E-Signatures The Community framework on e-signatures (Directive 1999/93/EC) Dr Ioannis Iglezakis Visiting Lecturer University of Thessaloniki, Greece.

Slides:



Advertisements
Similar presentations
WTO, Trade and Environment Division
Advertisements

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
KSTCD Branch/HRD Section/TrainForTrade & STICT Branch/ ICT Analysis Section1 Module 2 Legal validity of data messages.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
EDUCATION Directive 2002/14/EC of 11 March 2002 establishing a general framework for informing and consulting employees in the European Community.
1 Global Real Estate Valuation Policy Update: the European Perspective The principle: the EU Treaty does not provide the European institutions with direct.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
PROJECT ON DIGITAL SIGNATURE Submitted by: Submitted to: NAME: Roll no: Reg.no. :
INFORMATION TECHNOLOGY LAW LECTURE 3- ELECTRONIC SIGNATURE Dr. Kadir Bas.
Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.
PAPERLESS BUSINESS in GEORGIAN FINANCIAL SECTOR NANA ENUKIDZE - Advisor to the Governor.
M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.
S4: Market Surveillance Physikalisch-Technische Bundesanstalt Session 4: Market surveillance Peter Ulbig, Harry Stolz Belgrade, 31 October.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
DIGITAL SIGNATURE AND ELECTRONIC DOCUMENTS IN ITALY Prof. Pierluigi Ridolfi AIPA Authority for Information Technology in the Public Administration V. Solferino,
Some initiatives of the Belgian government in order to stimulate E-government Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg.
MEDIA LAW Copenhagen University SESSION 10 Dirk VOORHOOF Ghent University (->contact)
EU: Bilateral Agreements of Member States
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.
E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
1. 2 ECRF survey - Electronic signature Mr Yves Gonner Luxembourg, June 12, 2009.
Cyber Law & Islamic Ethics
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
Dr. Diganta Biswas School of Law Christ University, Bangalore.
National Smartcard Project Work Package 8 – Security Issues Report.
S3: Module D Physikalisch-Technische Bundesanstalt Session 3: Conformity Assessment Module D Peter Ulbig, Harry Stolz Belgrade, 31 October.
1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.
Several different ways to indicate person by electronic signature 1.typing the signer's name into the signature area 2.pasting in a scanned version of.
"certification service provider" Electronic Signatures
COPYRIGHT GRANTS AND THE E-SIGN ACT Jeanne M. Hamburg Norris, McLaughlin & Marcus, P.A. 875 Third Avenue New York, New York (212)
IBT- Electronic Commerce The Legal Infrastructure Victor H. Bouganim WCL, American University.
© OECD A joint initiative of the OECD and the European Union, principally financed by the EU Σ SIGMA E-procurement in the European Union Directives on.
M. ANGELA JIMENEZ 1 UNIT 5. REGULATION OF EXTERNAL AUDIT IFAC AND E.C.
Cryptography, Authentication and Digital Signatures
Massella Ducci Teri Italian approach to long-term digital preservation Policies for Digital Preservation ERPANET Training Seminar.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Riccardo Genghini - Ws E-Sign Chairman – IETF PKIX San Francisco March Electronic Signature infrastructure for Europe Riccardo Genghini Cen/Isss.
UNECE – SIDA “ SOUTH EAST EUROPE REGULATORY PROJECT” FIRST MEETING OF REGULATORS FROM SOUTH EAST EUROPEAN COUNTRIES PRESENTATIONFROM THE REPUBLIC OF MACEDONIA.
EESSI June 2000Slide 1 European Electronic Signature Standardization Hans Nilsson, iD2 Technologies, Sweden.
Drs. Krishna and Webb October 31,  6  6.1  6.2  6.3  6.4  7.1, 7.2, 7.3, 7.4  7  7.3  7.4  LUNCH ANSI Training 2013: Webb/Krishna.
DIGITAL SIGNATURE.
Data protection as an integral part of OOP implementations: The Austrian approach Peter Kustor.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
1 TIR Application in the Community. 2 Basic Principles European Community law: –Council Regulation 2913/92 (the Customs Code): Article 91, paragraph 2.
REGULATION OF E- COMMERCE IN EU LAW Ioannis Iglezakis.
Week 12. Lecture 2. Health Law & the EU Cross-border healthcare: patients’ rights.
Content Introduction History What is Digital Signature Why Digital Signature Basic Requirements How the Technology Works Approaches.
1  Only 370 million of world’s 6 billion population know English as native language  70% content on web is in English but more than 50% of current internet.
Protection of Personal Information Act An Analysis on the impact.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
LAWS OF MALAYSIA ACT 658 ELECTRONIC COMMERCE ACT 2006.
M O N T E N E G R O Negotiating Team for the Accession of Montenegro to the European Union Working Group for Chapter 10 – Information society and media.
TAG Presentation 18th May 2004 Paul Butler
Electronic Transactions & Authentication
TAG Presentation 18th May 2004 Paul Butler
General Data Protection Regulation
Automated beef classification
The activity of Art. 29. Working Party György Halmos
Dashboard eHealth services: actual mockup
14. “(1) Unless otherwise agreed where the originator has stated that the electronic communication is conditional on receipt of acknowledgment, the electronic.
Website authentication E-registered delivery
Presentation transcript:

