Digital signatures, digital certificates, and advanced electronic signatures are all types of electronic signatures that use cryptography to authenticate the identity of the person signing and to secure their electronic signature. They are all very reliable, but they each have different legal consequences in terms of South African law. Even if you know that you want a very reliable electronic signature, it is important to work out whether a digital signature, digital certificate, or advanced electronic signature is most appropriate or required for your business’ transactions.
How cryptography works
Cryptography lets someone (like me) send a written message (like a signature) to someone that they’ve never met (like you) over a public channel (like the Internet) while keeping the message hidden from others.
Public-key infrastructure (PKI) is a popular form of cryptography that digital signatures and digital certificates often use.
Here is a video explaining a common PKI algorithm in a simple and creative way using colours (it includes a description of the maths involved at the end, which isn’t essential for understanding how PKI works):
I have summarised the key points of the video below and explained the legal differences between digital signatures, digital certificates, and advanced electronic signatures.
Key points of PKI
PKI requires that the person that I am sending the message to (in this case, you) and the person sending the message (in this case, me) agree on a shared secret key that no one else knows. I then use this secret key to encrypt my message and you use the same secret key to decrypt my message – like a code.
Let’s say we both agree on the colour red and I encrypt my signature with that colour. Then, you and I each choose a private key that we don’t show to anyone else, including each other. For example:
- I choose blue
- You choose yellow
The trick is that we each mix the shared public key with our own private key to get another colour. This becomes each of our own public keys. We send our own public key colour to each other over a public channel (like the Internet). So:
- I mix red with blue, get purple, and send you purple over the public channel (which everyone else intercepts)
- You mix red with yellow, get orange, and send me orange over the public channel (which everyone else intercepts)
Next, we each mix the colour we received from the other party with our own private key to get another colour:
- I mix orange with blue and get brown
- You mix purple with yellow and also get brown
We both got brown, the same colour, without sending it over the public channel or anyone else being able to intercept it. That is how we agree on a shared secret key.
Whenever either of us sends a message to the other, we can use the shared secret to encrypt our transaction. The other will then use their private key to decrypt the transaction and read the message.
Only the shared public key, my mixed colour that I sent to you (my public key), and your mixed colour that you sent to me (your public key) are visible to third parties that intercepted them on the public channel (like the Internet).
My private key, your private key, and the shared secret key are not visible to third parties because no one ever sends them over the public channel.
This system is a one way function – it’s easy in one direction, but very difficult in the other direction. A one way function is secure in the same way a combination lock is secure – easy to lock, but difficult to unlock without the combination. You can break the combination eventually, but it will take time.
A third party may be able to work out that the shared secret in our scenario is brown, because there are only so many colours that both purple and orange can become when combined with other colours. But, they will have to try and work out what the shared secret is by trial and error.
PKI uses complex mathematical formulas instead of colours. These would take supercomputers billions of years to break by trial and error. This makes PKI like a combination lock with a lots and lots of possible combinations – and that makes it highly secure and a useful basis for digital signatures, digital certificates, and advanced electronic signatures.
Digital signatures are a type of ordinary electronic signature in terms of South African law.
They are more reliable than most other types of ordinary electronic signature because they use cryptography to authenticate the identity of the person signing.
You can use a digital signature whenever an ordinary electronic signature is sufficient in terms of South African law.
Digital certificates are also a type of ordinary electronic signature in terms of South African law. They are actually a digital signature tied to a certifying authority. A certifying authority is a trusted third party who has taken steps to check whether the a public key actually belongs to the person or organisation that claims it belongs to them. Lance Michalson explains in detail what a certifying authority is here.
Digital certificates are more reliable than digital signatures because the certifying authority takes additional steps to authenticate the identity of the person signing over and above the steps built into cryptography. This may include, email authentication, checking details of the person signing in public records, or contacting the person signing by phone.
You can use a digital certificate whenever an ordinary electronic signature is sufficient in terms of South African law.
Advanced electronic signatures
Advanced electronic signatures are not a type of ordinary electronic signature in terms of South African law. They are a special type of signature created by the ECT Act. They are technically also a digital signature tied to a certifying authority (a digital certificate), but the South African Department of Communications has to have accredited the certifying authority as following a specific authentication process and issuing a specific digital certificate product. So far, only Law Trust Party Services (Pty) Ltd (“Lawtrust”) and the South African Post Office Ltd (“Sapo Trust Centre”) are accredited certifying authorities.
Advanced electronic signatures are arguably more reliable that digital signatures or digital certificates because they not only use cryptography and a certifying authority, but the certifying authority also has to authenticate the identity of the person signing face-to-face. However, the accredited certifying authority doesn’t have to take other steps commonly taken by other certifying authorities. So in certain situations, an ordinary digital certificate may be more reliable.
You must use an advanced electronic signature whenever a signature is required by South African law. However, this is not as easy to work out as it sounds.
Electronic signature solutions
Do you need help deciding what kind of electronic signature you need for your business’ transactions? You can read about our electronic signature solutions here, including: