Friday, June 20, 2008

A review of a post on internet security from E-blog

DIGITAL SIGNATURE LEGISLATION IN EUROPE

1. Introduction

Many legislatures in the world are trying to decide whether or not they should regulate digital signatures, and some countries have decided that some type of regulation is desirable and have either issued or are about to issue appropriate legislation. The legal issues posed by digital signatures are numerous and not easy to address, especially considering the speed at which the digital world moves and the inherent interplay between legislation and technology developments.

2. Handwritten Signatures v. Digital Signatures

By handwriting our name at the bottom of a contract we accept the terms of the document and also indicate that the document is produced by whoever signed it, with all the legal implications attributed to such an act by applicable law. Our signature can be used for many other purposes, such as issuing an order, filing a request or signing a love letter, and the legal implications of each signature are rather different; the concept of signature, however, is basically the same. We can have different handwritten signatures for various purposes: we may initial certain documents and use a full signature in others, but the process and the result are not different. In the paper world we basically have one definition of signature, which attributes the document to the signing party and whose effect depends on the type of document, applicable law, etc. As soon as writing became common, handwritten signatures became the main method of attributing a document to an individual. Signing a contract in writing has become the primary procedure to evidence that each party to a contract was in agreement with it. A special set of rules has been developed in every country to deal with issues such as authentication of signatures. We have to identify the best method for attributing a digital document to a person. For example, I normally type my name when sending an e-mail; however, this is not sufficient to prove beyond doubt that the e-mail comes from me, as anybody else may type in my name.

3. Definition of Digital Signature

Under EU Directive 1999/93, a digital signature is generically defined as data in electronic form attached to, or logically associated with, other electronic data and which serves as a method of authentication. The German Digital Signature Law, issued in 1997, defines a digital signature as a seal on digital data created with a private signature key, which seal allows, by use of the associated public key to which a signature key certificate of a certifier. Italian legislation defines a digital signature as the result of a digital procedure (certification) based on a system of double asymmetric keys, one being a public key and the other a private key, which allows the signer, by virtue of the private key, and the recipient, by virtue of the public key, respectively to manifest and to ascertain the provenance and integrity of a digital document or of a group of digital documents.

4. Certification Authorities

The use of digital signatures does not require, per se, the existence of certification authorities, as the parties may contractually agree to some type of certification procedure ensuring the authenticity of the document. However, the use of certification authorities makes it possible to rely on digital documents between parties which do not have any prior contractual arrangement or which are not in a position to establish a standard practice between them. As a consequence, it does not come as a surprise that the role, the duties and the obligations of certification authorities normally constitute a key point in most current legislation on digital signatures. The main problem posed by legislation on certification authorities is that, unlike most other activities, it is very difficult to restrict them to one country. It is not by chance that one of the most widely ratified international treaties is The Hague Convention for the abolition of legalization, which, through the instrument of the Apostille, made possible the recognition of documents signed and notarized abroad. It is quite clear that the same path cannot be followed with reference to digital signatures. On the other hand, it is not easy to agree on an international treaty to ensure the validity of an electronic signature certified abroad; however, the solution of the problem is vital for the success of e-commerce. The problem was almost ignored by the German and Italian legislation which preceded the issuance of the EU Directive. This issue became immediately apparent, however, as soon as the legislative effort moved to a supranational level, i.e. the EU level.
In practice, however, it may be very difficult for the public to ascertain whether a specified certification service provider meets the minimum standards required by the Directive to issue certificates having the effect of validating the signature as an Advanced Electronic Signature, and the Directive therefore provides for a voluntary accreditation scheme and for a supervision system. Regarding the free cross-border circulation of the digital signature (with certification), the Directive establishes the important principle of recognition of certifications issued in another Member State, if in conformity with the provisions of the Directive. It is not possible, however, to limit the digital world to the EU, also considering the large presence of US companies on the market, and Article 7 of the Directive deals with this issue by providing that the certificates issued by a company established outside the EU are recognized within the EU provided that:

a) the certification service provider fulfills the requirements of the Directive and has been accredited under a voluntary accreditation scheme in any of the EU Member States, or
b) the certificate is counter-guaranteed by an EU service provider; or
c) the certificate or the certification service provider is recognized under a bilateral or multilateral treaty.

Member States shall ensure that, by issuing a certificate to the public or by guaranteeing such a certificate, the certification service provider is liable for damage caused to any party which relied on such a certificate:
a) as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate;
b) for assurance that at the time of issuance of the certificate, the signatory identified in the qualified certificate held the signature creation data corresponding to the signature verification data given or identified in the certificate;
c) for assurance that the signature creation data and the signature verification data can be used in a complementary manner in cases where the certification service provider generates them both, unless the certification service provider proves that he has not acted negligently;
d) in the event the certification service provider did not promptly register the revocation of the certificate.
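As an added illustration (not code from the reviewed article or from any legislation), the following Go program models the definitions in section 3 and the certifier's role in section 4: a seal created with a private signature key, a toy certificate in which a certifier binds the public key to an owner, and a recipient-side check that reports the certified owner only when the certificate comes from the trusted certifier, the key has not been revoked, and the seal matches the exact document (provenance and integrity together). The Certificate type, the Seal and Verify functions and the revocation set are assumptions of this example and are not real X.509 structures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a constructed toy stand-in for a certifier's "signature key certificate":
// the certifier's seal over the binding owner <-> public key. Not X.509; illustration only.
type Certificate struct {
	Owner     string
	PublicKey ed25519.PublicKey
	CertSig   []byte // certifier's signature over Owner || PublicKey
}
func certBytes(owner string, pub ed25519.PublicKey) []byte {
	return append([]byte(owner+"\x00"), pub...)
}

// IssueCertificate: the certifier attests that pub belongs to owner.
func IssueCertificate(certifierPriv ed25519.PrivateKey, owner string, pub ed25519.PublicKey) Certificate {
	return Certificate{Owner: owner, PublicKey: pub, CertSig: ed25519.Sign(certifierPriv, certBytes(owner, pub))}
}

// Seal is the signer's act: a seal on the document created with the private signature key.
func Seal(priv ed25519.PrivateKey, doc []byte) []byte { return ed25519.Sign(priv, doc) }

// Verify is the recipient's act: the owner name is returned only if the certificate was issued by
// the trusted certifier, the certified key is not revoked, and the seal matches this exact document.
func Verify(certifierPub ed25519.PublicKey, revoked map[string]bool, cert Certificate, doc, seal []byte) (string, error) {
	if !ed25519.Verify(certifierPub, certBytes(cert.Owner, cert.PublicKey), cert.CertSig) {
		return "", fmt.Errorf("certificate not issued by trusted certifier")
	}
	if revoked[string(cert.PublicKey)] {
		return "", fmt.Errorf("certificate for %q has been revoked", cert.Owner)
	}
	if !ed25519.Verify(cert.PublicKey, doc, seal) {
		return "", fmt.Errorf("seal does not match document or certified key")
	}
	return cert.Owner, nil
}

func main() {
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCertificate(certPriv, "Alice", alicePub)
	doc := []byte("constructed sample contract: Alice buys 10 units") // constructed input
	fmt.Println(Verify(certPub, nil, cert, doc, Seal(alicePriv, doc))) // Alice <nil>
}
```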

5. Conclusions

The complexity of the issues dealt with by the Directive clearly indicates the difficulty of legislating on digital signatures. Namely, it is simply impossible to limit the legislative intervention to granting an equivalence between digital and handwritten signatures, given the inherent differences between them. The different approaches used in national and EU legislation also indicate the difficulty of dealing with some issues at the national level and the importance of the rules for the international recognition of digital signatures.

2 comments:

Fantastic Four said...

missing words again... :)

Tee Chess said...

Nice review. I find this article very informative. I am currently studying various techniques that are used for internet security. In this article a nice introduction to digital signatures has been posted. Thanks.