E-Signatures The Community framework on e-signatures (Directive 1999/93/EC) Dr Ioannis Iglezakis Visiting Lecturer University of Thessaloniki, Greece

The need for secure electronic communication Security issues typical to open networks: messages can be intercepted and manipulated the validity of documents can be denied personal data can be illicitly collected identity fraud

The need for secure electronic communication Legal validity of electronic transactions Form requirements Evidence Trustworthy Third Parties

Functions of e-signatures Authentication Integrity Validation Non-repudiation

Technical description of e-signatures ONE KEY SYMMETRIC ALGORITHM Sender (knows the secret key) Plain text enciphered Encryption algorithm ΑbcΑbc œŠ Þß ΑbcΑbc Decryption algorithm Recipient (knows the secret key) enciphered plain text

Technical description of e-signatures ASSYMETRIC TWO KEYS ALGORITHM – PUBLIC –PRIVATE KEY ALGORITHM (PKI) Plain textEncrypted text œŠÞß ΑbcΑbc Private key ΑbcΑbc Public key Recipient (knows the public key) Plain text Encrypted text Sender (knows the public and private key)

Certification Verification of the authenticity and integrity of data does not necessarily prove the identity of the owner of the public key, since anyone can publish a public key under another name Authentication of a public key is performed by Certification Service Providers (CSPs) after verification of a public key, a certificate is issued containing this and other information. The certificate is digitally signed by the CSP.

Certificates Content of a certificate: Name or pseudonym of the signatory Name of the CSP Public key of the signatory Algorithm Type of key Profession Position within an organisation, qualifications Limits of liability Certification expire date

Legislations on e-signatures United States >>Utah Digital Signature Act 1995 ( The Utah Act was the first to authorize commercial use of digital signatures. It governed the use of public-private key pair encryption and certification authorities. Certification authorities had to be licensed by the Utah Department of Commerce. ) >>Electronic Signatures in Global and National Commerce Act 2000 European Legislation >>German Multimedia Law 1997, Italian law 1997 UNCITRAL Model law >>Article 7(1)(b) “that method is as reliable as was appropriate for the purposes for which the data message was generated..” EU Directive 1999/93/EC

Electronic Signatures Directive 1999/93 Main objective: to create a Community framework for the use of e-signatures, allowing the free flow of e-signature products and services across borders and ensure the legal recognition of e-signatures It does not address the conclusion and validity of contracts prescribed by national or EU law ->Article 9 of e-Commerce Directive (2000/31) enabling principle

Electronic Signatures Directive 1999/93 Definitions 1. ‘electronic signature’ means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication; 2. ‘advanced electronic signature’ means an electronic signature which meets the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using means that the signatory can maintain under his sole control; and (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;

Directive 1999/93 Definitions 3. ‘signatory’ means a person who holds a signature-creation device and acts wither on his own behalf or on behalf of the natural of the natural or legal person or entity he represents 4. ‘signature-creation data’ means unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature; 5. ‘signature-creation device’ means configured software or hardware used to implement the signature-creation data; 6. ‘secure-signature-creation device’ means a signature-creation device which meets the requirements laid down in Annex III; 7. ‘signature-verification-data’ means data, such as codes or public cryptographic keys, which are used for the purpose of verifying an electronic signature; 8. ‘signature-verification device’ means configured software or hardware used to implement the signature-verification data;

Directive 1999/93 Definitions 9. ‘certificate’ means an electronic attestation which links signature-verification data to a person and confirms the identity of that person; 10. ‘qualified certificate’ means a certificate which meets the requirements laid down in Annex I and is provided by a certification-service-provider who fulfils the requirements laid down in Annex II; 11. ‘certification-service-provider’ means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures;

Requirements for qualified certificates(ANNEX I) Qualified certificates must contain: (a) an indication that the certificate is issued as a qualified certificate; (b) the identification of the certification-service-provider and the State in which it is established; (c) the name of the signatory or a pseudonym, which shall be identified as such; (d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended; (e) signature-verification data which correspond to signature-creation data under the control of the signatory; (f) an indication of the beginning and end of the period of validity of the certificate; (g) the identity code of the certificate; (h) the advanced electronic signature of the certification-service- provider issuing it; (i) limitations on the scope of use of the certificate, if applicable; and (j) limits on the value of transactions for which the certificate can be used, if applicable.

Requirements for certification-service-providers issuing qualified certificates (Annex II) Certification-service-providers must: (a) demonstrate the reliability necessary for providing certification services; (b) ensure the operation of a prompt and secure directory and a secure and immediate revocation service; (c) ensure that the date and time when a certificate is issued or revoked can be determined precisely; (d) verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued; (e) employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature techology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards; (f) use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them; (g) take measures against forgery of certificates, and, in cases where the certification-service-provider generates signature-creation data, guarantee confidentiality during the process of generating such data;

Requirements for certification-service-providers issuing qualified certificates (h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance; (i) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically; (j) not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services; (k) before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in redily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate; (l) use trustworthy systems to store certificates in a verifiable form so that: only authorised persons can make entries and changes, information can be checked for authenticity, certificates are publicly available for retrieval in only those cases for which the certificate-holder's consent has been obtained, and any technical changes compromising these security requirements are apparent to the operator.

