The European electronic signatures directive: the unanswered questions
by Jos Dumortier
On September 25, to coincide with the ISSE 2001 conference in London, EEMA organised a closed meeting of legal experts from Austria, Belgium, Bulgaria, Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, The Netherlands, Norway, Portugal, Spain, Sweden, Switzerland and the United Kingdom to compare and contrast how the European Electronic Signatures Directive (Directive 1999/93/EC on a Community framework for electronic signatures) had been transposed into their national law. The Directive should have been introduced into the law of each Member State by July 19 2001.
On 29 and 30 November 2001, at the main office of Belgacom in Brussels, EEMA held a workshop, The legal impact of the Electronic Signatures Directive on Business. Its objective was to distribute the information collected on September 25 to a wider audience of business and government representatives, and to look more closely at the strategic consequences of the Directive, as transposed into the legislation of the Member States, for certification service providers and product vendors.
The workshop was attended by about 120 delegates, not only from the European Union but also from Eastern Europe, the US and Brazil. Belgium, Finland, France, Germany, Italy, The Netherlands, Sweden, Switzerland and the United Kingdom were among the European attendees.
The programme was designed to focus on the main items of the European Electronic Signatures Directive: legal recognition of electronic signatures, liability of certification service providers, supervision of Certification Service Providers (CSPs), accreditation schemes, conformity testing for electronic signature products and legal aspects of standardisation.
The workshop concluded with a question and answer session, with answers to questions that had been submitted to the panel in advance. They provide a unique insight into the issues surrounding the take up of certification services, and demonstrate some of the confusion surrounding various aspects of their use. The views expressed by both the panellists and participants reflect the ongoing debate surrounding the use of qualified certificates and some of the business issues for CSPs. This article reports the views of the panellists on selected topics: the value of becoming a CSP; market forces; the use of qualified certificates; qualified signatures for a closed user group; the acceptance of the certificate; worldwide recognition of standards; privacy; and case law.
The value of becoming a CSP
A fundamental question concerns the value of becoming a qualified CSP, with all the obligations and liabilities that entails, especially since any electronic signature can be legally admissible whether or not it is based on a qualified certificate. The answer lies in the distinction between non-qualified electronic signatures, which have some limited degree of legal value, and electronic signatures that have exactly the same value as a hand-written signature. Under Article 5(1) of the Directive, the latter status is reserved for an advanced electronic signature based on a qualified certificate and created by a secure signature-creation device. If, as a CSP or certificate manufacturer, you aim at the second case and wish to tell the public that your certificates can be used as an alternative to the hand-written signature, then you have to be a qualified certificate provider; and that entails fulfilling the requirements of Annex II of the Directive. So while it remains a matter of choice whether a CSP seeks accreditation, it must understand that legal equivalence with a hand-written signature is achieved automatically only through a qualified certificate.
It is worth remembering that in many instances contact with government offices and corporations will require a qualified signature, and that should have two effects. Firstly, it will push the value of qualified electronic signatures forward; secondly, it will force CSPs to offer qualified certificates if they wish to remain competitive.
Market forces
The value of a qualified electronic signature depends on market demand. The Finnish Identity Project was cited as an example of how end-users are not prepared to pay approximately €25 for certificates without significant added value. The question therefore arises: do consumers care whether the certificate is qualified or not? From a business perspective, if the answer is no, the CSP will not earn much money from end-users. Nor will it earn anything from relying parties, because it does not know who they are: the certificates are issued to the public. However, if governments automatically include qualified certificates on widely distributed chip cards, that will clearly set the standard for the market.
The use of qualified certificates
There is some debate as to whether qualified certificates should be used for purposes other than verifying electronic signatures. While it is of course possible to use a qualified certificate for other purposes, it is wise to have separate key pairs for non-repudiation and for authentication. For example, electronic identity cards are being issued in many countries, and it is good practice to issue those cards with two certificates. One should be a qualified certificate, with its own key, for Directive-compliant signatures; that certificate and key should not be used for anything else. This is for both security and ceremonial reasons: users should be aware that they are using a very special key for a very special purpose, namely signing something. In some countries a separate PIN code is required for the signing key to make sure this happens. The second certificate is usually used for authentication and/or encryption. Whether or not that second certificate is qualified is a matter of choice and market demand.
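The separation described above is enforced in practice through the key-usage extension of the two certificates: the signing certificate carries the nonRepudiation bit (called contentCommitment in current X.509 and in Go), and the authentication certificate does not. The following is an added example, written for this article and not code from the workshop or from any national identity-card scheme. It uses only the Go standard library; the issuer name "Demo Root CA", the card holder "Jane Citizen", the contract text and the ECDSA P-256 keys are constructed for the example. A small CA issues one card holder two certificates with distinct key usages, and a relying-party check accepts a signature only when the certificate chains to the trusted root and asserts contentCommitment, so a signature made with the authentication key is refused even though it is cryptographically valid. The separate PIN code mentioned in the text is a property of the card and is not modelled here.

```go
// Added example: one card holder, two certificates with distinct key usages,
// and a relying-party check that only accepts the non-repudiation key.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates an ECDSA P-256 key pair and a certificate for subject with
// the given key-usage bits. With ca == nil the certificate is self-signed.
// Names and validity period are constructed for the example.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string,
	usage x509.KeyUsage, isCA bool, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca != nil {
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signMessage produces an ASN.1 ECDSA signature over SHA-256(msg).
func signMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyCommitment is the relying party's check for a signature that is meant
// to carry non-repudiation weight: the certificate must chain to the trusted
// root, assert the contentCommitment (nonRepudiation) bit, and verify the
// signature. A valid signature under an authentication key is rejected.
func verifyCommitment(root, cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return errors.New("certificate lacks the nonRepudiation key usage; not a signing certificate")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo issues both certificates to the same holder, signs the same text with
// each key, and returns the relying party's verdict for each certificate.
func Demo() (signingErr, authErr error) {
	root, rootKey, err := issue(nil, nil, "Demo Root CA", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true, 1)
	if err != nil {
		return err, err
	}
	signCert, signKey, err := issue(root, rootKey, "Jane Citizen (signature)", x509.KeyUsageContentCommitment, false, 2)
	if err != nil {
		return err, err
	}
	authCert, authKey, err := issue(root, rootKey, "Jane Citizen (authentication)",
		x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, false, 3)
	if err != nil {
		return err, err
	}
	msg := []byte("I accept the terms of contract 2001-11-30") // constructed sample text
	s1, err := signMessage(signKey, msg)
	if err != nil {
		return err, err
	}
	s2, err := signMessage(authKey, msg)
	if err != nil {
		return err, err
	}
	return verifyCommitment(root, signCert, msg, s1), verifyCommitment(root, authCert, msg, s2)
}

func main() {
	signingErr, authErr := Demo()
	fmt.Println("signing certificate:", signingErr)
	fmt.Println("authentication certificate:", authErr)
}
```

The point the example makes is that the relying party, not the cryptography, draws the line: both signatures verify mathematically, but only the certificate issued for signing is accepted as evidence of a commitment. A production verifier would additionally check the certificate's policy identifier and revocation status, which this example omits.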
Voluntary accreditation
Voluntary accreditation schemes for certification services, such as tScheme in the UK, are being established in most European countries. There are many differences between these schemes, for instance in the security level required to obtain accreditation, but also in procedure and cost. Fortunately, representatives of some national schemes are moving towards collaboration or even mutual recognition; talks in this direction have recently started between tScheme and the Dutch accreditation body TTP-NL. From a legal viewpoint a provider may freely choose the scheme from which it obtains accreditation. In practice, though, most providers will go to the accreditation body of the country in which they have their main establishment.
Case law
It is always interesting to see how case law in the online world develops to mirror that of the offline world. There are not many court cases yet in the area of digital signatures, probably because most are used within closed groups. Furthermore, in most cases the contracting parties have an explicit clause stating that no party will question the value of the signature. However, an Italian judge recently had to decide on the evidential value of an electronic document; despite the fact that the document did not carry a signature that complied with Italian digital signature law, he nevertheless held it to be a valid document. A similar case occurred in Bulgaria, underlining the need for clarity in contracts.
There is as yet no European convergence of laws on digital signatures, and each country has its own interpretation. However, the Commission requires each Member State to transpose the Directive into its legislation, can review that implementation over time, and can exercise control if necessary to ensure that the implementation does not hinder European advancement.
Qualified signatures for a closed user group
There was some debate as to the usefulness of qualified signatures within a closed community or group, as opposed to simply distributing public keys. The Directive only deals with CSPs issuing certificates to the public; there is no legal or statutory obligation for closed groups. The danger, naturally, is that the group may not be as closed as is supposed: the notion of closed versus open is ambiguous.
What qualifies as the acceptance of the certificate?
There is no general answer to this question. In practice you can have procedures whereby people receive certificates but cannot use them without a PIN code. There are many different approaches, but the moment of acceptance is generally when the card is made operational. It is also a matter of contract, and the CSP can stipulate a provision to cover it. A further problem is that non-technical people will not know how to look at the contents of the certificate, and therefore will not know what they are accepting. That is why the Certificate Policy (CP) and the contract are necessary. With these safeguards it becomes merely the acceptance of a product or service, rather like accepting a computer without having to inspect the hard disk.
Worldwide recognition of standards
As always there was interest in whether worldwide recognition schemes for electronic signatures and certificates yet exist. The panel was not aware of any such scheme, but there is, for obvious reasons, great interest in developing them, and the subject is currently under debate. It seems likely that a particular scheme developed, for example, in the US may over time become so widely accepted that in practice it is world-accepted, albeit not in every situation or context. There is also the concept of accepting a top-level root CP for each individual nation, recognised across borders within the accredited scheme. This is not the same as harmonising schemes; it is rather the creation of an acceptable passport. Each will look different but will be accepted as the national scheme for a particular country. This idea was first proposed in 1997 and is still valid. Cross-certification is a completely different and much more complex goal to achieve.
Privacy
While the workshop did not deal explicitly with Article 8 of the Directive, this issue is clearly of concern and can be looked at from both a practical and a philosophical viewpoint. On the practical side, the main consequence of Article 8 for the CSP is that if you are in this business, you are automatically in an opt-in system as far as the use of data for direct marketing purposes is concerned. The general rule under the 1995 Data Protection Directive (95/46/EC) is the right of the individual to oppose the use of their personal data for commercial and other purposes without their active agreement, and some Member States have interpreted that rule very strictly. From a privacy point of view we have to be careful about how much information we demand. More and more, the industry focuses on setting up systems for identification and demands much more authentication than we would in the offline world. It is like having to show a passport before entering a shop, a situation that would be completely unacceptable offline. Many people are therefore working to reconcile the concepts of privacy and PKI, and the European Commission is promoting such research.
The questions surrounding the European Electronic Signatures Directive are numerous, and this article has touched upon just a few of them. A full summary of the Workshop, including the full questions and answer session is available from EEMA.
The future
It is clear from this article that much work remains to be done in clarifying the Directive throughout Europe. In order to keep its members abreast of the latest developments, EEMA will hold regular meetings with the European Member States and will provide regular updates to the ICT community.