Implementation of Electronic Signature Law
Kęstutis Andrijauskas
Information Society Development Committee under the Government of the Republic of Lithuania
Electronic Signature Law (1)
The law came into force on 11 July, 2000 and is based on Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. Amendments to the Electronic Signature Law were made on 6 June, 2002.
Electronic Signature Law (2)
The law regulates the creation, verification and validity of electronic signatures and the rights and obligations of signature users; it establishes certification services and the requirements for their providers, and the rights and functions of the electronic signature supervision institution. The principle of technological neutrality is upheld, and several general principles of PKI are defined.
Electronic Signature Law (3)
A secure electronic signature created by a secure signature-creation device and based on a valid qualified certificate shall have the same legal force as a hand-written signature in written documents and shall be admissible as evidence in court.
If the parties so agree, an electronic signature will have the same force as a hand-written signature in written documents and shall be admissible as evidence in court (amendment of the Electronic Signature Law on July 6, 2002).
Electronic signature supervision institution
By Resolution Nr. 568 of April 27, 2002, the Government of the Republic of Lithuania transferred the function of the electronic signature supervision institution to the Information Society Development Committee. The Information Society Development Committee organises and coordinates processes related to the development of the information society.
Overview of the framework
– Directive 1999/93/EC
– The law on electronic signatures, June 11, 2000 (amended on June 6, 2002)
– Legislative functions: registration of service providers, voluntary accreditation
– Supervision body: Information Society Development Committee, April 23, 2002
– ETSI (EESSI) standards
Legal Acts Regulating Electronic Signature
Acts within the competence of the Government:
– Requirements for certification service providers issuing qualified certificates
– Requirements for electronic signature creation devices
– The procedure for registration of certification service providers issuing qualified certificates
– The order of supervision of electronic signature
Legal Acts Regulating Electronic Signature in Lithuania (Follow-up)
Acts within the competence of the supervision institution:
– Requirements for the electronic signature verification procedure
– Requirements and the order for voluntary accreditation of certification service providers
– The order of supply of supplementary certification services (time-stamping, directory services, consultancy services)
Levels of standardization and regulation (e.g. Germany, Italy)
[Diagram: four levels, EU Directive side against national implementation side]
– Level 1: Directive / Signature Law (national legislation)
– Level 2: Directive Annexes / Ordinance (national decree, high-level requirements)
– Level 3: Supervision / Technical Rules (international functional and quality standards)
– Level 4: Conformity assessment / Standards (international interoperability standards)
Source: European Electronic Signature Standardization Initiative (EESSI), Final report of the EESSI expert team, 20 July, 1999
Lithuanian standards regulating electronic signature infrastructure
– LST ETSI TS – Policy requirements for certification authorities issuing qualified certificates
– LST ETSI TS – Electronic signature formats
– LST ETSI TS – Time stamping profile
– LST ETSI TS – Qualified certificate profile
– LST ETSI TS – Policy requirements for time-stamping authorities
– LST ISO – IEC – Information technology – Code of practice for information security management
– LST CWA – Secure signature-creation devices “EAL4”
– LST CWA – Security requirements for signature creation applications
– LST CWA – Procedures for electronic signature verification
Lithuanian standards regulating electronic signature infrastructure (follow-up)
– LST CWA – Security requirements for trustworthy systems managing certificates for electronic signatures – Part 1: System security requirements
– LST CWA – Security requirements for trustworthy systems managing certificates for electronic signatures – Part 2: Cryptographic module for CSP signing operations – Protection profile (MCSO-PP)
– LST CWA – Security requirements for trustworthy systems managing certificates for electronic signatures – Part 3: Cryptographic module for CSP key generation services
– LST ISO 9001:2001 – Quality management systems. Requirements
– LST ISO/IEC – Information technology – Security techniques – Evaluation criteria for IT security: Part 1: Introduction and general model; Part 2: Security functional requirements; Part 3: Security assurance requirements
Requirements for Certification Service Providers Issuing Qualified Certificates
Based on Annex II of Directive 1999/93/EC
Functions of service providers:
– Registration
– Creation of qualified certificates
– Management of certificate data and its revocation
Requirements for internal administration:
– Approved and publicly promulgated certification regulations
– Higher education and qualified specialists
– Civil liability assurance
– Recommended quality management system: LST ISO 9001:2001
Requirements for Certification Service Providers Issuing Qualified Certificates (Follow-up)
Requirements on service provision:
– Provide information about certificates at any time
– Record the date and time of certificate creation, suspension and revocation
– Retain the information set by the certificate rules
Liability of service providers:
– Registration can be suspended or revoked
– Damage shall be compensated according to the procedure established by law
Reference to the LST ETSI TS standard
Requirements for Electronic Signature Devices
Sets requirements for devices used by service providers:
– Measures and components used for certification services only
– Sheltered from unauthorized changes
– Secure technical and cryptographic safety of executable functions
– Control of every action that can influence the work of the certificate operating system
– Trustworthy system assured to EAL4 or higher
– Manufacturer’s declaration or conformity certificate of an accredited authority
– Reference to Lithuanian standards LST CWA and LST CWA
Requirements for Electronic Signature Creation Devices (Follow-up)
Sets requirements for signature creation devices:
– Secure signature creation device, protected by password and/or biometric data
– Trustworthy cryptographic and data formatting algorithms
– Manufacturer’s declaration or conformity certificate of an accredited authority
– Trustworthy system assured to EAL4 or higher
– Reference to Lithuanian standards LST CWA and LST CWA
Based on Directive 1999/93/EC Annex 3
Sets requirements for signature verification devices:
– Trustworthy verification of electronic signatures
– Any security-relevant changes can be detected
– Reference to Lithuanian standard LST CWA
Based on Directive 1999/93/EC Annex 4
The Procedure for Registration of Certification Service Providers Issuing Qualified Certificates
Objective of service provider registration: to collect information about service providers in order to ensure supervision of electronic signature
– Sets the procedure for application submission
– Terms, data and documents of the service provider
– Order of application examination
– Ability to correct or renew data and documents
– Notice in writing about possible suspension of registration
– Suspension of registration if the notified defects are not removed
– Revocation of registration if the notified defects are not removed within the additional term
The Order of Supervision of Electronic Signature
Defines relations between the Committee and certification service providers
Object of supervision: certification service providers issuing qualified certificates or providing facilities related to qualified certificates
Objectives of supervision:
– Take part in the implementation of national policy on electronic signature
– Coordinate the activities of qualified service providers
– Supervise how service providers observe the determined requirements
– Pursue compatibility of electronic devices at national and international scale
Measures of supervision:
– Preparation of legal acts
– Registration and accreditation of service providers
– Succession of certificate data when a service provider stops its activities
– Reports to parliament and government
Thank You
Kęstutis Andrijauskas
Information Society Development Committee under the Government of the Republic of Lithuania
Gedimino pr. 11, LT-2039 Vilnius, Lithuania
Ph.: (370 2)
Fax.: (370 2)
WEB: