Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Version of document from 2011-03-10 to 2024-10-30:

Secure Electronic Signature Regulations

SOR/2005-30

CANADA EVIDENCE ACT

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Registration 2005-02-01

Secure Electronic Signature Regulations

P.C. 2005-57 2005-02-01

Whereas the Governor in Council is satisfied that the technology or process prescribed in the annexed Secure Electronic Signature Regulations can be proved to meet the requirements set out in paragraphs 48(2)(a) to (d) of the Personal Information Protection and Electronic Documents ActFootnote a;

Therefore, Her Excellency the Governor General in Council, on the recommendation of the Treasury Board, pursuant to subsection 48(1) of the Personal Information Protection and Electronic Documents Acta and paragraph 31.4(a)Footnote b of the Canada Evidence Act, hereby makes the annexed Secure Electronic Signature Regulations.

Interpretation

 The following definitions apply in these Regulations.

Act

Act means the Personal Information Protection and Electronic Documents Act. (Loi)

asymmetric cryptography

asymmetric cryptography means a cryptographic system that relies on key pairs. (système de chiffrement à clé publique)

certification authority

certification authority means a person or entity that issues digital signature certificates and that is listed as such on the website of the Treasury Board Secretariat. (autorité de certification)

digital signature certificate

digital signature certificate, in respect of a person, means an electronic document that

  • (a) identifies the certification authority that issued it and is digitally signed by that certification authority;

  • (b) identifies, or can be used to identify, the person; and

  • (c) contains the person's public key. (certificat de signature numérique)

entity

entity includes any federal department, branch, office, board, agency, commission, corporation or body for the administration of the affairs of which a minister of the Crown is accountable to Parliament. (entité)

hash function

hash function means an electronic one-way mathematical process that converts data contained in an electronic document into a message digest that is unique to that data in a way that, were that data changed, it would, on conversion, result in a changed message digest. (fonction de hachage)

key pair

key pair means a pair of keys held by or for a person that includes a private key and a public key that are mathematically related to, but different from, each other. (biclé)

private key

private key means a string of data that

  • (a) is used in asymmetric cryptography to encrypt data contained in an electronic document; and

  • (b) is unique to the person who is identified in, or can be identified through, a digital signature certificate and corresponds only to the public key in that certificate. (clé privée)

public key

public key means a string of data contained in a digital signature certificate that

  • (a) is used in asymmetric cryptography to decrypt data contained in an electronic document that was encrypted through the application of the private key in the key pair; and

  • (b) corresponds only to the private key in the key pair. (clé publique)

  • SOR/2011-71, s. 1(E)

Technology or Process

 For the purposes of the definition secure electronic signature in subsection 31(1) of the Act, a secure electronic signature in respect of data contained in an electronic document is a digital signature that results from completion of the following consecutive operations:

  • (a) application of the hash function to the data to generate a message digest;

  • (b) application of a private key to encrypt the message digest;

  • (c) incorporation in, attachment to, or association with the electronic document of the encrypted message digest;

  • (d) transmission of the electronic document and encrypted message digest together with either

    • (i) a digital signature certificate, or

    • (ii) a means of access to a digital signature certificate; and

  • (e) after receipt of the electronic document, the encrypted message digest and the digital signature certificate or the means of access to the digital signature certificate,

    • (i) application of the public key contained in the digital signature certificate to decrypt the encrypted message digest and produce the message digest referred to in paragraph (a),

    • (ii) application of the hash function to the data contained in the electronic document to generate a new message digest,

    • (iii) verification that, on comparison, the message digests referred to in paragraph (a) and subparagraph (ii) are identical, and

    • (iv) verification that the digital signature certificate is valid in accordance with section 3.

  •  (1) A digital signature certificate is valid if, at the time when the data contained in an electronic document is digitally signed in accordance with section 2, the certificate

    • (a) is readable or perceivable by any person or entity who is entitled to have access to the digital signature certificate; and

    • (b) has not expired or been revoked.

  • (2) In addition to the requirements for validity set out in subsection (1), when the digital signature certificate is supported by other digital signature certificates, in order for the digital signature certificate to be valid, the supporting certificates must also be valid in accordance with that subsection.

  •  (1) Before recognizing a person or entity as a certification authority, the President of the Treasury Board must verify that the person or entity has the capacity to issue digital signature certificates in a secure and reliable manner within the context of these Regulations and paragraphs 48(2)(a) to (d) of the Act.

  • (2) Every person or entity that is recognized as a certification authority by the President of the Treasury Board shall be listed on the website of the Treasury Board Secretariat.

Presumption

 When the technology or process set out in section 2 is used in respect of data contained in an electronic document, that data is presumed, in the absence of evidence to the contrary, to have been signed by the person who is identified in, or can be identified through, the digital signature certificate.

Coming into Force

 These Regulations come into force on the day on which they are registered.


Date modified: