Digital signature and certification: tight or let go?

The decree on digital signatures and digital signature certification will be as detailed as possible, so that it can be deployed immediately once issued and the issuance of additional guiding documents is kept to a minimum. The drafting agency has solved many problems, but some contents are not consistent.

No need for virtual seals

At the end of August 2006, the Ministry of Post and Telematics collected final comments on the draft decree in preparation for submission to the Government. For digital signatures (CKS), the Ministry proposes that authorized persons in agencies and organizations (CQ, TC) be granted a CKS corresponding to their position, and that when transacting they need to sign only once, without a 'seal' signature (a second signature by the CQ, TC). That is, this signature is equivalent to the handwritten signature plus the organization's seal. Currently, countries like Japan and South Korea do the same. In terms of technology, experts all regard signing once as safe, because the CKS is secured by certification authorities (CA - Certification Authority).

[Figure: Wikipedia.org illustration of the process of creating and authenticating digital signatures]

Although they agree with the sign-once plan, many people still have questions. Mr. Le Manh Hung, Deputy Director of the IT Department of the State Bank of Vietnam, asked: what should be done in the case of a person concurrently holding many positions or being authorized? Does that person use his or her own signature when making a personal transaction? If this problem cannot be solved, one person may have 3-4 CKS. Mr. Vu Hoang Lien, director of VDC company, asked: 'If it is signed once, when something happens, is the individual responsible or the agency responsible?' Mr. Le Manh Ha, director of the Ho Chi Minh City Department of Post and Telecommunications, in particular disagrees with the sign-once plan. He said: 'From a managerial perspective, signing twice is tighter, because it is the official document of the organization, not the individual's text, and the problem is not just signature verification. Signing twice also conforms to the State's seal management regulations.'

However, according to Le Thi Ngoc Mo, deputy director of the Telecommunications Department (Ministry of Post and Telematics) and head of the drafting team, whoever has the authority to sign in a given position will have information on that position in the document. So the signer represents the CQ, TC, and that text is the text of that CQ, TC. When these individuals sign as individuals, they use another CKS.

Promoting competition but must be tightly controlled

Regarding organizations providing digital signature certification services (CAs), the draft proposes building a common CA for the country (Root CA), with the branches below it divided into 2 categories: public CAs (used for dealings with organizations and individuals in society and business) and private or specialized CAs (for transactions between members of an agency or organization, or between two or more units affiliated with each other through rules or legal regulations; for internal, institutional and non-profit transactions).

In order to provide a public CA service, the applicant must be an enterprise (to promote competition), must have a license and a digital certificate issued by the national CA, and must comply with personnel, financial, technical and security conditions. In particular, enterprises must have legal capital of about VND 40 billion and post a deposit of VND 5 billion or insurance, if any. According to the drafting group, this capital requirement is aimed at ensuring safety for customers, especially when enterprises are dissolved (they must continue to maintain their obligations after dissolution).

This part of the draft caused many reactions. Many people do not know what the 40 billion figure is based on or why it must be so high (which restricts many businesses from participating). Meanwhile, the legal capital of banks is only 10-20 billion dong. According to the explanation of Mr. Vu Duc Dam, Deputy Minister of Post and Telematics, if the business is to be maintained and the service is to be long-term and stable, the CA must be very professional and very large. Otherwise, the CA will not be able to create customer trust and may be pointed out by the CA or foreign customers. In addition, there are security rules that are not only about codes but also cover matters such as locations, guarding, bombs, bullets and earthquakes. So CAs need to have high legal capital. Another expert also said that the use of CAs in Vietnam will grow gradually, not in a rush, so only a good number of CAs can meet. According to Le Thi Ngoc Mo, the chief editor of the draft team, even Korea, a country with quite developed technology, has only about 6-7 CAs, so Vietnam does not need many.

For private CAs, the question is whether to manage them or let them develop freely. The terms 'dedicated' and 'specialized' CA also caused controversy. In the Law on Education and Training, only two types of CA are listed, 'public' and 'specialized'. The last draft of the Decree divided them into 2 types, 'special specialties' and 'special-use specialties'. This draft merges the two types into 1, which leaves some things in the Decree unclear. It is suggested that these two types of CA are similar only in that they are not related to economic activities and profitability, while their processes, jobs, organizations and so on are very different.

Therefore, many people believe that CAs need to be divided into 2 types: the specialized type (in the Party, Government, military, security and some special sectors such as finance and banking) and the own-use type (in other companies, schools and organizations). According to the Ministry of Post and Telematics, agencies and organizations such as the Party, Government, security and defense will have their own CAs, which are not registered with the Ministry of Post and Telematics and are not covered by this draft.

Regarding the remaining CAs, especially private ones (popular), it is suggested that these are only internal CAs, that the CQ, TC using them are themselves responsible, and that State management is not needed. On the contrary, some people, including representatives of the Ministry of Post and Telematics, say they should not be encouraged, because if they are developed everywhere it will lead to difficulties in management and produce 'dark areas' that the managing agency does not catch. Therefore, the draft proposes that, for specialized / private CAs, the CQ, TC and enterprises that want to use them must register by notifying the Ministry of Post and Telematics.

The standard for the national CA is also a matter of debate. Currently, the Ministry of Post and Telematics has not released a detailed set of standards for CAs. According to Mr. Hoang Quoc Khanh, technical director of NacenComm, building standards cannot be avoided. Enterprises that want to provide CA services must rely on standards to get permission, and licensing agencies must have standards to decide whether a license can be granted and to assess whether the company is providing good service.

However, Mr. Vu Duc Dam said the development of standards may take years and years, because it involves reference to thousands of foreign standards. Therefore, the construction of the national CA can only guarantee the minimum conditions to meet actual needs (the national CA should not be too slow compared to the CAs in the industry). The standards will continue to be built later. And in order to avoid legal consequences due to the lack of standards, licensing will be strictly implemented.

Thuy Anh