Section 12(1) of the Library and Archives Canada Act states that no record under the control of a government institution may be destroyed without the consent of the Librarian and Archivist of Canada. Even if an institution does not actively dispose of electronic records by deleting data or destroying the recording media, de facto disposal of records in electronic form occurs if the creating institution loses access to the content and the structure of the document. Encrypted content that can no longer be decrypted, or signed content that can no longer be rendered, is inaccessible in exactly this sense.
To facilitate the development of electronic communication at all levels, the federal government has implemented a Public Key Infrastructure (PKI), which enables documents in electronic form to be encrypted and to carry a digital signature. All such electronic documents potentially can be designated records(1) within the meaning of the Library and Archives Canada Act, and therefore be identified for transfer to Library and Archives Canada at the end of their operational retention period. To explain its position and assist institutions in the management and disposal of records created under a Public Key Infrastructure using encryption and digital signatures, Library and Archives Canada has prepared the following guidelines.
Encryption (2):
Encryption can be used to increase the security of electronic documents in storage and during transmission. It enhances the confidentiality of the content of the document and limits access to that content to holders of the decryption key. In the case of stored documents, encryption is analogous to a physical security measure such as a locked cabinet and, as such, is external to the document itself.
Encryption of documents during transmission performs the function of a traditional paper envelope. Because this "envelope" is not an integral part of the document, and because envelopes have not traditionally been appraised as having archival value, Library and Archives Canada will not preserve the encrypted version of records in electronic form. External notations relating to the encryption history of a document (when it was encrypted, with which key, by whom it was decrypted) will not be required, but they may, at the discretion of the institution, be recorded within an electronic records management system.
Library and Archives Canada will not accept any records encrypted using the technology currently available through the federal PKI system (i.e. in the .ent file structure). Records deemed to be archival will have to be decrypted prior to transfer to Library and Archives Canada. It is important to note that loss of the ability to decrypt an encrypted record may de facto constitute destruction of the record under the terms of Section 12(1) of the Library and Archives Canada Act. In practice this places the burden on the creating institution: for as long as an archival record is held in encrypted form, the institution must retain a recoverable decryption key for it, including after the key pair that encrypted it has expired.
Library and Archives Canada will also not preserve any records encrypted using any prior encryption technologies.
Digital Signature (3):
Digital signatures confer three qualities on an electronic document: data integrity, authentication and non-repudiation. Successful verification of a digital signature assures the recipient that the "document received" is identical, byte for byte, to the "document sent" (data integrity) and that it was signed with the private key whose certified public key is named in the signature, which the recipient takes as confirming the identity of the sender (authentication). It also provides evidence against any subsequent denial by the sender that the document originated with them (non-repudiation), to the extent that the private key was under the sender's sole control and the Certification Authority's binding of that key to the sender is trusted. The importance of these assurances is paramount at the time the document is received but diminishes once the recipient's decision to act on the document is made. For Library and Archives Canada purposes, the integrity and authenticity of records will continue to be inferred from their placement within an organization's record-keeping system during the normal course of business, and from proof of that organization's reliance on records kept within their record-keeping system.
Library and Archives Canada will not attempt to maintain the capacity to re-verify a digital signature after transfer to its control, nor to preserve the traces of a digital signature generated under the current federal PKI system. Further, Library and Archives Canada will not accept records made unintelligible by the presence of a digital signature, but will accept records where the content, context and structure of the document, exclusive of its digital signature, remain intelligible and their integrity and authenticity can be inferred from their placement within an organization's record-keeping system. It is important to note that loss of the ability to render an intelligible electronic record may de facto constitute destruction of the record within the meaning of Section 12(1) of the Library and Archives Canada Act.
Records generated by non-PKI electronic signature technologies will be evaluated on a case-by-case basis during the archival appraisal process.
For further information, please contact us at:
Government Information Management Office
Library and Archives Canada
The digital signature technology being implemented as part of the federal government's Public Key Infrastructure (PKI) is based on the issuance of key pairs to users. Each pair is made up of a private key, held by the user, and a public key. Key pairs currently have a life span of 1 hour to 3 years, at which time the original key pair expires, a new key pair is established for the user and a Certification Authority (CA) issues a certificate binding the new public key to that user. Library and Archives Canada has considered various technical approaches to the preservation of digital signatures but concluded they could not be implemented at this time.
Authentication of Digital Signatures
To ensure authenticity, one must be able to verify and even re-verify a digital signature. The re-verification process requires two things: first, access to the public signing key of the sender (carried in the sender's certificate, which is included in the signed document); and second, access to the public signing key of the relevant Certification Authority, so that the sender's certificate can itself be checked. This approach would require Library and Archives Canada to acquire and maintain access to every CA signing key issued over a CA's operational lifetime, since CA keys are themselves renewed. It is too early in PKI implementation to know exactly how many keys this would involve. The number of CAs could range from a single one to support all government activity to more than one CA per department. Furthermore, the re-verification process is dependent upon proprietary software, which would also have to be kept operational for as long as the re-verification of a digital signature is required.
Finally, the digital signature currently depends on a "hash", a fixed-length value computed from the document by a cryptographic hash algorithm. The verifier recomputes this hash and the signature is accepted only if the recomputed value matches the one that was signed. For the hash to calculate identically, the document must be identical in its content and its structure down to the last byte; a change as small as a line-ending convention or an added metadata field produces a different hash. Migration (i.e., conversion from obsolete logical file formats) necessarily changes those bytes and so would permanently prevent the calculation of an identical hash, thus destroying the digital signature during archival preservation.
One attempt to extend the lifetime of a digital signature beyond the current maximum 3-year horizon (set by the lifespan of the key pair and its certificate) has revolved around the concept of "authentication servers". This would expand the verification of a digital signature to include the gathering of "snapshots" of the data which supported the verification. Beyond simply verifying the signature, the process would, for example, capture the Certification Authority's Revocation List current at the time of verification, to document the fact that the relevant key pair was valid when signature verification occurred (i.e., was not included on the Revocation List). A later verifier, or one who can no longer re-verify at all, then relies on this record rather than on the signature itself.
While an important development for organizations needing better documentation of the signature verification process, it does not appear that this approach will address the long time-frames required by archival institutions. The "digital objects" captured by this enhanced verification process (revocation lists, certificates, the verification record itself) will also carry software dependencies of their own, which will require the development of migration strategies in the future.
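The two points above, that re-verification requires a byte-identical document and that a verification "snapshot" is what survives once re-verification is no longer possible, can be demonstrated in a few lines. The following Go program is an added example and is not part of the Library and Archives Canada guidelines or of the federal PKI software; it uses Ed25519 from the Go standard library in place of the PKI's signature scheme, a hash of the public key in place of a certificate serial number for revocation lookups, and a constructed memorandum, seed and revocation list. It signs a record, shows that a format migration (CRLF to LF plus a provenance trailer) makes the signature unverifiable even though the text is still intelligible, and records two verification snapshots against a Revocation List: one taken while the key was good and one taken after the key was revoked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Constructed sample record (not from the guidelines): the "document as sent",
// with the CRLF line endings an office suite of the period would have written.
const originalRecord = "Memorandum: approve transfer of fonds R-2000.\r\nSigned: J. Doe\r\n"

// ExamplePrivateKey derives a reproducible key pair from a constructed seed.
// A real key would be generated randomly and certified by a CA.
func ExamplePrivateKey() ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("constructed example seed, not a real PKI key"))
	return ed25519.NewKeyFromSeed(seed[:])
}

// SignedRecord is the record as it travels: content, detached signature, and
// the signer's public key standing in for the attached certificate.
type SignedRecord struct {
	Content   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Sign signs the exact bytes of the record. The scheme hashes the content
// internally, so any byte-level change alters the value the verifier recomputes.
func Sign(priv ed25519.PrivateKey, content []byte) SignedRecord {
	return SignedRecord{
		Content:   content,
		Signature: ed25519.Sign(priv, content),
		PublicKey: priv.Public().(ed25519.PublicKey),
	}
}

// Verify is the re-verification step: it succeeds only if Content is
// byte-identical to what was signed and the signature matches PublicKey.
func Verify(r SignedRecord) bool {
	return ed25519.Verify(r.PublicKey, r.Content, r.Signature)
}

// Migrate models a format migration at ingest: line endings normalised to LF and
// a provenance trailer appended. The text stays intelligible; the bytes do not.
func Migrate(content []byte) []byte {
	text := strings.ReplaceAll(string(content), "\r\n", "\n")
	return []byte(text + "[migrated to UTF-8/LF by archive ingest]\n")
}

// KeyFingerprint identifies the signing key in the CRL lookup below. Real CRLs
// list certificate serial numbers; hashing the public key is a simplification.
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerificationRecord is the "snapshot" an authentication server would keep:
// what was checked, when, against which CRL, and with what result.
type VerificationRecord struct {
	VerifiedAt     time.Time
	ContentSHA256  string
	KeyFingerprint string
	SignatureValid bool
	KeyRevoked     bool      // listed on the CRL consulted at VerifiedAt
	CRLIssued      time.Time // which CRL snapshot supported the decision
}

// RecordVerification verifies the signature and captures the supporting state.
// crl maps key fingerprints to revocation time (a constructed stand-in for a
// parsed Revocation List).
func RecordVerification(r SignedRecord, crl map[string]time.Time, crlIssued, now time.Time) VerificationRecord {
	fp := KeyFingerprint(r.PublicKey)
	sum := sha256.Sum256(r.Content)
	revokedAt, listed := crl[fp]
	return VerificationRecord{
		VerifiedAt:     now,
		ContentSHA256:  hex.EncodeToString(sum[:]),
		KeyFingerprint: fp,
		SignatureValid: Verify(r),
		KeyRevoked:     listed && !revokedAt.After(now),
		CRLIssued:      crlIssued,
	}
}

// Outcome bundles the results so they can be checked without parsing output.
type Outcome struct {
	OriginalVerifies bool
	MigratedVerifies bool
	Before           VerificationRecord // snapshot taken while the key was good
	AfterRevocation  VerificationRecord // snapshot taken against a later CRL
}

func RunExample() Outcome {
	signed := Sign(ExamplePrivateKey(), []byte(originalRecord))
	migrated := signed
	migrated.Content = Migrate(signed.Content)

	t0 := time.Date(2004, 6, 1, 9, 0, 0, 0, time.UTC) // constructed timeline
	t1 := t0.Add(24 * time.Hour)
	laterCRL := map[string]time.Time{KeyFingerprint(signed.PublicKey): t0.Add(12 * time.Hour)}

	return Outcome{
		OriginalVerifies: Verify(signed),
		MigratedVerifies: Verify(migrated),
		Before:           RecordVerification(signed, map[string]time.Time{}, t0, t0),
		AfterRevocation:  RecordVerification(signed, laterCRL, t1, t1),
	}
}

func main() {
	out := RunExample()
	fmt.Printf("original verifies: %v, migrated verifies: %v\n", out.OriginalVerifies, out.MigratedVerifies)
	fmt.Printf("snapshot %s: valid=%v revoked=%v\n", out.Before.CRLIssued.Format(time.RFC3339), out.Before.SignatureValid, out.Before.KeyRevoked)
	fmt.Printf("snapshot %s: valid=%v revoked=%v\n", out.AfterRevocation.CRLIssued.Format(time.RFC3339), out.AfterRevocation.SignatureValid, out.AfterRevocation.KeyRevoked)
}
```

Two things are worth noticing in the output. The migrated copy fails verification even though a reader would consider it the same memorandum, which is the hash problem described above. And the signature on the unmigrated copy still verifies mathematically after the key has been revoked; only the earlier snapshot, with its recorded CRL, documents that the key was good when the decision to act was taken. The snapshot is therefore the evidence an archive would have to preserve, and it is itself a digital object with its own format dependencies.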
2. Cryptography is a method to provide security to telecommunications by converting information to a form unintelligible to an unauthorized interceptor and by reconverting information to its original form for authorized recipients. (Introduction to Cryptography and its Applications, Communications Security Establishment, November 4, 1997)
3. A digital signature is defined as "the result of a transformation of a message by means of a cryptographic system using keys such that a person who has the initial message can determine: (a) whether the transformation was created using the key that corresponds to the signer's key; and (b) whether the message has been altered since the transformation was made". (Policy for Public Key Infrastructure Management in the Government of Canada, draft version 1.0, January 29, 1999)