PKI in Singapore: Govt is biggest user

Singapore has passed legislation that affirms the validity of electronic documents, as well as digital signatures, but uptake of PKI is still slow in the private sector

The Singapore Electronic Transactions Act 1998 declares that information "shall not be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic record".

The same legality applies to signatures - provided that there is a security procedure that sufficiently verifies the party. That's where PKI comes in, but uptake has not been as fast in the private sector.

The Electronic Transactions (Certification Authority) Regulations 1999 provide for voluntary licensing of CAs and give the Controller of Certification Authorities (CCA) the authority to regulate and license CAs. The position of CCA is held by the Director-General (Telecommunications) of the Infocomm Development Authority (IDA) of Singapore, which acts as a statutory board in areas including telecoms, technology and e-commerce.

Singapore established its first public CA in Netrust, formed in 1997 as a joint venture between Keppel T&T and NETS, before any regulation pertaining to PKI technology was established.

Netrust is pushing ahead with new product tie-ups, the most recent being its representation of Odyssey Technologies' T-Shell, a vendor-independent PKI-based system. Currently, Netrust is a distributor of Entrust PKI systems.

Earlier this year, Netrust signed up eXtended Enterprise Systems (XES) to issue certificate-based authentication to its customers for use in high-value e-commerce transactions. Other clients include government organizations and corporate businesses such as CitiCommerce (Citibank) and BeXcom.

The second CA, ID.Safe, was set up last year between local security services firm CISCO Computer Security and Singapore Post, and was only recently awarded the first CA license from IDA.

Voluntary CA licensing
Since a license is not legally compulsory, the voluntary licensing provides CAs with preferential treatment in the areas of:

  1. Evidentiary presumption - The burden of proof falls on the disputing parties to show that the digital signature is not authentic, rather than on the CA, which is the norm for unlicensed CAs.
  2. Limited liability - The licensed CA will not be liable for any loss caused by reliance on a false or forged certificate, and is also not liable in excess of the reliance limit amount specified.

The license is renewable annually upon passing a review. The actual licensing process includes complying with IDA-approved security policies and procedures, a third-party audit of the CA's financial standing, as well as an analysis of the CA's key management policies.

According to a spokesperson from ID.Safe, the CA went through two rounds before successfully being awarded the license - a process which took 3-4 months.

Local PKI applications
The government seems to be the lead mover in local PKI usage, using the technology for the public's access to the Central Provident Fund, a social-security savings scheme. Over the Internet, PKI allows secure communications for users to request statements, submit CPF contributions, and transfer funds from one type of account to another.

It's also used in conjunction with local government procurement portal GeBiz (Government Electronic Business Partner), where the public can submit quotations, invoices, receive purchase orders, as well as view the status of payments.

Other PKI-enabled applications include tying up with the Integrated Land Information Service (INLIS), where users can download digital maps from the Land Office and Survey Department. The Urban Redevelopment Authority is also working on a system to allow the submission of textual information and CAD drawings for approval. An online e-patent transaction and search is also in the works.

The early adoption of PKI at the commercial enterprise level involved share trading, allowing users to securely manage portfolios and accounts, view share holdings, download monthly trading records, monitor live quotes - between different brokerage firms.
