22.04.2014
Method for Authentication Provision in Cross Border Interaction
SHORT SUMMARY
Electronic interaction plays a major role in modern society. First of all, this means electronic document flow (and therefore electronic digital signatures, since a document by definition cannot exist without a signature) and electronic services that require personal identification.
To provide all opportunities for remote interaction, it is necessary to exclude the anonymity of the participants and to have a reliable system of authentication.
Different means are used to solve this problem: from a simple “login-password” to PKI systems based on asymmetric cryptography with public and private keys backed by qualified electronic signature certificates (bound to a specific person and issued by certification-service providers authorized by the corresponding state authorities). Accordingly, the trust level of each authentication system is different.
When a more reliable means of authentication is required and advanced or qualified certificates are used to provide it, it becomes necessary to verify these certificates as of the moment of electronic digital signature creation or of application to the certification-service provider. Such legally valid verification is obtained without difficulty in only one case: when all participants of the electronic interaction operate in the “common environment” of the certification-service provider that has issued and supports the verified certificate. If this condition is not fulfilled, problems appear. They depend on whether the process participants and the CA operate within the same jurisdiction or in different jurisdictions. The core of these problems lies in essential differences in the standards, technologies and legislative bases applied by different countries and jurisdictions.
The present Method analyses the principal problems of authentication in electronic document circulation and electronic interaction between parties in different jurisdictions, based only on PKI technologies. It describes a universal approach to solving these problems and a principle of interaction between the parties of the authentication verification process: first, from the technological and organizational point of view, as a description of the interaction process; and second, from the juridical point of view, as a method of verifying the legitimacy of an electronic digital signature or certificate when the question is examined in courts of different jurisdictions. Since the solutions proposed in the present Method address the most complicated case, the whole range of technological, standard, communication and legal incompatibilities, it can be supposed that, if the Method is found admissible, it can also be applied where only some of these incompatibilities are present, for example within one country or one region.
The ways of applying these solutions from the technical point of view are secondary for the present Method, because they can be implemented on the basis of available local or international standards and recommendations.
The Method was prepared on the basis of an analysis of reports, publications, discussion materials, UN recommendations, original texts of legislative acts in the sphere of electronic signatures and electronic authentication, best world practices in implementing solutions to the designated problems, and the practical experience of the International Association “e-Signature Without Borders”. Only integrated conclusions were used in preparing the Method; therefore no copyrights were violated.
The Method is intended for specialists in PKI technologies and legislation who have knowledge and experience in related spheres. The Method applies only to advanced and qualified electronic signature key certificates. Simple signatures are not examined by the Method.
The Method has been discussed and approved by the board of the International Association “e-Signature without Borders”.
For the first time the Method principles were presented at the International conference “PKI-Forum 2010” in September 2010 in Saint Petersburg.
All copyrights reserved. The material may not be published, broadcast, rewritten, used and copied in whole or part without the express written permission.
- TERMS AND DEFINITIONS
The present Method uses the following terms and definitions:
- Authenticity – conformity of announced and actual (person, information);
- Authentication – conformity of identity;
- Electronic signature (ES) – information in electronic form linked with an electronic document (other information in electronic form) in such a way that the identity of the signer and the integrity of the data can be verified;
- Electronic signature verification key certificate (SVC) – an electronic or a paper document that was issued by a Certification Authority or CA trusted party and is used to verify that a public key belongs to a holder of the electronic signature verification key certificate;
- Qualified electronic signature verification key certificate (qSVC) (qualified certificate) – an electronic signature verification key certificate that is issued by the accredited Certification Authority or the accredited CA trusted party or a federal executive power body authorized in the sphere of electronic signatures application (authorized federal body);
- A holder of an electronic signature verification key certificate – a person who gets an electronic signature verification key certificate in the order determined by the current Federal law;
- Electronic signature key or private key – a unique combination of symbols for electronic signature creation;
- Electronic signature verification key or public key – a unique combination of symbols linked with a private key and meant for electronic signature verification, signed with an electronic signature by the Certification Authority that has issued SVC;
- Certification Authority (CA) – a legal entity or an individual entrepreneur that creates and issues electronic signature verification key certificates and fulfills other functions provided by the current Federal law;
- Electronic signature devices (ESD) – encryption (cryptographic) devices used for one of the following functions: electronic signature creation, electronic signature verification, public and private keys creation;
- Certification Authority devices (CAD) – soft- and (or) hardware devices used to fulfill the functions of a Certification Authority;
- Participants of electronic interaction – public authorities, local self-governed authorities, organizations and citizens realizing electronic information exchange;
- Corporate information system (CIS) – information system with a certain group of participants of electronic interaction;
- Public access information system (PIS) – information system for public use that cannot refuse to provide a service or to support a public process;
- Hashing – the transformation of a string of characters into a usually shorter fixed-length value or key (hash) with no possibility of reverse transformation;
- Electronic signature creation procedure – a complex mathematical process that calculates the hash of a document and encrypts the hash with a signing key (an electronic signature key of a signatory). The document, the encrypted hash and the electronic signature verification key certificate are attached to the document or linked with it in some other way – depending on the technology used;
- Validity verification of electronic signature verification key certificate – a procedure by which a message recipient gets strong proof of validity of a verified SVC at the moment of its creation. Information on the validity of an SVC can be obtained from the CA that issued the electronic keys and the electronic signature certificate to the signatory. The information can be provided in online mode (by OCSP or VPKC protocols), usually only for contractual customers of the CA. If the certificate validity cannot be checked in online mode, it can be checked via the Certificate Revocation Lists (CRLs) that each CA publishes. CRL update intervals differ. Therefore, to get reliable information on certificate validity at the moment of electronic signature creation, the certificate has to be checked against a CRL dated later than the creation of the ES. The interval may vary from several hours to several days. Such verification is therefore not always compatible with processes that should be initiated on receipt of a message (for example, a payment order), since the message can be accepted only after the next CRL update, in other words after an uncertain period of time. This type of verification can hardly be considered efficient, which is why only SVC validation in online mode is acceptable.
- Validity verification procedure of electronic signature – consists of two processes: validity verification of the SVC and mathematical verification, in which the encrypted hash of the content is decrypted using the signatory’s public key. The decrypted hash is compared to a newly computed hash of the data content. The signature is valid if the hashes match.
- Legitimacy – compliance with laws, rules and technologies in a certain jurisdiction.
- Validation – confirming that a verified product is authentic (obtained by a certain person) and valid (at a certain period of time).
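The CRL timing rule from the definition of SVC validity verification, as an added example that is not part of the original Method. The CRL layout (a dictionary with `this_update` and `revoked`), the serial `SVC-0001`, the dates and the function names are constructed for illustration.

```python
from datetime import datetime, timezone


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def status_at_signing(serial, signed_at, crls):
    """Decide the SVC status at signing time from the CRLs published so far.

    Returns (verdict, decided_at): verdict is 'revoked', 'valid' or 'pending';
    decided_at is the issue time of the CRL that settled it (None if pending).
    """
    for crl in sorted(crls, key=lambda c: c["this_update"]):
        revoked_at = crl["revoked"].get(serial)
        if revoked_at is not None and revoked_at <= signed_at:
            return "revoked", crl["this_update"]
        if crl["this_update"] > signed_at:
            # First CRL issued after the signature that lists no earlier
            # revocation: only now is "not revoked at signing" established.
            return "valid", crl["this_update"]
        # A CRL issued before the signature says nothing about the interval
        # between its issue time and the signing time, so keep looking.
    return "pending", None


def naive_check(serial, crls):
    """The flawed shortcut: trust the newest CRL at hand, whatever its date."""
    newest = max(crls, key=lambda c: c["this_update"])
    return "revoked" if serial in newest["revoked"] else "valid"


# Constructed sample: a CA that publishes one CRL per day at 00:00 UTC.
SIGNED_AT = utc("2014-04-22 09:30")  # moment the payment order was signed
CRL_BEFORE = {"this_update": utc("2014-04-22 00:00"), "revoked": {}}
CRL_AFTER_CLEAN = {"this_update": utc("2014-04-23 00:00"), "revoked": {}}
CRL_AFTER_REVOKED = {"this_update": utc("2014-04-23 00:00"),
                     "revoked": {"SVC-0001": utc("2014-04-22 08:00")}}

if __name__ == "__main__":
    # With only the CRL issued before signing, the shortcut already says "valid".
    print(naive_check("SVC-0001", [CRL_BEFORE]))
    print(status_at_signing("SVC-0001", SIGNED_AT, [CRL_BEFORE]))
    print(status_at_signing("SVC-0001", SIGNED_AT, [CRL_BEFORE, CRL_AFTER_REVOKED]))
```

In the constructed sample the Recipient cannot decide until the next CRL appears, 14.5 hours after the signature, which is the delay the definition describes.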
- PROBLEM DEFINITION
THEORETICAL PRECONDITIONS.
While developing the concept of the present Method, the following was taken as basic data:
- Personal authentication for the provision of electronic services is connected with validity verification of the applicant’s SVC. Validity verification of an ES includes this procedure and, in addition, the mathematical verification of the ES. The present Method examines questions and solutions related to validity verification of ES. Since the questions related to personal authentication are a part of this procedure, it is not reasonable to examine them separately in the present Method.
- The functions of ES application are:
- Affiliation of a document;
- Provision of integrity and invariability of a document in a transmission process;
- Fixing the time of document signing;
- Provision of non-repudiation of authorship and content of a document.
All these functions of an ES can be implemented both together and separately. However, even after an electronic signature has been verified and, with a positive validation result, the authorship, integrity and invariability of a document and the time of its signing have been confirmed, a problem of NON-REPUDIATION may arise in the future. This problem may appear after the signed document (for example, a payment order) has been executed. For this reason, the present Method examines not only how to obtain momentary confirmation of electronic signature validity, but also how to provide sufficient conditions for successful resolution in court of a dispute over repudiation of one’s signature, should such a problem appear in the future.
- Analysis of the present legislation of different countries in the sphere of electronic signature application shows that different countries legitimize different technologies, algorithms and rules both for ES creation (hashing and encryption) and for binding a signature to a document (S/MIME, PKCS #7, CMS, CAdES, XML-DSig, XAdES, PAdES, etc.). Besides, there are considerable differences in the rules of registration and application of electronic signature verification key certificates (SVCs). In some countries, an SVC has to contain only the identification data of its holder. By signing a document, the holder of the certificate defines his own role in the situation and, accordingly, is responsible for it (for example, in Estonia). In other countries, the SVC must also contain the authorities of its holder, which makes it necessary to have separate SVCs depending on the role played by the signer (a natural person, an accountant, a director, an authorized person, a property owner, etc.), as, for example, in Russia.
The analysis of the current legislation of different countries in the sphere of electronic signature recognition (source: http://e-swb.com/req.html) shows that the list of conditions for recognition differs from one country to another: simple recognition; recognition guaranteed by a country resident; accreditation of the foreign CA; an intergovernmental or international agreement, etc. Such essential and fundamental differences in the question of the legitimacy of a foreign ES in a given jurisdiction make the problem more complicated. The experience of the European Union, where attempts to unify the conditions and requirements for electronic signature creation and recognition by other EU countries have been undertaken for several years, confirms the conclusion that implementing unified rules by way of various directives or agreements is not really efficient.
The analysis of the question of possible export of electronic signature devices shows that the problem-solving approach is incomplete.
Firstly, the question of export or import can be impeded by restrictive measures from the state (as, for example, in Russia). Bypassing these restrictions automatically makes the exported or imported electronic signature devices illegal, and consequently, electronic signatures created by these devices will be illegal as well. That makes the principle of NON-REPUDIATION unrealizable.
Secondly, electronic document circulation (EDC) presupposes circulation of documents in both directions. At the same time, all the tasks entrusted to ES application have to be implemented equally for all participants of the process. In other words, in the case of a dispute on ES application, both parties should have equal opportunities for successful dispute resolution in court, including in their own jurisdiction. However, the use of “foreign” technology considerably limits the opportunities of a party that goes to law in its own jurisdiction using that “foreign” technology.
CONCLUSION: When it is really necessary to make legal application of electronic signatures possible in cross-border EDC, one has to proceed from the available legal and technological base, unique for each jurisdiction, and take these peculiarities into consideration without imposing one’s own rules and technologies.
- The analysis of the available judicial practice on disputes concerning repudiation of one’s own signature in different jurisdictions shows that, even when all parties of EDC act in one jurisdiction, court decisions in cases with similar circumstances differ. Even agreements on mutual recognition of ES (including agreements concluded between different CAs), which are allowed by the civil legislation of different jurisdictions, do not solve the problem. As a rule, such agreements only make it possible to confirm to third parties (customs, tax service and others) that legal relations exist between the parties; if one party repudiates its own signature, the dispute can be resolved only in court. The same principle holds for documents on paper: third parties can even be shown a paper copy, but if one party repudiates its own signature, such repudiation can be “blocked” only by a witnessed authorized signature or, more generally, by notarization of the agreement. In the latter case the notary can appear in court as a witness to the fact of autographic signing, which completely excludes the possibility of repudiation.
As a rule, when examining such cases a court has to engage experts (because of the peculiarities of the question), who evaluate whether the technical requirements for creation and verification of the disputed ES were met. Even within one country, because laws are insufficiently elaborated and allow various interpretations, different experts can reach different conclusions on the same facts. If the parties of EDC act in different jurisdictions and use different ES devices, expert evaluation becomes even more complicated.
This statement also concerns cases when the content of a signed document is disputed in court. For example, the Author of a document (a payment order) affirms that he instructed a bank to transfer 1 thousand dollars from his bank account to the account of Payee X. The bank has transferred 1 million euros from the Author’s bank account to the account of Payee Y and affirms that this was the Author’s instruction. In this case, it is the Author who has to prove in court that he gave an instruction different from the one executed by the Bank.
CONCLUSION: To increase the chance of resolving a dispute on electronic signature repudiation fairly, it is reasonable to focus the main attention not on experts, but on witnesses, that is, the participants of the validity verification process of the ES or SVC. It is they who confirm the fact that a concrete person signed a concrete document with a concrete hash. The conformity of the hash with the document content can be confirmed by an expert, based on a mathematical technique that can hardly be disputed, or by a court judge using standard hash calculators.
- Attempts by some participants of EDC to verify an ES by addressing the foreign CA directly do not solve the problem in general. This can only be an isolated variant of a solution to the authentication validation problem.
Firstly, these possibilities could be limited by the legislation of the foreign CA’s country, because they require free export of the ES devices that implement the validation function.
Secondly, few CAs provide verification of issued SVCs as a public service. As a rule, they provide this service only to their clients. However, even an agreement with the CA does not solve the problem, for the reasons mentioned below.
Thirdly, and most importantly: confirmation by the foreign CA of the validity of a signer’s ES or SVC cannot always be recognized as legitimate when a dispute is examined in court. With the existing technologies for verification of ES and electronic signature certificates, based on international recommendations (RFC 3029 – Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols (DVCS); RFC 2560 – Online Certificate Status Protocol (OCSP); RFC 3161 – Time-Stamp Protocol (TSP)), there is an exchange of requests and receipts that must always be signed by the respondent and very often by the requester. In other words, in the first case the Requester of validation (the Recipient) should be able to verify the signature of the CA on the receipt, and in the second case the verifying CA should be able to verify the signature of the Requester.
Meanwhile, none of the examined laws on electronic signature recognition (source: http://e-swb.com/req.html) distinguishes between the electronic signature of a natural person and the electronic signature of a CA. Both are foreign signatures from a legal point of view, and the conditions of their validation are equal. In other words, if the signature of a foreign natural person is not legitimate on the territory of another country, then the electronic signature of a foreign CA on the receipt confirming the validity of the ES or SVC of this natural person is not legitimate either! Consequently, the result of validity verification by directly addressing the foreign CA is not legitimate. This is true both for interaction between a natural person and a foreign CA and for interaction between two CAs of different jurisdictions.
Recognition of foreign electronic signatures via accreditation of a foreign CA on the basis of intergovernmental agreements may partly solve the problem, but only in each separate case.
CONCLUSION: such a scheme cannot be a universal solution to the posed problem, with the exception of separate cases when a foreign CA is recognized as legitimate by the foreign jurisdiction.
- In the case of a dispute between the parties of EDC on the validity of an ES in a document, when the ES was created by the rules of one of the parties, a corresponding claim can be brought. If the claim is examined in the jurisdiction of the petitioner, then even a court decision that is positive from the petitioner’s point of view may be executed only if the jurisdictions of the petitioner and the respondent have a proper agreement on mutual recognition of court decisions. If the case is examined in the jurisdiction of the respondent, a court decision positive for the petitioner is unlikely: firstly, because the court may not accept the claim at all, and secondly, because a court is generally governed by internal laws, and it is hard to prove a violation of the law of another jurisdiction.
Therefore, it’s necessary to build such a scheme of interaction where each separate stage of ES validity verification is legitimate in its own jurisdiction.
TOTAL CONCLUSION:
Independent validity verification of an ES by a separate participant of EDC is hardly feasible from a technical point of view and in most cases will not be legitimate from a legal point of view. Such verification can be implemented only with the participation of a third party, a Trusted Third Party. Meanwhile, to provide the principle of non-repudiation, every stage of the validity verification process should be legitimate in the jurisdiction where that stage is carried out. The evidence of ES authenticity should also be legitimate in the case of a court dispute.
- PRINCIPLES OF THE METHOD
Summarizing everything stated above, and with the aim of making the whole process of authentication provision in cross-border electronic document circulation legally valid, it is legitimate to set out the following principles:
- Electronic documents have to be signed with the author’s electronic signature, which is fully legitimate in his own jurisdiction. This condition should also cover the specific case when a resident of one country is an authorized person of a legal entity from another country. In this case his authorities should be properly confirmed to third parties by this legal entity (with its own ES). The authorized person nevertheless conducts business relations with third parties using his own personal ES, although, at the option of the legal entity’s head managers, it is also possible for them to authenticate all documents signed by the authorized person, naturally after verifying the validity of the authorized person’s electronic signature.
- The ES validity verification process should be completely legitimate both for the jurisdiction of an author of a document and for the jurisdiction of a recipient.
- The verification process should be acceptable both for corporate information systems and for information systems of public access.
- Verification can be made both on a presented original document (in this case the Author and the Recipient should understand that the text of the document will be available to all persons participating in the verification process) and WITHOUT PROVISION OF THE ORIGINAL DOCUMENT, using only a hash of the document. On the one hand, this eliminates the need to submit the original document (which may contain confidential information) to third parties participating in the verification process; on the other hand, it increases the objectivity of the participants of the verification process. At the same time, having obtained confirmation of ES validity with respect to the hash of a document, the initiator of the verification process should take the final decision on ES validity with respect to the whole document, based on the full identity of the decrypted and independently calculated hashes.
- There are two types of Verification:
Full verification of ES: validity verification of SVC; decryption by a verification key (contained in SVC) of the encrypted hash and its comparison to the hash presented by a verifying party. The confirmation of identity of decrypted and original hashes is a reason to consider the ES on a document as valid;
Validity verification of SVC on which ES was made – at the moment of ES creation. It may be applied in a case when a Recipient has a technical possibility to conduct the independent mathematical verification of ES (a proper electronic signature device is available). At the same time, it’s applied for authentication to provide an access to secure information systems.
- Verification result must provide the maximum information for a verifying party: a mathematical verification result (a signature under the document is authentic and valid); or the information about SVC (a type of SVC; its validity; expiration date; a signatory role; status of CA that has issued SVC; limitations of use, etc.) – in a case of only SVC validity verification with the further independent mathematical verification (if a verifying party has all necessary electronic signature devices).
- A Final decision (based on the information on verification results) on ES acceptability as a property providing legal validity to a document that provides authenticity of a specific document – should be taken by a verifying party. Verification process participants should be ready at any moment to confirm the facts and the results of their activities during the verification procedure.
Note: Sometimes a Requester wants to get not only a signature verification of validity but also verification of Author’s authorities. Of course, if a SVC contains such information and it is confirmed by the Author’s CA – it would be provided to the Requester (Verifying Party). But if SVC doesn’t contain the information, how is it possible to get such confirmation? And what to do in a case when the Author defines his role independently before signing and then signs a document (Estonia, Belgium, Germany)? Undoubtedly, it’s possible to establish a service on authorities verification via the corresponding registers and registries, but it would be a separate service.
- THE ESSENCE OF THE METHOD
Taking into consideration the principles mentioned above, it is logical to propose the following Method for providing authenticity of electronic documents in cross-border document circulation:
- Participants of a process and initial conditions:
- An author of a document. Uses a public and a private key, SVC and electronic signature devices, legitimate in his own jurisdiction.
- A Recipient of a Document (Addressee). Uses a public and a private key, SVC and electronic signature devices, legitimate in his own jurisdiction.
- CA-1 – a certification authority in the Recipient’s jurisdiction that has contractual relations with the Recipient and that has issued SVC and electronic signature devices to the Recipient. By the Recipient’s request provides the Author’s ES verification on the contractual base. During this procedure CA-1 is a Trusted Third Party in relation to the document Recipient.
- CA-2 – a certification authority in the Author’s jurisdiction that has contractual relations with the Author and that has issued SVC and electronic signature devices to the Author and is a holder of the SVC register.
- A Verification Coordinator – a structure that holds, on legitimate conditions, pairs of keys and SVCs of CA-1 and CA-2, which are also used by these certification authorities. Interacts with CA-1 and CA-2 over secure channels. At CA-1’s request, provides verification of the Author’s ES on a contractual basis. During the verification procedure the Verification Coordinator is a Trusted Third Party in relation to CA-1 (there is more information about the status and characteristics of the Coordinator below).
As it was mentioned above, there should be proper legal relations with the defined mutual rights and obligations and responsibilities between all participants of the process.
- The Principle of participants interaction
It’s necessary to divide the interaction principle in two modes: usual and extreme.
The task of the usual mode is to provide a verifying party with arguments confirming the validity and authenticity of the Author’s electronic signature and the integrity and invariability of the content of the signed document. The task of the extreme mode is to provide in court the evidence of the verification results on which the verifying party based its conclusion on the authenticity and validity of the Author’s signature.
Usual mode:
The author of the document signs it with his own ES, legitimate in his own jurisdiction.
- The document is sent to the Recipient. A transmission channel (secure information system, electronic mail, Skype, etc.) is of no importance.
- The Recipient gets the document with ES and addresses the CA-1 with a request of ES validity verification or SVC validity verification at the moment of ES creation (in a case when the Recipient has an opportunity to carry on the mathematical verification of the Author’s ES on his own). At the same time, the Recipient has to provide either a document hash and SVC (in the first case) or SVC (in the second case) to the CA-1. The request is processed under the rules of the CA-1. The request is signed with the Recipient’s ES using ES devices from the CA-1.
- CA-1 verifies the Author’s signature validity under the request, creates a proper request under the technology legitimate for this certain jurisdiction and sends it to the Verification Coordinator. The request is signed with the CA-1 ES.
- The Verification Coordinator verifies the validity of the ES on the CA-1’s request with the devices obtained from the CA-1 and starts processing it. During the processing the request is “taken apart”, and from its component parts a corresponding request to the CA-2 for validity verification of the Author’s SVC is created. This request must be created under the rules and technologies of the CA-2 and must be signed with the Coordinator’s ES created on an SVC issued by the CA-2. Because the Coordinator is a client of the CA-2, the request can be carried out in “online” mode (for example, over the OCSP protocol).
- The CA-2 gets the Coordinator’s request, verifies its ES validity, makes out a receipt on the request results under its own rules and technologies. The receipt is signed with the CA-2 ES.
- The Verification Coordinator verifies the CA-2 ES validity under the verification receipt and based on the results of the response from the CA-2 and depending on the type of request:
- makes out its own receipt on the Author’s SVC validity at the moment of ES creation under the rules of the CA-1 and sends it to the CA-1 – if only the Author’s SVC validity is verified;
- or starts the mathematical verification of ES – if the electronic signature is verified and under the verification results makes out a receipt on the ES validity concerning the hash.
Both variants of receipts are made out under the rules of the CA-1 and are signed with the Coordinator’s ES, ES keys and devices issued by the CA-1.
- The CA-1 receives the receipt from the Coordinator, verifies the validity of its ES and sends its own receipt on verification results to the Recipient.
All receipts are correspondingly signed with “a time stamp” provided by the CA cooperating at this stage.
It goes without saying that all participants of the interaction process should take part in it voluntarily and have proper legal relationships with each other, fixed in agreements defining all mutual rights, obligations and responsibilities.
Thereby, as a result of the usual verification mode the verification initiator (the Recipient) gets a legitimate confirmation of the Author’s signature validity, as a result of which the verification of the document’s authorship, integrity, invariability and time of its signing is provided.
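The usual-mode relay described above, as an added example (not the Association's software and not code from the original article): each hop verifies the incoming ES in the sender's trust domain and re-signs in the next one, so the Recipient only ever checks a CA-1 signature. Textbook RSA over constructed toy keys stands in for the real ES algorithms, dictionaries stand in for DVC and OCSP messages, and all function and field names are assumptions.

```python
# Added illustration: party names, message fields and keys are assumptions.
import hashlib
import json

E = 65537  # public exponent shared by every constructed toy key

def keypair(a, b):
    """Toy textbook-RSA key from the Mersenne primes 2**a-1 and 2**b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def sign_hash(hexhash, key):
    n, d = key
    return pow(int(hexhash, 16) % n, d, n)

def verify_hash(hexhash, es, n):
    return pow(es, E, n) == int(hexhash, 16) % n

def sign_document(doc, key):
    return sign_hash(hashlib.sha256(doc).hexdigest(), key)

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def seal(body, key, signer):
    """Attach the sender's ES to a request or receipt."""
    return {"body": body, "signer": signer, "es": sign_hash(digest(body), key)}

def unseal(msg, n):
    """Return the body only if its ES verifies under public modulus n."""
    if not verify_hash(digest(msg["body"]), msg["es"], n):
        raise ValueError("invalid ES on message from " + msg["signer"])
    return msg["body"]

class CA:
    def __init__(self, name, key):
        self.name, self.key, self.pub = name, key, key[0]
        self.issued = {}   # subject -> public modulus of the SVC this CA issued
        self.revoked = {}  # subject -> revocation time

    def status(self, subject, svc, at):
        if self.issued.get(subject) != svc:
            return "unknown"
        return "revoked" if self.revoked.get(subject, float("inf")) <= at else "good"

# Constructed keys. The Coordinator holds one key per jurisdiction it bridges.
AUTHOR, COORD_K1, COORD_K2 = keypair(107, 61), keypair(107, 89), keypair(127, 61)

def build():
    ca1, ca2 = CA("CA-1", keypair(127, 89)), CA("CA-2", keypair(127, 107))
    ca1.issued["coordinator"] = COORD_K1[0]
    ca2.issued.update(coordinator=COORD_K2[0], author=AUTHOR[0])
    return ca1, ca2

def coordinator_to_ca2(req1, ca1_pub):
    q = unseal(req1, ca1_pub)  # verify CA-1's ES before processing
    # "Taken apart": forward only what CA-2 needs, signed with the CA-2-issued key.
    part = {"subject": q["author"], "svc": q["svc"], "at": q["at"]}
    return seal(part, COORD_K2, "coordinator")

def ca2_answer(req2, ca2):
    q = unseal(req2, ca2.issued["coordinator"])  # the Coordinator is CA-2's client
    status = ca2.status(q["subject"], q["svc"], q["at"])
    return seal(dict(q, status=status), ca2.key, ca2.name)

def coordinator_to_ca1(req1, rcpt2, ca1_pub, ca2_pub):
    q, r = unseal(req1, ca1_pub), unseal(rcpt2, ca2_pub)
    if (r["subject"], r["svc"], r["at"]) != (q["author"], q["svc"], q["at"]):
        raise ValueError("CA-2 receipt does not answer this request")
    result = r["status"]
    if result == "good":  # mathematical verification of the Author's ES on the hash
        ok = verify_hash(q["hash"], q["es"], q["svc"])
        result = "valid" if ok else "bad-signature"
    body = {"hash": q["hash"], "author": q["author"], "at": q["at"], "result": result}
    return seal(body, COORD_K1, "coordinator")  # signed with the CA-1-issued key

def verify_cross_border(doc, es, signed_at, ca1, ca2, tamper=None):
    query = {"hash": hashlib.sha256(doc).hexdigest(), "es": es,
             "author": "author", "svc": AUTHOR[0], "at": signed_at}
    req1 = seal(query, ca1.key, ca1.name)  # CA-1 did not issue the SVC: ask Coordinator
    rcpt2 = ca2_answer(coordinator_to_ca2(req1, ca1.pub), ca2)
    if tamper:
        tamper(rcpt2)  # hook for modifying the CA-2 receipt in transit
    rcpt1 = coordinator_to_ca1(req1, rcpt2, ca1.pub, ca2.pub)
    final = seal(unseal(rcpt1, ca1.issued["coordinator"]), ca1.key, ca1.name)
    return unseal(final, ca1.pub)["result"]  # the Recipient trusts only CA-1

if __name__ == "__main__":
    ca1, ca2 = build()
    doc = b"constructed sample contract"
    es = sign_document(doc, AUTHOR)
    print(verify_cross_border(doc, es, 100, ca1, ca2))
    ca2.revoked["author"] = 50  # SVC revoked at t=50
    print(verify_cross_border(doc, es, 100, ca1, ca2))
    print(verify_cross_border(doc, es, 40, ca1, ca2))
```

The last two calls differ only in the signing time, which is why the receipt has to attest the SVC status at the moment of ES creation rather than at the moment of verification.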
The Extreme Mode:
If a dispute arises between the parties because a party repudiates his own electronic signature on the document and the case is brought to court, all participants of the verification process (CA-1, CA-2, Coordinator) take part in the legal process as witnesses and provide their own evidence of the verification results obtained in the usual mode.
If necessary, this evidence can be properly legalized according to the rules of the specific jurisdiction where the dispute is adjudicated. For example, in one case a notarization would be enough (if there are corresponding government agreements), in another case an apostille is required (if both states are Hague Convention Member states), and in a third case a consular assurance is required.
Of course, all these participants of the verification process, and the Recipient who initiates it, should properly document their activities during the ES verification process and store that documentation. These obligations, as well as the responsibilities in case of their violation, should be stated in the corresponding agreements between the parties: the Recipient and the CA-1, the CA-1 and the Coordinator, the Coordinator and the CA-2, or should be specified in a public offer of the CA-2.
Thereby, none of the stages of ES verification under the requests and receipts raises technical or juridical problems (they are carried out according to international standards and recommendations and on legitimate ES devices). The complete legitimacy of the whole verification procedure is provided by the legitimacy of each of its separate stages.
As a result, NON-REPUDIATION of an electronic signature on the document is provided. And, based on the present judicial opinion, this mechanism can operate regardless of the conditions for recognition of a foreign electronic signature by a specific jurisdiction.
The role and status of the Coordinator should be examined separately. To make the verification process legitimate, the Coordinator’s activities must be legitimate in each separate jurisdiction involved in the interaction, so the Coordinator must have the status of an international structure. A commercial structure can hardly fulfill this condition, because registering a branch or representative office outside the jurisdiction where the company is registered is a pretty complicated process. Therefore, it’s more reasonable to use a NONprofit structure for these purposes – an international association that has its own members in different countries and that could be present within different jurisdictions via its representative offices and via its own members (preferably certification authorities, but ordinary companies are also allowed). The relationships inside this association should be regulated by the Code providing such legal relations that allow the whole structure to act as the Coordinator. Taking all of the above into consideration, it is logical to suppose that there is a demand for such an International Association of Certification Authorities. Relations with Certification Authorities that are not members of the association should be regulated by corresponding agreements that can be concluded by the Association itself or by another party in the same jurisdiction.
Mutual responsibility between all participants of the verification process should be provided by the Code, corresponding agreements and available liability insurance of each participant of the verification process.
- THE IMPLEMENTATION PRACTICE OF THE METHOD
In order to implement the Method, a public organization, the International Association „e-Signature Without Borders“, undertakes the functions of the Coordinator. The Association is a transboundary structure and is legally present within different jurisdictions via the Association members or representative offices. Relations between the Association and Certification Authorities of different jurisdictions are regulated either by the Code of the Association (if a CA is a member of the Association) or by an agreement.
The Association has developed a hardware/software complex that fulfills all the tasks assigned to the Verification Coordinator (according to the Method).
The work of the hardware/software complex has been tested by verifying the validity of an electronic signature created on the Estonian qualified SVC that is included into the national ID-card – an official personal identification document of a resident of Estonia served by the Estonian Certification Authority „AS Sertifitseerimiskeskus“.
The tests (using the laboratory sample) showed that the time spent on:
- creation of a DVC-request on ES verification from a side of the Russian partner – „National Certification Authority“ (NCA);
- validity verification of ES under the request by the Coordinator;
- creation of an OCSP-request to „AS Sertifitseerimiskeskus“;
- obtaining the OCSP-receipt from „AS Sertifitseerimiskeskus“;
- validity verification of ES under the receipt by the Coordinator;
- mathematical verification of the verified ES;
- creation of DVC-receipts to the „National Certification Authority“ by the verification results;
- validity verification of the Coordinator’s ES under the receipt by the NCA
is from 0,8 to 1,4 seconds.
Test protocol can be found here:
http://e-swb.com/sa/Protokol_NUC.PDF
- CONCLUSION
The present Method is able to solve the problems of authenticity during cross-border interaction.
The present Method can be applied both to electronic signature verification and to establishing authenticity in electronic interaction.
The present Method can be used both in the frameworks of the corporate information systems and in the information systems of public access.
Simultaneous fulfillment of the following conditions could be an alternative to the present Method for achieving the same goals (an opportunity to provide authenticity in cross-border interaction):
- Creation of the World Certification Authority (for example, under the United Nations) that will issue root certificates for all national CAs and will be recognized by all countries.
- Unification of the legislations of all countries in the sphere of recognition of foreign electronic signatures.
- Implementation of full unification for the technology of ES creation and verification that violates the principles of „technologies neutrality“ currently in force.
The present Method will cease to be relevant only when these conditions are fulfilled.
Moreover, on the base of the present Method it seems quite promising to develop other services defined in the international recommendations X.842, such as: a service of non-repudiation, a service of evidences storage, a service of arbitration, a service of evidences provision, a service of notariat and others.
Nikolay Ermakov
Board Member of
the International Association
„e-Signature Without Borders“
Board Member of the judicial office
„Business Low Consult Service OU“
Konstantin Romanov
Director of
the law office „Romanov & Partners“
Member of the Chamber of Advocates
of Saint Petersburg
The main objective of the Directive on eSignature is to create a Community framework for the use of electronic signatures. It allows electronic signature products and services to flow freely across borders and ensures the legal recognition of electronic signatures.
The Directive addresses three forms of electronic signatures:
1. Basic electronic signature: understood in the simplest and broadest sense of electronic signature i.e. as a means to identify and authenticate data. It can be as simple as signing an e-mail message with a personal name.
To be a signature the authentication must relate to data and not be used as a method or technology only for entity authentication. For instance, when a person uses a PIN code to identify himself in order to get access to an electronic bank account, it is not an electronic signature. However, entering the same code in order to confirm a financial transaction and, in doing so authenticating this transaction, is an electronic signature. There are many applications making use of electronic signature technology, which do not qualify as electronic signatures according to the Directive when they are only used for entity authentication.
It should also be noted that the notion of signature used in the Directive refers to a legal concept and not to a technical one. This means that the definition is intended to cover all current and future technologies for electronic signatures as well as all possible interpretations of the term signature in the law of the Member States.
2. Advanced electronic signature (as defined by the Directive). This second form of signature has to meet the requirements defined in Article 2.2 of the Directive. In particular, this form of electronic signature is capable to be uniquely linked to the signatory and to identify the signatory, is created using means that are under the signatory's sole control and is linked to the data in such a way that any subsequent change in the data can be detected. The Directive does not favour a particular technology but in practice, this definition refers mainly to electronic signatures based on a public key infrastructure (PKI). This technology uses encryption technology to sign data, which requires a public and a private key.
3. "Qualified electronic signature": this third form is mentioned in Article 5.1 and consists of an advanced electronic signature based on a qualified certificate and created by a secure signature creation device which need to comply with the requirements in Annexes I, II and III.
http://ec.europa.eu/information_society/policy/esignature/eu_legislation/index_en.htm
Law on the Electronic Signature
(published in the Official Gazette of Romania no. 429/31.07.2001)
CHAPTER ONE
General Provisions
SECTION ONE
General Principles
Art. 1. This law regulates the legal status of the electronic signature, of the documents in electronic form as well as the requirements for electronic signatures certification service provision.
Art. 2. This law shall be complemented by the legal provisions on the conclusion of legal documents, on their validity and effects.
Art. 3. No provision herein may be construed as constraining the independent will and contractual freedom of the parties.
SECTION TWO
Definitions
Art. 4. For the purpose of this law:
Data in electronic form means information supplied in a conventional form appropriate for creating, processing, sending, receiving or storing that information by electronic means.
Document in electronic form means a collection of logically and operationally interrelated data in electronic form that reproduces letters, digits or any other meaningful characters in order to be read through software or any other similar technique.
Electronic signature means data in electronic form, which are included in, attached to or logically associated with a document in electronic form and serve as a method of identification.
Extended electronic signature means an electronic signature which meets all the conditions specified below:
a. it is uniquely linked to the signatory;
b. it allows the identification of the signatory;
c. it is created using means that the signatory can maintain under his sole control;
d. it is linked to the data in electronic form to which it relates in such a manner that any subsequent change of that document is detectable.
Signatory is a person who holds a signature-creation device and acts either on his own behalf or on behalf of a third party he or she represents.
Signature-creation data means unique data in electronic form, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature.
Signature-creation device means configured software and/or hardware, used to implement the signature-creation data.
Secure-signature-creation device means a signature-creation device which meets all the requirements below:
a. the signature-creation data used for signature generation can practically occur only once and their confidentiality can be ensured;
b. the signature-creation data used for signature generation cannot be derived;
c. the signature is protected from forgery by technological means currently available at the time it is generated;
d. the signature-creation data used for signature generation can reliably be protected by the signatory against their unauthorised use;
e. it must not alter the data in electronic form to be signed or prevent these data from being presented to the signatory prior to the completion of the signing process.
Signature-verification data means data in electronic form, including codes or public cryptographic keys, which are used for the purpose of verifying an electronic signature.
Signature-verification device means configured software and/or hardware, used to implement the signature-verification data.
Certificate means a collection of data in electronic form that attests the link between a person and the signature-verification data, confirming the identity of that person.
Qualified certificate means a certificate that meets the requirements specified in Art. 18 and is issued by a certification service provider which complies with the provisions of Art. 20.
Certification service provider means a Romanian or foreign person that issues certificates or provides other electronic signature-related services.
Qualified-certification service provider is a certification service provider that issues qualified certificates.
Electronic signature related product means any software or hardware which are intended to be used by a certification service provider for the provision of electronic signature-related services or for the creation or verification of electronic signatures.
CHAPTER TWO
The Legal Status of the Documents in Electronic Form
Art. 5. A document in electronic form that incorporates an electronic signature or has an electronic signature attached to or logically associated with it, based on a qualified certificate not suspended or not revoked at that time, and generated using a secure-signature-creation device is assimilated, in as much as its requirements and effects are concerned, to a document under private signature.
Art. 6. A document in electronic form that includes an electronic signature or has an electronic signature attached to or logically associated with it, acknowledged by the party the respective document is opposed to, has the same effects as an authentic document, between those who signed it and between those who are representing their rights.
Art. 7. Should the written form be required as proof or validity condition of a legal document in such cases as the law may provide, a document in electronic form shall satisfy to this condition if an extended electronic signature, based on a qualified certificate and created using a secure-signature-creation device was incorporated to, attached to or logically associated with it.
Art. 8. (1) If a party does not recognize a document in electronic form or an electronic signature, the court will always direct that the verification shall be made by expertise.
(2) For this purpose, the expert or specialist shall require qualified certificates and any other documents necessary, according to the law, for the identification of the author of the document in electronic form, the signatory or of the certificate titular.
Art. 9. (1) The party that claims in court an extended electronic signature must prove that it meets the requirements of Art. 4, 4th paragraph.
(2) An extended electronic signature based on a qualified certificate issued by an accredited certification service provider is presumed to satisfy the requirements of Art. 4, 4th paragraph.
Art. 10. (1) The party that claims in court a qualified certificate shall prove that the certification service provider which issued that certificate meets the provisions of Art. 20.
(2) An accredited certification service provider is presumed to meet the provisions of Art. 20.
Art. 11. (1) The party that claims in court a secure-signature-creation device shall prove that the device meets the provisions of Art. 4, 8th paragraph.
(2) A secure-signature-creation device that was homologated according to this law is presumed to meet the provisions of Art. 4, 8th paragraph.
CHAPTER THREE
Certification Service Provision
SECTION ONE
Common Provisions
Art. 12. (1) Certification service provision is not subject to prior authorisation and shall be performed in agreement with the principles of free and fair competition, and in compliance with the legal provisions in force.
(2) Certification service provision by service providers established in the Member States of the European Union shall be made under the requirements of the European Accord, establishing an association between Romania and the European Communities and their Member States.
Art. 13. (1) Any person that contemplates providing certification services shall notify the specialised supervisory and regulatory authority of the start-up of activity no later than 30 days before the date of commencement.
(2) Along with the notification provided in the 1st paragraph, certification service providers shall supply exhaustive information about the security and certification procedures they use and any further information the specialised supervisory and regulatory authority may request.
(3) Certification service providers have the obligation to notify any intention of changing the security and certification procedures to the specialised supervisory and regulatory authority, with at least 10 days in advance, indicating the date and hour when the change enters into force, as well as the obligation to confirm in 24 hours the change effected.
(4) In emergency cases, where the security of certification services is affected, certification service providers can effect changes of the reported security and certification procedures and shall notify in 24 hours the specialised supervisory and regulatory authority of the changes effected and of their justification.
(5) Throughout their activity, certification service providers shall observe their reported security and certification procedures notified according to 2nd, 3rd and 4th paragraphs above.
Art. 14. (1) A certification service provider shall ensure access to any information necessary for the proper and safe use of its services. Such information shall be made available before entering into a contractual relation with the applicant for a certificate or on request from a third party that invokes a certificate.
(2) The information provided in the 1st paragraph shall be worded in writing, in a readily accessible language and sent by electronic means, provided it can be stored and reproduced.
(3) The information provided in the 1st paragraph shall include at least:
the procedure to be followed for electronic signature creation and verification;
the fee rate charged;
the concrete ways and requirements for the use of certificates, including the limitations of their use, provided that such limitations are recognisable to third parties;
the obligations incurred by the certificate holder and certification service provider under this law;
reference to the accreditation, if applicable;
the contractual provisions under which the certificate was issued, including the limited liability of the certification service provider, if applicable;
dispute settlement;
any other information established by the specialised supervisory and regulatory authority.
(4) The certification service provider shall send to the applicant a copy of the certificate.
(5) After the applicant has agreed to the certificate, the certification service provider shall enter the certificate in the register provided in Art. 17.
Art. 15. (1) The natural persons that provide certification services in their own name and the personnel employed by a certification service provider, whether the latter is a natural or legal person, shall keep the secrecy of the information entrusted to them in their professional activity, except for such information the certificate holder may agree to be made public or to be communicated to third parties.
(2) The unauthorised breach of the obligation provided in 1st paragraph is tantamount to professional secrecy disclosure, which is an offence punishable under Art. 196 of the Criminal Code.
(3) Supplying information to a public authority, when this authority acts in performance of its legal tasks and within the limits provided by law may not amount to professional secrecy disclosure.
(4) The obligation provided in the 1st paragraph shall apply also to the personnel of the specialised supervisory and regulatory authority and to any person empowered by it.
Art. 16. (1) The specialised supervisory and regulatory authority and certification service providers are bound to comply with the legal provisions for processing of personal data.
(2) Certification service providers may collect personal data only from the applicant for a certificate, or, subject to the explicit agreement of the applicant, from third parties. Data may be collected to the extent they are required for certificate issuance and conservation. For any other purposes, data collection and use is subject to explicit agreement of the applicant.
(3) Whenever a pseudonym is used, the real identity of the holder may not be disclosed by the certification service provider unless the holder has agreed or except in such cases as provided at Art. 15, 3rd paragraph.
Art. 17. (1) Certification service providers shall open and keep an electronic register of the certificates they issue.
(2) The electronic register of certificates shall specify:
the accurate date and time of issuance of a certificate;
the accurate date and time of expiry of a certificate;
the accurate date and time of suspension or revocation of a certificate, if applicable, including the causes thereof.
(3) The register shall be available for consultation at any time, including in the on-line system.
SECTION TWO
Qualified-Certification Service Provision
Art. 18. (1) A qualified certificate shall contain:
an indication that the certification was issued as a qualified certificate;
the identification data of the certification service provider as well as its citizenship if natural person, or nationality if legal person;
the name of the signatory or a pseudonym, identified as such, and any other specific attributes thereof, provided they are relevant for the purpose for which the qualified certificate is intended;
the signatory's personal identification code;
the signature-verification data corresponding to the signature-creation data under the exclusive control of the signatory;
the period of validity of the qualified certificate;
the qualified certificate identification code;
the extended electronic signature of the certification service provider issuing the certificate;
limitations of the scope of use of the qualified certificate or limits on the value of transactions for which the certificate can be used, if applicable;
any other information established by the specialised supervisory and regulatory authority.
(2) The certification service provider shall assign each signatory a personal code for the purpose of uniquely identifying the signatory.
(3) The generation of the personal identification code of the signatory and the qualified certificate identification code shall be generated according to a methodology defined through regulations issued by the specialised supervisory and regulatory authority.
(4) Further information other than required in the 1st paragraph may be supplied by a certification service provider in the certificate upon request of the holder, provided such information is not contrary to the law, moral standards and public order, subject to prior checking for accuracy.
(5) The qualified certificate shall expressly indicate that a pseudonym is used, if such is the case.
Art. 19. (1) Certification service providers shall check the identity of applicants exclusively on the basis of their identification papers before issuing them with qualified certificates.
(2) When issuing a qualified certificate, the certification service providers shall issue two copies of the certificate, on paper, out of which one is delivered to the holder and the other one shall be kept by the provider for no less than 10 years.
Art. 20. To issue qualified certificates, certificate service providers shall:
have the financial, material, technological and human resources appropriate to guarantee the security, reliability and continuity of the certification services offered;
ensure the operation of a prompt and secure registration service to record the information provided at Art. 17, especially the prompt and secure operation of a suspension and revocation service;
ensure the possibility to accurately determine the date and time of issuance, suspension or revocation of a qualified certificate;
verify, by appropriate means and in accordance with the law, the identity and, if applicable, any specific attributes of the applicant for a qualified certificate;
employ personnel who possess the expert knowledge, experience and qualifications necessary for the provision of the above specified services, particularly competence at managerial level, expertise in electronic signature technology and enough practice in proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;
use electronic signature related products that are highly reliable, protected against modification and which ensure the technical and cryptographic security of the electronic signature certification process;
take measures against forgery of certificates and, in cases where the certification service provider generates signature-creation data, guarantee confidentiality during the process of generating such data;
keep all the information about a qualified certificate for at least 10 years after the validity of that certificate has expired, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings, should a dispute occur;
not store, reproduce or disclose to third parties the signature-creation data, except in such cases as the signatory may require;
use reliable systems to store qualified certificates in a format that would meet the following requirements: only authorised persons can make entries and changes; the information may be checked for accuracy; qualified certificates may be consulted by third parties only if their holders have agreed; any technical change that may compromise these security requirements may be detected by authorised persons;
any other conditions established by the specialised supervisory and regulatory authority.
Art. 21. Qualified certification service providers shall use only secure-signature-creation devices.
Art. 22. (1) Qualified certification service providers shall have sufficient financial resources to cover the damage they may cause by their electronic signature certification-related activities.
(2) To ensure against such risks, they may subscribe an insurance policy issued by an insurance company or have a letter of guarantee issued by a specialty financial institution, or proceed in any other way established by decision of the specialised supervisory and regulatory authority.
(3) The sum for which the insurance policy or the letter of guarantee is issued shall be determined by the specialised supervisory and regulatory authority.
SECTION THREE
Suspension and Expiry of Validity of Certificates
Art. 23. (1) Any certification service provider shall suspend a certificate in 24 hours from the moment it learns, or it should and could have learnt about one of the following situations:
a request of the signatory, after checking his identity;
a court ruling so instructs;
the information contained in the certificate is no longer valid, if the revocation of the certificate is not mandatory;
any other circumstances that require suspension of the certificates under the security and certification procedures notified by the provider under Art. 13.
(2) Any certification service provider shall revoke a certificate in 24 hours from the moment it learns, or it should and could have learnt about one of the following situations:
a request of the signatory, after checking his identity;
the death of the signatory or its interdiction;
a non-contestable court ruling so instructs;
should it be proved beyond reasonable doubt that the certificate was issued on the basis of faulty or fake information;
if the essential information contained in a certificate is no longer valid;
whenever the confidentiality of the signature-creation data has been violated;
a fraudulent use of a certificate;
any other circumstances that require revocation of the certificates under the security and certification procedures notified by the provider under Art. 13.
(3) The certification service provider shall forthwith notify the holder of the suspension or revocation of the certificate and give the reasons for such a decision.
(4) The certification service provider shall make an entry regarding the suspension or revocation decision in the electronic register provided at Art. 17, in 24 hours from the moment it learns, or it should and could have learnt that the decision to this effect is made.
(5) The suspension or revocation shall be opposable to third parties as soon as it is recorded in the electronic register.
Art. 24. (1) Should a certification service provider plan to cease its electronic signatures certification-related activities or learn that it will no longer be able to provide them, it shall notify the specialised supervisory and regulatory authority at least thirty days in advance of its intention and about the appearance and nature of the circumstances that prevent it from continuing its activities.
(2) It is the duty of the certification service provider to notify the specialised supervisory and regulatory authority, if it can no longer engage in electronic signatures certification-related activities and could not foresee this at least thirty days before actually halting operations, in 24 hours from the moment it learnt or it should and could have learnt about the circumstances preventing it from continuing its activities. The notice shall specify about the appearance and nature of the circumstances that make further operation impossible.
(3) A certification service provider may transfer all or part of its activities to another certification service provider subject to the following requirements:
the certification service provider shall notify every holder of valid certificates no less than thirty days in advance of its intention to transfer its electronic signatures certification-related activities to another certification service provider;
the certification service provider shall state the identity of the certification service provider it plans to transfer its activities to;
the certification service provider shall state to every certificate holder that the latter may choose not to accept the transfer, and set a time limit and the terms of refusal; should an explicit agreement of a certificate holder not be received within the time specified by the certification service provider, the latter shall revoke the certificate.
(4) Should any of the cases provided in paragraphs (1) and (2) be applicable to a certification service provider, and its activities not be taken over by another certificate service provider, it shall revoke the certificates within thirty days of notifying their holders and take appropriate action to ensure conservation of its archives and personal data processing in compliance with the law.
(5) For the purpose of this article, dissolution or liquidation, whether voluntary or judicial, bankruptcy and any other cases of cessation of operation, except for the enforcement of penalties provided by paragraphs (2) and (3) of Art. 33, shall be construed as cases of cessation of electronic signatures certification-related activities.
CHAPTER FOUR
Monitoring and Control
SECTION ONE
Specialised supervisory and regulatory authority
Art. 25. The specialised supervisory and regulatory authority has the responsibility for applying the provisions of this law and of the related regulations.
Art. 26. (1) In no more than 18 months from the publication of this law in the Official Journal of Romania, a specialised public authority shall be established, with supervisory and regulatory tasks in the meaning of this law.
(2) Until the authority provided in the 1st paragraph is established, the specialised supervisory and regulatory authority provided herein shall be the Ministry of Communication and Information Technology.
Art. 27. The Ministry of Communication and Information Technology may delegate all or part of its responsibilities as specialised supervisory and regulatory authority provided herein to another public authority in its coordination.
Art. 28. (1) By the same time of the entry into force of this law, it shall be established the Certification Services Providers Register, named Register as follows, which is opened and updated by the specialised supervisory and regulatory authority. As the specialised public authority provided in Art. 26 is established, the Register will be taken over and updated by this authority.
(2) The Register represents an official situation of the certification services providers:
which have the headquarters in Romania;
which have the domicile or headquarters in another state and issue qualified certificates that are recognised according to Art.40.
(3) The Register ensures, by making the records provided by this law, the stocking of the identification data and of some information related to the activities of the certification service providers, as well as the public information regarding the data and information stocked.
(4) The content and structure of the Register are established through regulations issued by the specialised supervisory and regulatory authority.
Art. 29. (1) The recording of the identification data and of the information related to the activities of the certification services providers mentioned in Art. 28 2nd paragraph in the Register provided in Art. 28 should be made on a personal application base, which must be submitted to the specialised supervisory and regulatory authority no later than the date of commencement of provider's activity.
(2) The mandatory content of the application and the necessary documentation will be established through regulations issued by the specialised supervisory and regulatory authority.
Art. 30. (1) The Register is public and permanently updated.
(2) The requirements for keeping the Register, for the access to the information which it contents, for the information that may be given to the applicant are established through regulations issued by the specialised supervisory and regulatory authority.
SECTION TWO
Supervision of Certification Service Provider Operations
Art. 31. (1) The specialised supervisory and regulatory authority may, ex officio or upon request of any interested person, check compliance of a certification service provider's activities with the provisions of this law or of the regulations issued on the basis thereof, or order that such compliance be checked.
(2) The control functions of the specialised supervisory and regulatory authority as provided in the above paragraph shall be performed by purposefully empowered personnel.
(3) In order to perform their control functions, the control personnel is entitled to:
free permanent access, according to the law, to any place where certification service provision equipment is located;
request any document or information that are necessary for control purposes;
check implementation of any security or certification procedure the certification service provider being controlled may use;
seal off any equipment required for certification service provision or retain any document related to this kind of services for up to 15 days, if necessary;
take any other action provided by law.
(4) The control personnel shall:
not disclose the data they may learn in the exercise of their functions;
keep the sources of information relating to claims or intimations confidential.
Art. 32. (1) Certification service providers are obliged to facilitate the exercise of control functions by the personnel such functions were entrusted to.
(2) In case of non-compliance with the obligation provided in 1st paragraph, apart from the penalty provided in Art. 44 letter c), the specialised supervisory and regulatory authority may order the suspension of the activities of the certification service provider until the latter cooperates with the control personnel.
Art. 33. (1) Should the control disclose non-compliance with the provisions of this law or of the regulations issued on the basis thereof, the specialised supervisory and regulatory authority shall ask the certification service provider for compliance within such a time as it may set. During this time the specialised supervisory and regulatory authority may order the suspension of the activity of the provider.
(2) Failure to comply within the time limit as provided in the above paragraph is a reason for the specialised supervisory and regulatory authority to order the certification service provider to cease its activity and be erased from the Register.
(3) In the event of a serious breach of the legal provisions, the specialised supervisory and regulatory authority may forthwith instruct that the respective certification service provider stop its activity and be struck off the Certification Service Providers' Register.
Art. 34. (1) Whenever it orders a certification service provider to stop its activity, the specialised supervisory and regulatory authority shall ensure either revocation of certificates of that certification service provider and of the signatories, or that its activities or at least the electronic register of certificates issued and certificate revocation service are taken over by another certification service provider, subject to agreement by the latter.
(2) The specialised supervisory and regulatory authority shall promptly notify the signatories of the provider's end of activities and of the revocation of certificates or their take-over by another provider.
(3) Should no provider take over the activities of a certification service provider, the latter shall make sure that every certificate it may have issued is revoked. Should it fail to meet this obligation, the certificates shall be revoked by the specialised supervisory and regulatory authority at the provider's expense.
(4) The specialised supervisory and regulatory authority shall take over and keep the archives and the electronic register of certificates issued by the certification service provider whose activities were not taken over by another provider.
Art. 35. (1) The erasure of the certification services providers shall be made on the base of the notification made to the specialised supervisory and regulatory authority by the provider with at least thirty days before its cease of activity.
(2) The erasure can be made also ex officio by the specialised supervisory and regulatory authority, if it established by any means that the provider has ceased his activity.
SECTION THREE
Voluntary Accreditation
Art. 36. (1) In order to make proof of an increased level of security of the operations and of an appropriate level of protection of the lawful rights and interests of the users of certification services, certification service providers may apply to the specialised supervisory and regulatory authority for accreditation, if they so wish.
(2) The requirements and the procedure for issuance, suspension and withdrawal of the accreditation decision, the content of such decision, as well as the effects of its suspension and withdrawal, shall be defined through regulations issued by the specialised supervisory and regulatory authority, according to the principles of objectivity, transparency, direct proportionality and non-discrimination.
Art. 37. (1) Certification service providers accredited according to this law are entitled to specify this status in every signature certification activity they may perform.
(2) Certification service providers accredited according to this law shall ask that reference to this effect be made in the Register.
SECTION FOUR
Homologation
Art. 38. (1) The secure-signature-creation devices shall be checked for compliance with this law by homologation agencies which may be public or private legal persons agreeable to the specialised supervisory and regulatory authority in accordance with the conditions established through regulations issued by the latter.
(2) Upon completion of the checking procedure, a certificate of homologation of the secured signature-creation device is issued. The certificate may be withdrawn by the homologation agency should it find that the secured signature-creation device no longer complies with one of the provisions of this law.
(3) The conditions and procedure for the homologation agencies to be agreeable to the specialised supervisory and regulatory authority shall be defined through regulations issued by the specialised supervisory and regulatory authority.
(4) A decision of agreement shall be adopted by the specialised supervisory and regulatory authority.
Art. 39. (1) The specialised supervisory and regulatory authority shall oversee compliance by the accreditation agencies of this law, of the regulations issued on the basis thereof and of the Decision of agreement.
(2) The provisions of Arts. 30-32 shall apply mutatis mutandis to the specialised supervisory and regulatory authority's control over the activities of the homologation agencies.
CHAPTER FIVE
Acknowledgment of Certificates Issued by Foreign Providers
Art. 40. A qualified certificate issued by a certification service provider having its domicile or headquarters in another country shall be acknowledged as having the same legal effects as a qualified certificate issued by a certification service provider residing or having its domicile or headquarters in Romania if:
the certification service provider having its domicile or headquarters in another country was accredited according to this law; or
an accredited certification service provider having its domicile or headquarters in Romania guarantees the certificate; or
the certificate or the certification service provider that issued it is recognised by virtue of a bilateral or multilateral agreement between Romania and other states or international organisations on a mutual basis.
CHAPTER SIX
Liability of Certification Service Providers
Art. 41. A certification service provider that issues certificates presented as being qualified or guarantees such certificates is liable for damage caused to any person the behaviour of which is based on the legal effects of such certificates concerning:
the accuracy at the time of issuance of a certificate of all the information included therein;
the assurance that, at the time of issuance of a certificate, the signatory identified in the certificate held the signature-creation data corresponding to the signature-verification data referred to in the respective certificate;
the assurance that the signature-creation data were consistent with the signature-verification data, if the certification service provider generates them both;
the suspension and revocation of the certificate, in cases and conditions provided in Art. 24 1st and 2nd paragraphs;
fulfillment of every obligation provided by Arts. 13-17 and 19-22 herein,
unless the certification service provider proves that, in spite of his best effort, he could not prevent the damage from occurring.
Art. 42. (1) A certification service provider may indicate in a qualified certificate limitations of the scope of use of the certificate or limits on the value of transactions for which the certificate can be used, provided that the limitations or limits are recognisable to third parties.
(2) A certification service provider may not be held liable for damage arising from the use of a qualified certificate in breach of the limitations or limits provided therein.
CHAPTER SEVEN
Obligations of Certificate Holders
Art. 43. Certificate holders shall promptly apply for revocation of their certificates if:
a. they lost the signature-creation data;
b. have good reasons to believe the signature-creation data are known to an unauthorised third party;
c. the essential information contained in the certificate is no longer valid.
CHAPTER EIGHT
Administrative Violations and Penalties
Art. 44. The following offences by certification service providers are administrative violations, unless they are criminal offences under the law, punishable by fines ranging from ROL 5,000,000 to ROL 100,000,000:
a. failure to send the notice provided at Art. 13 paragraph (1);
b. failure to notify the specialised supervisory and regulatory authority of the security and certification procedures used in such conditions and within such time as provided at Art. 13;
c. non-compliance with the obligation to facilitate the exercise of control functions by the specialised supervisory and regulatory authority's duly empowered personnel;
d. transfer of electronic signatures certification activities in breach of the provisions of Art. 24 paragraph (3).
Art. 45. The following offences by certification service providers are administrative violations, unless they are criminal offences under the law, punishable by fines ranging from ROL 10,000,000 to ROL 250,000,000:
a. failure to provide the persons specified in Art. 14, 1st paragraph, in compliance with the conditions provided in Art. 14, 1st and 2nd paragraphs, with the mandatory information provided in Art. 14, 3rd paragraph, or to provide all this information, or to provide accurate information;
b. non-compliance with the obligation concerning the processing of personal data provided in Art. 16;
c. failure to make the entries required by law in the electronic register provided in Art. 17, or to make them within the time limit required by Art. 14, 5th paragraph, Art. 23, 1st or 2nd paragraph, or to make them accurately;
d. issuance of certificates presented as qualified to applicants, when such certificates do not contain all the mandatory specifications required by Art. 18;
e. issuance of qualified certificates containing information that is inaccurate, or contrary to the law, morals or public order, or that was not checked for accuracy as provided by Art. 18, 4th paragraph;
f. issuance of qualified certificates without the applicant's identity being checked, as Art. 19 provides;
g. failure to take action that would guarantee confidentiality in the process of signature data generation, should the provider generate such data;
h. failure to keep all the information about a qualified certificate for at least 5 years after the validity of the certificate has expired;
i. storage, reproduction or disclosure of signature-creation data to third parties, unless the signatory so requires, in cases where the provider issues qualified certificates;
j. storage of qualified certificates in a format that is in breach of the provisions of art. 20 letter j);
k. use of signature-creation devices in violation of the provisions of Art. 4, 8th paragraph herein, in cases where the provider issues qualified certificates;
l. if the provider intends to end its activities, or in any of the cases provided in Art. 24, 5th paragraph, when impossible for the provider to continue the activity, failure to notify the specialised supervisory and regulatory authority at least thirty days in advance of the specific circumstances that make further operation impossible or of its intention;
m. in any of the cases provided in Art. 24, 5th paragraph, if impossible for the provider to continue the activity and the provider could not foresee this situation with at least thirty days in advance, failure to notify within the term provided in Art. 24, 2nd paragraph of the specific circumstances that made it impossible for the continuation of electronic signatures certification-related activities;
n. failure to take appropriate action, in any of the cases provided at Art. 24, 1st and 2nd paragraphs, to ensure conservation of the archives or processing of personal data so as the law provides;
o. failure to suspend or to revoke the issued certificates, when suspension or revocation is compulsory, or failure to do so within the time provided by law;
p. continuation of electronic signatures certification activities when the specialised supervisory and regulatory authority instructed that such activities be suspended or ended;
q. undue use of the accredited provider status through a specific reference to that effect or in any other way in the issuance of certificates or performance of other electronic signatures certification-related activities;
r. failure to apply for registration at the Certification Service Provider's Register within the term provided in Art. 29, 1st paragraph, for the data and information provided in Art. 29.
Art. 46. Non-compliance by the homologation agency of its obligation to facilitate the exercise of control functions by duly delegated specialised supervisory and regulatory authority's personnel is an administrative violation punishable by fines ranging from ROL 15,000,000 to ROL 250,000,000.
Art. 47. The assertion of the administrative violation and the application of the penalties provided in this Chapter shall be enforced by the specialised supervisory and regulatory authority's personnel entrusted with control functions.
Art. 48. The provisions of this Chapter shall be complemented by the provisions of Law No.32/1968 on ascertaining and punishing administrative violations.
CHAPTER NINE
Final provisions
Art. 49. (1) The rating of the fees established by the homologation agencies for the homologation of secure-signature-creation devices and for the additional services shall be freely established, in compliance with the Competition Law no. 21/1996.
(2) The agencies mentioned in 1st paragraph may gather fees with different rates for different geographical areas or for emergency services, for on-line registrations or through the Internet, respecting their own commercial strategies and the legal provisions.
(3) Shall be forbidden for the agencies or their representatives to publish comparative tables, regarding the fees rating, and to adopt any measures that may restrict the commercials regarding the fees rating charged by the agencies for providing their services.
Art. 50. (1) The activities of the homologation agencies are subject to the provisions of the Competition Law No. 21/1996, regarding the establishment of the fees rating for the services provided and regarding the acts or facts that can restrict in any way the competition on the above mentioned services market.
(2) The homologation agencies are also subject to the provisions of the Law no. 11/1991 considering any of its meanwhile modifications, regarding the unfair competition.
Art. 51. The amount of the penalties provided in the law herein will be updated by Government Decision taking account of the evolution of the inflation rate.
Art. 52. Within a three months period from the publication of this law in the Official Journal of Romania 1st part, the specialised supervisory and regulatory authority shall elaborate the Rules of application of this law.
Art. 53. This law enters into force at the date of its publication in the Official Journal of Romania, 1st part and will apply three months after its entry into force.
http://www.legi-internet.ro/en/e-sign.htm
This Directive lays down the criteria that form the basis for legal recognition of electronic signatures by focusing on certification services. These comprise the following:
common obligations for certification service providers in order to secure transborder recognition of signatures and certificates throughout the European Community;
common rules on liability to help build confidence among users, who rely on the certificates, and among service providers;
cooperative mechanisms to facilitate transborder recognition of signatures and certificates with third countries.
The Directive defines new ideas:
the electronic signature, data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.
the advanced electronic signature, which meets the following requirements:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using means that the signatory can maintain under their sole control;
- it is linked to the data to which it relates in such a manner that any subsequent change in the data is detectable.
the qualified certificate, which must in particular include:
- an indication that it is issued as a qualified certificate;
- the identification of the certification service provider;
- the name of the signatory;
- provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
- signature-verification data corresponding to signature-creation data under the control of the signatory;
- an indication of the beginning and end of the period of validity of the certificate;
- the identity code of the certificate;
- the advanced electronic signature of the issuing certification service provider.
The certificate must also be issued by a certification service provider which meets specific requirements laid down in the Directive.
Market access
Member States must not make the provision of certification services subject to prior authorisation of any kind.
They may introduce or maintain voluntary accreditation schemes aimed at enhancing levels of certification-service provision.
Member States may not limit the number of accredited certification service providers for reasons which fall within the scope of the Directive.
Member States may make the use of electronic signatures in the public sector subject to possible additional requirements.
Member States may not restrict the provision of certification services originating in another Member State in the areas covered by the Directive.
Legal effects of electronic signatures
The main provision of the Directive states that an advanced electronic signature based on a qualified certificate created by a secure-signature-creation device satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data (for convenience this type of signature is usually called a “qualified signature”. Although the Directive describes it as such, it does not give a definition for it). It is also admissible as evidence in legal proceedings.
In addition, an electronic signature may not legally be refused simply because:
it is in electronic form;
it is not based on a qualified certificate;
it is not based upon a qualified certificate issued by an accredited certification service provider;
it is not created by a secure signature-creation device.
Liability
Member States must ensure that a certification service provider which issues a qualified certificate is liable vis-à-vis any person who reasonably relies on the certificate for:
the accuracy of all information in the qualified certificate;
compliance with all requirements of the Directive in issuing the qualified certificate;
assurance that the holder identified in the qualified certificate held, at the time of the issuance of the certificate, the signature-creation device corresponding to the signature verification device given or identified in the certificate;
in cases where the certification service provider generates the signature-creation device and the signature-verification device, assurance that the two devices function together in a complementary manner.
The certification service provider must not be liable for damage arising from use of a qualified certificate that exceeds the limitations placed on it.
International aspects
Member States must ensure that mutual legal recognition of qualified certificates and electronic signatures from third countries is applied if certain reliability conditions are met. The Commission may make proposals to ensure that international standards and agreements are fully implemented.
Data protection
Member States must ensure that certification service providers and national bodies responsible for accreditation or supervision comply with Directive 95/46/EC on the protection of personal data.
RELATED ACTS
Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions “Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market” [COM(2008) 798 final – Not published in the Official Journal].
In this communication, the Commission proposes an Action Plan aimed at assisting Member States in implementing mutually recognised and interoperable electronic signatures and e-identification solutions, in order to facilitate the provision of cross-border public services in an electronic environment. This is essential to avoid fragmentation of the single market.
Electronic signatures and e-identification are essential elements in enabling businesses and citizens to access public services. In particular, cross-border access to these services requires interoperable electronic signatures and e-identification solutions at European level. However, different legal, technical and organisational issues hinder the interoperability of identification systems. Similarly, although electronic signatures enjoy legal recognition in Europe as a result of the Directive detailed above, different technical and organisational issues also hinder its interoperability.
The Action Plan is structured in three parts:
actions targeted at improving the interoperability of qualified electronic signatures and advanced electronic signatures based on qualified certificates, which will clarify the regulatory framework and increase confidence in Certification Service Providers established in another country.
actions in the medium term to encourage the interoperability of advanced electronic signatures, which, in particular, would enable the validity of a signature received from another country to be easily verified.
actions in the medium term aimed at making e-identification interoperable.
Commission report of 15 March 2006 on the operation of Directive 1999/93/EC on a Community framework for electronic signatures [COM(2006) 120 final – not published in the Official Journal].
The report indicates that EU Member States have implemented the general principles of the Directive.
The Commission notes that transposition of the Directive into the legislation of the Member States has met the need for the legal recognition of electronic signatures. It therefore considers that the Directive's objectives have been fulfilled and that no need for its revision has emerged at this stage. The Commission nonetheless plans to consult the Member States and relevant stakeholders to address a number of issues, particularly on interoperability problems, technical aspects and standardisation.
The Commission notes that, in the event, there has been far less use of qualified electronic signatures than expected. The main reason for this is economic, in that service providers have little incentive to develop a multi-application electronic signature and prefer to offer solutions for their own services. A number of applications in the future might nonetheless trigger market growth, particularly in relation to eGovernment services.
Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council
[Official Journal L 175, 15.7.2003].
This Decision gives the references of three generally recognised standards for electronic signature products which presume compliance with the qualified electronic signature.
Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures [Official Journal L 289 of 16.11.2000].
This Decision sets out the criteria that Member States must take into account when designating national bodies to evaluate the conformity of secure signature-creation devices.
http://europa.eu/legislation_summaries/information_society/l24118_en.htm
Malta, a European financial center located in the Southern areas of the Mediterranean Sea, has developed comprehensive e-commerce legislation and is an active e-commerce player. In 2001, Malta's government enacted the Electronic Commerce Act III, which has been amended five times (2002, 2004, 2005 and twice in 2007). This act establishes rules regarding electronic signatures, certification authorities, electronic contracts, consumer protection, and electronic data. This article provides a synopsis of Malta's rules on electronic contracts, electronic signatures and certification services, and computer crimes involving electronic data.
Electronic Contracts
Malta's Electronic Commerce Act III of 2001 (the E-Commerce Act) addresses electronic contracts in Part III, articles 9 through 11. Electronic contracts are valid and will not be denied legal effect, validity or enforceability just because they are celebrated or entered into by electronic means. The offer, acceptance of the offer, subsequent amendments, and cancellation or revocation of the offer may be communicated by electronic means. A contract is concluded when after placing his order the recipient of the service receives from the service provider an acknowledgement of receipt of the order made by the recipient; provided that (1) the service provider's acknowledgement is given without undue delay and by electronic means; and (2) the recipient's order and the acknowledgement of the receipt are deemed to have been received when the parties to whom they are addressed are able to access them. The E-Commerce Act requires originators to provide addressees with effective and accessible means to identify and correct errors and accidental transactions prior to conclusion of electronic contracts. Part IV of the E-Commerce Act, called Transmission of Electronic Communications, is relevant to the conclusion of electronic contracts. It describes the time of dispatch of an electronic communication, the time of receipt, the place of dispatch and receipt, and the attribution of electronic communications.
According to the First Schedule of Article 11, the following are the information requirements that electronic contracts must meet:
(1) "The name and address where the service provider is established;
(2) The electronic-mail address where the service provider can be contacted in a direct manner;
(3) The registration number of the service provider in any trade register or of any professional body if applicable;
(4) Where the activity of the service provider is subject to an authorization, the activities covered by the authorization granted to the service provider and the particulars of the authority providing such authorization;
(5) The Value Added Tax (VAT) registration number of the service provider where the service provider undertakes an activity that is subject to VAT;
(6) The different steps to follow to conclude the contract;
(7) The technical means for identifying and correcting input errors prior to the placing of the order;
(8) The language or languages in which the contract may be concluded;
(9) A statement of whether the concluded contract will be filed by the service provider and whether it will be accessible."
Electronic Signatures and Certification Services
Malta's law recognizes electronic signatures. Part V of the E-Commerce Act addresses signature certification services. The general rule is that the provision of signature certification services or services related to electronic signatures does not require prior authorization. However, Minister's regulations may establish and maintain an accreditation scheme that enhances the levels of signature certification services, and designate accreditation authorities.
The Minister may supervise signature certification services that provide qualified certificates. Also, the E-Commerce Act states that those who provide qualified certificates are liable for damages caused to any person who reasonably relies on such certificates. Providers of qualified certificates may limit the use of such certificates provided that those limitations are clear and readily identified as limitations. In this case, the provider shall not be liable for damages caused for uses that did not acknowledge the limitations.
Computer Crimes Involving Electronic Data
The E-Commerce Act also criminalizes certain acts that violate data security or constitute computer misuse. For instance, any person who, without authorization, uses a computer or any other device to access data, software, or documentation held in a computer or in any other computer, or who uses, copies, or modifies such data, software, or documents, is guilty of an offense. Additionally, any person who outputs or copies any data, software, or supporting documentation from a computer in which it is held or stored is guilty of a computer crime. Impairing the operation of a system or software also constitutes a computer crime under Malta's law. Moreover, altering, taking, installing, moving, erasing, destroying, or adding to any data, software, or supporting document, without authorization, constitutes a computer crime. Disclosing or using another person's password or discovering a code or other access information without authorization constitutes a computer misuse crime.
The following are computer crimes when committed without proper authorization: (1) modifying computer equipment or supplies used or intended to be used in a computer, computer system, or computer network; (2) taking possession of, damaging, or destroying a computer, computer system, computer network, or computer supplies used or intended to be used in a computer, computer system, or computer network.
Any of these crimes is punishable under Malta law even if committed outside Malta, when it affects computers, computer software, data, or supporting documentation located in Malta or connected to a computer located in Malta.
Therefore, it is clear that Malta's e-commerce law is in accord with European and international principles regarding electronic contracts, electronic signatures, and data and computer crimes.
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2233
Under the law of the Republic of Slovenia, the electronic signature has been implemented by Act n. 57/2000 on Electronic Commerce and Electronic Signature. This Act, which complies with the legal framework set by the European Directive 1999/93/EC of December 13, 1999 on Electronic Signature, provides that an electronic signature has the same probative value as a handwritten signature under certain conditions. This Act also regulates the activity of Certification Services Providers (CSPs).
The Electronic Commerce and Electronic Signature Act, supplemented by Decrees n. 77/2000 and 2/2001 on Conditions for Electronic Commerce and Electronic Signing, regulates legal issues that arose from fast technological development and the accelerated introduction of e-commerce into the business and public sector of the Republic of Slovenia. The essential purpose of these regulations is to put the electronic form of operation, where possible and reasonable, on an equal footing with the earlier classical paper operation and, under special conditions, to grant the electronic signature the same validity that the written signature has in the paper world. These regulations have thus removed a variety of legal obstacles to the development of e-commerce in Slovenia.
Pursuant to Articles 14 and 15 of the Electronic Commerce and Electronic Signature Act:
1. Electronic signature cannot be denied legal effectiveness or admissibility as evidence solely on the grounds of its electronic form or not being based on a qualified certificate or a certificate issued by an accredited certification service provider or not being created by a secure signature creation device.
2. Advanced electronic signature, verified with qualified certificate, is equal to autographic signature in relation to data in electronic form, and has therefore equal legal effectiveness and admissibility as evidence.
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=1573