’.

How does a certification authority work?

A CA is an organisation that issues digital certificates (the digital equivalent of an ID card used in conjunction with a public key encryption system).  It is a trusted third party who will only issue the digital certificate after verifying that a public key belongs to a certain user (company or individual).

In South Africa, a CA is referred to as “certification service provider” under the ECT Act. A certification service provider is one category of “authentication service provider” dealt with in chapter 6 of the ECT Act.

Chapter 6 of the ECT Act

Chapter 6 has established a government endorsed accreditation scheme for authentication service providers. This scheme is entirely voluntary. The South African Accreditation Authority (SAAA) has been created to accredit organisations who want to have their products or services accredited. The Department of Communications & Digital Technologies (DCDT) is the SAAA. The SAAA only monitors the activities of authentication service providers within South Africa whose products or services have been accredited.

Chapter 6 also indirectly establishes a legal framework for the operation of public key infrastructures (PKIs) in South Africa.

The approach adopted by Government, is a 2-tier approach. This is one of three approaches, the other two being a “minimalist approach” (which aims to facilitate the use of electronic signatures generally) and a “prescriptive approach” (which establishes a legal framework for the operation of PKIs).

Chapter 6:

  • is technology neutral
  • recognises the various legal effects of the various types of services being provided in the context of public key cryptography
  • takes into account the current market-driven standards in South Africa, international best practice and foreign legislation
  • creates a benefit in favour of those processes which have been accredited, that are recognised as particularly reliable, but also
  • reflects the need for flexibility in the use of “electronic signatures” and “advanced electronic signatures” and does not aim to discourage the use of other authentication techniques.

Actions you can take