NECS in NSW Consultation Papers
A consultation process addressing transaction specification, business practice and implementation arrangements for the National Electronic Conveyancing System (NECS), and relevant requirements of industry and community members in NSW.
3. Digital Signing of Electronic Instruments
being the signing and authentication of electronic registry instruments for NECS by Certifiers using digital signatures, and publication of registered instruments by the Land Registry.
27 November 2009
www.lpma.nsw.gov.au
About this Consultation Paper
This paper is published by the Land and Property Information division (LPI) of the NSW Land and Property Management Authority (LPMA). It describes proposed changes in conveyancing practice, risk management and systems arrangements for the settlement of real property transactions and the lodgment and registration of real property registry instruments (dealings) in NSW. Its intention is to make widely known the detail of proposed changes under consideration and to invite feedback on them. It does not represent NSW Government policy.
This Consultation Paper and the issues it raises need to be considered in the context of the intention of all jurisdictions and industry participant groups to achieve a single national system for electronic conveyancing in Australia. The paper forms part of a series of public consultation papers designed to ensure NSW based industry requirements are considered in the design, functionality and supporting arrangements of a National Electronic Conveyancing System.
Your feedback, comments, suggestions and criticisms should be made available to Land and Property Information by one of the following means:
Email: NECSinNSW@lands.nsw.gov.au
Letter: NECS in NSW Industry Consultation Feedback, Land and Property Information, GPO Box 15 SYDNEY NSW 2001 or DX 17 SYDNEY
Telephone: (02) 8236 7173 (8:30am to 4:30pm weekdays)
Additional copies of this document can be downloaded free of charge in PDF file format from the LPMA website at http://necsnsw.lands.nsw.gov.au/industry_consultations/consultation_papers
Comments and responses should be submitted by the dates specified in the Introduction of each consultation paper. Responses will be acknowledged and may be published on the LPMA website and/or referenced in report/s recording consultation findings unless you indicate in your submission that you wish for your comments to be confidential.
Responses will not be used for any other purpose than to determine the preferred technology and business practice arrangements for implementation of NECS in NSW. Copyright in this paper is held by the Land and Property Information division of the Land and Property Management Authority. Division 3 of the Commonwealth Copyright Act 1968 recognises that limited further use of this material can occur for the purposes of fair dealing for example study, research or criticism. However, to make use of this material, other than as permitted by the Copyright Act, please write to Land and Property Information at GPO Box 15, Sydney NSW 2001. 2 NSW Land and Property Management Authority - November 2009
The Agency Privacy Statement provides an overview of how any personal information collected or stored by the agency is handled. The Privacy Statement can be viewed at www.lands.nsw.gov.au/privacy/landsprivacystatement.
Further information
Further information on the National Electronic Conveyancing System (NECS) proposals, and supporting information, analysis and specifications relevant to implementation of NECS in NSW is available at www.necs.gov.au and http://necsnsw.lands.nsw.gov.au/home.
Publisher's Note
The National Electronic Conveyancing System (NECS) is Australia's joint government and industry initiative to create an efficient and convenient way of completing property based transactions and lodging land title dealings for registration. The national work program to specify the legal framework, systems requirements and business practices for NECS is maintained and coordinated by the National Electronic Conveyancing Office (NECO). NECS documents and progress information are available at www.necs.gov.au. NECO is coordinating national consultations on a range of legislation, business practice and technology specification subjects during 2009. The principal NECS industry consultation mechanism is the National Project Team, a representative group comprising members drawn from industry and government, with its role to make recommendations on business requirements, supporting arrangements and implementation issues for NECS.
Land and Property Information encourages participants in these NECS in NSW consultation arrangements to consider also forwarding responses and contributions on NECS technology specification, business practice and implementation arrangements to the attention of the NECS National Project Team, using contacts accessible through the NECS website at http://www.necs.gov.au/default.aspx?articleid=464#whoweare
In the interests of consistency and transparency, where the National Project Team has reviewed or made recommendations on an issue relevant to a NECS in NSW Consultation Paper, those comments or recommendations will be made clear in the paper. Land and Property Information also undertakes to contribute outcomes and recommendations arising from NECS in NSW industry consultations to the relevant NECS processes, to assist in development of consistent national system requirements, risk management and business practice arrangements for NECS.
Acknowledgment
Land and Property Information acknowledges the ongoing engagement with and contribution by industry stakeholders to the NECS development program, in particular the NSW Law Society, Australian Institute of Conveyancers NSW Division, Information Brokers and Law Stationers Association and Australian Bankers Association; additionally, the assistance of Clayton Utz in the research and preparation of these NECS in NSW consultation papers.
Disclaimer
Land and Property Information has produced these consultation papers to provide general information relating to business practice, legislative and systems technology arrangements being considered in the development of a National Electronic Conveyancing System for Australia and for its implementation in NSW. LPI has used its best endeavours to ensure that the information contained in this paper is correct at the time of publication but takes no responsibility for any error, omission or defect herein. The contents do not constitute legal advice and should not be relied upon as such.
LPI disclaims any liability to any person in respect of anything done or not done by any such person in whole or partial reliance upon the whole or part of the information in this paper.
Registrar General's Message
In July 2008 the Council of Australian Governments (COAG) announced a commitment to implementation of a National Electronic Conveyancing System (NECS) [1]. The NECS is to be a single national facility serving industry and government needs in all State and Territory jurisdictions and providing a convenient electronic means for legal practitioners, conveyancers, banks and mortgage processors to: prepare instruments and related documents to register changes in property ownership and interests; settle financial transactions, including payment of duties, taxes and disbursements; comply with the tax and duty requirements of the relevant State or Territory Revenue Office; lodge their instruments with the relevant State or Territory Land Registry; and receive confirmation of the lodgment and registration of instruments.
In March 2009 the agreement was extended and confirmed through the National Partnership Agreement to deliver a Seamless National Economy [2], increasing the efficiency of the economy by reducing costs incurred by business in complying with unnecessary and inconsistent regulation across jurisdictions. A national electronic conveyancing system is specified for achievement in the agreement and implementation plan, with electronic conveyancing transactions to be achieved in jurisdictions not later than 2011.
The initiatives described in this series of consultation papers represent a major development in the systems, procedures and practices of the conveyancing and mortgage financing industry in New South Wales. The Torrens land titling system as adopted in New South Wales has deservedly earned a reputation as being among the most efficient and reliable in the world. Introduced in 1863, the system served us well for 120 years as an entirely paper-based system requiring the noting of titles and interests using pens, stamps and typewriters.
For the past 25 years an electronic register has provided faster recording and far easier access to title information crucial to many processes associated with land development, conveyancing and financing. NSW led the way in development and implementation of an electronic register, and it is now time to take the next step in improving the efficiency of processes associated with land development, conveyancing and financing. Electronic conveyancing will be introduced in NSW by 2011, and participation by NSW industry and community members in specification of technology, business practice and implementation arrangements will be vital to prompt take-up of electronic conveyancing, and to achievement of associated cost savings. Land and Property Information is conducting a thorough program of preparation to support implementation of NECS in NSW. An internal readiness program is developing the technology services required to service NECS transactions and efficiently examine and apply electronic interest and ownership changes to the register. A critical part of the program is determining the technology specification, business practice and implementation requirements for NECS of industry participants in NSW, to ensure that NECS is structured and implemented so as to facilitate prompt widespread adoption and use in NSW. The move to an electronic business environment for conveyancing represents a significant change in industry practices. The roles, relationships and responsibilities of many of the participants in the industry must be adapted to facilitate the new way of working. Legislation will be adjusted in the States and Territories, conveyancing business practices changed, and new requirements and controls introduced that will change existing risk allocations and mitigation responsibilities. 
New systems and technology arrangements must be implemented, to provide for creation and validation of electronic document cases suited to electronic settlement and lodgment for registration.
[1] The announcement of COAG agreement on a national electronic conveyancing system may be viewed at http://www.pm.gov.au/node/5715.
[2] The Seamless National Economy National Partnership Agreement and associated Implementation Plan including arrangements for national electronic conveyancing may be viewed through the COAG secretariat website at www.coag.gov.au/intergov_agreements/federal_financial_relations/index.cfm.
In late 2008 LPI commissioned an independent Economic Appraisal of the implementation of NECS in NSW, to identify and confirm the potential economic benefits achievable through NECS. The study was conducted by KPMG and based on data confirmed with industry participants, quantifying savings achievable through business process and technology changes associated with NECS [3]. The appraisal identified opportunity for industry to achieve substantial operational efficiencies, with findings including: a mature year saving of $49.8M pa in conveyancing costs in NSW; an average saving of $170 per property sale or refinance; general agreement by stakeholders that national electronic conveyancing will result in significant industry cost savings; and a positive Net Present Value of $164.1M over the period to 2020 for the estimated $30M NSW proportion of industry, government and NECS setup costs.
The study identified that 62% of potential NECS cost savings arise in the settlement and lodgment stages of conveyancing activity, and include reduced duplicated data entry and re-work, courier and bank cheque savings, and Certificate of Title related savings. Qualitative benefits of NECS identified in industry responses included: faster lodgment of time-critical dealings; earlier availability of cleared funds after settlement; automated business-to-business data exchange and compliance assurance; direct lodgment of dealings after settlement; and easier access to lodgment for rural and remote communities.
The NSW economy can attain the greatest benefit from electronic conveyancing where NSW is ready for implementation of NECS as soon as an acceptable system is in place.
The consultation papers issued in this series present an important opportunity for industry participants involved in conveyancing and property financing in NSW to contribute to the specification of practice, risk management and systems arrangements that will become the principal method of documenting, settling and registering changes to property interests in Australia in coming years. I am confident of continued industry support in NSW for these important reforms and I invite and encourage your consideration and feedback on the proposals raised in these consultations.
Warwick Watkins
Registrar General
[3] The KPMG Economic Appraisal of NECS in NSW may be viewed and downloaded through the Lands website at http://necsnsw.lands.nsw.gov.au/publications.
About the National Electronic Conveyancing System [4]
The National Electronic Conveyancing System (NECS) is a computer system and a set of supporting rules and business practices within a legal framework that provides a reliable means of completing conveyancing transactions electronically. These arrangements are intended to replace the existing paper-based processes in all jurisdictions for the approximate 70% of transactions that are relatively common and routine.
The development of NECS is being co-ordinated by a National Electronic Conveyancing Office (NECO) through a National Project Team (NPT) and State Project Teams (SPT) overseen by a National Steering Committee (NSC) of government and industry representatives. The work is supported by the Council of Australian Governments (COAG) which has undertaken to establish permanent governance arrangements and provide establishment funding to support the system during implementation and take-up.
The basis of NECS is set out in roadmap documents published by NECO at www.necs.gov.au in particular a National Business Model (NBM), National Implementation Strategy (NIS), NECS Operations Description (NOD) and NECS Requirements Definition (NRD). These documents provide essential background to the issues raised in this Consultation Paper. Also available on the NECO website are an independent risk assessment and a comprehensive regulatory review of the NBM, other expert advice on key issues and the papers on specific issues being considered by the NPT. These documents also provide essential background to the issues raised in this Consultation Paper.
What NECS Will Do
As a national facility to assist industry participants in more efficiently completing conveyancing and mortgage financing transactions, NECS will provide an electronic environment to: collect transaction information and have it checked and verified for completeness and compliance; prepare instruments and reports to register changes in property ownership and interests; settle financial transactions, including payment of duties, taxes and disbursements; comply with the tax and duty requirements of Revenue Offices; and lodge instruments with Land Registries and receive confirmation of their lodgment and registration.
NECS is likely to be owned by government but operated as a corporation. NECS will be an industry facility available to all eligible industry participants to use in their delivering more efficient services to consumers.
What NECS Will Not Do
Inevitably, there are aspects of the total conveyancing process that will remain outside NECS and these include: disclosures required of vendors prior to sale; preparation and exchange of contracts for sale; pre-settlement investigations undertaken on behalf of purchasers; procurement of any insurances required by purchasers; creation of loan documentation by lenders; non-financial aspects of settlement; and processes for examining and registering instruments once lodged with the Land Registry.
The realisation of NECS may, however, have consequential impacts in some of these areas as industry practices evolve and adjust to make best use of NECS.
[4] This outline of the National Electronic Conveyancing System has been provided by the National Electronic Conveyancing Office as an information resource for inclusion in the NECS in NSW Consultation Documents. More detailed information about NECS is available from the NECS website www.necs.gov.au.
Key Roles in NECS
The major change to current conveyancing practice that is necessary to move to an electronic business environment is that, with some exceptions, Transacting Parties will no longer sign the instruments that instruct the Land Registry in each jurisdiction how to update its Torrens Title Register. In most instances an independent party will certify to the correctness of instruments and sign them on behalf of the Transacting Party or Parties. This change necessitates prescription of several key business practices which, in the interests of achieving a single national system, need to be consistent across all jurisdictions.
The key roles in NECS that are involved in securing a safe and reliable electronic conveyancing environment are:
- Transacting Parties are the individual vendors, purchasers, mortgagors or mortgagees dealing in property. They are persons and corporations.
- Clients who are the collection of Transacting Parties acting together in engaging a Subscriber to complete their transaction. They may be joint tenants or tenants in common and there may be any number of them provided they are acting collectively with a common purpose.
- Subscribers who are engaged by their Clients to use NECS in completing conveyancing transactions. They are legal and conveyancing practices, financial institutions, mortgage processors and government agencies.
- Users who are employees or contractors of a Subscriber authorised by the Subscriber to use NECS on the Subscriber's and the Subscriber's Client's behalf.
- Certifiers who are Users authorised by a Subscriber to certify compliance and sign instruments and other documents in NECS. The compliance certifications are as to the Subscriber having complied with all prescribed business practice requirements and the signings are as to the intention of the Subscriber's Client.
- Land Registries and Revenue Offices that prescribe required business practices to secure community confidence and receive instruments for registration of property interests and reports for ensuring compliance with duty and tax requirements and duty payments.
Other roles include Licensed Service Providers and a Financial Settlement Manager that provide support services.
NECS Design Principles
The functions and features of NECS are intended to conform to the following design principles: financial settlement practice consistent and compatible with, and making maximum use of, established financial payments industry procedures and infrastructure; registry instrument [5] preparation and lodgment practices independent of any Land Registry but accommodating of the requirements of all Land Registries; duty and tax payment practices independent of any Revenue Office but accommodating of the requirements of all Revenue Offices; a common standard for the electronic authentication of users whose certifications and signatures have to be relied upon in financial settlements and instrument registrations; a common format for the transmission of data to and from users, Land Registries and Revenue Offices; a single point of access and a common support infrastructure for users; and provision for users of varying sophistication, experience, technical competence and access requirement.
These principles are intended to secure the maximum possible utility, robustness and acceptance for NECS in an environment characterised by long-standing practices, competing interests, market diversity, legislative constraints and public policy variations.
[5] A registry instrument is also known as a dealing in NSW conveyancing
NECS Development Strategy
NECS is being developed with the intention of: minimum change to the long-standing concepts behind existing paper-based conveyancing and mortgage financing processes; maximum adoption of relevant and compatible concepts in existing jurisdiction business models; maximum adoption of relevant and compatible features and functions in the Victorian ECV system; maximum adoption of relevant and successful concepts from other electronic business environments; maximum utilisation of the common characteristics of relevant industry conditions and practices; maximum involvement of key stakeholder representatives in developing policies, systems and procedures; and avoidance of any concept, function or feature likely to preclude any jurisdiction or industry group from participating.
This approach is expected to secure maximum industry support and use by minimising the amount of change needing to be dealt with by jurisdictions and by industry participants in adopting NECS as their preferred way of completing conveyancing transactions and in readying their own facilities and practices to make maximum use of it.
Consistent Business Practices in NECS
The move to the electronic business environment of NECS represents the most significant change in industry practices in the last 150 years. The most significant of these changes is that in the main Transacting Parties will no longer sign the registry instruments that will change their registered interests in property. To accommodate this and other changes, the roles, relationships and responsibilities of many industry participants will need to evolve to facilitate the new way of working. It is essential to the success of NECS that changes to legislation, business practices, risk allocations and controls are coordinated across all jurisdictions so that the outcomes deliver consistent business practices in all States and Territories.
The business practice change presented and discussed in this Consultation Paper is one critical to the effective deployment of NECS in NSW.
Contents
1. Introduction
1.1 Signing of registry instruments
1.2 Context of this Consultation Paper
1.3 Commenting on this paper
2. Executive Summary
2.1 Overview
2.2 Background to digital signing (Section 4)
2.3 How are digital signatures used in NECS? (Section 6)
2.4 Risk management (Section 7.1 and 7.2)
2.5 Attribution of digital signatures (Section 7.3)
2.6 Managing the risk of repudiation of a digital signature (Section 7.4)
2.7 Security of private key and signing process
3. Specific Questions for Stakeholders
4. Background to Digital Signing
4.1 The role of signing and signatures
4.2 What is a digital signature?
4.3 PKI and Gatekeeper - the framework for implementing digital signatures
4.4 What is a Digital Signature Certificate?
5. National Project Team Position on Digital Signing
6. Use of Digital Signatures in NECS
6.1 The document signing and authentication processes
6.2 How will a Subscriber obtain a signing key and DSC for each of its Certifiers?
6.3 What kind of DSC is required?
6.4 How will signing rights be managed in NECS?
6.5 Signing of Instruments
6.6 Validation of signed documents
6.7 Providing copies of electronic registry instruments
7. Risk Management
7.1 Digital signatures assist in managing two risks
7.2 Content integrity
7.3 Signer identity authentication, attribution and non-repudiation
7.4 Managing the risks of repudiation of a digital signature by a Certifier or Subscriber organisation
7.5 Security of private key and signing process
8. Glossary of Terms
9. Source Materials
10. Appendices
A. Appendix A: Digital Signatures - A Primer
B. Appendix B - Selection of the type of Digital Signature Certificate for use in NECS
C. Appendix C - Operational Roles in NECS
D. Appendix D - Managing risks of signature use and document integrity for electronic conveyancing
1. Introduction
Digital signing is used for authorising and authenticating actions in a number of functions for electronic conveyancing using the NECS. The signing requirements for a number of these functions are still under discussion in the national forum. This consultation paper focuses on the digital signing requirements for registry instruments that will be presented for lodgment and registration at the Land Registry.
1.1 Signing of registry instruments
In the electronic conveyancing environment, it is intended that digital signatures will be used on electronic registry instruments for the same purpose that 'wet signatures' are used on paper-based registry instruments. As Subscribers sign in NECS on behalf of the Transacting Party, the digital signature on an electronic instrument is made by a Certifier and given on the Subscriber's behalf. The signing process also requires that certifications are provided as to the correctness and compliance of a signed instrument, including the correctness and compliance of any supporting evidence required for the instrument.
Signing of documents is a practice that has developed over centuries as providing an accepted level of confidence in the content of the document by authenticating its content as unchanged since signing and indicating the signatory's commitment to that content. The NSW signing requirement for real property transactions is defined in s23C of the NSW Conveyancing Act 1919 which states that "No interest in land can be created or disposed of except by writing signed by the person creating or conveying the same, or by the person's agent thereunto lawfully authorised in writing, or by will, or by operation of law" [1]. A registry instrument is the document [2] that gives effect to creating or disposing an interest in land which is recorded as a change on the Torrens Register.
On paper-based registry instruments, signing is the act of applying a signature to the document being executed. Signature (from Latin signare, "to sign") is a mark, seal or handwritten (and sometimes stylized) depiction of someone's name, nickname or even a simple "x" that a person writes on documents as a proof of identity and intent. A written signature is often referred to as a 'wet signature' in recognition of the method by which the signature is applied to hard-copy documents.
Surprisingly there is relatively little research on what a signature is from a legal perspective [3]. Their use has developed over centuries as a means of providing confidence to relying parties on the authenticity of the document and commitment of the signer to the document. This trust comes from the characteristics of signatures that provide evidence of:
- binding the identity of the signatory to the contents of the document
- a signature associated with a document authenticates the genuineness of the document
- the signatory has put their mind to the act of signing the document in order to be bound.
[1] S23C NSW Conveyancing Act 1919
[2] Under s.36(11) of the NSW Real Property Act 1900 a registry instrument upon registration is given effect as a deed duly executed by the parties who signed it.
[3] Key reference sources used by NSW Land Registry in researching the requirements for signing of registry instruments are Electronic Signatures: Understand the Past to Develop the Future by Adrian McCullagh, Peter Little, William Caelli published in UNSW Law Journal 1998/56, and What is a Signature by Professor Chris Reed published in UK Journal of Information Law and Technology 31 October 2000.
Signatures used for hard-copy documents are not suitable for use on electronic registry instruments. In place of 'wet signatures' NECS will require use of digital signing which provides equivalent characteristics to those offered by conventional signatures. In the electronic environment a digital signature is applied to an electronic document together with a Digital Signature Certificate (DSC) that identifies the natural person who is the owner [4] of the signature and the organisation they represent in applying the digital signature.
Each digital signature is unique to the document being signed. The uniqueness comes from the digital signature being system generated, with the signature determined by a combination of the signer's private key and the digital content of the document being signed.
In NECS there are several roles that require the use of digital signing. The development of requirements and specification of NECS are still in progress and many details remain to be determined in consultation with industry. This paper looks at digital signing as it applies to the Certifier role signing electronic registry instruments that support the registration of interests in land at the Land Registry.
Important concepts and their definitions used in this paper:
This section introduces and defines a number of concepts that are used in the consultation paper. A more comprehensive glossary is provided in Section 8.
Digital signatures involve the document (1) signing and (2) authentication processes using Public Key Infrastructure.
(1) The electronic document signing process requires the signer to be a key-holder with an electronic key pair (which comprises a private key and a public key) and to use the private key with signing software to produce a digital signature that is associated with the digitally signed document.
(2) The document authentication process facilitates the receiver of the signed document authenticating (or disproving) the document and signature by using authentication software, the original document as signed, the digital signature and associated Digital Signature Certificate (DSC) for the key-holder.
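The signing (1) and authentication (2) processes can be reproduced with the openssl command line, as in the following added example, which is not part of the consultation paper or of any NECS specification. The stand-in Certification Authority, the subject names, the file names and the sample instruments are all constructed, and RSA with SHA-256 is an assumed algorithm choice.

```shell
#!/bin/sh
# Added illustration of the signing (1) and authentication (2) processes using
# the openssl CLI. The CA, subjects, file names and documents are constructed.
WORK=$(mktemp -d)

# Key-holder generates a key pair, keeps <prefix>.key secret and sends only the
# public key (inside a certificate request) to the CA, which issues the DSC.
# $1 = file prefix, $2 = subject, $3 = serial. A stand-in CA is made on first use.
issue_dsc() {
  [ -f "$WORK/ca.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -days 30 -subj "/O=Demo CA (constructed)/CN=Demo Root" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$WORK/$1.key" 2>/dev/null &&
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -set_serial "$3" -days 30 -sha256 \
      -out "$WORK/$1.pem" 2>/dev/null
}

# A certificate nobody vouched for: same subject text, but self-signed.
self_signed_dsc() {  # $1 = file prefix, $2 = subject
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# (1) Signing: the signature is computed from the private key and the SHA-256
# digest of the document, so it is specific to both.
sign_doc() {  # $1 = private key, $2 = document; writes $2.sig
  openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# (2) Authentication by the receiver: accept the DSC only if the trusted CA
# issued it, then check the signature with the public key the DSC carries.
# Returns 0 = authentic, 1 = document/signature mismatch, 2 = DSC not trusted.
authenticate() {  # $1 = document, $2 = signature, $3 = DSC
  openssl verify -CAfile "$WORK/ca.pem" "$3" >/dev/null 2>&1 || return 2
  openssl x509 -in "$3" -noout -pubkey > "$WORK/verify.pub" || return 2
  openssl dgst -sha256 -verify "$WORK/verify.pub" -signature "$2" "$1" \
      >/dev/null 2>&1 || return 1
  openssl x509 -in "$3" -noout -subject   # identity the signature is attributed to
}

demo() {
  issue_dsc certifier "/O=Example Conveyancing Pty Ltd/CN=Jane Certifier" 1001 \
      || return 1
  dsc="$WORK/certifier.pem"; t="$WORK/transfer.txt"; m="$WORK/mortgage.txt"
  printf 'TRANSFER of folio 1/000000 to A. Buyer (constructed)\n' > "$t"
  printf 'MORTGAGE of folio 1/000000 to Demo Bank (constructed)\n' > "$m"
  sign_doc "$WORK/certifier.key" "$t" && sign_doc "$WORK/certifier.key" "$m" \
      || return 1
  cmp -s "$t.sig" "$m.sig" || echo "one key, two documents: two different signatures"
  authenticate "$t" "$t.sig" "$dsc" && echo "transfer: authentic"
  authenticate "$t" "$m.sig" "$dsc" \
      || echo "signature taken from the mortgage: rejected (rc=$?)"
  printf 'x' >> "$t"
  authenticate "$t" "$t.sig" "$dsc" \
      || echo "transfer edited after signing: rejected (rc=$?)"
  self_signed_dsc rogue "/O=Example Conveyancing Pty Ltd/CN=Jane Certifier" \
      || return 1
  sign_doc "$WORK/rogue.key" "$m"
  authenticate "$m" "$m.sig" "$WORK/rogue.pem" \
      || echo "DSC not issued by the trusted CA: rejected (rc=$?)"
}
demo
```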
The application process for obtaining the key pair and DSC involves the Authorised Officer for the Subscriber generating a complying electronic key pair for their use as a key-holder. The private key must be retained by the key-holder as a securely managed secret. The public key is sent to a Certification Authority with an application for a DSC to be issued that will be used to identify the key-holder and authenticate the electronic document with a digital signature produced using the key-holder's private key and digital signing software.
To issue the DSC, the Certification Authority requires a Registration Authority to verify the identity of the Authorised Officer DSC key-holder applicant by a face-to-face interview and check of Evidence of Identity (EOI) documentation for its compliance with Gatekeeper EOI policy. For issue of a Gatekeeper Authorised Officer DSC both the Certification Authority and Registration Authority must be Gatekeeper accredited.
[4] Owner here means the natural person identity that was verified and linked to the private key that created the digital signature.
After issue of the Authorised Officer DSC, obtaining a DSC for each Certifier for the Subscriber involves a repeat of the same DSC application process, except that (depending on the type of DSC to be obtained) verification of identity may be provided by the Authorised Officer instead of the Registration Authority.
Definitions of the terms in bold italics in the text above are given below.
Certification Authority is a service provider that digitally signs X.509 v3 Digital Signature Certificates (which may or may not include key generation) using the Certification Authority's private key.
Digital signature is the unique electronic code produced when digitally signing a document with a private key and signing software.
Digital Signature Certificate (DSC) is an electronic document signed by the Certification Authority which:
(a) identifies either a key-holder and/or the business entity that he/she represents; or a device or application owned, operated or controlled by the business entity
(b) binds the key-holder to a key pair by specifying the public key of that key pair
(c) contains the information required by the DSC profile.
Evidence of Identity (EOI) is evidence (e.g. in the form of documents) issued to substantiate the identity of the presenting party, usually produced at the time of registration (i.e. when authentication credentials are issued).
Gatekeeper is the Commonwealth Government strategy to develop Public Key Infrastructure to facilitate government online service delivery and e-procurement.
Key-holder is an individual who holds and uses keys and DSCs on behalf of an organisation, or in his/her own right in the case of individual Digital Signature Certificates.
Key pair is a pair of asymmetric cryptographic keys (e.g. one decrypts messages which have been encrypted using the other) consisting of a public key and a private key.
Private key is the electronic signing key in an asymmetric key pair that must be kept secret to ensure confidentiality, integrity, authenticity and non-repudiation.
Public key is the electronic key in an asymmetric key pair which may be made public and which is used in the document and signature authentication processes.
Public Key Infrastructure (PKI) is the combination of hardware, software, people, policies and procedures needed to create, manage, store and distribute keys and DSCs based on public key Cryptography.

Rendered Registry Instrument means a human readable presentation (similar to a paper instrument) of an electronic registry instrument in a readily-understood form that includes details of digital signatures and their validation by NECS. A Rendered Registry Instrument may be compiled from multiple 'counterparts' comprising the complete instrument, each counterpart being the set of data in a registry instrument signed by one Subscriber.

Registration Authority is a service provider that:
- is responsible for the registration of applicants for DSCs by checking EOI documentation submitted by the applicant for its compliance with Gatekeeper EOI policy;
- is responsible for the provision of a completed and authorised application form including copies of the submitted EOI documents to the relevant Certification Authority; and
- may be responsible for the secure distribution of signed DSCs to Subscribers

Sign is to create a digital signature for a message, or to affix a signature to a document.

This consultation paper provides an introduction to digital signing and seeks comment on implementation issues associated with the application of digital signing to electronic registry instruments.

1.2 Context of this Consultation Paper

Land and Property Information is developing and publishing a number of consultation papers and supporting information during 2009 and 2010, as part of a NECS in NSW Readiness Program, to prepare and implement business practices, operational systems, legislation and stakeholder communication in NSW to support implementation of national electronic conveyancing by 2011. Consultation papers and supporting information may be downloaded from the Lands website at http://necsnsw.lands.nsw.gov.au/home.
The following NECS transaction specification, business practice and implementation arrangement topics are expected to be addressed in the 'NECS in NSW' consultation program:

- Client Authorisation Agreement for use of NECS: being the requirements of Subscribers to obtain written authority to represent a party to a transaction in the NECS
- Instrument Certifications: being the nature and extent of certifications required of Certifiers signing instruments prepared using the NECS and intended for lodgment with a Land Registry
- Digital Signing of Electronic Instruments: being the signing and authentication of electronic registry instruments for NECS by Certifiers using digital signatures, and publication of registered instruments by the Land Registry
- Subscribers and Certifiers Operational Roles and Responsibilities: being the requirements for the roles of Subscriber and Certifier set out in the National Business Model (NBM) for the NECS
- Certificates of Title and Control of the Right to Deal: being the means by which the right to deal in a land title is evidenced by the controlling party for a transaction in the NECS
- Client Identity Verification practices: being the requirements for Subscribers to identify parties to a NECS transaction
- Supporting Evidence Requirements: being the documentation required to be obtained by Subscribers in support of registry instruments prepared using the NECS
- Land Registry transaction services for conveyancing: being details of the land involved in the transaction, sourced from the Land Registry, and workspace validation, verification and lodgment acceptability advice services to be available for the NECS and their adequacy for assuring readiness of workspaces for transaction completion

NECS Role Relationships

The following diagram shows the roles and relationships most directly affected by the consultation paper topics:

Figure 3: NECS Role Relationships
1.3 Commenting on this paper

Comments are invited on any matter in this paper. Comments are specifically invited on the issues listed in section 3.

Comments on this paper should be sent to Land and Property Information by one of the following means:

Email: NECSinNSW@lpma.nsw.gov.au
Letter: NECS in NSW Industry Consultation Feedback, Land and Property Information, GPO Box 15, SYDNEY NSW 2001 or DX 17 SYDNEY
Telephone: (02) 8236 7173 (8:30am to 4:30pm weekdays)

Comments on this paper are due by the 29th of January 2010
2. Executive Summary

2.1 Overview

In NECS, digital signatures for digital documents such as registry instruments will be the equivalent of handwritten or 'wet' signatures on paper documents.

This paper discusses:
- how digital signatures will be created in NECS using private keys;
- how a Subscriber relying on a digitally signed document can validate the digital signature using a Digital Signature Certificate (DSC);
- the types of DSC that will be used in NECS;
- how digital signature technology helps to strongly attribute a digital signature to a Certifier and Subscriber; and
- management of the risk of a Certifier or Subscriber attempting to repudiate responsibility for a digital signature.

2.2 Background to digital signing (Section 4)

Digital signatures are a form of electronic signature which provides legal and functional characteristics for signing electronic documents analogous to those provided by a handwritten or wet signature on a paper document.

Digital signing is a technology specified for use in NECS that permits:
- a person with a complying signing key and Digital Signature Certificate and signing access rights to electronically sign an electronic document (such as a registry instrument prepared in a NECS workspace); and
- a person who relies on that document (e.g. NECS or the Land Registry) to use software to verify who signed the document and to verify that the document has not been altered since it was signed.

To undertake digital signing, a person must first obtain a complying pair of cryptographic Keys (a private key and a public key) and obtain a Digital Signature Certificate (DSC). These are generated via a tightly controlled process and the DSC is obtained from a Certification Authority [5] after the identity of the person to be linked to the signing key and Digital Signature Certificate has been determined and verified by the Registration Authority [6].

[5] Verisign is currently the major issuer of Gatekeeper Digital Signature Certificates.
[6] Such as Australia Post that acts as a Registration Authority for Verisign Gatekeeper Digital Signature Certificates.
The infrastructure of Certification Authority, Registration Authority, signing and verification is called a Public Key Infrastructure. Australian governments require that digital signatures and DSCs used with government comply with the Gatekeeper strategy, administered by the Australian Government Information Management Office.

A digital signature is encoded information that is added to an electronic document on signing by the system in which an electronic document is being signed. For the type of signing proposed for NECS, the information includes:
- a digital signature which is a code that is produced by a standard software application that uses the private key of the person signing and the content of the document being signed. This means that the digital signature is unique for each different document.
- a Digital Signature Certificate (DSC) which is a set of information that identifies the person associated with the signature (an Organisation DSC also identifies the organisation the signer is acting for) and the public key for the signer that allows the receiver to check if the document has been changed since it was signed.

For those readers who are new to digital signing, a more detailed explanation, Digital Signing - A Primer, is attached at Appendix A. This includes a listing of digital signing terms with their definitions. More information about DSCs is given in section 4.4 of this paper.

2.3 How are digital signatures used in NECS? (Section 6)

In electronic conveyancing the signer of a registry instrument will be a Certifier for a Subscriber, who may be acting for a client or for themselves.

To transact using NECS and sign registry instruments a Subscriber needs to be signed up with NECS and have:
- an Authorised Officer who is a NECS User and holder of a key pair and a Gatekeeper compliant Authorised Officer DSC, and
- Users registered with NECS as Certifiers for the Subscriber and possessing a key pair and Gatekeeper Standard DSC.

The process for generating the key pair and obtaining a DSC is described in more detail in section 6.2.
Of the different types of Gatekeeper DSCs available, the National Project Team (NPT) [7] has recommended that Organisation DSCs be used which name the Subscriber organisation and the individual employed by or contracted to the Subscriber who can digitally sign as a Certifier on the Subscriber's behalf. (See section 5.)

[7] The National Project Team (NPT) is a group of key NECS stakeholders convened by NECO with members representing financial institutions, legal practitioners, licensed conveyancers, non-bank lenders, information brokers, mortgage processors, liability insurers, land registries and revenue offices.
An Authorised Officer for the Subscriber would obtain the first or Authorised Officer Organisation DSC [8] for the Subscriber after undergoing EOI checks at a Registration Authority. Thereafter the Authorised Officer could request Standard [9] Organisation DSCs to be issued to other individuals in the Subscriber Organisation. Those individuals would not undergo EOI checks at a Registration Authority but the Subscriber would be responsible for verifying their identity.

NSW Land Registry supports a strong connection between the Certifier and the Subscriber. As a consequence individual DSCs will not be authorised for use in NECS. It is possible that Organisation DSCs used in NECS could also be used for other applications and comment is sought on this (section 6.3).

Signing rights in NECS will be managed by pre-registration of Subscribers and their Authorised Officers and Certifiers with NECS. NECS will check the signing rights of Users when they sign registry instruments for a transaction in NECS. Comment is sought on whether industry requires double signing or specific signing scope permissions (see section 6.4).

Section 6.5 discusses the digital signing of registry instruments in detail, including signing a digital transfer in counterparts.

Section 6.6 discusses in detail the validation of digital signatures, when this will occur and how the results of a validation check should be recorded.

Section 6.7 asks in what form industry would want to have digitally signed instruments provided when copied from a workspace and when obtained through a document copy search.

2.4 Risk management (Section 7.1 and 7.2)

Digital signatures are used to mitigate two important risks:
(a) the apparent signer of a document asserting they did not sign (signer identity authentication); and
(b) the apparent signer asserting that the document was altered after signing (content integrity).

An assurance of content integrity is an essential requirement for the Land Registry that will need assurance prior to registration that the registry instrument is unaltered since signing by the Certifier.
2.5 Attribution of digital signatures (Section 7.3)

A relying party who receives or intends to rely on a digitally-signed document will want to authenticate the signature by obtaining evidence that the apparent signer of the document did in fact sign it (attribution) and being satisfied that the apparent signer is legally responsible for and cannot legally repudiate the signature (non-repudiation).

[8] Often referred to as parent Organisation DSCs
[9] Often referred to as 'child' Organisation DSCs

"Attribution" can be thought of as the assessment of evidence available to the relying party as to who signed the document. "Non-repudiation" can be thought of as the legal consequence of whether and when a person to whom the signature is attributed can repudiate any legal responsibility for the signature.

Digital signatures provide strong attribution evidence that a digital signature on a document was created by the Certifier (key holder) on behalf of a Subscriber (both named in the relevant DSC). The Gatekeeper PKI framework also supports strong attribution of a digital signature to the key holder named in the DSC and (in the case of Organisation DSCs) to the organisation named in the DSC.

Strong attribution of digital signatures to a Certifier and Subscriber also supports the attribution of the digital signature to a Client on whose behalf a representative Subscriber purports to sign. Attribution to the Client also requires a valid Client Authorisation supported by a Client Identity Verification and evidenced by Instrument Certifications.

Without this strong attribution feature of digital signatures the Land Registry would not rely on signatures and certifications made by Certifiers for a Subscriber in electronic instruments in accepting digitally signed instruments for lodgment and examining for registration.

NSW Land Registry is also of the view that any participating Subscriber in a NECS workspace should be able to rely on digitally signed instruments in that workspace before they are lodged with Land Registry.

2.6 Managing the risk of repudiation of a digital signature (Section 7.4)

Strong attribution evidence will mean that the attributed signer is usually legally responsible for the signature. However in some cases a Certifier, Subscriber or Client may seek to repudiate legal responsibility for an attributed digital signature. [10]

A relying party would prefer not only strong attribution evidence (provided by PKI digital signatures) but also a strong non-repudiation legal position. NSW Land Registry requires a strong non-repudiation legal position to justify its acceptance of digitally signed registry instruments for lodgment, examination and registration.

The non-repudiation legal position is determined by the applicable legal rules as to when a person is bound by a digital signature. There are common law principles for determining this based on the law of agency and vicarious liability but those principles involve considerable grey areas.

[10] The NECS Risk Assessment (see http://www.necs.gov.au/Risk Management 2/default.aspx) identified a number of risk scenarios where a private key and DSC could be used fraudulently. The NECS Risk Assessment describes relevant risk management strategies necessary for the DSC issuing authority and Subscriber organisation to treat these risks.
The common law rules may be supplemented or replaced by contractual or statutory attribution (or non-repudiation) rules which determine when a person can legally repudiate a digital signature which appears to be theirs or made on their behalf.

The issue of an attribution (or non-repudiation) rule in NECS is discussed in detail in the NECS Legal Framework Fourth Consultation Package [11] which recommends there be a strong attribution (or non-repudiation) rule binding the apparent signing Certifier and Subscriber to a digital signature.

NSW Land Registry agrees that NECS needs a strong attribution (or non-repudiation) rule which protects relying parties (including relying Subscribers and Land Registries) from repudiation by signing Certifiers and their Subscribers. Comments are sought on this issue.

2.7 Security of private key and signing process

The security regime for digital signing is a combination of:
1. The User logon access controls to the Subscriber system in which signing occurs
2. The User logon access controls to NECS
3. User signing attributes and rules implemented in and applied by NECS
4. The Subscriber security controls enforced for the private key such as:
   - the physical and IT security around the private key, for example, is the key stored on a hard drive or on portable storage media, is it encrypted or password protected?
   - the password and other information required to activate the signing key to create a digital signature.

NSW Land Registry seeks comment on the appropriate security controls for digital signing and the private key.

[11] Available at www.necs.gov.au
3. Specific Questions for Stakeholders

Comment is invited on any matter in this paper. Comment is specifically invited on the following issues, which are repeated in their relevant context in the body of this paper.

Issue 1 - Types of Digital Signature Certificate for use in NECS

1.1 Are there any scenarios where the proposed requirement to use Organisation DSCs in NECS is not appropriate for the practices of industry entities that will be participating in electronic conveyancing?

1.2 What other business activities are being considered where industry would like to use the same Gatekeeper DSCs as used for electronic conveyancing?

2.1 Is there any reason why the Certificate Policy for DSCs used for NECS should be electronic conveyancing specific?

(Refer to section 6.3 What kind of DSC is required?)

Issue 2 - Signing requirements

2.2 Are there any scenarios that will require digital signing by two Certifiers on behalf of a Subscriber in one role in a transaction?

2.3 Is it necessary for double signing requirements to be enforced in NECS or is it satisfactory for this to be left with Subscribers?

2.4 Are there any scenarios where Subscribers will need to determine or configure specific signing scope permissions or signing levels for their Certifiers in NECS (e.g. a financial institution acting as mortgagee)?

(Refer to section 6.4 How will signing rights be managed in NECS?)
Issue 3 - Validation of signed documents

3.1 Does validation and verification by NECS of a digital signature associated with a signed document at time of signing provide sufficient compliance assurance confidence to Subscribers participating in an electronic conveyancing transaction? If not, why not and what is required to provide the necessary assurance?

3.2 Should the result of the compliance check at digital signing be included as part of the rendered instrument counterpart?

3.3 Does industry require copies of signed registry instruments that contain the digital signature for validation purposes? Will industry want the signed XML document, a rendered copy of the signed instrument, or both?

3.4 Are there scenarios where additional digital signature compliance checks will be required after signing and before lodgment? If so, what are these scenarios and what are the necessary compliance checks?

(Refer to section 6.6 Validation of signed documents)

Issue 4 - Registry instrument copy requirements

4.1 What instrument copy search products need to be provided by the Land Registry for a registered electronic registry instrument:
(a) XML data containing the counterparts as signed, the associated digital signatures, signing and lodgment information;
(b) a rendered summary of the instrument compiled from the counterparts and associated signing and lodgment information;
(c) other suggested format?

4.2 What is industry's preferred format for receiving copies of registered instruments?

(Refer to section 6.7 Providing copies of electronic registry instruments)

Issue 5 - Attribution and reliance

5.1 Are there any reasons why strong attribution of a digital signature to the holder of the Private Key named in the relevant DSC (both individual Certifier and Subscriber organisation) should not provide the basis for stakeholder risk management that will provide confidence in electronic conveyancing?

5.2 Is there any reason why any stakeholder in a real property transaction should not be able to rely on a digital signature associated with a signed document?

(Refer to section 7.3 Signer identity authentication and non-repudiation)
Issue 6 - Repudiation

6.1 Is there any reason why NECS should not provide a strong framework for non-repudiation of digitally signed registry instruments (whether through jurisdiction enabling legislation or participation rules)?

(Refer to section 7.4 Managing the risks of repudiation of a digital signature by a Certifier or Subscriber organisation)

Issue 7 - Security for digital signing

7.1 Do the controls described provide adequate risk management for the electronic signing key holder? If not, how should they be enhanced?

7.2 Should there be an agreed industry practice standard set for risk management of security of digital signing keys? If so, how should that standard be developed and what should be the governance arrangements for that standard?

7.3 What options would be acceptable to industry from a risk management perspective for reducing the time required for signing documents in electronic conveyancing (i.e. without negative effect to attribution and non-repudiation outcomes)?

(Refer to section 7.5 Security of private key and signing process)
4. Background to Digital Signing

4.1 The role of signing and signatures

In the paper-based business environment, signatures are legally accepted as a means of providing confidence to relying parties about the genuineness of a document.

From a legal perspective, a signature provides evidence of:
- binding the identity of a person to a document
- authentication of the genuineness of the document; and
- a person, in order to be bound by the contents of a document, must have put his/her mind to the act of signing the document.

The signature can be verified at signing, or if at a later stage a question or dispute about the authenticity of the document arises, the signature has value for forensic purposes. This has resulted in signatures providing a level of trust for commerce and the judiciary when dealing with signed documents. This level of trust must be achieved with digitally signed electronic documents to be used in electronic conveyancing.

Analysis of the traditional signature for hard copy documents has shown it is capable of performing a number of functions [12]. It can:
- identify the signatory;
- provide certainty as to the personal involvement of a particular person in the act of signing;
- associate a particular person with the contents of the document;
- attest to the intention of a person to be bound by the contents of the document;
- attest to authorship of the document by the signatory; and
- attest to some written agreement which may have been written by some third party who is not a party to the binding agreement.

The general physical characteristics [13] of the traditional signature are that they:
- can be easily produced by the same person;
- are easily recognised by third parties;
- are relatively difficult to forge by third parties;
- become bound to the document such that the physical object and its contents and the signature become one composite physical thing;
- involve a physical process (e.g. ink to paper);
- are comparatively standard for all documents signed by the same person; and
- are relatively difficult to remove without trace.

To achieve an equivalent level of trust in electronic conveyancing, a digital signature must, and does, provide legal, functional and physical characteristics for electronic documents equivalent to those provided by a witnessed 'wet signature' for a hard-copy document.

[12] UNSW Law Journal: Electronic Signatures: Understand the Past to develop the Future by Adrian McCullagh, Peter Little and William Caelli found at http://www.austlii.edu.au/au/journals/UNSWLawJl/1998/56.html, viewed 16 November 2009.
[13] UNSW Law Journal: Electronic Signatures: Understand the Past to develop the Future by Adrian McCullagh, Peter Little and William Caelli found at http://www.austlii.edu.au/au/journals/UNSWLawJl/1998/56.html viewed 16 November 2009.

4.2 What is a digital signature?

Digital signatures are an important part of NECS' in-built technical and legal measures to provide confidence in electronic conveyancing, and in particular the integrity of digitally signed electronic documents. An effective regime for digital signatures mitigates the risk of a Certifier (or the Subscriber for whom the Certifier acts, and any Client represented by the Subscriber) repudiating a signed electronic document or any part of its contents by claiming that the Certifier did not sign the document or that the document was altered after the Certifier signed it.

Gatekeeper [14] digital signing is a technology specified for use in NECS that permits:
- a person with a complying signing key and Digital Signature Certificate and signing access rights to electronically sign an electronic document (such as a registry instrument prepared in a NECS workspace); and
- a person who relies on that document (e.g. the Land Registry) to use software to verify who signed the document and to verify that the document has not been altered since it was signed.

The technology uses Public Key Infrastructure (PKI) to achieve the requirements necessary for digital signing. PKI is explained in more detail in the next section.

To undertake digital signing, a person must first obtain a complying pair of electronic signing Keys and a Digital Signature Certificate (DSC). These are obtained via a tightly controlled process from a Certification Authority [15] after the identity of the person to be linked to the signing key and Digital Signature Certificate has been determined and verified by the Registration Authority [16].
A digital signature is encoded information that is added to an electronic document on signing by the system in which an electronic document is being signed. For the type of signing proposed for NECS, the information includes:
- a digital signature which is a code that is produced by a standard software application that uses the private key of the person signing and the content of the document being signed. This means that the digital signature is unique for each different document, but identical if the same document is signed again.
- a Digital Signature Certificate (DSC) which is a set of information that identifies the person associated with the signature (an Organisation DSC also identifies the organisation the signer is acting for) and the public key for the signer that allows the receiver to check if the document has been changed since it was signed.

Every time the signer digitally signs a document, a defined mathematical algorithm in a special software module [17] in the signer's computer system is used, which means the signature is identical each and every time the signature is produced for a specific document using the same private key. The DSC created and certified by the Certification Authority contains the identity of the key-holder (signature owner), as determined by the identity verification conducted as part of the DSC issue process. This identity and other information contained in the DSC can be validated with the Certification Authority. The identity information in the DSC is the equivalent of a one-time witnessing of the digital signature that can be re-used for every signing using the private key and public key pair linked to that DSC.

For those readers who are new to digital signing, a more detailed explanation, Digital Signing - A Primer, is attached at Appendix A. This includes a listing of digital signing terms with their definitions. More information about DSCs is given in section 4.4 of this paper.

In NECS there are several roles that will use digital signing. This consultation paper focuses on digital signing as it applies to the Certifier role signing electronic registry instruments that support the registration of interests in land at the Land Registry.

4.3 PKI and Gatekeeper - the framework for implementing digital signatures

Public Key Infrastructure (PKI) is a system of cryptographic technologies, standards, management processes and controls governing the use of DSCs. The Gatekeeper strategy governs the use of PKI in government for the authentication of external clients (organisations, individuals and other entities). The Strategy ensures a whole-of-government framework that delivers integrity, interoperability, authenticity and trust for agencies and their clients.

[14] Gatekeeper is the Australian Government's strategy for the use of Public Key Infrastructure (PKI) as an important enabler for the delivery of online government services. See http://www.finance.gov.au/egovernment/security and authentication/gatekeeper/index.html viewed 16 November 2009.
[15] Verisign is currently the major issuer of Gatekeeper Digital Signature Certificates.
[16] Such as Australia Post that acts as a Registration Authority for Verisign Gatekeeper Digital Signature Certificates.
Gatekeeper is the Australian Government's policy and accreditation framework for the use of PKI by Australian Government agencies and was developed by the Commonwealth Government to increase confidence in the online economy by providing a government endorsed online trust framework using public key technology.

The National Business Model [18] for NECS requires the use of Gatekeeper-accredited [19] DSCs in NECS on the basis of their being made available under a government-regulated framework that assures a minimum standard of security and integrity for electronic transactions. The Commonwealth Government and all State and Territory governments have mandated the use of Gatekeeper DSCs in private sector dealings conducted electronically with government agencies [20].

The Gatekeeper Strategy was introduced in 1999 and has been under review and development since that time. The Gatekeeper PKI framework updated early in 2009 provides an updated structure of categories [21] of DSC. Gatekeeper compliant DSCs are widely used in Australia in healthcare, customs and taxation activities and business-to-government environments.

The digital signing risk management requirements for NECS have been identified [22] and four DSC options documented in the national issues paper Type of Digital Signature Certificate to be Required for NECS [23]. A description of the relevant types of DSC and the options for their use in NECS is set out in Appendix B.

4.4 What is a Digital Signature Certificate?

A Digital Signature Certificate (DSC), also known as digital certificate, binds an identity to a pair of electronic keys that can be used to encrypt and sign digital information. Used in conjunction with encryption using the digital signing keys, DSCs provide a security solution, assuring the identity of signing parties involved in a transaction.

A DSC is a digital file that identifies someone or something and contains a public key. A DSC has a specific format and content. Of particular importance is the name of the entity the certificate is issued to (who is identified by the DSC), the Certification Authority that issued the DSC, and any restrictions (business or technical) on the use that can be made of the certificate, or what another person receiving a certificate (a relying party) can assume.

[17] In Australia the open source and free Common User Signing Interface (CSI) is available at http://csi.business.gov.au/pages/default.aspx
[18] The National Business Model for NECS is available at http://www.necs.gov.au/NECS Roadmap Documents/default.aspx
[19] For details of Gatekeeper accreditation and its implementation, see http://www.finance.gov.au/egovernment/security and authentication/gatekeeper/index.html
[20] The Gatekeeper Strategy was adopted as the government business PKI framework at the 10th meeting of the National Online and Communications Council Officials in November 2000.
[21] Categories of DSC based on the Australian Government National e-Authentication Framework (NeAF) http://www.finance.gov.au/e government/security and authentication/docs/neaf executive summary.pdf
[22] The Risk Assessment of NECS can be found at http://www.necs.gov.au/Risk Management 2/default.aspx
[23] Issue paper Type of Digital Signature Certificate to be Required for NECS is available at http://www.necs.gov.au/issue Papers/default.aspx. For risks associated with Digital Signature Certificates and NECS, see Clayton Utz, "Risk Assessment of the National Electronic Conveyancing System" (2007) located at <http://www.necs.gov.au/articledocuments/final%20report%20of%20clayton%20utz%20 %203%20Volumes%20%20(Risk%20Assessment).pdf.aspx> viewed on 20 November 2009.
A Digital Signature Certificate typically contains [24]:

| DSC content | Purpose |
|---|---|
| Signature owner's public key | The public key for the signer's key pair that provides the means for the relying party to authenticate that signed document has not been changed since it was signed |
| Signature owner's name | The name of the natural person who is the key-holder for the private key |
| Organisation to which the signature owner and the signature is linked | The name of the organisation accountable for all transactions signed using the signing key linked to the DSC |
| Expiration date of the public key | The data that indicates the validity period for the DSC subject to the DSC not being listed on the certificate revocation list for the Certification Authority |
| Name of the issuer (the CA that issued the Digital Signature Certificate) | The name of the Certification Authority that issued the DSC and is accountable for the lifetime management of the validity of the DSC |
| Serial number of the Digital Signature Certificate | A unique reference for validation of the DSC |
| Signature algorithms | The algorithms used to create the signature (i.e. the cryptographic 'hash function' that produces the digest of the document being signed and the signing algorithm used to create the digital signature from the digest using the signer's private key) |
| Digital signature of the issuing Certification Authority | The means by which the authenticity and integrity of the DSC can be verified. |

For the purposes of electronic conveyancing, two categories of Gatekeeper DSC were proposed: an Organisation DSC and an Individual DSC. Having considered the national issues paper Type of Digital Signature Certificate to be Required for NECS, the NPT decided to adopt the Organisation DSC for use in NECS. There are two types of Organisation DSC: an Authorised Officer DSC and a Standard DSC. When applying for an Organisation DSC the organisation must appoint at least one Authorised Officer. Authorised Officers are required to undergo an independent personal identification check by the Registration Authority, and are issued with an Authorised Officer DSC. An Authorised Officer for an organisation has the authority to request a Certification Authority to issue Standard DSCs to other members of their organisation.
[24] More information on the Certificate Profile can be found at http://www.finance.gov.au/egovernment/security andauthentication/gatekeeper/docs/general_business_certificate_policy_specification.pdf
A Standard certificate is the same as an Authorised Officer DSC; however, applicants are not required to undergo an independent personal identification check. An organisation's Authorised Officer is responsible for validating an applicant's identity before requesting the Certification Authority to issue a Standard DSC to the applicant.

Individual DSCs are different to Organisation DSCs in that an Individual DSC is issued to a natural person, and the person has their identity independently verified by a Registration Authority. The certificate they are issued with is not linked to any organisation. These DSCs can be used generally by the key-holder to identify themselves electronically but not to evidence their connection with any organisation.

5. National Project Team Position on Digital Signing

On 10 February 2009, the National Project Team (NPT) considered four options for the Digital Signature Certificate Type for use in NECS[25]. The four options had been developed from the risk assessment advice prepared by Clayton Utz and presented to the NPT for consideration in the issue paper Type of Digital Signature Certificate to be Required for NECS.

The four options in the NPT issue paper were:
- Parent Organisation DSCs[26]
- Organisation DSCs with Subscribers required to conduct prescribed Evidence of Identity (EOI) checks on child certificate holders[27]
- Individual DSCs with NECS required to independently verify authority to represent Subscribers
- Organisation and Individual DSCs with EOI and authorisation checks[28].

The NPT meeting discussed the options and expressed the view that flexibility and a strong risk management regime were important to industry. The use of Organisation DSCs with specific responsibility on Subscribers to undertake prescribed EOI checks on child[29] certificate holders was identified as the preferred option and the meeting resolved that this option should be mandated for NECS.

[25] The National Project Team considered options presented in Issue paper Type of Digital Signature Certificate to be Required for NECS, which is available at http://www.necs.gov.au/issue Papers/default.aspx. The NPT determination is recorded in NPT minutes (unpublished), reference 2009; National Project Team Meeting 2009/1.
[26] The term "Parent DSC" as used in the issue paper presented to the NPT refers to what is now known as an Authorised Officer DSC.

[27] The term "Child DSC" as used in the issue paper presented to the NPT refers to what is now known as a Standard DSC.

[28] The proposal for "Organisation and Individual DSCs with CIV and authorisation checks" refers to an independent CIV check to a mandated standard being applied to the applicant for all (Organisation) Standard DSCs.

[29] LPMA understands that the NPT recommendation in relation to a Child certificate is that the Subscriber Organisation be responsible for the CIV check to be applied to the applicant for an (Organisation) Standard DSC.
6. Use of Digital Signatures in NECS

6.1 The document signing and authentication processes

The data integrity and security provided by digital signing of electronic documents is achieved via two processes:

1. The document signing process, which requires the signer to sign using their private key and signing software to create a digital signature that is associated with the signed document and provided with the document to a relying party (such as a Land Registry) to authenticate the signed document.

2. The document authentication process, where a relying party can use authentication software, the digital signature associated with the signed document and the signer's DSC to authenticate the document to:
   - verify (or disprove) attribution of the signature to the party identified in the DSC linked to the signature, and
   - confirm integrity of the document as being exactly what was signed and has not been changed.

In electronic conveyancing the signer of a registry instrument will be a Certifier for a Subscriber, who may be acting for a client or for the Subscriber as transacting party (e.g. as mortgagee).

To transact using NECS and sign registry instruments a Subscriber needs to be signed up with NECS and have:
- an Authorised Officer who is a NECS User and holder of a key pair and a Gatekeeper compliant Authorised Officer DSC, and
- Users registered with NECS as Certifiers for the Subscriber and possessing a key pair and Gatekeeper compliant Standard DSC.

The security of the digital signing and authentication processes depends on the standard of prescribed requirements of components of the PKI framework and the effectiveness of implementation of those components. For example, the standard of evidence of identity prescribed and applied in ensuring the identity of the key-holder and the effectiveness of key-holder control of security enforced for the private key are two critical components of the PKI framework.
The National e-Authentication Framework (NeAF)[30] is the framework that covers the rules to be applied by agencies to the authentication of external (i.e. non-Commonwealth Government) entities when dealing with them online. The framework provides a risk management approach to authentication that aligns business need and processes with appropriate authentication solutions and technologies.

The Gatekeeper Digital Signature Certificates recommended by the NPT and Land Registries align with Level 3 assurance in this framework. It is important that all components of the electronic conveyancing risk management framework such as business practices and signature attribution rule support achievement of the Level 3 assurance.

[30] An explanation of the National e-Authentication Framework can be found at http://www.finance.gov.au/egovernment/security and authentication/authentication framework.html
A more comprehensive description of the Document Signing and Authentication processes is covered in Appendix A, Digital Signatures: A Primer.

6.2 How will a Subscriber obtain a signing key and DSC for each of its Certifiers?

To obtain their DSC, each Subscriber[31] will have an Authorised Officer[32] and subsequently each Certifier[33] (applicant) enrol with a Gatekeeper Certification Authority, which will require identity verification of the applicant to an agreed standard before issuing the DSC. The applicant for the Authorised Officer DSC will be required to have their identity verification performed by an independent Gatekeeper Accredited Registration Authority. Essentially, the process involves:

(a) a written or online agreement[34] with the Certification Authority to obtain a DSC.

(b) a key generation process whereby the applicant's computer (using the nominated electronic key creation algorithm) will generate 2 mathematically related keys (long data strings). One key (public key) will be for public use and is sent to the Certification Authority to be included in the DSC. The other key (private key) must be kept secret and safe by the applicant either in software on their hard drive or on a separate token such as a smartcard.

(c) the applicant[35] must have his or her identity independently verified by a Gatekeeper Accredited Registration Authority. The standard of identity verification used is to be in accordance with the Registration Authority's Gatekeeper accreditation. Depending on the certificate type, the identity of the organisation on whose behalf the applicant will create digital signatures may be verified, along with the authority from that organisation to the applicant. The applicant's name (and where relevant the organisation's name and identifier such as ABN) will be included in the DSC together with the public key.

(d) the Certification Authority will create the DSC which will include the identity of the key-holder and the issuing Certification Authority, the expiry date of the DSC and other necessary information for validation of digital signatures produced by the linked private key. A copy of the DSC is sent to the applicant and the DSC is published by the Certification Authority in an online directory.
[31] The application and registration process to be a Subscriber in NECS is independent of applying for a NECS compliant DSC. However, complete electronic online application for registration as a Subscriber will require the applicant first to obtain a Gatekeeper compliant DSC for use in the electronic application.

[32] The first DSC issued for an organisation has to be an Authorised Officer DSC.

[33] The expected practice to be followed by Subscribers is that Certifiers are likely to be issued with Standard DSCs that are Child DSCs issued with identity authorisation provided by the Authorised Officer for the organisation.

[34] The agreement for an Authorised Officer DSC will have to be executed by an officer of the organisation with the legal authority to commit the organisation to the liability associated with the issue and use of an Authorised Officer DSC.

[35] An applicant for an Authorised Officer DSC is subject to independent identity verification by the Registration Authority to the Gatekeeper identity standard. The identity verification for applicants for Child DSCs can be provided by the Authorised Officer for the organisation.
A Gatekeeper compliant DSC for Level 3[36] assurance is valid for a period of two years (unless subject to revocation prior to expiry) after which it has to be renewed. Renewal involves a renewal application process (which requires updated identity verification on the second renewal i.e. after 4 years) and issue of a new DSC containing the new validity period.

For "sole practitioner" legal and conveyancing practices, the practitioner becomes a NECS Subscriber, and in terms of the Organisation DSCs will be the Authorised Officer and in NECS terms the Certifier. As the Authorised Officer, the practitioner completes the enrolment processes with the Certification and Registration Authorities and is issued with an Organisation DSC for use in NECS.

6.3 What kind of DSC is required?

Gatekeeper[37] compliant digital signature certificates are required in terms of the National Business Model for NECS. Gatekeeper is the government-regulated framework that assures a minimum standard of security and integrity for electronic transactions. The Gatekeeper strategy ensures a whole-of-government framework that delivers integrity, interoperability, authenticity and trust for Agencies and their clients.

Within the Gatekeeper framework, there remains discretion for each industry environment implementing DSC arrangements to determine the certificate types and use rules to be complied with in that environment.

The NSW Land Registry seeks industry feedback on DSC use requirements that need to be satisfied for effective implementation of electronic conveyancing.

Suitability of type of DSC:

The NSW Land Registry supports strong assurance on the identity of the Certifier and connection with the Subscriber on whose behalf they are certifying registry instruments.

The resolution of the NPT is to use Gatekeeper Organisation DSCs with specific responsibility on Subscribers to undertake prescribed identity verification checks on Child certificate holders as the preferred option for the type of DSC to be used for NECS.
Under this proposal, it is necessary that industry practitioners acquire an Organisation DSC for use in NECS. Individual DSCs are not proposed to be authorised for use in NECS. The exclusive adoption of Organisation DSCs may impact on existing practices used by some industry stakeholders. For example, are locum industry practitioners, not directly employed by a conveyancer, used on contract for short periods to cover for practitioners in a conveyancing business taking leave? The adoption of Organisation DSCs (rather than Individual DSCs) will mean planning well in advance of the leave to acquire an Organisation DSC for the locum practitioner, and then either revoking the DSC, or making arrangements to securely store the signing key so that it cannot be used until such time as the locum practitioner is again required by the conveyancing organisation.

[36] NeAF assurance level, see http://www.finance.gov.au/e government/security andauthentication/docs/neaf framework.pdf for details

[37] For details of Gatekeeper accreditation and its implementation, see http://www.finance.gov.au/egovernment/security and authentication/gatekeeper/index.html.
Multiple purpose use of DSC:

Each Gatekeeper Digital Signature Certificate is issued under a Certificate Policy[38] maintained by the relevant Certification Authority (to which each DSC recipient gives a compliance commitment) that defines the terms and conditions for use of the DSC. This Certificate Policy can potentially be customised to suit a specific application or business environment for which it may be issued.

Should the Certificate Policy to be applied to DSCs for NECS be tailored for use in electronic conveyancing only, or should the DSC have a Certificate Policy that allows the DSC to be used in a broad range of applications involving government agencies or other commercial applications? Use of a non-application specific Certificate Policy would provide industry with flexibility in using their PKI infrastructure investment in transacting with government agencies and improve the business case for the investment required for electronic conveyancing. For example, the legal framework[39] being developed for electronic conveyancing is being done in a manner that does not exclude the possibility of there being multiple Electronic Lodgment Network Operators (ELNO) for a jurisdiction (NECS will be the first and may be only ELNO).

Issue 1 - Types of Digital Signature Certificate for use in NECS

1.1 Are there any scenarios where the proposed requirement to use Organisation DSCs in NECS is not appropriate for the practices of industry entities that will be participating in electronic conveyancing?

1.2 What other business activities are being considered where industry would like to use the same Gatekeeper DSCs as used for electronic conveyancing?

1.3 Is there any reason why the Certificate Policy for DSCs used for NECS should be electronic conveyancing specific?

6.4 How will signing rights be managed in NECS?

NECS will maintain a register of Subscribers, the Users for the Subscriber and the signing rights for the Users registered as Certifiers for the Subscriber. On registration, NECS will issue the Subscriber with access rights to NECS for its Users. Each User will have their individual access identifier and permission for the NECS system.
For a DSC holder to certify a transaction in NECS, the organisation identified in the DSC must be registered as a Subscriber in NECS. The DSC holder must be registered as User for the Subscriber and assigned Authorised Officer and/or Certifier rights for the Subscriber. The DSC will be recorded in NECS as having been issued for the User. The use of the DSC will be subject to signing rights depending on the NECS registered attributes for the User (e.g. registered as Industry Certifier[40]) and the Subscriber[41] on whose behalf they transact in NECS.

The roles and responsibilities for NECS participants are still being refined through the NPT consultation process[42]. The National Business Model agreed to date indicates that the category of Subscriber and different operational roles will determine the signing rights for the DSC holder in NECS. Consequently, signing rights will need to be managed through the NECS register of Subscribers and their Users.

To ensure this requirement is satisfied, the NSW Land Registry proposes that application and enforcement of the nationally agreed signing rights rules will be a condition of the licence to provide and operate an electronic lodgment network in NSW.

At the time of preparing this Practice Consultation paper, the proposed national signing rules are as included for reference in Appendix C.

The NSW Land Registry is aware that some industry practitioners (such as mortgagees) as part of their internal risk management practices require two signatories for some types of registry instrument (e.g. discharge of mortgage). Where the practitioner requires two signatories, they may require two levels of authorisation for those signatories, with the second signature having a higher level of authorisation. The NSW Land Registry is interested in feedback on:

- Double signing: whether there are any risk management scenarios[43] where an industry practitioner (Subscriber) will require two signatures for one role in a registry instrument as part of the risk management requirements for the client (or Subscriber), or whether this double signing risk management requirement can be adequately satisfied in the industry practitioner's systems without adding complexity to the National Electronic Conveyancing System.

- Subscriber determined signing levels: in addition to the nationally agreed signing rules, will Subscribers want to have the option of assigning different signing authorities to Users registered with signing rights for the Subscriber preparing transactions within NECS.

[38] A Certificate Policy is a named set of rules that indicates the applicability of a certificate to a particular business environment and/or class of applications with common security requirements. Examples of Gatekeeper complying Certificate Policies can be found at https://gatekeeper.esign.com.au/repository/

[39] http://www.necs.gov.au/redesign Legal Framework 2/default.aspx
For example, do financial institutions have risk management requirements that mean they want to apply mortgage value or transaction type (such as restricting those who can certify discharge of mortgages) limits to their Certifier signing rights? Other uses of signing (such as signing Information Reports and Settlement Statements) using a digital signature are under discussion for electronic conveyancing using NECS. These uses are still under discussion in the national consultation forum, but they may also provide scenarios where signing levels are required to be configured by Subscribers.

[40] Industry Certifiers are legal practitioners or licensed conveyancers who are employees of or contracted to Subscribers who represent Clients in a transaction and are authorised by the Subscriber to certify and sign registry instruments on behalf of Subscribers and their Clients as transacting parties.

[41] See Appendix C for proposals being considered for Operational Roles at the time of preparation of this consultation paper.

[42] Copies of papers on consultation issues such as Operational Roles are available at http://www.necs.gov.au/issue Papers/default.aspx

[43] Scenarios such as a high value mortgage or discharge of mortgage
Issue 2 - Signing requirements

2.1 Are there any scenarios that will require digital signing by two Certifiers on behalf of a Subscriber in one role in a transaction?

2.2 Is it necessary for double signing requirements to be enforced in NECS or is it satisfactory for this to be left with Subscribers?

2.3 Are there any scenarios where Subscribers will need to determine or configure specific signing scope permissions or signing levels for their Certifiers in NECS?

6.5 Signing of Instruments

The digital signature produced when signing a registry instrument is unique to the content of the instrument and the private key used to create the digital signature. The DSC for the signer must be valid at the time of signing the document, and the digital signature must be valid for the document. This validation must be carried out and recorded by NECS at the time the registry instrument was signed. This is because it may not be possible to retrospectively determine with certainty whether the signature was valid at time of signing.

Depending on the type of registry instrument, there can be one (relinquishing) or two transacting roles (relinquishing and receiving) required to sign the instrument. For example, a discharge of mortgage requires only the outgoing mortgagee (relinquishing role) to sign the discharge. However, in NSW, a transfer instrument requires signing for both the vendor (relinquishing role) and for the purchaser (receiving role). The outcome of the NECS signing arrangements is a signed registry instrument counterpart for each transacting role in the registry instrument, each containing transaction data content (much of which is common to both counterparts), and each signed by the respective Certifier for the Subscriber for the client in each transacting role.

The concept of common data for a two counterpart registry instrument is shown in the schematic in the following pages. The relinquishing counterpart is shown as yellow, the receiving counterpart as blue, and the common data as green (the overlay of blue and yellow) in the schematic.

The counterparts will be presented for lodgment with the Land Registry. For a two counterpart registry instrument such as a transfer, the two signed counterparts making up the complete instrument will be lodged with the Land Registry for registration.
Each counterpart will be required to contain the digital signature and the DSC for authenticating the document and proving that it has not been altered since it was signed.

When the counterparts for a multiple counterpart registry instrument are lodged, the NSW Land Registry will assign the instrument a single Dealing number that will apply to both counterparts for that instrument.
A registry instrument counterpart is a set of transaction data signed by the Certifier. The set of data includes the jurisdiction registry instrument template used in compiling and rendering the instrument. Registry instrument templates are electronic forms containing as their substantive components[44]:
- A template purpose identifier
- Fixed words[45] that determine the legal context of included transaction data
- Data fields embedded at specific points in the fixed words
- Specific certification wordings determined by the template purpose
- Provision for the digital signature certificate of a Certifier.

When the registry instrument or its counterparts are rendered for publication, the referenced template needs to be used in the rendering of the document for publication.

The next page shows a schematic of the data contained in NSW registry instrument counterparts.

[44] Refer Function J1 Registry Instrument Templates in section 6.5.4.1.1 of the NECS Requirements Definition that can be found at http://www.necs.gov.au/necs Roadmap Documents/default.aspx

[45] The fixed words may include recitals, data field labels and operative words as necessary to assure meaning and purpose.
As with paper-based transactions, the details of the Responsible Subscriber (lodging party) are not part of the signed registry instrument data, as the Responsible Subscriber may not be determined until late in the preparation of the transaction. Currently, in NSW, 81% of paper-based registry instruments have the Responsible Subscriber (lodging party) details either added or changed after signing of the registry instrument.

Locking the Responsible Subscriber details in each registry instrument counterpart would mean that counterparts would have to be re-signed if the Responsible Subscriber changes after signing of any instruments. However, the Responsible Subscriber information (shown in the lower pink section of the schematic) needs to be submitted to the Land Registry as lodgment information (certified by NECS for the Workspace) for the case as a whole for lodgment, to be recorded by the Land Registry with the Lodgment Case. The Responsible Subscriber will be responsible for payment of lodgment fees, satisfying any requisitions and will be shown on published copies of registered registry instruments.

In the same way, signing information is recorded as part of the digital signing of the registry instrument counterpart. The signing information includes the key-holder (signatory) details, the organisation the signatory represents, a time stamp and compliance result for the signature when received by NECS. This information needs to be recorded by NECS for each digital signature for a Counterpart and provided as part of the NECS validated registry instrument information in the Lodgment Case.

At some stage in the development of the scope of transactions supported by NECS, there may be scenarios involving two Clients[46] (i.e. two Subscribers) in the same transaction role (for example a divorce settlement where each party to a joint tenancy insists on separate Subscribers to act for each of them in the sale of the jointly held property). This would require a Certifier for each Subscriber representing a client in the role each to sign a counterpart for the common transaction role. In the example given, it is probable that two counterparts for the relinquishing role would be required, to be signed respectively by each Subscriber for each relinquishing joint tenant they represent.
The common data shared between registry instrument counterparts means that all data for an instrument has to be populated in the Workspace before either counterpart can be signed. If one Subscriber determines that a data item is incorrect after signing, then both counterparts in the NECS Workspace have to be "unsigned" and re-signed by a Certifier for each Subscriber. Industry preferred practices and functional requirements for un-signing and signing[47] are being determined through consultation with the NPT.

6.6 Validation of signed documents

Registry instruments signed for electronic conveyancing using NECS will be lodged, retained and archived by the relevant Land Registry and instruments registered by the Land Registry become part of the public register. NECS will retain an audit record of the Workspace activity in preparing the lodged documents.

The technical implementation details for digital signing will be determined during the final specification of NECS. However, it is important to note that the digital signing takes place in the Subscriber's own computer system. This is necessary to ensure the security of the private key held by the Certifier.

The registry instrument to be signed is validated and verified as ready for signing by NECS and transmitted to the Certifier for them to digitally sign in their system using their private key and the appropriate signing software. The digitally signed document is returned to the NECS Workspace for signing validation before the document is accepted as signed by NECS.

A Certifier's digital signature on a registry instrument must be valid at time of signing. To be valid, the signature must comply with the following requirements:
- the DSC must be valid and not revoked
- the signature must be produced with the private key that is the pair of the public key in the DSC
- the organisation linked to the DSC must be a valid category of Subscriber in NECS for the type of transaction
- the signer identified in the DSC must be a Certifier registered with NECS for the Subscriber
- the Certifier must have signing rights that comply with the signing rules for the type of transaction.

The verification process to be applied to any signed document, by NECS, involves two aspects of compliance verification. These are compliance in respect of:
- NECS signing rules and signing rights in the NECS register of Subscribers and Certifiers
- the public key infrastructure requirements.

Compliance checking the signing rights of the Certifier to sign the registry instrument must be done by NECS using information in the NECS Subscriber register. Determining the validity of the DSC and signature associated with a signed document involves NECS verification of the DSC with the Certification Authority, and validating that the signature was produced with the signed document and key pair linked to the DSC for the Certifier.

[46] Client is a collective term for the transacting party or parties specified in a registry instrument counterpart and who are represented by the same Subscriber.

[47] The relevant NPT Issue Paper is "Document Signing Revisited" to which is appended all previous digital signing issue papers at http://www.necs.gov.au/issue Papers/default.aspx
Validation and verification of the signing of registry instrument counterparts must therefore occur immediately upon signing when the signed document is received by NECS, because it may be difficult to retrospectively prove that the digital signature was valid at the time of signing.

It is quite possible that a Certifier's NECS signing rights may not be current at the time of lodgment for a variety of reasons. Examples may be that, as at the time of lodgment:
- a Certifier may no longer have signing rights for the Subscriber for whom they signed;
- a Certifier may have left the organisation for which the Certifier's Organisation DSC was issued;
- the Subscriber or Certifier may have ceased to be a registered Subscriber or Certifier for NECS.
It is also quite possible that in terms of public key infrastructure requirements, the DSC validity may no longer be current as at the time of lodgment in scenarios where:
- the DSC has not been renewed in a timely manner;
- the Certifier no longer holds the DSC for any reason;
- the Certifier has left the organisation for which the Certifier's Organisation DSC was issued;
- a DSC has been revoked due to misuse of the private key.

These scenarios where a DSC is no longer current at the time of lodgment are not likely to provide grounds for refusal of lodgment or registration.

There are other circumstances where a DSC no longer being current at the time of lodgment is likely to provide grounds for requisition of the transaction. For example, it is possible that the DSC has been revoked because:
- the private key was lost
- the security of the private key associated with the DSC was compromised requiring the DSC to be cancelled to prevent the key-holder or the organisation associated with the DSC (i.e. the Subscriber) incurring liability for any fraudulent use of the signature.

NECS holds the register of Subscribers and Certifiers, so NECS has the information source for assuring the validity of the NECS registration of the Subscriber and Certifier at the time of signing.

The NECS signing rules should prevent accepting the digital signing of a document if the signing does not comply with the signing rules. Consequently, the NSW Land Registry has the view that a date/time stamp for the signing and the outcome of the compliance check of the digital signature and DSC at the time of signing are a necessary part of the record of signing in any electronic registry instrument. The NSW Land Registry is of the opinion that this record should form part of the counterpart that can be rendered for viewing so that it can provide assurance to all stakeholders in the transaction that the digital signature was valid at the time of signing.
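The time-of-signing check described in section 6.6, as an added example that is not part of this consultation paper or of any NECS specification: it evaluates the five validity requirements when a signed counterpart is received, stores a timestamped compliance result, and repeats the check at lodgment to show why the stored result is the one to rely on. The register layout, field names and sample data are assumptions constructed for illustration, and the cryptographic verification against the public key in the DSC is taken as an input rather than performed here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DSC:
    """The DSC fields this check needs (constructed, simplified)."""
    serial: str
    key_holder: str
    organisation: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class SigningRecord:
    """Signing information kept with the counterpart: who, for whom, when, result."""
    key_holder: str
    organisation: str
    checked_at: datetime
    failed_checks: tuple

    @property
    def compliant(self):
        return not self.failed_checks


class Register:
    """Hypothetical stand-in for the NECS register plus the CA's revocation data."""

    def __init__(self, subscriber_categories, certifier_rights, revocations):
        self.subscriber_categories = subscriber_categories  # organisation -> transaction types
        self.certifier_rights = certifier_rights  # (organisation, key-holder) -> transaction types
        self.revocations = revocations  # DSC serial -> time the revocation took effect


def check_signing(dsc, register, transaction_type, signature_verifies, at):
    """Evaluate the five validity requirements as they stood at time `at`.

    `signature_verifies` is the outcome of verifying the signature over the
    counterpart with the public key in the DSC (done by a PKI library, assumed).
    """
    revoked_at = register.revocations.get(dsc.serial)
    rights = register.certifier_rights.get((dsc.organisation, dsc.key_holder))
    checks = {
        "dsc_valid_and_not_revoked":
            dsc.not_before <= at <= dsc.not_after
            and (revoked_at is None or at < revoked_at),
        "signature_matches_dsc_key": bool(signature_verifies),
        "subscriber_category_valid":
            transaction_type in register.subscriber_categories.get(dsc.organisation, ()),
        "certifier_registered": rights is not None,
        "signing_rights_cover_transaction":
            rights is not None and transaction_type in rights,
    }
    failed = tuple(name for name, ok in checks.items() if not ok)
    return SigningRecord(dsc.key_holder, dsc.organisation, at, failed)


def utc(year, month, day, hour=0):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed sample data: a two-year Standard DSC, revoked after signing
# because the Certifier left the Subscriber, and before lodgment.
SAMPLE_DSC = DSC("SERIAL-0001", "A. Certifier", "Example Lender Ltd",
                 utc(2009, 1, 1), utc(2011, 1, 1))
UNREGISTERED_DSC = DSC("SERIAL-0002", "B. Locum", "Example Lender Ltd",
                       utc(2009, 1, 1), utc(2011, 1, 1))
SIGNED_AT = utc(2009, 11, 2, 10)
REVOKED_AT = utc(2009, 11, 10)
LODGED_AT = utc(2009, 11, 20)
SAMPLE_REGISTER = Register(
    subscriber_categories={"Example Lender Ltd": {"discharge_of_mortgage", "mortgage"}},
    certifier_rights={("Example Lender Ltd", "A. Certifier"): {"discharge_of_mortgage"}},
    revocations={"SERIAL-0001": REVOKED_AT},
)

if __name__ == "__main__":
    for label, when in (("at signing", SIGNED_AT), ("at lodgment", LODGED_AT)):
        record = check_signing(SAMPLE_DSC, SAMPLE_REGISTER,
                               "discharge_of_mortgage", True, when)
        print(label, record.checked_at.isoformat(),
              "compliant" if record.compliant else record.failed_checks)
```

The record produced at signing stays compliant even though the same DSC fails the check at lodgment, which is the situation the paper says should not by itself lead to refusal.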
The NSW Land Registry suggests that NECS should provide functionality for Subscribers to obtain reports on registry instruments signed by a specific Certifier using a specific private key. This functionality can be used in the event that the security of a signing key is compromised to review all instruments signed with that private key to ensure that the signing of the documents is valid for the Subscriber. The Subscriber should take action to un-sign or remove any registry instruments that are invalid or fraudulently signed. The Subscriber advises the relevant Land Registry of any such transactions that have been lodged for registration.

Because of the natural turnover in Certifiers employed by an organisation, this will require the DSC to be revoked when a Certifier leaves the employment of a Subscriber. It will therefore not be viable for the Land Registry to requisition all registry instruments signed with a DSC that has been revoked. The Land Registry view is that a tight attribution rule[48] is required to ensure that Subscribers correctly administer and enforce the validity of DSCs for their Certifiers.

[48] See section 7 in this consultation paper for more information about attribution of a signature.
As at the time of compilation of this consultation paper, NSW Land Registry considers that it is necessary that the Land Registry check that the integrity of an instrument has not been compromised since signing, as part of the examination process.

From a risk management perspective, the NSW Land Registry seeks industry views on whether, as a result of tight attribution for a signature, there is a justifiable industry requirement for an additional verification of the digital signature(s) prior to settlement or lodgment, and if there are any non-compliance scenarios that should result in an alert that a Subscriber or other stakeholder could justifiably use to postpone the settlement or lodgment.

Issue 3 - Validation of signed documents

3.1 Does validation and verification by NECS of a digital signature associated with a signed document at time of signing provide sufficient compliance assurance confidence to Subscribers participating in an electronic conveyancing transaction? If not, why not and what is required to provide the necessary assurance?

3.2 Should the result of the compliance check at digital signing be included as part of the rendered instrument counterpart?

3.3 Does industry require copies of signed registry instruments that contain the digital signature for validation purposes? Will industry want the signed XML document, a rendered copy of the signed instrument, or both?

3.4 Are there scenarios where additional digital signature compliance checks will be required after signing and before lodgment? If so, what are these scenarios and what are the necessary compliance checks?

6.7 Providing copies of electronic registry instruments

Stakeholders in electronic conveyancing will want the ability to archive and render copies of digitally signed electronic registry instruments. These stakeholders include:
- the NSW Land Registry, that will need to archive as part of the Torrens Register the original registry instruments submitted for registration in the Lodgment Case and subsequently to publish copies of these registry instruments in response to search requests from industry and the general public
- Participating Subscribers who may be expected to need to retain copies of signed instruments as documented evidence of transactions in which they were involved.
The NSW Land Registry will be receiving the registry instrument data sets that will include the original signed registry instrument counterparts as part of the Lodgment Case lodged for examination and registration. The Land Registry expects to receive the registry instrument counterpart data as signed with the validating Certifier's digital signature and DSC, so that the signed instruments can be authenticated as being what was signed by the Certifier.
Each registry instrument will be accompanied by the associated signing information for each of the Counterparts signed, and the Responsible Subscriber information. At lodgment the Land Registry assigns a Dealing number to the registry instrument to signify its lodgment.

When a copy of a registered registry instrument is published, the Dealing number, signing and Responsible Subscriber information and relevant registry instrument template will need to be included in the copy of the registered instrument provided by the Land Registry.

The Land Registry has the opportunity to either:
- archive and publish the XML document containing the counterparts, as signed, identifying the separate signed counterpart data with the associated digital signatures, signing and Responsible Subscriber information, instrument template and Land Registry Dealing number,
- compile the counterparts into a rendered single instrument with associated Responsible Subscriber and signing information, but no digital signature to validate the original document signed by the Certifier on behalf of the Subscriber, or
- provide both these search products for the public register.

The Land Registry is currently of the opinion that it will need to archive the original registry instrument counterparts with the digital signature and DSC as the verifiable document that was digitally signed by the Certifier for the Subscriber.

The NECS Roadmap documents propose that copies of signed registry instrument counterparts will be available in a PDF format to Subscribers participating in a NECS Workspace. The PDF format copies available to participating Subscribers from NECS are expected to contain information taken from the signer's DSC such as the signer's name and the Subscriber's organisation and the currency of the DSC at the time of signing. It may not contain the encoded digital signature DSC, but will rely on NECS enforcement of signing rules and validation of the digital signature.
Issue 4 Registry instrument copy requirements

4.1 What instrument copy search products need to be provided by the Land Registry for a registered electronic conveyancing instrument:
(a) XML data containing the counterparts as signed, the associated digital signatures, signing and lodgment information
(b) a rendered summary of the instrument compiled from the counterparts and associated signing and lodgment information
(c) other suggested format?

4.2 What is industry's preferred format for receiving copies of registered instruments?
7. Risk Management

7.1 Digital signatures assist in managing two risks

Digital signatures are used to mitigate two important risks:
a) the apparent signer of a document asserting they did not sign (signer identity authentication); and
b) the apparent signer asserting that the document was altered after signing (content integrity).

7.2 Content integrity

Documents in the form of digital files are readily amendable. A party receiving or relying on a signed digital document needs to have confidence that the content of the document has not been altered since it was signed. Digital signatures manage this risk.

If a digital signature associated with a document is verified (including by validating the relevant DSC) then the relying party can have a very high degree of confidence that the content of the signed document received is the same as the content of the document at the time it was signed with that digital signature. (Verifying at the time of signing will turn on other matters such as including a time and date stamp in the signed document.)

In NECS, this is an essential requirement for the Land Registry that will need assurance prior to registration that the registry instrument is unaltered since signing by the Certifier.

7.3 Signer identity authentication, attribution and non-repudiation

To "authenticate" something is to prove that it is genuine. To authenticate signer identity is to prove that the asserted identity of the signer of a document is genuine. Signer identity authentication is therefore a process usually performed by a person who receives or wants to rely on the signature on a signed document. [49]

"Attribution" of a digital signature to a person and "non-repudiation" of a digital signature by a person are related but not identical terms and are used differently by different authors.

A relying party who receives or intends to rely on a digitally-signed document will want to authenticate the signature by obtaining evidence that the apparent signer of the document did in fact sign it (attribution) and being satisfied that the apparent signer is legally responsible for and cannot legally repudiate the signature (non-repudiation).
[49] Depending on the context, authenticating a signature may involve more than authenticating signer identity, for example it may involve authenticating the intent of the signer in signing (e.g. to be bound by all or only part of the document). For the purpose of this paper it is assumed that authenticating a signature means authenticating the identity of the signer.

"Attribution" can be thought of as the assessment of evidence available to the relying party as to who signed the document. "Non-repudiation" can be thought of as the legal consequence of whether and when a person to whom the signature is attributed can repudiate any legal responsibility for the signature.

In the context of digital signatures, the relying party's software will use a DSC to verify to a very high degree of confidence whether the private key associated with the DSC and the key holder and Subscriber organisation named in the DSC was used to create the digital signature. To that evidence can be added the evidence that the key holder and Subscriber organisation named in the DSC are under contractual obligations to keep the private key secure, not let any other than the key holder use it and use it only for approved purposes as permitted by the Subscriber organisation. There will usually be other contextual evidence e.g. that this document was expected to be signed by the named key holder on behalf of the Subscriber organisation in a commercial transaction based on prior communications. Together this evidence allows the relying party to "attribute" the digital signature to the named key holder and Subscriber organisation and assume they are bound by it.

That attribution evidence is strong but not irrefutable.

For example, the key holder/apparent signer may seek to repudiate the signature, on the grounds that some other person used the key to create the digital signature without the authority of the key holder.

The next section deals with the risk of repudiation claims and managing that risk by a legally binding attribution rule that makes the apparent signing Certifier and Subscriber legally responsible for most uses of the private key associated with a valid DSC naming the Certifier and Subscriber.
The Gatekeeper framework supports strong attribution of a digital signature to the key holder named in the DSC and (in the case of organisation DSCs) to the organisation named in the DSC, by requiring certificate policies of certification authorities to:
- strictly prohibit any disclosure of the private key by the holder of the DSC;
- limit use of the private key by the holder of the DSC to purposes authorised by the Certificate Policy;
- require the holder of the DSC to ensure strong protections for the private key;
- require and facilitate the holder of the DSC (and an authorised officer of the Subscriber organisation) to instruct revocation of the DSC if the security of the signing key is compromised or the relevant DSC holder leaves the organisation or no longer needs to digitally sign documents.

All of these provisions in the Certificate Policies provide further evidence in favour of attribution of the signature to the key holder named in the DSC and reinforce the inference that only the key holder should have been able to create the digital signature.

In theory this support for strong attribution could be varied by the Certificate Policy associated with the DSC permitting disclosure and delegated use of the private key but that would undermine a key feature of PKI systems (keeping private keys secret) and is highly unlikely to be approved for implementation in Gatekeeper (see Appendix D).

The NSW Land Registry requires that strong attribution be retained to ensure Subscriber and Certifier accountability for use of private keys.

Strong attribution of digital signatures to a Certifier and Subscriber also supports the attribution of the digital signature to a Client on whose behalf a representative Subscriber purports to sign. Attribution to the Client also requires a valid Client Authorisation supported by a Client Identity Verification and evidenced by Instrument Certifications.

Without this strong attribution feature of digital signatures the Land Registry would not rely on signatures and certifications made by Certifiers for a Subscriber in electronic instruments in accepting digitally signed instruments for lodgment and examining for registration.

Once an instrument has been registered, any party searching the Torrens Title Register is entitled to rely on the register and any instrument copy sourced from the register.

The NSW Land Registry seeks feedback on whether there is any reason that this strong attribution principle for digital signing should not apply to registry instruments before any document is lodged for registration. The Land Registry view is that any participating Subscriber in a NECS Workspace should be able to rely on digitally signed instruments in that Workspace before they are lodged.

For example, prior to settlement and signing of a settlement statement, a practitioner would be expected to view all other documents to confirm they are in order before signing to commit the purchaser's funds to the settlement. If a signed instrument in NECS is altered and re-signed, all participating Subscribers should be informed that the instrument has been changed and re-signed.

A further discussion of issues relating to the signer identity authentication and content integrity risks is included at Appendix D.
Issue 5 Attribution and reliance

5.1 Are there any reasons why strong attribution of a digital signature to the holder of the Private Key named in the relevant DSC (both individual Certifier and Subscriber organisation) should not provide the basis for stakeholder risk management that will provide confidence in electronic conveyancing?

5.2 Is there any reason why any stakeholder in a real property transaction should not be able to strongly rely on a digital signature associated with a signed document?
7.4 Managing the risks of repudiation of a digital signature by a Certifier or Subscriber organisation

Strong attribution evidence will mean that the attributed signer is usually legally responsible for the signature. However in some cases a Certifier, Subscriber or Client may seek to repudiate legal responsibility for an attributed digital signature. [50]

A Certifier (key holder) acting for a Subscriber may seek to repudiate a digital document (a registry instrument, settlement statement or report) which appears to have been digitally signed by that Certifier on the grounds that:
- the Certifier was not the person who used the private key to create the signature on the document; or
- the Certifier, although named as key holder in the DSC, never generated the key pair or applied for the DSC (i.e. the DSC was obtained by an impersonator).

The Subscriber organisation may seek to repudiate the signature, for example, on the grounds that:
- although the real Certifier (key holder) used the private key, he or she was not authorised by the Subscriber to make that use of it; or
- some other person used the key to create the digital signature without the authority of the Certifier (key holder) or the Subscriber.

A Client of a representative Subscriber might also seek to repudiate legal responsibility for a digital signature on a registry instrument which is apparently that of a Certifier for the Subscriber. The Client might do this on the grounds that the Subscriber was not authorised to sign the instrument on behalf of the Client. That type of repudiation risk is not dealt with directly by digital signature attribution but through the requirements for Client Authorisation [51] and the Instrument Certifications [52] and Client Identity Verification which are covered in other NECS in NSW consultation papers.

A relying party would prefer not only strong attribution evidence (provided by PKI digital signatures) but also a strong non-repudiation legal position. NSW Land Registry requires a strong non-repudiation legal position to justify its acceptance of digitally signed registry instruments for lodgment, examination and registration.
[50] The NECS Risk Assessment (see http://www.necs.gov.au/Risk-Management-2/default.aspx) identified a number of risk scenarios where a private key and DSC could be used fraudulently. The NECS Risk Assessment describes relevant risk management strategies necessary for the DSC issuing authority and Subscriber organisation to treat these risks.
[51] See NSW practice consultation paper 1. Client Authorisation for use in NECS, available at http://necsnsw.lands.nsw.gov.au/industry_consultations/consultation_papers
[52] See NSW practice consultation paper 2. Instrument Certification, available at http://necsnsw.lands.nsw.gov.au/industry_consultations/consultation_papers
Legal Rules on Non-Repudiation

The non-repudiation legal position is determined by the applicable legal rules as to when a person is bound by a digital signature. There are common law principles for this based on the law of agency and vicarious liability [53] but those principles involve considerable grey areas. (For example, the liability of a Subscriber for an employee's fraudulent use of a private key seems to depend on whether the use was made within the actual or apparent authority of the employee. The standard of care for a Subscriber's liability for the negligence of a contractor Certifier with a private key is unclear.)

The common law rules may be supplemented or replaced by contractual or statutory attribution (or non-repudiation) rules which determine when a person can legally repudiate a digital signature which appears to be theirs or made on their behalf.

This type of rule is common in commercial contracts. For example, many electronic banking contracts contain a provision making business customers legally responsible for transactions authorised by the use of a password or token issued to the customer whether or not the customer actually used or authorised the use of the password or token for that transaction.
The issue of an attribution (or non-repudiation) rule is discussed in detail in the NECS Legal Framework Fourth Consultation Package [54] which recommends there be a strong attribution rule binding the apparent signing Certifier and Subscriber to a digital signature. This rule might be contractual (in the Participation Rules) or statutory. The following discussion is a modified version of that in the Fourth Consultation Package [55]:

The interest of persons who rely on the digital signature (Relying Parties such as NECS, Land Registry and other Subscribers in the Workspace who are relying on the signed document) is to have a strong attribution rule presumptively binding the holder of the private key (Certifier) and their Subscriber to every use of that key (and through them binding any Client they represent). Without a strong attribution rule a relying Subscriber (e.g. one acting for a transferee or mortgagee who is relying on the digital signature of the signing Certifier for the transferor or mortgagor) may need to make further inquiries as to whether the signing Certifier and signing Subscriber were in fact authorised to act in the transaction and did in fact create the digital signature. That would be time wasting and inefficient.

The interest of the signing Certifier (private key holder) and Subscriber whom they represent is to have a weaker attribution rule allowing them to repudiate legal responsibility for various unauthorised or unintended uses of the private key to create digital signatures.

Subscribers have conflicting interests as to the attribution rule because they will be both effectively signers of and relying parties on digitally signed documents.

[53] These principles are largely codified in default attribution rules in the Electronic Transactions Act 2000 (NSW) section 14; the default rules can be displaced by contrary agreement.
[54] Available at www.necs.gov.au
[55] At p. 29 of the Fourth Consultation Package for the NECS Legal Framework.
In order to promote confidence in delegated signing in NECS, NECS should adopt a strong attribution rule which favours relying parties (including relying Subscribers and Land Registries) over signing Certifiers and their Subscribers. This means the onus will be on the signing Certifier and their Subscriber to carefully manage security and business process controls over the use of the private key.

The Subscriber using the signing Certifier should be liable for all the acts and omissions of its employees and agents (including its nominated Certifier) whether those acts or omissions were actually authorised or not. Subscribers should be responsible for the physical security of the system and media on which the private key is stored (even if this is outsourced by the Subscriber or Certifier to a third party). To do less is to allow significant scope for a repudiation of digital signatures in NECS which would substantially undermine confidence of participants in NECS and in the quality and authenticity of instruments lodged as a result of a NECS transaction. In due course, a weak attribution rule is likely to force relying Subscribers to make out-of-NECS inquiries as to the genuineness and authority for digital signatures on documents they receive and/or force Land Registries to make such inquiries before registering. Both those outcomes would undermine the hoped-for efficiencies in NECS.

The onus of proof of any permitted grounds to repudiate a digital signature must be on the signing Certifier and Subscriber and not on the relying parties. This is also an economically efficient rule because all of the evidence relating to whether any grounds of repudiation are established will be within the knowledge and control of the signing Certifier and its Subscriber and not the Relying Parties.

The Fourth Consultation Package also contains two detailed scenarios exploring these issues.

NSW Land Registry agrees with the view that NECS needs a strong attribution rule which favours Relying Parties (including relying Subscribers and Land Registries) over signing Certifiers and their Subscribers.
Issue 6 Repudiation

6.1 Is there any reason why NECS should not provide a strong framework for non-repudiation of digitally signed registry instruments (whether through jurisdiction enabling legislation or participation rules)?
7.5 Security of private key and signing process

The security regime for digital signing is a combination of:
1. The User logon access controls to the Subscriber system in which signing occurs
2. The User logon access controls to NECS
3. User signing attributes and rules implemented in and applied by NECS
4. The Subscriber security controls enforced for the private key such as:
   - the physical and IT security around the private key, for example, is the key stored on a hard drive or on portable storage media, is it encrypted or password protected?
   - the password and other information required to activate the signing key to create a digital signature.

NSW Land Registry seeks comment on the appropriate security controls for digital signing and the private key.

Issue 7 Security for digital signing

7.1 What security controls for the digital signing process and the private key are needed to provide adequate risk management?

7.2 Should there be an agreed industry practice standard set for risk management of security of digital signing keys? If so, how should that standard be developed and what should be the governance arrangements for that standard?

7.3 What options would be acceptable to industry from a risk management perspective for reducing the time required for signing documents in electronic conveyancing (i.e. without negative effect on attribution and non-repudiation outcomes)?
8. Glossary of Terms

TERM: DEFINITION

AGIMO: Australian Government Information Management Office is a business group within the Department of Finance and Deregulation which works across government to maintain Australia's position as a leader in the productive application of information and communications technologies to government administration, information and services.

Authentication: The process of testing or verifying an assertion, in order to establish a level of confidence in the assertion's reliability.

Authorised Officer: A member of a class of persons with a clear capacity to commit an Organisation and to appoint a Certificate Manager. Persons who are members of this class include (but are not limited to):
(a) Chief Executive Officer
(b) Company Director
(c) Trustee
(d) Partner; or
(e) Company Owner.

Binding: The process of linking a credential to an identity in an assured manner. With respect to EOI it is the process of establishing a linkage between an individual or entity and their claimed or documented identity in an assured manner.

Certifier: A User who is employed or contracted to a Subscriber and authorised to certify and sign registry instruments, settlement statements and information reports on behalf of the Subscriber or the Client represented by the Subscriber.

Certificate: See Digital Signature Certificate below.

Certificate Applicant: A person who has applied to become a Key Holder, prior to the time at which keys and certificates are issued to and accepted by that person.

Certificate Life: The maximum duration for which a Digital Certificate can remain valid which under Gatekeeper is derived from the strength of the cryptographic algorithm that is used to generate the Digital Certificate's keys.

Certificate Policy (CP): RFC 3647 defines a Certificate Policy as "A named set of rules that indicates the applicability of a certificate to a particular community and/or class of applications with common security requirements."

Certificate Renewal: The process whereby a Digital Certificate is re-issued to the Key Holder prior to its expiry.

Certificate Revocation List (CRL): The published directory which lists revoked Digital Certificates. The CRL may form part of the Certificate Directory or may be published separately.

Certification Authority (CA): A Service Provider that digitally signs X.509 v3 Digital Certificates (which may or may not include key generation) using its private key.

Client: A collective term for the Transacting Party or parties specified in a registry instrument counterpart and who are represented by the same Subscriber.

Client Authorisation: The authorisation by a Client of a Subscriber as agent of the Client to arrange the certification and signing of registry instruments, information reports and settlement statements by a Certifier, financial settlement and the lodgment of registry instruments and the delivery of information reports on the Client's behalf.

Client Authorisation Agreement: A written agency agreement in prescribed form by which a Client gives a Client Authorisation to a Subscriber.

Client Identity Verification (CIV): A prescribed procedure carried out by a Subscriber or their delegate to verify the claimed identity of each Transacting Party represented by the Subscriber and of any representative of a Transacting Party.

Closed PKI: Closed PKI deployments restrict the use of Digital Certificates to a known set of relying parties where these parties are usually contractually bound.

Core Obligations Policy: Policy that specifies the core obligations of the participants in Gatekeeper PKI deployments. The obligations are in accordance with the participant's particular roles within a PKI deployment in relation to the application, generation, issuance and on-going management of Keys and Digital Certificates.

Data integrity: The condition that exists when data is unchanged from its source and has not been accidentally or maliciously modified, altered or destroyed.

Digest: A message digest is a fixed-size output, called a digest (or hash) produced from a document by a message digest algorithm (or hash function). Message digest algorithms are used to produce unique and reliable identifiers of data. The digests are sometimes called the "digital fingerprints" of data.

Digital Certificate: See Digital Signature Certificate (DSC) below.

Digital Signature Certificate (DSC): An electronic document signed by the Certification Authority which:
(a) identifies either a Key Holder and/or the business entity that he/she represents; or a device or application owned, operated or controlled by the business entity
(b) binds the Key Holder to a Key Pair by specifying the Public Key of that Key Pair
(c) contains the information required by the Certificate Profile.

Evidence of Identity (EOI): Evidence (e.g. in the form of documents) issued to substantiate the identity of the presenting party, usually produced at the time of Registration (i.e. when authentication credentials are issued).

Gatekeeper: The Commonwealth Government strategy to develop Public Key Infrastructure to facilitate Government online service delivery and e-procurement.

Gatekeeper Accreditation: Means formal recognition of a Service Provider granted by the Gatekeeper Competent Authority which signifies that the Service Provider is competent to carry out the operations described in the Approved Documents.

Gatekeeper Accredited: See Gatekeeper Accreditation above.

Gatekeeper Competent Authority: The entity which approves the Applicant's application for Gatekeeper Accreditation (including the Approved Documents and any changes to them) as meeting the criteria for Gatekeeper Accreditation or Recognition. The Competent Authority for the Gatekeeper PKI is the Australian Government Chief Information Officer, AGIMO, Commonwealth Dept of Finance.

Host Organisation: An organisation that stores, manages, and uses the signing keys and Digital Signature Certificates on behalf of a Subscriber.

Hosted Certificate: A Digital Signature Certificate which is managed by a Host Organisation on behalf of the Subscriber.

Industry Certifiers: Are legal practitioners or licensed conveyancers who are employees of or contracted to Subscribers who represent Clients in a transaction and are authorised by the Subscriber to certify and sign registry instruments on behalf of Subscribers and their Clients as Transacting Parties.

Information Report: A document that contains transaction information required by government taxing, valuing and rating authorities about a transaction. The content of a report is determined by the receiving authority.

Instrument Certification (IC): The act of a legal entity acknowledging that a certification statement on a registry instrument has been complied with.

Key: A Key is a string of characters used with a cryptographic algorithm to encrypt and decrypt.

Key Generation: The process where the Subscriber's Private Keys are created. The process may be conducted by the issuer, an RA ES or the Subscriber.

Key Holder: An individual who holds and uses Keys and Certificates on behalf of an Organisation, or in his/her own right in the case of Individual Certificates.

Key Pair: A pair of asymmetric cryptographic Keys (e.g. one decrypts messages which have been encrypted using the other) consisting of a Public Key and a Private Key.

Known Customer: Refers to an individual/Organisation that has within the preceding five years undergone an EOI check which complies with Gatekeeper EOI Policy; and has a transaction history with the Known Customer Organisation for not less than 12 months immediately preceding that time.

Known Customer Organisation: An Organisation Listed by an appropriate Commonwealth registration authority as having complied with the Gatekeeper Known Customer Listing requirements. A Known Customer Organisation is able to request the issuance of General Certificates for its clients.

Land Registry (LR): A jurisdiction-based custodian of the Torrens Title Register of land titles and interests for the properties being dealt with in transactions.

National Business Model (NBM): Describes the overall business context for NECS, the roles and responsibilities of the affected industry participants, and the commercial arrangements and risk management regime necessary to make it viable. It is the foundation upon which all of the subsequent documents are based. This document is published at www.necs.gov.au.

National e-Authentication Framework (NeAF): The framework that covers the rules to be applied by Agencies to the authentication of external (i.e. non-Commonwealth Government) entities when dealing with them online. The Framework provides a risk management approach to authentication that aligns business need and processes with appropriate authentication solutions and technologies.

National Electronic Conveyancing System (NECS): The central facility providing Subscribers with the means for creating transaction workspaces, for preparing registry instruments, information reports and settlement statements, for assembling the instructions and other requirements for electronic settlement of the financial aspects of transactions, and for transmitting registry instruments to a Land Registry and information reports to a Revenue Office and/or valuing and rating authorities.

NECS Participation Rules: The contractual terms and conditions that apply to a Subscriber's use of the National Electronic Conveyancing System.

Non-repudiation: Evidence, verifiable by a third party that a Transaction has been sent/authorised by the purported sender.

Open PKI: Open PKI deployments anticipate the widespread acceptance of Digital Certificates where Relying Parties may not be known and where the parties are not generally contractually bound.

Organisation: Relates to an entity that has authorised one or more of its employees to hold and use Keys and Certificates on its behalf. An Organisation may or may not be a business entity.

Private Key: The Private Key in asymmetric Key Pair that must be kept secret to ensure confidentiality, integrity, authenticity and non-repudiation, as the case may be.

Private Signing Key: A Private Key used by a Key Holder to Digitally sign messages on behalf of an Organisation.

Public Key: The Key in an asymmetric Key Pair which may be made public.

Public Key Authentication Framework (PKAF): A Public Key Authentication Framework is an Australian standard (AS/NZS 4539) that provides a structure for the generation, distribution and management of public key certificates.

Public Key Infrastructure (PKI): The combination of hardware, software, people, policies and procedures needed to create, manage, store and distribute Keys and Certificates based on public key cryptography.

Public Key Technology: Technology based on public key cryptography, that enables a message to be encrypted with one key, and decrypted with another key. Also known as public key cryptography (PKC). PKI is distinguished from secret-key (or symmetric) technologies, which use a single key that both parties must possess, and that therefore has to be communicated from whomever creates it to whomever needs it, and therefore has to be exposed to the risk of interception. With public key technologies, on the other hand, one of the key pair can be kept securely by one party, and never exposed to the risk of interception by a third party.

Recipient (of a Digital Signature): A person/Organisation who receives a Digital Signature and who is in a position to rely on it, whether or not such reliance occurs.

Registration Authority (RA): A Service Provider that:
- is responsible for the registration of applicants for Digital Certificates by checking Evidence of Identity (EOI) documentation submitted by the applicant for its compliance with Gatekeeper EOI Policy;
- is responsible for the provision of completed and authorised application form including copies of the submitted EOI documents to the relevant CA; and
- may be responsible for the secure distribution of signed Digital Certificates to Subscribers.

Registry Instrument (RI): A legal instrument in a form prescribed by the Land Registry as necessary to effect any change to the Land Registry's Torrens Title Register.

Registry Instrument Counterpart: The set of information in a registry instrument that documents the transaction for a party relinquishing or a party receiving, including transaction information that is shared by those parties.

Relationship Organisation: The Organisation within (or comprising) a Community of Interest that has an established relationship with its clients considered adequate for the issuance of Digital Certificates.

Relying Party: A recipient of a document with a signature and DSC who acts in reliance on that DSC and/or digital signatures verified using that DSC.

Repudiation: Repudiation is the denial or attempted denial of involvement by a party in all or part of an electronic transaction.

Responsible Subscriber: The party that the Land Registry considers to be responsible for a Lodgment Case and the one they would contact in relation to matters such as lodgment fees and requisitions about registry instruments in the Lodgment Case.

Restricted Certifiers: Employees or contractors of Subscribers who are acting for themselves and not representing Clients in the transaction. Restricted Certifiers need not be legal practitioners or licensed conveyancers and are restricted to certifying and signing registry instruments, information reports and settlement statements on behalf of their employer or contractor Subscriber. Restricted Certifiers are principally associated with Financial Institution Subscribers.

Revoke: To terminate a Certificate prior to the end of its operational period.

Sign: To create a Digital Signature for a message, or to affix a signature to a document.

Signature: A distinctive mark, or characteristic, indicating identity.

Signer: A person who affixes the Digital Signature to his or her information to enable a third party to confirm that the information was sent by that person.

Signing Information: A set of information containing signing key-holder details, the organisation the signatory represents, a time stamp and compliance result for the signature when received by NECS.

Threat and Risk Assessment Organisation (TRO): An Organisation Listed by Finance as having undergone an independent Threat and Risk Assessment of its internal Evidence of Identity processes which has been accepted by the Gatekeeper Competent Authority.

Time Stamp: A record that indicates (at least) the correct date and time of an action (expressly or implicitly) and the identity of the person or device that created the notation.

Users: Employees or contractors authorised by a Subscriber to create and complete transaction workspaces for the preparation of registry instruments, settlement statements and information reports under supervision. Only Users who are also Certifiers can certify and sign instruments, statements and reports.

Valid Certificate: A Certificate issued by a CA and accepted by the Subscriber listed in it that has not been revoked or suspended and remains operational.

Verify: To determine or test the accuracy of something with reference to a "source of truth".

X.509 and X.509 v3: The international standard for the framework for Public Key Certificates and attribute certificates. It is part of wider group protocols from the International Telecommunication Union-T X500 Directory Services Standards.
9. Source Materials

Document Description

Australian Government: Department of Finance and Deregulation: Australian Government Management Information Office, (February 2009):
- Gatekeeper PKI Framework: X.509 Certificate and Certificate Revocation List Profiles.
- Gatekeeper PKI Framework: Core Obligations Policy
- Gatekeeper PKI Framework: Corporate Certificate Policy Specification
- Gatekeeper PKI Framework: Device Certificate Policy Specification
- Gatekeeper PKI Framework: Gatekeeper Public Key Infrastructure Framework
- Gatekeeper PKI Framework: General Category Individual Certificate Policy Specification
- Gatekeeper PKI Framework: Glossary
- Gatekeeper PKI Framework: General Certificate Guidebook

Clayton UTZ, National Electronic Conveyancing Office NECS: Report on Consistent Business Practice Issues (26 August 2008).

Clayton UTZ, Risk Assessment of the National Electronic Conveyancing System (9 February 2007).

McCullagh, A., Little, P., Caelli, W., Electronic Signatures: Understand the Past to develop the Future, UNSW Law Journal (452:56; 1998, 21(2)).

Reed, C., What is a Signature, UK Journal of Information Law and Technology (31 October 2000).

National Electronic Conveyancing Office, NECS National Business Model (version 10, 15 June 2007).

NSW Department of Lands, 'Draft: Towards Consistent Jurisdiction Practices for NECS' (version 4, 15 October 2007).

National Electronic Conveyancing Office, NECS National Requirements Definition (version 6, 3 September 2008).

National Electronic Conveyancing Office, Type of Digital Signature Certificate to be Required for NECS, Issue Paper (14 November 2008).

National Electronic Conveyancing Office, Client Authorisation Agreement, Issue Paper (23 December 2008).

National Electronic Conveyancing Office, Document Signing Revisited, Issue Paper (31 July 2009).

NSW Department of Lands, 'Instrument Certification Paper for SPT' (v6, 15 October 2007).

NSW Land and Property Management Authority, Client Authorisation for use of NECS (12 August 2009).

NSW Land and Property Management Authority, Instrument Certifications (2 November 2009).
10. Appendices

A. Appendix A: Digital Signatures - A Primer

1. NECS procedures

In NECS, documents such as registry instruments (for example a transfer or a mortgage) will be created in the NECS Workspace for the relevant transaction and digitally signed by each relevant Certifier acting for each relevant Subscriber. Those signed instruments will remain in the NECS Workspace and can be viewed and downloaded to local systems by Certifiers and other Users and will ultimately be lodged with Land Registry.

Where NECS participants (including Land Registry) rely on a signed electronic document ("Relying Parties"), they need to mitigate the risk that a Certifier who apparently signed that document on which they propose to rely may seek to repudiate the document or any part of its contents by claiming the Certifier did not sign it or that it was altered after the Certifier signed it.

NECS has identified digital signatures and DSCs as the technically and commercially viable option for mitigating the risk of repudiation of an instrument or any part of its contents by the apparent signer of that instrument. This option relies on what is known as "public key cryptography".

2. What is "public key cryptography"?

Public key cryptography is a code system that relies on "asymmetric" codes. What this means is that the system is based on the use of two different "codes" or "keys" instead of just one code or key. The two keys are known as the private key and the public key. Each NECS Subscriber and Certifier will be allocated a public key as well as a private key.

- Private Key: This key must be known only by the Subscriber or Certifier to whom the key is allocated.
- Public key: This key is known to everyone (it is public).
- Mathematical relation between both keys: What one key encrypts, only the other key can decrypt.
In NECS, the Certifier's private key is used to create and attach the Certifier's digital signature to a document from the NECS Workspace [56]. A Relying Party can use the Certifier's public key (publicly available in a DSC naming the Certifier issued by a Certification Authority) to verify that the digital signature attached to the document must have been created using the Certifier's private key. That verification by the Relying Party mitigates the risk of repudiation of that document or any part of its contents by the apparent signer (i.e. the named Certifier).

[56] The signing actually takes place in the Subscriber's computer system with the document provided by NECS to be signed by the Subscriber. This ensures that the security of the signing key is not compromised in the signing process.
3. The process of "digitally signing" and "authenticating" an electronic document

Suppose that a law firm Subscriber acts for a Client wishing to sell land using NECS. A partner in that law firm has carriage of the matter and is also a Certifier in NECS.

As part of the process of being issued with a DSC as a Certifier, a "private key" and a "public key" will have been generated in respect of that partner.

The partner or another User in the law firm will prepare a digital transfer of land in the NECS Workspace. When the electronic transfer instrument has been created in the Workspace and the fields necessary to complete the transfer have been populated by the partner or other User in the firm (for example, name of the transferor and consideration) and the corresponding Subscriber in the transaction, the partner (as Certifier) can request the presentation of the digital document on screen after which he or she can use signing software to initiate the digital signing process as follows.

Step 1 - The document signing process

NECS provides the electronic document to be signed to the Certifier for signature.

The Certifier's software will automatically create a summary of the land transfer document (known as the "digest", essentially a unique digital "thumbprint" or "shorthand version" of the document) which would then be encrypted (i.e. encoded) using the private key of the Certifier. The resulting encrypted digest is called the Certifier's "digital signature".

The Certifier's software will attach the Certifier's digital signature to the document in NECS and the signed document is then available for viewing and downloads by other NECS participants (Relying Parties) with access to the NECS Workspace.

Step 2 - The document authentication process

NECS will automatically check the validity of the Certifier's digital signature using the Certifier's public key from the Certifier's current DSC. Any other party, such as a Land Registry, can also check the validity of the digital signature in the same way if they have access to the original signed data and digital signature.
A Relying Party (such as NECS) would take the following steps to mitigate the risk of repudiation of the transfer document by the apparent signer (i.e. the named Certifier) by verifying the digital signature:

a) The Relying Party's software separately generates a digest of the land transfer document from the unencrypted land transfer document to which the Certifier attached its digital signature ("Relying Party's digest").

b) The Relying Party's software uses the Certifier's public key to decrypt the Certifier's digital signature to reveal the digest generated by the Certifier when "signing" the land transfer document.
c) Next, the Relying Party's software will compare the decrypted digest generated by the Certifier when "signing" the message with the Relying Party's digest separately generated by the Relying Party. If both digests are identical, this would mean that:

(i) the digital signature of the land transfer document was created using the Certifier's private key and, by inference, by the Certifier (on the assumptions that the private key was actually allocated to the Certifier and not somebody else impersonating the Certifier and that the security of the Certifier's private key has not been compromised) (the fact that both digests are identical confirms that what the Relying Party decrypted using the Certifier's public key was encrypted using the Certifier's private key); and

(ii) the land transfer document has not been altered after the Certifier's digital signature was attached to it.

The above process is summarised in the following diagram:
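The signing step and the Relying Party's checks a) to c) can also be traced in code. The following Python is an added example, not part of the consultation paper or of NECS: it uses textbook RSA without padding over a SHA-256 digest, with key pairs constructed from publicly known primes, so it demonstrates the digest comparison only and is not a secure signature scheme (production signing software uses a vetted library and a padded scheme). The DSC record, the names, the sample transfer text and the returned fields are assumptions made for the illustration.

```python
import hashlib
from datetime import datetime, timezone
from typing import NamedTuple


def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)


# Constructed demonstration keys built from publicly known Mersenne primes.
# They are NOT secure; they stand in for keys generated when a DSC is issued.
CERTIFIER_PUB, CERTIFIER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)


class DSC(NamedTuple):
    """Hypothetical, simplified certificate record. The CA's own signature
    over the certificate and suspension are not modelled."""
    holder: str
    organisation: str
    abn: str
    public_key: tuple
    not_after: datetime
    revoked: bool = False

    def is_valid(self, at):
        # Not revoked and still within its operational period.
        return not self.revoked and at <= self.not_after


def digest(document: bytes) -> int:
    """The document's 'thumbprint' (SHA-256 here) as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Step 1: encode the digest with the Certifier's private key."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, dsc: DSC, received_at: datetime) -> dict:
    """Step 2: checks a) to c), preceded by a certificate validity check."""
    n, e = dsc.public_key
    relying_party_digest = digest(document)    # a) recomputed independently
    certifier_digest = pow(signature, e, n)    # b) recovered with the public key
    if not dsc.is_valid(received_at):
        result = "certificate not valid"
    elif certifier_digest != relying_party_digest:  # c) compare the two digests
        result = "digest mismatch"
    else:
        result = "ok"
    return {"key_holder": dsc.holder, "organisation": dsc.organisation,
            "time_stamp": received_at.isoformat(), "compliance_result": result}


# Constructed sample data (names, ABN and instrument text are placeholders).
TRANSFER = b"Transfer of land; transferor: A. Seller; consideration: $500,000"
NOW = datetime(2009, 11, 27, tzinfo=timezone.utc)
PARTNER_DSC = DSC("P. Partner", "Example Law Firm", "00 000 000 000",
                  CERTIFIER_PUB, datetime(2010, 11, 27, tzinfo=timezone.utc))


def demo() -> dict:
    """Run the genuine case and three failure cases; return each outcome."""
    signature = sign(TRANSFER, CERTIFIER_PRIV)
    altered = TRANSFER.replace(b"$500,000", b"$50,000")
    cases = {
        "genuine": (TRANSFER, signature, PARTNER_DSC),
        "altered_after_signing": (altered, signature, PARTNER_DSC),
        "signed_with_other_key": (TRANSFER, sign(TRANSFER, OTHER_PRIV), PARTNER_DSC),
        "revoked_certificate": (TRANSFER, signature, PARTNER_DSC._replace(revoked=True)),
    }
    return {name: verify(doc, sig, dsc, NOW)["compliance_result"]
            for name, (doc, sig, dsc) in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A matching digest shows only that the named key was applied to this exact content; whether the key holder actually controlled the key at the time is outside what the comparison can establish.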
B. Appendix B - Selection of the type of Digital Signature Certificate for use in NECS

Types of Digital Signature Certificate for use in NECS

The National Business Model requires the use of Gatekeeper-accredited [57] DSCs in NECS on the basis of their being made available under a government-regulated framework that assures a minimum standard of security and integrity for electronic transactions. The Commonwealth Government and all State and Territory Governments have mandated the use of Gatekeeper DSCs in private sector dealings electronically with government agencies.

In summary, the Gatekeeper framework provides for two possible types of DSCs for use in NECS:

Organisation DSCs

Where the parent DSC is issued to the Organisation, and where one person in an organisation has their identity independently verified (e.g. by a registration authority) and then vouches for the identity of other members of the organisation. The member (or members) who have had their identity independently verified is issued with a "parent" certificate which they can use to request the issue of "child" certificates to other members of the organisation.

Members for whom "child" certificates are requested do not undergo independent identity verification; instead the "parent" certificate holder vouches for their identity on behalf of the organisation. Both the parent and the child certificates are linked to the organisation through inclusion of the organisation's name and Australian Business Number (ABN) in the certificate.

These DSCs provide evidence of the identity of the person named in the DSC, of the organisation named in the DSC and of the organisation's authorisation of the person named in the DSC.

Individual DSCs

Where the individual DSC is issued to a natural person and the person has their identity independently verified by a registration authority. The certificate they are issued with is not linked to any organisation. These DSCs can be used generally by the holder to identify themselves electronically but not to evidence their connection with any organisation.
[57] For details of Gatekeeper accreditation and its implementation, see <http://www.finance.gov.au/e-government/security-and-authentication/gatekeeper/index.html> and <http://www.verisign.com.au/gatekeeper/>

Options for Types of DSCs in NECS

There are four options for DSCs to be required for use in NECS that provide acceptable mitigation of false identity and false authorisation risk:

Parent Organisation DSCs only. The parent DSC is issued to the Organisation, and no child certificates are issued. This type of certificate provides assurance to other participants in a transaction of the holder's identity having been independently verified and of their authority to represent the Subscriber.

Organisation DSCs only, with prescribed identity verification obligations on Subscribers issuing child certificates to their employees and contractors. The identity verification of child certificate holders is necessary to assure other participants in a transaction that the holders of child certificates have had their identity verified to an adequate standard. These certificates are of most value to Subscribers dealing with their own interests [58].

Individual DSCs only, with authorisation checks by NECS to ensure the holder is entitled to represent the Subscriber. The authorisation check is necessary to assure other participants in a transaction that holders have been authorised to represent the Subscriber. These certificates are of most value to legal practitioners and licensed conveyancers as Industry Certifiers when representing multiple Subscribers.

Organisation and Individual DSCs, with prescribed identity verification obligations on Subscribers issuing child certificates and authorisation checks by NECS on holders of Individual DSCs. This option combines the requirements of the other options, retains their benefits and avoids their disadvantages.

[58] I.e., cases where the Client is also concurrently a NECS Subscriber, and dealing with their own interests. In the case of lending institutions for example, in the paper environment authorised employees of mortgagees sign mortgage and discharge instruments for the institution. In NECS the practice would continue, with the financial institution Subscriber authorising specified officers to sign for the institution as Subscriber and Client, without a Client Authorisation being required

Some of the benefits and disadvantages of each option are:

Option 1
DSC Type: Parent Organisation DSCs only
Benefits:
- assurance of independent identity verification
- assurance of Subscriber authority
Disadvantages:
- inconvenience, additional cost and additional risk exposure for Industry Certifiers being required to maintain multiple certificates when providing contract services to more than one Subscriber
- inconvenience and additional cost for Industry Certifiers being required to obtain a new certificate when changing employers

Option 2
DSC Type: Organisation DSCs only with prescribed identity verification checks by Subscribers for child certificates
Benefits:
- assurance of Subscriber authority
- convenience for Subscribers in having a child certificate readily issued to a new employee
Disadvantages:
- inconvenience and additional cost for Subscribers issuing child certificates to employees being required to conduct prescribed identity verification checks
- inconvenience and additional cost for Industry Certifiers being required to obtain a new certificate when changing employers

Option 3
DSC Type: Individual DSCs only with authorisation check by NECS
Benefits:
- assurance of independent identity verification
- convenience for Subscribers in being able to readily use locum Industry Certifiers
- convenience for Industry Certifiers in being able to readily service multiple Subscribers with the same certificate
- convenience for Industry Certifiers in not having to obtain a new certificate when changing employers
Disadvantages:
- inconvenience for Subscribers and Certifiers in delay from NECS having to independently check Subscriber authorisation before allowing first use of certificate for each Subscriber
- additional cost for NECS in carrying out authorisation checks

Option 4
DSC Type: Organisation and Individual DSCs with prescribed identity verification checks by Subscribers for child certificates and authorisation checks by NECS for individual certificates
Benefits:
- convenience for Subscribers in being able to use locum Industry Certifiers
- convenience for Principal Subscribers in being able to use child certificates for employees
- convenience for Industry Certifiers in being able to use same certificate on behalf of multiple Subscribers
- convenience for Industry Certifiers in not having to obtain new certificate when changing employers
Disadvantages:
- additional costs for Subscribers in carrying out prescribed identity verification checks when they choose the convenience of issuing child certificates to their employees
- additional costs for NECS when the authority of Individual DSC holders needs to be checked

Which of these options is best suited to NECS is also dependent upon their utility to Users in terms of their convenience and flexibility benefits and their cost and inconvenience disadvantages.

Risks to be considered in relation to types of DSCs

There are three key risks to consider in relation to the choice of type of DSCs:

1. The risk that an Authorised Officer or Certifier is issued with a DSC and registered with NECS under a false identity. (This risk can be mitigated by having an independent evidence of identity check on the applicant for the certificate)

2. The risk that an Authorised Officer or Certifier who purports to be authorised by a Subscriber organisation is issued with a DSC and registered with NECS as authorised by the Subscriber to use the DSC and act for the Subscriber in NECS when there is no such authorisation. (This risk can be mitigated by having an independent check that the Subscriber organisation has authorised and continues to authorise the applicant - which could be conducted by a registration authority or by the NECS operator.)

3. The risk that a Certifier is issued with a DSC and registered with NECS when they are not a currently qualified and licensed lawyer or conveyancer. This risk (of a false qualification or attribute) could be mitigated by an independent assurance of the licensing body or an independent check by a registration authority or the NECS operator with a licensing body.
C. Appendix C - Operational Roles in NECS [59]

The operational roles identified and agreed in consultation via the NPT to November 2009 [60] are summarised below.

Recommendations: It is recommended that:

1. All Subscribers to be required to hold professional indemnity and fidelity insurance with the exception of ADIs regulated by APRA and government agencies (departments, statutory authorities and business enterprises only)
2. Certifiers who are contractors to Subscribers representing themselves to be required to be industry practitioners (i.e. Industry Certifiers)
3. Information Reports and Settlement Certifications to require signing with a digital signature
4. Subscribers to be able to use Restricted Certifiers to sign Information Reports and Settlement Certifications.

These recommendations with respect to Operational Roles can be summarised as follows:

Role Type: Subscriber
Role Category: Representative Subscriber
Eligibility Requirements: Insured
Capabilities: Represent independent Transacting Parties or act for itself

Role Type: Subscriber
Role Category: Principal Subscriber
Eligibility Requirements: Insured if not a financial institution or government agency
Capabilities: Act for itself only

Role Type: Authorised Officer
Role Category: Authorised Officer
Eligibility Requirements: Authorised by position or special instrument to commit Subscriber
Capabilities: Commit a Subscriber to the Participation Rules

Role Category: Subscriber Administrator
Eligibility Requirements: None (can be either an employee or a contractor)
Capabilities: Administer system access and use on behalf of a Subscriber

Role Type: Certifier
Role Category: Industry Certifier
Eligibility Requirements: Industry practitioner empowered by one or more ... an employee or a contractor)
Capabilities: Certify and sign all document types for Subscribers in all circumstances

Role Category: Restricted Certifier
Eligibility Requirements: Delegated employee of a Subscriber
Capabilities: Certify and sign all document types for a Principal Subscriber and for a Representative Subscriber acting for itself, and information reports and settlement certifications for a Representative Subscriber representing an independent Transacting Party. Cannot certify and sign registry instruments for a Representative Subscriber who is not a legal or conveyancing practice when representing an independent Transacting Party.

Role Type: User
Eligibility Requirements: None (can be either an employee or a contractor)
Capabilities: Prepare workspaces for a Subscriber

These recommendations with respect to Document Signing can be summarised as follows:

Document Type: Registry Instrument
Subscriber Type: Representative
Circumstances: Representing independent Transacting Party
Able to be certified and signed by: Industry Certifier or Restricted Certifier when Subscriber is a legal or conveyancing practice. Restricted Certifier cannot certify and sign registry instruments when Subscriber is not a legal or conveyancing practice.

Document Type: Registry Instrument
Subscriber Type: Representative
Circumstances: Acting for self
Able to be certified and signed by: Industry or Restricted Certifier

Document Type: Registry Instrument
Subscriber Type: Principal
Circumstances: Acting for self
Able to be certified and signed by: Industry or Restricted Certifier

Document Type: Information Report
Subscriber Type: Both
Circumstances: All
Able to be certified and signed by: Industry or Restricted Certifier

Document Type: Settlement Certification
Subscriber Type: Both
Circumstances: All
Able to be certified and signed by: Industry or Restricted Certifier

These signing rules are proposed to apply to registry instruments. The signing requirements for other NECS electronic documents such as information reports and settlement statements are currently being considered.

[59] The material following identifies key risks and treatment options relevant to digital signing of electronic instruments for NECS, from the NSW Land Registry perspective. Management arrangements for the risks and treatments identified here will include the Certificate Policy for DSCs for electronic conveyancing, NECS Participation Rules, jurisdiction enabling legislation for electronic conveyancing, practice and practitioner fidelity and indemnity insurance provisions, and practices maintained by NECS, NECS Subscribers, Certifiers. It will be necessary that NECS national consultation arrangements determine policies and enforcement arrangements for acceptable practices. The material is presented here as an information resource supporting consideration of the issues raised in this Digital Signing of Electronic Instruments consultation paper.

[60] See NECO Issue Papers at http://www.necs.gov.au/Issue-Papers/default.aspx
D. Appendix D - Managing risks of signature use and document integrity for electronic conveyancing [61]

Digital signatures are used to mitigate two important risks:

a) the apparent signer of a document asserting they did not sign (signer identity authentication); and

b) the apparent signer asserting that the document was altered after signing (content integrity).

Signer Identity Authentication

Signer identity authentication (risk "a" above) involves mathematical proof that the document was signed by the signing key for which the key-holder is responsible. A fundamental purpose of Public Key Infrastructure (PKI) is to provide strong evidence when a document has been signed by a particular private key, to prevent the identified key-holder for that private key from effectively repudiating the signature. The identified key-holder is strongly presumed to be the signer of the electronic document digitally signed with that private key.

Really what is established from a technical perspective is that a specific private key was used to sign the document. Through the key-holder registration process by the Registration Authority, it can be established that at the time a DSC containing the corresponding public key was issued by a Certification Authority, the CA was satisfied that the relevant private key was controlled by a specific individual or organisation named in the DSC.

The strong presumption that the individual or organisation named in the DSC applied the private key to create the digital signature assumes that individual or organisation has retained exclusive control over the use of the private key since the DSC was issued and is therefore responsible for its use.

The physical and IT security protecting the private key controlled by the key-holder is generally the weakest link in the overall security of a PKI (indeed of any electronic authentication solution). The security of the private key can be compromised by the key holder either knowingly, or unknowingly providing a third party with access to their private key, or the Subscriber organisation IT security being inadequate and allowing malware to access the key.
It is important that Subscriber organisations ensure their physical, IT and network security is adequate and that there are business processes and policies in place to manage the security of private signing keys and their use to create digital signatures.

[61] The material following identifies key risks and treatment options relevant to digital signing of electronic instruments for NECS, from the NSW Land Registry perspective. Management arrangements for the risks and treatments identified here will include the Certificate Policy for DSCs for electronic conveyancing, NECS Participation Rules, jurisdiction enabling legislation for electronic conveyancing, practice and practitioner fidelity and indemnity insurance provisions, and practices maintained by NECS, NECS Subscribers, and Certifiers. It will be necessary that NECS national consultation arrangements determine policies and enforcement arrangements for acceptable practices. The material is presented here as an information resource supporting consideration of the issues raised in this Digital Signing of Electronic Instruments consultation paper.
Regardless of whether there is internal organisational approval for a third party to use the private key, such use will be a breach of the Certificate Policy under which the DSC is issued. A Certificate Policy under Gatekeeper requires the person to whom a DSC was issued to protect the security of the corresponding private key and to only use it within the scope for which it was issued.

Whether the key holder has an Individual DSC or an Organisation DSC, any use of the private key by a party other than the key holder represents a breach of the Certificate Policy under which the certificate was issued [62].

The only situation under Gatekeeper where a third party can apply a key holder's private key is with respect to hosted certificates [63]. This is a complex and risky arrangement, introduced to satisfy a particular agency business requirement. Use of hosted certificates is restricted to closed communities of interest and is not widely promoted largely due to the inherent risks associated with allowing third parties to manage and use private keys on behalf of the key holder. Allowing a third party to use your private key is equivalent to allowing a third party to sign your name on a legal document.

The NSW Land Registry does not support the use of Hosted Certificates for NECS.

To "legally" allow the key holder to delegate the use of their keys and certificate to another person within the same Subscriber organisation would require the drafting of a Certificate Policy that specifically allows it as well as very rigorous business rules to manage the risks.

It is highly unlikely that a Gatekeeper Certification Authority would support such an endeavour - one delegation can lead to others and then to other "informal" arrangements - all of which increase the risks to the Subscriber organisation (and thus to Relying Parties).

The NSW Land Registry does not support any allowed delegated use of a private key for electronic conveyancing.
[62] Note that the National Project Team has recommended use of organisation DSCs only for electronic conveyancing.

[63] See Department of Finance and Deregulation, Australian Government Information Management Office, GATEKEEPER PKI FRAMEWORK, HOSTED CERTIFICATE POLICY SPECIFICATION, February 2009, http://www.finance.gov.au/e-government/security-and-authentication/gatekeeper/docs/hosted_certificate_policy_specification.pdf, viewed 20 November 2009.

The Gatekeeper Core Obligations Policy states that a Subscriber (key holder) must:

- only use keys and DSCs within the limits specified in the Certificate Policy under which the DSC was issued;
- take all reasonable measures to protect their private key(s) from compromise and take all necessary precautions to prevent loss, disclosure, modification, or unauthorised use of their Private Key(s);
- ensure that all information provided, and any representations made to a Gatekeeper Accredited Registration Authority, a Relationship Organisation, a Known Customer Organisation or a Threat and Risk Organisation are complete and accurate;
- perform any additional requirements as specified in the Certificate Policy under which the DSC was issued;
- promptly notify the Certification Authority in the event that they consider or suspect there has been a compromise of their private keys; and
- promptly notify the relevant Registration Authority, Relationship Organisation, Known Customer or Threat and Risk Organisation in the event that they consider the Evidence of Identity information provided by them is or may be incorrect.

NSW Land Registry considers that in the electronic conveyancing environment, confidence in digital signing may be increased by enforcing an "intent confirmation check" at the time the key holder signs, to the effect "You are now about to sign for legal effect - do you wish to continue yes/no?"

This form of intent confirmation check would have the effect of reinforcing in the mind of the key holder the significance of what they are doing, and may also assist with the evidence to support non-repudiation of the transaction - i.e. there was a clear intent on the part of the key holder to sign the specific transaction.

Signer Identity authentication applies both in relation to the document between "there" and "here" (i.e., to the sender and receiver) as well as between "now" and "then" (i.e., when it was signed and when it was relied upon).

It is intended in NECS that where a Certifier is the named key holder in an Organisation DSC which also names the Subscriber organisation, both the Certifier and the Subscriber organisation would be liable for application of the corresponding private key to create digital signatures.

There should be no exceptions to the rule that a Subscriber organisation is responsible and liable for the use of private keys which correspond to valid DSCs naming the Subscriber organisation or its employees or agents (attribution rule). This is so whether the use occurs through misuse by the key-holder or as a result of third party fraud (i.e., via a person who is not the key-holder). A Subscriber organisation remains liable for the activities of its key holders - i.e., those individuals that are directly linked either by employment or contract and who can have their name and that of the Subscriber organisation linked within the certificate.
General practice is that a key holder must be bound to the Subscriber organisation by employment or contract. The NSW Land Registry view is that for a contractor to legally sign a registry instrument on behalf of a Subscriber the individual who is the contractor must be an Industry Certifier and this relationship with the Subscriber must be in the form of a written agreement.

Non-employees should not be issued DSCs that bind them to the Subscriber organisation (i.e. the certificate must not have the individual's name and the name of the organisation in it) unless the non-employee individual satisfies the Industry Certifier and written agreement contractor requirement. This should be the requirement both with respect to individuals and firms acting as agents for the Subscriber organisation.

The legal relationships will have to be settled by reference to a services agreement between the agent and the Subscriber organisation. The challenge will be to establish what actions an agent key holder is authorised to take on behalf of the Subscriber organisation (perhaps even more complex with respect to agents and other non-employees).
Content Integrity

With respect to Content Integrity (risk "b" above), content integrity may be mathematically proven if the digital signature is verified. The greater variable in relation to the integrity of a signed document is the infrastructure, rules and practices maintained and enforced for digital signing of electronic instruments, in particular by Subscribers.

Each digital signature is unique to the private signing key used and the content of the document signed. The digital signature is mathematically created by the signing software, and validation software uses the same mathematical concepts to validate the signature with the content of the document. All of this happens "behind the scenes" - i.e. is transparent to the user - and proves content integrity from the time of digital signing.

Variability arises principally from the Subscriber's practices and protocols. For example, the Subscriber is to be responsible for applying the prescribed standard and practice of identity verification for applicants to become the key-holder of a "child" Organisation DSC, and enforcing organisation protocols on key security. Where inadequate identification is conducted, or inadequate protocols allowed, a digital signature might not in fact be created by the apparent signer/key-holder, but the Subscriber organisation should be responsible for the signature.
Land and Property Management Authority Head office 1 Prince Albert Road Queens Square SYDNEY NSW 2000 T 13000 LANDS 61 2 8236 7173 www.lpma.nsw.gov.au November 2009 Land and Property Management Authority