Quebec certification centre

The Quebec Certification Centre is a public key infrastructure (PKI) developed by Notarius, which was founded for this purpose by the Chambre des notaires du Québec (professional order of notaries in Quebec). This infrastructure guarantees its members and other clients absolute security and confidentiality in their electronic transactions and communications. One of the main responsibilities of the Quebec Certification Centre is the issuance of certificates containing previously verified information confirming the identity of the key and certificate holder. Among other tasks and responsibilities related to PKI implementation and management, Notarius is responsible for distributing and managing keys and certificates to users whose identity have been adequately verified.

What is a public key infrastructure (PKI)?

The increasing popularity of the Internet and the advent of electronic transactions on open networks have raised numerous concerns. Are transactions confidential? How can the identity and quality of the sender and recipient be verified? Can tampering and falsification of transactions be prevented?

The solution to these concerns is a public key infrastructure (PKI), comprising a certification authority, policies, management services, cryptography software using public key cryptography and digital signature certificates. PKI mechanisms offer technical and legal guarantees:

  • confidentiality of the electronic transaction: the transaction is encoded in such a way that only the recipient can decode it with her or his private key.
  • integrity and completeness of the transaction: the recipient is assured that the transaction has not been altered and that it is complete.
  • the sender's identity: the recipient can verify the sender's identity and the validity of her or his certificate by consulting the Certification Centre's directory and certificate revocation list, which are maintained by Notarius. This directory allows clients to verify the validity of the sender's identity certificate and confirm that it has not been revoked or suspended. The recipient can thus verify whether the conditions required for the validity of the transaction have been met.

What is a certification authority?

A certification authority is one of the main components of a public key infrastructure. It is a trusted third party responsible for issuing digital certificates and managing them for the duration of their validity period. Digital certificates are electronic files containing the user's public key and specific identifying information. The certification authority certifies that the person who has been issued a digital certificate is indeed who he or she claims to be.

Technical and legal security

The key and certificate system requires users to sign and encrypt transmitted information so that only authorized recipients can read it, thus ensuring data confidentiality. This procedure also guarantees that the slightest alteration of the document at the time of transmission will be immediately apparent, because even the tiniest modification renders decryption impossible. With this guarantee, it is certain that transmitted and received information will be identical. This procedure is based on internationally recognized standards and the algorithms used to generate the keys, the directories and the certificates are all based on X.500 and X.509 standards.

From the legal standpoint, certification of the identity of a document's signer is ensured by verification of the holder's identity at the time of the initial application. Thereafter, throughout the certificate's life cycle, the Québec Certification Centre is responsible for maintaining the same level of trust. Information that has been verified in this way is contained in the certificates associated with the holder's private and public keys.

How a digital signature works

Public and private keys

Each holder is issued a pair of public keys and a pair of private keys. Public keys are also available to other holders in the database of the X.500 directory. They are used to protect the confidentiality of a document and to verify the signature of another holder.

Private keys are accessible solely to the holder. One is used to sign electronic documents and the other is used to decrypt a document in order to verify its integrity.

To check the validity of a signature, recipients must consult the certificate revocation list published by the Québec Certification Centre (QCC). The certificate revocation list may be consulted automatically on-line with Entrust software or a product that has integrated this technology.

Keys and certificates issued by the QCC are valid for a period of two years. They may be automatically renewed on-line, roughly two months before expiration, using the QCC client software or a product that has integrated this technology.

In addition, users' certificates are signed by the certification authority (QCC). A user can thus verify the validity and integrity of a certificate issued by the certification authority by using his or her public verification key and consulting certificate revocation lists published by certification authorities.

Certificates

Certificates are issued in conformity with the X.509 standard and are signed by the Québec Certification Centre as a guarantee of their integrity. They contain the following basic elements:

  • holder's name;
  • name of the certification authority;
  • date of issuance and expiration of the certificate;
  • the certificate's unique serial number;
  • signature of the certification authority;
  • signature verification key or the public encoding key;
  • X.509 version employed;
  • distinguished name of the corresponding certificate revocation list;
  • relevant policies.

Certificate Revocation Lists (CRL)

Certificate revocation lists published by the Québec Certification Centre contain the serial numbers of revoked certificates. They also indicate the date and time of revocation and are signed with the certification authority's digital signature to validate their integrity. They are updated by the certification authority at least once every four hours.

Cross or reciprocal certification

System interconnectivity inevitably leads to users of different PKIs needing to communicate with each other. Reciprocal certification allows clients of two separate certification authorities to interact securely. Because certification standards may vary from one PKI to another, before establishing a cross certification process, the two PKIs should compare policies to ensure an equivalent degree of trust exists between the two PKIs. Cross certification is based on the conclusion of reciprocal agreements by certification authorities responsible for PKIs, guaranteeing that the chain of validity and security will not be compromised.