Directive 1999/93 Requirements for secure signature-creation devices 1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that: (a) the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured; (b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology; (c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others. 2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.

Directive 1999/93 Recommendations for secure signature verification During the signature-verification process it should be ensured with reasonable certainty that: (a) the data used for verifying the signature correspond to the data displayed to the verifier; (b) the signature is reliably verified and the result of that verification is correctly displayed; (c) the verifier can, as necessary, reliably establish the contents of the signed data; (d) the authenticity and validity of the certificate required at the time of signature verification are reliably verified; (e) the result of verification and the signatory's identity are correctly displayed; (f) the use of a pseudonym is clearly indicated; and (g) any security-relevant changes can be detected.

Standardisation of e-signature products Compliance with the requirements in Annex Ii and III is presumed when e-signatures products meet “generally recognized standards” EESSI (European Electronic Signature Standardization Initiative) established by CEN and ETSI produced relevant standards Commission Decision of 14 July 2003 on the publication of reference numbers of generally recognized standards: — CWA (March 2003): security requirements for trustworthy systems managing certificates for electronic signatures — Part 1: System Security Requirements — CWA (March 2002): security requirements for trustworthy systems managing certificates for electronic signatures — Part 2: cryptographic module for CSP signing operations — Protection Profile (MCSO-PP) — CWA (March 2002): secure signature-creation devices.

Directive 1999/93 Legal effects of electronic signatures Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure- signature-creation device: (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and (b) are admissible as evidence in legal proceedings.

Directive 1999/93/EC Legal effects of e-signatures Implementation in national legislation through: legal presumptions concerning the authenticity and integrity of an electronically signed document; a legal fiction, according to which, documents with electronic signature are equated as to their effect to private documents. Most laws introduce legal presumptions concerning electronic signatures, e.g. Singapore Electronic Transactions Act 1998, s. 18 (2) (a), (b), Utah Digital Signature Act 1996 (Utah Code § 46-3), § 406 (3) (b).

Directive 1999/93 Legal effects of plain e-signatures Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is: — in electronic form, or — not based upon a qualified certificate, or — not based upon a qualified certificate issued by an accredited certification-service-provider, or — not created by a secure signature-creation device.

Other requirements not established by the Directive 1999/93 Archiving (storage) of electronically signed documents Example: UNCITRAL Model law - Article 10. Retention of data messages (1) Where the law requires that certain documents, records or information be retained, that requirement is met by retaining data messages, provided that the following conditions are satisfied: (a) the information contained therein is accessible so as to be usable for subsequent reference; and (b) the data message is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to represent accurately the information generated, sent or received; and (c) such information, if any, is retained as enables the identification of the origin and destination of a data message and the date and time when it was sent or received.

Directive 1999/93 Provisions for certification service providers (CSPs): Market access Country of origin principle Liability Recognition of non-EU CSPs Data protection

Directive 1999/93 Provisions for CSPs Market access (Art. 3) 1. Member States shall not make the provision of certification services subject to prior authorisation. 2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification-service-providers for reasons which fall within the scope of this Directive.

Directive 1999/93 Provisions for CSPs Internal market principle (Art. 4) 1. Each Member State shall apply the national provisions which it adopts pursuant to this Directive to certification service-providers established on its territory and to the services which they provide. Member States may not restrict the provision of certification-services originating in another Member State in the fields covered by this Directive. 2. Member States shall ensure that electronic- signature products which comply with this Directive are permitted to circulate freely in the internal market.

Directive 1999/93 Provisions for CSPs Liability As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification service- provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate

Directive 1999/93 Provisions for CSPs International aspects Certificates which are issued as qualified certificates to the public by a certification service-provider established in a third country are recognised as legally equivalent to certificates issued by a certification- service provider established within the Community if: (a) the certification-service-provider fulfils the requirements laid down in this Directive and has been accredited under a voluntary accreditation scheme established in a Member State; or (b) a certification-service-provider established within the Community which fulfils the requirements laid down in this Directive guarantees the certificate; or (c) the certificate or the certification-service-provider is recognised under a bilateral or multilateral agreement between the Community and third countries or international organisations.

Directive 1999/93 Provisions for CSPs Data protection Member States shall ensure that certification-service providers and national bodies responsible for accreditation or supervision comply with the requirements laid down in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Directive 1999/93 Provisions for CSPs Data Protection Member States shall ensure that a certification-service provider which issues certificates to the public may collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent certification service providers from indicating in the certificate a pseudonym instead of the signatory's name.

Impact of the Directive on other Legislation Directive 2001/115/EC Public Procurement Commission Decision on electronic and digitised documents (2004/563)