1. Identity Authentication
Confirming the identity of all parties to an electronic transaction is a prerequisite for smooth electronic transactions. Both parties to an online electronic transaction must first verify the authenticity and credibility of the other party before transacting; this is the identity authentication (Authentication) system. Authentication serves two main purposes: first, to confirm the source of the information; second, to confirm that the information has not been modified or replaced during transmission.
According to the existing authentication functions and authentication objects, electronic authentication can be divided into the following types: (1) Site authentication, that is, authentication of whether encrypted data can be transferred successfully between two sites; (2) Data information authentication, that is, authentication of the source, content, time and destination of the electronic information; (3) Identity authentication, that is, authentication of the personal identity of the party transmitting electronic information when a user accesses the system, so as to distinguish legal from illegal users and prevent illegal access.
The body that undertakes the task of identity authentication on the Internet is called a certification authority (CA). According to Article 2 of the "Uniform Rules on Electronic Signatures" of the United Nations Commission on International Trade Law (UNCITRAL), a certification authority is any unit or individual that issues identity certificates related to encryption keys for the purpose of verifying digital signatures. The provisions of the Uniform Electronic Transactions Act in the United States are similar. Experience shows that certification agencies must establish their own trust and neutrality in society, so the role is generally filled by independent, non-profit third parties. Their main functions include issuing and managing e-commerce certificates, and generating and managing user keys, CA keys and the like. When parties to electronic transactions apply to a certification agency for an e-commerce certificate, they must submit the relevant proof of identity for verification by the agency, which then issues the certificate. The items recorded on the certificate include the name of the holder, the validity period of the certificate, and the holder's public key. When an electronic transaction is conducted, one party can present its certificate to the other party to prove its identity, and the other party can ask the certification agency to verify the identities of both parties.
Obviously, the important role of certification agencies is to ensure the security of electronic transactions. Judging from foreign experience, certification agencies should be professional, independent and non-profit organizations. Their professionalism lets them serve customers effectively; their completely independent and non-profit status places them in the detached position of an independent third party, making it easier to gain the fair trust of both parties to the transaction.
The most famous certification agency in the United States is VeriSign, a company headquartered in Mountain View, California. The company was founded in April 1995, and the digital certificate services it provides have spread to more than 60 countries and regions around the world. The number of corporate users of its digital certificate services has exceeded tens of thousands, and the number of individual users has exceeded one million. The earliest certification research carried out in China was the online banking development project of Bank of China. In 1998, Bank of China cooperated with two ISPs, Century Internet and Ruide Online, to test online transactions. Customers first apply to Bank of China for CA certification and install the CA certification software on their computers in order to qualify for online transactions. The customer can then enter an online store that has a cooperative relationship with the bank to make purchases, and the bank pays the merchant. However, owing to the lack of relevant national security standards and the lack of experience in online transactions, this research has not yet reached the promotion stage.
Another important question about the certification agency is: If an electronic transaction fails due to the fault or negligence of the certification agency, should the certification agency bear legal responsibility? If so, what is the nature of the responsibility? Is it liability for breach of contract or statutory liability? Are there any scope restrictions? These are legal issues that we must address.
To study the nature and scope of the legal responsibilities of certification agencies, we should start from the role of certification agencies. The certification body plays a role similar to that of a witness between the two parties to an electronic transaction. What it witnesses is the authenticity of the identities of both parties to the transaction, and this is the basis on which the parties agree to transact. Therefore, if a fault of the certification body or a technical defect leads to a false certification result and the transaction fails, the certification body shall be liable to compensate the injured party. Since the responsibility of the certification body can arise from legal provisions, one source of this responsibility is statutory liability; at the same time, because participation in certification is based on the agreement between the parties and the certification body, the responsibility can also arise as liability for breach of contract.
It is worth emphasizing that, since certification work is new, there are many unpredictable technical factors. If the responsibilities imposed on the certification body are too heavy, this may hinder the development of electronic certification services and thereby the development of electronic transactions. Therefore, a reasonable distribution of legal responsibilities between certification agencies and the parties to electronic transactions is very important for the development of e-commerce as a whole. Foreign legislative experience shows that this issue has been fully noted. For example, the "Digital Signature Act" of Utah, USA, stipulates that the certification body has limited liability: as long as the certification body complies with the obligations stipulated in the Act, it is exempted from liability for losses caused by false or forged digital signatures.
The author believes that the current legislation should only stipulate the principle of attribution of legal liability of certification agencies, which is enough. As for the specific scope of liability and the degree of compensation, it can be left to the parties to agree on their own in the agreement between the two parties.
2. Electronic signatures and digital signatures
Neither the United Nations' "Model Law" nor the other important e-commerce regulations gives a clear definition of what an "electronic signature" is. The UNCITRAL Model Law avoids this issue, probably because the experts who drafted the document believed that electronic signature technology was still in its early stages, would be complicated to implement, and would be difficult to include in the Model Law, so it was not mentioned.
From a technical point of view, electronic signature mainly refers to using a specific technical solution to give a party a specific electronic password, so that the password can prove the identity of the party and, at the same time, serve as a security measure ensuring that the transaction information sent by the sender has not been tampered with. The main purpose of electronic signature is to use technical means to confirm the identity of the sender of a data message, to ensure that the content of the transmitted file has not been tampered with, and to resolve problems such as the sender denying that the data was sent or received.
The technical principle of electronic signature is as follows: when each data message is sent, it is accompanied by a data summary, usually 128 bytes in length. After conversion by a "key", the data appears to be a series of chaotic numbers, but actually represents the sender's identity information. The so-called key is in effect equivalent to the "password" that everyone encounters in daily life. The identity of the sender can be confirmed by using the "key" to decrypt and convert the data summary. If a third party tampers with the data message during transmission, he does not know the sender's private key, so the result obtained by verification and decryption will necessarily differ from the recomputed result. This ensures the authenticity and integrity of electronic information.
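The hash-then-sign mechanism described above (digest the record, transform the digest with the signer's private key, let the holder of the public key and the untransformed record check both the key match and the record's integrity, as the Singapore definition quoted below also puts it), as an added illustration that is not part of this article. It uses textbook RSA on two constructed, publicly known Mersenne primes, so it is a teaching toy and not a secure implementation; real systems use secret random primes, padding and a standard library.

```python
"""Hash-then-sign with a toy RSA key.  Added example, not from the article.
The modulus is built from two well-known Mersenne primes so the block runs
offline with the standard library only; that choice makes the key trivially
factorable, which is fine for illustration but never acceptable in practice."""
import hashlib


def digest(record: bytes) -> int:
    """The 'data summary': SHA-256 of the record, read as a big integer."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def make_keypair(p=(1 << 521) - 1, q=(1 << 607) - 1):
    """Constructed toy key.  2^521-1 and 2^607-1 are prime, so n is about
    1128 bits, comfortably larger than the 256-bit digest it must cover."""
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


def sign(private_key, record: bytes) -> int:
    """Transform the digest with the private key (raw RSA, no padding)."""
    n, d = private_key
    return pow(digest(record), d, n)


def verify(public_key, record: bytes, signature: int) -> bool:
    """Undo the transformation with the public key and compare it with a
    fresh digest of the record.  A mismatch means the record was altered,
    the signer's key does not match this public key, or both."""
    n, e = public_key
    return pow(signature, e, n) == digest(record)


def demo():
    """Sign a constructed order, then check the intact record, an altered
    record, and verification against a different party's public key."""
    pub, priv = make_keypair()
    other_pub, _ = make_keypair((1 << 127) - 1, (1 << 1279) - 1)  # second toy key
    order = b"Buyer A purchases 100 units at 12.50 each"  # constructed record
    sig = sign(priv, order)
    intact_ok = verify(pub, order, sig)
    altered_ok = verify(pub, order.replace(b"100", b"1000"), sig)
    wrong_key_ok = verify(other_pub, order, sig)
    return intact_ok, altered_ok, wrong_key_ok


if __name__ == "__main__":
    print("intact / altered / wrong key:", demo())
```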
Since the effectiveness of electronic signatures is closely related to the validity of the electronic contract itself, it is a key issue that must be solved in the legislation of electronic transactions in most countries. However, the actual operation methods vary. There are three main ways to do this:
① National legislation. For example, the U.S. Congress passed a bill setting the minimum conditions for the legality of electronic signatures, while allowing state governments to modify the standards on their own. At the same time, many U.S. states have passed Electronic Signature Laws, among which Utah's Electronic Signature Law is the most influential. Singapore's "Electronic Transactions Act" provides for both "electronic signatures" and "digital signatures". "Electronic signature" is defined as: "Any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted with the intention of authenticating or approving the electronic record." "Digital signature" is defined as: "An electronic signature consisting of a transformation of an electronic record using an asymmetric cryptosystem and a hash function such that a person having the initial untransformed electronic record and the signer's public key can accurately determine: (1) whether the transformation was created using the private key that corresponds to the signer's public key; and (2) whether the initial electronic record has been altered since the transformation was made." This provides a secure way to confirm the identity of the sender.
② Party autonomy.
Since whether an "electronic signature" is equivalent to a traditional written signature has long been debated in the legal community, the Information Security Committee of the American Bar Association took a different approach in order to solve the practical problem as soon as possible. After more than four years of work, on August 1, 1996 it released the guiding document "Electronic Signature Guide: A Legal Framework to Effectively Confirm and Ensure the Security of E-commerce". This document provides basic legal guidance on electronic signatures and notes that, when concluding an agreement, the parties may confirm in it the status and function of the electronic signature. Section 17 of Singapore's Electronic Transactions Act 1998 provides: "By using a specified security procedure or a commercially reasonable security procedure agreed to by the parties, if it can be verified that at the time it was made the electronic signature was: (A) unique to the person using it; (B) capable of identifying such person; (C) created in a manner or using a means under the sole control of the person using it; and (D) linked to the electronic record to which it relates in a manner such that if the record was changed the electronic signature would be invalidated, then the electronic signature shall be treated as a 'secure electronic signature'." In this way, the digital signature can have the same function as a physical signature.
③ Adopting an expanded interpretation of what a "signature" is. For example, in 1989, when a Pennsylvania court heard a real estate transaction case, it held that an official e-mail could be regarded as a "signed written document" consistent with the provisions of the "Statute of Frauds". The decision explained: "This issue (whether official mail meets the requirements of the law) is new to Pennsylvania, but as businesses and individuals continue to use e-mail, telex, and fax machines in their business negotiations, similar issues will arise one after another. The Court considers that the appropriate and realistic approach to these cases is to examine the authenticity of the documents and not just the formal signatures." China's "Contract Law" does not provide for digital signatures. Article 32 addresses signatures: if the parties conclude a contract in writing, the contract is established when both parties sign or seal it. However, this provision is obviously aimed at traditional transaction methods and does not take into account the many special issues raised by electronic signatures. It seems that this gap can only be filled by future e-commerce legislation.