25 July 1999. Thanks to HN.
Source:
http://www.ict.etsi.org/eessi/Final-Report.doc
(609K, 101 pages)
Original available in Zipped .DOC format: http://jya.com/eessi.zip (176K)
20th July 1999
Hans Nilsson, iD2 Technologies, Sweden (Project leader)
Patrick Van Eecke, ICRI-K.U.Leuven, Belgium
Manuel Medina, Univ of Catalunya, Spain
Denis Pinkas, Bull, France
Nick Pope, Security & Standards Consultancy, UK
EXECUTIVE SUMMARY
The European Commission has proposed to the European Parliament and to the Council a Directive to provide a common framework for electronic signatures. The Directive covers electronic signatures used for authentication in general as well as a particular type of "qualified" electronic signatures, which have legal equivalence to hand-written signatures. The Directive also identifies requirements that have to be met by service providers supporting electronic signatures and requirements for signers and verifiers. These requirements need to be supported by detailed standards and open specifications which also meet the requirements of European business, so that products and services supporting electronic signatures can be known to provide legally valid signatures - thus furthering the competitiveness of European business in an international market.
Under the auspices of the ICTSB, European industry and standardization bodies have launched the European Electronic Signature Standardization Initiative (EESSI). EESSI has the objective of analyzing the future needs for standardization activities in support of the European Directive on electronic signatures in a coherent manner, particularly in the business environment. An expert team appointed by EESSI has produced this report.
It should be understood that this report has been put forward with the intent of proposing standards on the basis of an open implementation framework for electronic signatures including signatures in compliance with the proposed Directive. It is not the intention of this report to establish standards that would be mandatory to support the Directive, but rather to identify requirements for standards that would facilitate an open market of products and services that meet the requirements of the Directive.
The most important findings of the expert team are summarized as follows:
- General security management codes of practice, e.g. BS7799 part 1 and part 2.
- Specification of security requirements for trustworthy systems used by CSPs. For this EESSI recommends that initially specific requirements should be placed on the cryptographic modules being used (e.g. using FIPS 140-1 or equivalent) with more general requirements based on a risk analysis. Also, a suitable protection profile based on the Common Criteria (ISO 15408) may be needed.
- A baseline Certificate Policy for service providers issuing qualified certificates. EESSI recommends that the policy is written according to the IETF PKIX framework RFC 2527 but should also include references to general security standards as described above.
- Specification of policy requirements for providers of trusted time-stamping services.
- Specification of security requirements for trustworthy hardware devices used as secure signature creation devices. For this, EESSI recommends concurrent acceptance and usage of FIPS 140-1 (or equivalent standard) and a suitable Protection Profile based on Common Criteria (ISO 15408). Although specification of a security target according to ITSEC also could be possible, the Common Criteria is preferred as it is more recent and has global recognition.
- Specification for the creation of electronic signatures including recommendations on the user interface.
- Specification of signature verification products and procedures.
- Technical standard for the syntax and encoding of electronic signatures, supporting multiple signers and role signatures that are verifiable long after their initial use. EESSI recommends that this be based on a profile of and extensions to the Cryptographic Message Syntax (CMS), the successor to PKCS #7 (RFC 2315), which it was shortly to replace.
- Profiles for PKI operational management protocols based on the Internet PKIX RFCs.
- Profile for Qualified Certificates based on X.509.
Further details of these work areas, as well as initial proposals as to the best European or international organizations that should execute them, are given in section 8 of this report.
Finally, EESSI also proposes that:
TABLE OF CONTENTS
1.1 Background
1.2 The mandate from the Commission
1.3 The European Electronic Signature Standardization Initiative (EESSI)
1.4 The task of the Expert Team
2 BUSINESS AND USER REQUIREMENTS
2.1 Various uses of electronic signatures
2.2 A business scenario using electronic signatures
2.3 Requirements for the business community
3. IMPLICATIONS OF THE DIRECTIVE FOR STANDARDIZATION
3.1 The scope of the Directive
3.2 Definitions
3.2.1 The signature definition
3.2.2 Other definitions
3.3 Internal market and market access principles
3.4 Legal recognition
3.5 The annexes
3.6 Liability
3.7 Third countries
3.8 Data protection
3.9 The Electronic Signature Committee
3.10 Information, Implementation and Reviewing rules
4. A FRAMEWORK FOR ELECTRONIC SIGNATURE STANDARDIZATION
4.1 Objectives for EESSI
4.2 Classes of Electronic Signatures for standardization
4.3 Technical framework for qualified electronic signatures
4.4 A layered framework for regulation and standardization
4.5 Areas requiring standards and conformity assessment
4.6 Accreditation and certification
4.7 The New Approach and European Conformity Assessment
4.8 Supervision of CSPs
4.9 Signature policies and certificate policies
5. FUNCTIONAL AND QUALITY STANDARDIZATION FOR CSPS
5.1 General CSP Requirements
5.1.1 CSP Security Management
5.1.2 Use of Trustworthy systems
5.1.3 Technical Profile Requirements
5.1.4 Policy and practice statements
5.1.5 Conformity Assessment
5.2 CSPs Issuing Qualified Certificates
5.2.1 CSP Security Management
5.2.2 Use of Trustworthy systems
5.2.3 Technical Profile Requirements
5.2.4 Certificate Policy and Practice Statements
5.2.5 Conformance Assessment
5.3 CSPs Issuing Trusted Time-Stamps
5.3.1 Security Management
5.3.2 Use of Trustworthy Systems
5.3.3 Technical Profile Requirements
5.3.4 Trusted Time-stamping Service Policy and Practice Statements
5.3.5 Conformance Assessment
5.4 Other CSPs Services
6. FUNCTIONAL AND QUALITY STANDARDS FOR SIGNATURE CREATION AND VERIFICATION PRODUCTS
6.1 Signature creation devices
6.1.1 Requirements for secure electronic signature creation devices
6.1.2 Conformity assessment of secure signature creation devices
6.2 Signature creation process and environment
6.2.1 User interface for signature creation
6.2.2 Operating environment and management
6.2.3 Conformity Assessment of user interface and signature creation environment
6.3 Signature verification process and environment
6.3.1 Recommendations for signature verification
6.3.2 Conformity Assessment of signature verification products
7. INTEROPERABILITY STANDARDIZATION REQUIREMENTS FOR ELECTRONIC SIGNATURES
7.1 Data format definitions
7.1.1 Electronic Signature syntax and encoding formats
7.1.2 Qualified Certificates
7.1.3 Other data structures
7.1.4 Signature policies
7.1.5 Definition and support of generic roles
7.2 Repositories to support electronic signatures
7.2.1 Repository for certificate policies, signature policies and contract types
7.3 Further studies
7.3.1 Scalable revocations
7.3.2 Scaleable suspensions
7.3.3 Identification and naming
7.3.4 Certification path validation
7.4 Protocols to interoperate with CSPs
7.4.1 Operational protocols
7.4.2 Entity registration protocols
7.5 Smart cards and other hardware tokens
7.5.1 Use of hardware devices for signature creation and storage of other security related information
7.6 Application Programming Interfaces (APIs)
7.6.1 APIs for infrastructure independence
7.6.2 APIs for generating and verifying electronic signatures
8. RECOMMENDATIONS AND OUTLINE OF PROPOSED WORK PROGRAMME
8.1 International co-ordination and promotion
8.2 Organizations involved
8.3 Description of work areas
8.3.1 CSP Management and Policy Issues
8.3.2 Standards for Electronic Signature products
8.3.3 Standards for interoperability
8.3.4 Studies and pilots projects
8.3.5 Conformity Assessment Activities
8.4 Summary of work areas
ANNEX A. INVENTORY OF RELEVANT WORK
A.1 International Standardization
A.1.1 IETF
A.1.2 ISO/IEC JTC1/SC27
A.1.3 CEN/ISSS
A.1.4 ETSI
A.1.5 ICTSB
A.1.6 W3C
A.1.7 PKCS Publicly Available Specifications from RSA Laboratories
A.1.8 European co-operation for Accreditation
A.2 European Projects
A.2.1 ETS Projects
A.2.2 Fifth Framework Programme
A.2.3 ISIS
A.2.4 Trust Infrastructure for Europe (TIE)
A.2.5 Emeritus
A.3 National Activities
A.3.1 Germany
A.3.2 Italy
A.3.3 United Kingdom
A.3.4 Belgium
A.3.5 Sweden
A.3.6 Spain
A.3.7 United States of America
A.3.8 Canada
A.4 Other International Activities
A.4.1 International Chamber of Commerce (ICC)
A.4.2 OECD
A.4.3 UNCITRAL
A.4.4 American Bar Association
A.5 Security Evaluation Criteria
A.5.1 TCSEC
A.5.2 ITSEC
A.5.3 Common Criteria
A.5.4 BS 7799
A.5.5 FIPS 140-1
ANNEX B. EXISTING STANDARDS AND DEFINITIONS
ANNEX C. MAPPING ANNEX II TO EXISTING STANDARDS
C.1 Annex II and BS 7799
C.2 Annex II and RFC 2527
ANNEX D. INITIAL RECOMMENDATION FOR USE OF X.509 CERTIFICATES AS QUALIFIED CERTIFICATES
The development and use of authentication products and services is still in its introductory stage. Systems exist which use authentication for commerce, administration and public services; however, there is no complete set of agreed industry standards or technical specifications for their use. Without such standards it is not considered possible to provide a common level of security which can be recognized as being valid for use at regional level, even less at international level.
The Communication of the European Commission "A European Initiative in Electronic Commerce" identified the need for electronic signatures as a key issue for electronic commerce. Whilst the signing of contractual exchanges for electronic commerce is not the sole application of electronic signatures, it is likely to become an essential component for the future of European business in the competitive global market.
At the request of the Council, the European Commission has proposed a Directive [1] to provide a common framework for electronic signatures. It is not the intent of this Directive to cover the whole domain of applications of authentication, but rather to focus on the legal validity of an electronic signature attached to an electronic document so that it has the same legal effect as a hand-written signature attached to a paper document. However, contractual freedom should prevail for "electronic signatures used within closed groups, for example, where contractual relationships already exist". The Directive identifies minimal requirements for trusted service providers supporting electronic signatures as well as requirements for signers and verifiers. These requirements need to be supported by detailed standards and open specifications which are recognized as meeting these requirements so that products and services supporting electronic signatures can be known to provide legally valid signatures.
_________________
1. This report references the Common Position of the "Proposal for a Directive of the European Parliament and of the Council on a common framework for electronic signatures" dated 24th June 1999.
Several standardization initiatives have already been launched in this area at the national, regional and international levels by organizations and industry fora. Worth mentioning are the activities of the International Chamber of Commerce, the UNCITRAL activity on the Model Law, the current ILPF inventory, and the IETF and ABA standardization activities. They are, however, at this stage, not necessarily sufficient to provide a harmonized legal framework for Europe. A consistent and coherent approach is necessary, overseen by the "Electronic Signature Committee" (as identified in Article 9 of the Directive), so that the legal framework for electronic signatures can build, as far as possible, upon standards and other forms of voluntary agreements. Such agreements can be used to provide signatures which can be recognized as legally valid not only across Europe, but at international level.
In order to provide timely standards permitting full and efficient implementation of a common framework, based on consistent Member States' legislation, standardization initiatives should be encouraged at an early stage, in particular so as to obtain adequate international co-operation.
Industry and European standardization bodies, within the framework of the ICTSB, have been requested by the Commission to analyze the future needs for standardization activities to support the essential minimum legal requirements as stated in the Directive in relation to electronic signatures products and services available on the market. The assessment of available standards and current initiatives at global and regional level, both in formal standardization bodies and industry consortia, should identify gaps and the need for any additional standardization initiatives in all relevant forms, such as standards, specifications, agreements, workshops or any other form of consensus building. On the basis of this analysis, an indicative work programme should be proposed.
Industry and European Standardization bodies should set up an implementation framework, compliant with the minimal legal framework stated by the Directive. This will answer business needs and bring the full advantage of the legal recognition of the electronic signature in support of the development of the open electronic commerce environment.
To meet the requirements of the Commission mandate, the ICTSB has launched the European Electronic Signature Standardization Initiative (EESSI) placed under the direction of a steering group composed of:
The Steering Group is assisted in its work by an Expert Team with the following members:
Hans Nilsson, ID2 Technologies, Sweden (Project leader)
Patrick Van Eecke, ICRI-K.U.Leuven, Belgium (Legal Expert)
Manuel Medina, Univ. Polit. of Catalunya, Spain
Denis Pinkas, Bull, France
Nick Pope, Security & Standards Consultancy, UK
In addition, a review team has been appointed consisting of:
Leslie Seymour, consultant
Bart Preneel, COSIC, K.U.Leuven, Belgium
Robert Willmott, consultant, UK
The expert team has been requested to produce a report as the starting point for the steering group to meet the EESSI objectives. The report should prepare the grounds for the necessary standardization activities and identification of the standardization needs in support of the emerging legal framework for electronic signatures in the European Union, based on an assessment of existing standards and technical specifications in this area.
The expert team should provide an analysis and evaluation of the role of standardization in response to essential legal requirements as they are currently under discussion (based on the proposed Directive) or already adopted by Member States.
The legal requirements set out in the proposed Directive focus on certificates and certification services to ensure minimum levels of security and to allow their free movement throughout the Single market. Standardization efforts should therefore be oriented towards establishing transparent, proportionate and non-discriminatory rules for such certification schemes.
In addition to certificates and certification services covered by the scope of the proposed Directive, standardization activities should also cover the off-line use of electronic signatures and electronic signature products and services to be made available to the end-user.
It is not the intention of this report to establish standards that would be mandatory to support the Directive, but rather to identify requirements for standards that would facilitate an open market of products and services that meet the requirements of the Directive.
The requirements have to be considered in an open environment, and in close co-operation with all relevant parties; subsequently adequate and efficient co-operation mechanisms should be put in place in view of establishing international-wide consensus among all parties concerned.
Arrangements should be proposed to establish the relevant international co-operation to ensure that the relevant standards are available at global level.
The expert team was asked to include the following specific items in the report:
The expert team was not asked to include a survey of existing and proposed legislation, since this recently has been covered extensively in the report Legal Aspects of Digital Signatures, prepared for the European Commission by ICRI-K.U.Leuven.
The document "COM (97)503 - Ensuring Security and Trust in Electronic Communication" lists various uses of electronic signatures:
For the first two areas above, it is envisaged that the electronic signature is used with equivalent legal effect to a hand-written signature.
For the three last areas, the requirement is only for authentication. Those uses do not imply legal binding proof, either because of the nature of the application (limitation to authentication purposes) or of the nature of the environment (Intranet, personal purposes). In that sense, the full use of legal electronic signature is not relevant.
Note: At this time there exist several concurrent definitions of the term "electronic signature". As a result this term is used in various communities with different meanings. The most internationally recognized definition has been proposed by UNCITRAL. There also exists an internationally recognized definition of "digital signature" (ISO 7498-2; see Annex B for the full definition), which is too often used interchangeably with the term "electronic signature". It defines a security mechanism which can be used to build various security services such as authentication, data origin authentication, data integrity, or non-repudiation.
A business scenario is proposed to help consider the requirements. The business scenario consists of three stages of business transactions:
a) Pre-contract exchanges
b) Contract establishment
c) Post-contract establishment
Pre-contract exchanges could include, for example, requests for product and pricing information, discussion of possible contract terms etc. During this stage no commitments are entered into. There is a requirement not to mislead but this only requires simple evidential consideration. Thus, at this stage, there is a requirement for data origin authentication, but not for indication of intent.
Contract establishment could include, for example, a specific offer of contractual terms and acceptance of those terms. This requires clear evidence of intent from an identifiable source. Thus, at this stage there is a requirement for an electronic signature that serves as evidence of the origin of data and that the originator had a clear intent related to that data. During the exchange of contract, the time between creating a signature and the relying party verifying the signature will be relatively short.
In the case of later dispute between a signer of contractual conditions and the other party relying on those conditions, the data together with its electronic signature would be presented as evidence by the relying party to be verified by some arbitrator or judge. This can occur a significant period (e.g. years) after the electronic signature was created.
Post contract exchanges involve further exchanges under the terms of the contract (e.g. making a specific order within general terms defined in the pre-agreed contract). In general the requirements for protecting the exchanges will be dependent on the application covered by the contract.
EESSI requirement: The further development of internationally recognised business scenarios, as part of the development of standards for electronic signatures, would significantly aid the understanding of the requirements.
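The contract stage above is the hard case: the signature may have to be verified by an arbitrator years after it was created, when the signer's certificate will normally have expired and may have been revoked. That is where a trusted time-stamping service (a CSP role the report's section 5.3 deals with separately) comes in: a time-stamp over the signature gives the arbitrator evidence that the signature existed while the certificate was still valid. The following Go program is an added illustration written for this page, not code from the EESSI report or from any body it names. It assumes, as standard practice rather than anything the report states, that long-term validation checks the time-stamped time against the certificate's validity period and revocation date; the certificate, the time-stamp structure and the timeline are constructed and simplified (a real time-stamp token has a standardized format, which is not modelled here).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate is a constructed stand-in for the signer's qualified certificate, reduced to the
// fields a long-term check needs. Revoked is nil if the certificate was never revoked.
type Certificate struct {
	Subject   string
	PublicKey *ecdsa.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	Revoked   *time.Time
}

// TimeStamp is the time-stamping authority's (TSA) assertion that a signature value existed at
// Time. Simplified model: the TSA signs SHA-256(signature) bound to a second-precision time.
type TimeStamp struct {
	SigHash [32]byte
	Time    time.Time
	TSASig  []byte
}

// Sign produces the signer's ECDSA (P-256, SHA-256) signature over the contract data.
func Sign(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// tsDigest is the value the TSA signs: signature hash || big-endian Unix time.
func tsDigest(sigHash [32]byte, t time.Time) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(t.Unix()))
	d := sha256.Sum256(append(sigHash[:], buf[:]...))
	return d[:]
}

// IssueTimeStamp is the TSA side. It sees only the signature value, never the contract.
func IssueTimeStamp(tsa *ecdsa.PrivateKey, sig []byte, now time.Time) (TimeStamp, error) {
	sh := sha256.Sum256(sig)
	now = now.Truncate(time.Second)
	s, err := ecdsa.SignASN1(rand.Reader, tsa, tsDigest(sh, now))
	if err != nil {
		return TimeStamp{}, err
	}
	return TimeStamp{SigHash: sh, Time: now, TSASig: s}, nil
}

// VerifyLongTerm is what an arbitrator runs years later. It does not require the signer's
// certificate to be valid today, only at the time the TSA vouches for.
func VerifyLongTerm(data, sig []byte, cert Certificate, ts TimeStamp, tsaPub *ecdsa.PublicKey) error {
	// 1. The signature must verify under the certified key; any change to the data fails here.
	h := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(cert.PublicKey, h[:], sig) {
		return errors.New("signature does not verify: forged, or data modified after signing")
	}
	// 2. The time-stamp must cover exactly this signature value and be genuinely from the TSA.
	if sha256.Sum256(sig) != ts.SigHash {
		return errors.New("time-stamp does not cover this signature")
	}
	if !ecdsa.VerifyASN1(tsaPub, tsDigest(ts.SigHash, ts.Time), ts.TSASig) {
		return errors.New("time-stamp signature invalid")
	}
	// 3. The signature must have existed while the certificate was valid and not yet revoked.
	if ts.Time.Before(cert.NotBefore) || ts.Time.After(cert.NotAfter) {
		return errors.New("signature time-stamped outside the certificate's validity period")
	}
	if cert.Revoked != nil && !ts.Time.Before(*cert.Revoked) {
		return errors.New("signature time-stamped after the certificate was revoked")
	}
	return nil
}

func main() {
	signer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tsa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signed := time.Date(1999, 7, 20, 12, 0, 0, 0, time.UTC) // constructed timeline
	cert := Certificate{Subject: "CN=Alice", PublicKey: &signer.PublicKey,
		NotBefore: signed.AddDate(0, -6, 0), NotAfter: signed.AddDate(1, 0, 0)}
	contract := []byte("Contract: supply 100 units at 9.50 EUR") // constructed sample
	sig, _ := Sign(signer, contract)
	ts, _ := IssueTimeStamp(tsa, sig, signed)

	// Years later the certificate has long expired, yet the evidence still checks out.
	fmt.Println("dispute years later:", VerifyLongTerm(contract, sig, cert, ts, &tsa.PublicKey))
	// Same evidence, but the certificate had been revoked a month before the time-stamp.
	rev := signed.AddDate(0, -1, 0)
	cert.Revoked = &rev
	fmt.Println("revoked before signing:", VerifyLongTerm(contract, sig, cert, ts, &tsa.PublicKey))
}
```

The order of the checks matters: the arbitrator first establishes that the signature is cryptographically sound, then that the time-stamp really binds that signature value, and only then uses the time-stamped time for the validity and revocation decisions; checking expiry against today's date instead would reject every signature older than its certificate.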
On February 24, 1999, the EESSI project arranged a consultation meeting to discuss the requirements for electronic signature standardization with the business community, users, regulators, service providers, product suppliers and various standards bodies. The following list summarizes the most urgent needs and viewpoints expressed at the meeting:
Currently, several countries in Europe are already either specifying or deploying solutions for electronic signatures. Some countries are issuing or planning to issue electronic identity cards with private keys and certificates to their citizens. These cards are to be used for authentication and electronic signature purposes, both for official communication with public institutions and for business-to-consumer applications.
Also, several European banks have already deployed, or are planning the deployment of, electronic identity cards to their customers, for home banking, corporate banking and electronic commerce. A number of very large European and international banks are planning such a deployment through the establishment of Identrus (formerly called Global Trust).
Because of all these current activities, the business community has a very urgent need for standardization in the area of electronic signatures. If standards are not set quickly enough, different countries and business communities will end up specifying and deploying incompatible solutions, which will seriously hamper the development of a European market for electronic commerce.
In order to fulfil its task and draw up a work programme, the EESSI project has necessarily analysed the implications of the Directive [2] from the perspective of industry and the standardization community. This analysis is not a formal legal interpretation of the Directive, but constitutes the expert team's understanding of the present content. It does not represent the position of the European Commission.
_________________
2. This report references the Common Position of the "Proposal for a Directive of the European Parliament and of the Council on a common framework for electronic signatures" dated 24th June 1999.
It should be understood that this report has been put forward with the intent to propose standards on the basis of an open implementation framework for electronic signatures including signatures in compliance with the proposed Directive.
On 13 May 1998, the European Commission submitted a proposal for a European Parliament and Council Directive on a common framework for electronic signatures (COM (1998) 297 final, O.J. 23 September 1998, C 325/04-11).
The proposed directive is based on article 47 (2) concerning the freedom of establishment, article 55 on the freedom to provide services and article 95 relating to approximation of laws, of the Treaty of Amsterdam. The legislative procedure laid down in article 251 of the Treaty is being followed.
On 22 April 1999 the Council of Ministers on its meeting held in Luxembourg agreed on a Common Position, which contains a number of changes compared with the original draft of 13 May 1998. An adoption of the Common Position by the European Parliament is soon to be expected.
The Commission's proposal aims at ensuring the proper functioning of the internal market in the field of electronic signatures by creating a harmonised and appropriate legal framework for their use. The proposal is based essentially on the following principles:
1. ensuring technological neutrality. Although the proposal concentrates on digital signature technologies employing public-key certificate-based cryptography, it aims to be technology-neutral and therefore does not focus only on those kinds of signatures;
2. avoiding any prior authorization scheme for the services provided by CSPs, so as not to limit the supply of such services and technological innovation, whilst permitting the introduction of voluntary accreditation schemes for providers of such services with the aim of providing confidence in the security level;
3. recognising the legal validity of an electronic signature, by preventing it from being denied validity solely on the grounds that it is in the form of electronic data, and guaranteeing that it is considered equivalent to a hand-written signature if it meets a certain number of conditions.
A few definitions in the Directive differ from the terms used in existing technical standards. Since this report concerns standardization, we would like to make the following clarifications:
| Definition in the Directive | Term used in this report | Explanation |
|---|---|---|
| Certification Service Provider (CSP) | CSP | In the Directive, this definition encompasses not only certification authorities (CAs), but also time-stamping authorities, directory service providers and any other service provider related to electronic signatures. It thus corresponds closely to the previously popular ISO-defined term Trusted Third Party (TTP). Since the term Certification Service Provider may easily be confused with CA, we have chosen to always use the abbreviation CSP, keeping in mind that it actually encompasses a range of service providers. Whenever we need to talk specifically about CAs, we will either use the term CA, or the equivalent term CSP issuing certificates. |
| Accreditation | Accreditation / Certification | In relation to standards, the term accreditation means assessment and approval of Certification Bodies (as described in ISO/EN 45010). The term certification is generally used when a "Certification Body" certifies that an organization or product conforms to a standard. Whilst, as described later, accreditation may be applied directly to CSPs, checking conformance of products and CSPs against a standard is generally considered to be more akin to certification. To clearly separate out accreditation and certification, the separate terms are used in this report. |
| Signatures fulfilling the requirements of article 5.1 | Qualified electronic signature | A term is needed for electronic signatures meeting the requirements identified in article 5.1 of the Directive, which include requirements for advanced electronic signatures, qualified certificates and secure electronic signature creation devices. For the purpose of this report, we have introduced the term qualified electronic signature. |
| (Not used in the Directive) | Signature Policy | A named set of rules for the creation and verification of an electronic signature, including any use of CSPs, that is recognized as being valid within a given legal / contractual context. |
| (Not used in the Directive) | Certificate Policy | A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. (Many of the requirements of a signature policy will be met by the rules in a certificate policy.) |
| (Not used in the Directive) | Certification Practice Statement (CPS) | A statement of the practices which a certification authority employs in issuing certificates. |
Annex B contains a list of other important standards and definitions in the area of electronic signatures.
Article 1 describes the scope of the Directive. The Directive aims both at facilitating the use of electronic signatures as well as contributing to their legal recognition. Therefore, it establishes a legal framework for electronic signatures, signature products and certain certification services in order to ensure the proper functioning of the internal market.
Certification Service Providers (CSPs) and electronic signature products
The Directive aims to cover every kind of service related to electronic signatures. The Directive explicitly states in its recitals that CSPs should not be limited to the issuance and management of certificates, but also encompass any other service using or ancillary to electronic signatures, and thus covers all of the following services:
... as well as:
The Directive also aims to ensure a free flow of electronic signature products in the Internal Market through the publication of recognized standards for such products.
Electronic signatures
For the legal effect of electronic signatures, however, the Directive has a limited scope:
- The Directive does not cover aspects relating to the conclusion and validity of contracts or other legal obligations where there are formal requirements prescribed by national or community law.
- It does not affect rules and limits governing the use of documents contained in national or community law.
- Parties are still free to agree among themselves the terms and conditions under which they accept electronically signed data (to the extent allowed by national law).
The Directive, in other words, chooses for a broad approach when guaranteeing a free market for CSPs but for a limited approach when giving legal effect to electronic signatures.
[Figure: The two main objectives of the Directive]
3.2 Definitions
Article 2 of the Directive contains a few definitions. These definitions are only used in a Directive related environment and do not necessarily correspond to technological terminology.
3.2.1 The signature definition
For the purpose of this Directive:
1. "electronic signature" means data in electronic form attached to, or logically associated with, other electronic data and which serves as a method of authentication.
1a. "advanced electronic signature" means an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
2. "signatory" means a person who holds a signature creation device and acts either on their own behalf or on the behalf of the person or the entity they represent.
It is noteworthy that the term "digital signature" is not used.
In the light of the Commission's strategy to bring as many services, products and electronic signatures as possible within the scope of application of the Directive (for the sake of free circulation and the non-discrimination of electronic signatures), a very broad definition of electronic signatures is used.
The technology neutral approach of the Directive would not allow reference to specific technologies, such as digital signatures based on asymmetric cryptography. However, it is clear that the Directive, when describing an "advanced electronic signature", has taken into consideration the characteristics of asymmetric cryptography and certificate-based verification.
The use of the term "signature" in the Directive may cause confusion and may provoke a limited approach, suggesting that the directive would only cover electronic alternatives for the well-known hand-written signature. This is not true. Instead, the Directive uses a distinction between "electronic signature " and "advanced electronic signature ".
An "electronic signature", without being further qualified, is indeed an electronic authentication. The term "authentication" itself is neither defined nor explained in the recitals of the Directive and thus leaves room for a broad interpretation. However, the term is usually defined as "validation of a claimed identity". Every type of electronic authentication will be regarded as an electronic signature, as long as it is attached to or logically associated with other electronic data. Thus, biometric authentication methods, such as Penop or Smartpen, are regarded as electronic signatures; Message Authentication Codes (MACs), which are based on symmetric cryptography, are electronic signatures; and public key authentication schemes, such as digital signatures, are electronic signatures. The definition of an electronic signature in the Directive does not even exclude the typed name at the bottom of an email or the attachment of a scanned signature to a document.
All kinds of authentication which are currently being used in a paper environment (e.g. a stamp or a seal) and which can be replaced by electronic means fall under the scope of the directive. As such, the directive has taken a much more general approach than other legal instruments or guidelines dealing with electronic signatures.
When defining an "advanced electronic signature", the Directive's definition is similar to the digital signature as defined by ISO 7498-2 (see Annex B), which is also technology neutral. Digital signatures as defined by ISO may be realized in practice not only using asymmetric cryptography but also using symmetric cryptography associated with tamper-proof signature creation devices and tamper-proof signature verification devices. In the same way, "advanced electronic signatures" can be realized using either technology. An "advanced electronic signature", without being further qualified, is indeed equivalent to a "digital signature" as defined by ISO.
Contrary to some other existing legal instruments and guidelines (e.g. UNCITRAL, some U.S. laws), the Directive does not consider the approval of the contents by the signatory as an essential element of an electronic signature. The Directive accepts every electronic authentication method as an electronic signature, whether it invokes legal effect or not, and whether the signatory approves the contents of the document or not. By taking this broad approach the Directive is able to cover every kind of authentication without having to tackle the legal differences between the Member States' legal systems. The signatory's approval thus needs to be specified by other means, for example in the text of the signed document, or by referring to a "signature policy" which includes approval.
The Directive uses the term "person" in its definition of signatory, and does not explicitly state "natural persons" as in other directives. Thus, the Directive currently leaves it to the Member States to decide if an electronic signature should be limited to natural persons or also include legal persons, in accordance with national legislation with regard to validity and effect of signatures.
3.2.2 Other definitions
| A certification service provider (CSP) means a person who or entity which issues certificates or provides other services related to electronic signatures. |
The typical Certification Authority (CA) in a PKI (Public key infrastructure) environment is certainly regarded as a CSP, but also registration authorities, time-stamping service providers, electronic notaries, electronic archiving service providers are CSPs in the sense of the Directive as long as there exists a link with electronic signatures.
| An electronic signature product means hardware or software, or relevant components thereof, which are intended to be used by a certification service provider (CSP) for the provision of electronic signature services or used for the creation or verification of electronic signatures. |
In defining an electronic signature product, the Directive has also taken a broad approach; smart cards for the storage of private signature keys, an electronic signature program, such as the ones embedded in the Microsoft Internet Explorer or Netscape Navigator and its related electronic mail programs, biometric devices to give access to a signing function: all are regarded as electronic signature products.
| Signature creation data means unique data such as codes or private cryptographic keys, which is used by the signatory in creating an electronic signature. A signature creation device means a configured software or hardware device to implement the signature creation data. |
Signature verification data and a signature verification device are, mutatis mutandis, defined in the same manner. A smart card functioning not only to store private signature keys but also to perform the signing operation itself would be a typical example of a signature creation device. If this device meets the specific security requirements contained in Annex III of the Directive, it will be regarded as a secure signature creation device.
| A certificate means a digital attestation which links a signature verification device to a person, and confirms the identity of that person. |
The ISO-ITU standardized X.509 certificates for public key authentication can certainly be regarded as certificates in the sense of the Directive.
| A qualified certificate means a certificate which meets the requirements laid down in Annex I and is provided by a certification service provider (CSP) that fulfils the requirements laid down in Annex II. |
Qualified certificates are only relevant in relation to the legal recognition of electronic signatures under the conditions of article 5.1 of the Directive (see section 3.4 below), and in relation to liability of CSPs issuing qualified certificates to the public (see section 3.6 below).
The principles of the Internal Market are dealt with in article 4 of the Directive. As regards certification services (including all services provided by CSPs), it states that a Member State shall apply only national legislation that conforms with the Directive to CSPs established on its territory. Nor may Member States restrict the provision of services from CSPs that originate in another Member State. Article 4 also obliges the Member States to ensure that electronic signature products complying with the Directive shall be permitted to circulate freely in the Internal Market.
Furthermore, article 3 of the Directive describes the market access principle relating to certification services and products for electronic signatures.
Certification Service Provider
For the provision of certification service the Directive sees four market access principles:
1. Member States may not make the provision of certification services subject to prior authorization (mandatory licensing). Prior authorization means not only any permission which requires the CSP concerned to obtain a decision by national authorities before being allowed to provide its services, but also any other measures having the same effect.
2. Member States may, however, introduce or maintain voluntary accreditation schemes to encourage enhanced levels of service and best practice among CSPs. The Directive defines voluntary accreditation as:
"any permission, setting out rights and obligations specific to the provision of services, to be granted upon request by the CSP concerned, by the public or private authority charged with the elaboration of, and supervision of compliance with, such rights and obligations, where the CSP is not entitled to exercise the rights stemming from the permission until it has received the decision by the authority".
However, the conditions relating to the accreditation must be objective, transparent, proportionate and non-discriminatory. Furthermore, Member States may not limit the number of accredited CSPs. (It should be noted that the term "accreditation" used by the Directive should be read as "certification" in standardization terminology. The term "accreditation" in the conformance assessment area is reserved for the appointment of specific bodies, mostly laboratories, to certify services or products.)
3. Member States shall ensure the establishment of a supervisory system to control the CSPs established on their territory issuing qualified certificates to the public. CSPs willing to issue such qualified certificates will have to meet the conditions of Annex II of the Directive. Such "a posteriori supervision" may either be governmental or operated by the private sector.
4. With respect to the use of electronic signatures in the public sector, Member States are allowed to make CSPs and products subject to additional requirements if these requirements are objective, transparent, proportionate and non-discriminatory, and only relate to the specific characteristics of the application concerned. Typical examples are additional requirements in the field of social security or taxation.
The following table summarizes the controlling instruments for CSPs mentioned in the Directive:
| Controlling instrument | Characteristics | Description | Status in the Directive |
| Authorization | Obligatory; a priori | CSP is not allowed to provide any service without a prior permission | Forbidden |
| Accreditation/Certification | Voluntary; a priori | CSP gets a quality label if it proves it meets certain requirements | Not mandatory. Allowed if conditions are objective, transparent, proportionate and non-discriminatory and without numeric restrictions |
Special cases
| CSP issuing qualified certificates to the public | Obligation for Member States to control via supervision, e.g. a self-declaration scheme with subsequent control by a governmental body or private institution |
| CSP issuing certificates for public sector purposes | Member State is allowed to set up additional requirements and to control them via an accreditation scheme or a self-declaration scheme |
Signature products
For signature products, Member States are obliged to ensure that electronic signature products complying with the Directive can circulate freely in the Internal Market.
Regarding the security of the signature products, the Commission will establish and publish reference numbers of generally recognised standards for electronic signature products in the Official Journal. A product complying with a recognised standard will be presumed to meet the security requirements of the signature products used by the CSP (= point (f) of Annex II) and of the secure signature creation devices (=Annex III).
Conformity of secure signature creation devices with Annex III must be determined by appropriate public or private bodies designated by Member States. The Commission shall, pursuant to the procedure laid down in Article 9, establish criteria for Member States in determining whether such a "notified body" is appropriate to be designated. Determination of conformity with the requirements of Annex III made by these bodies shall be recognised by all Member States.
It is currently unclear how conformance assessment of trustworthy systems (Annex IIe) shall be performed, since this is not mentioned in article 3.4 of the Directive. However, it can be assumed that this also should be performed by appropriate public or private bodies, similarly to secure signature creation devices.
No specific controlling mechanisms are mandated for signature verification products. However, Member States and Commission are requested to work together to promote development and use of signature verification products, in the light of the recommendations in Annex IV and in the interest of the consumer.
| 5.1 Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature creation device (a) satisfy the legal requirement of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies that requirement in relation to paper-based data, and (b) are admissible as evidence in legal proceedings. 5.2 Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that the signature is in electronic form, or is not based upon a qualified certificate, or is not based upon a qualified certificate issued by an accredited certification service provider, or is not created by a secure signature creation device. |
Article 5 is a core element in the Directive. This article describes the possible legal effects of an electronic signature in the Internal Market.
As a general principle the Directive states in article 5.2 that Member States may not deny the legal effect of an electronic signature or the admissibility as evidence in legal proceedings only because of the electronic form of the signature or because the requirements of the Annexes I to III are not being fulfilled.
Hence, this general acceptance rule for electronic signatures means that Member States may not draft or maintain legislation forbidding the use of electronic signature and authentication tools for legal purposes solely on the grounds that they are in electronic form. This does not affect national rules regarding the free consideration of evidence by the judge.
A second principle of the Directive is that Member States are obliged to recognize certain types of electronic signatures with the same legal effect as it would give to hand-written signatures (article 5.1).
This extra guarantee would only be valid for electronic signatures fulfilling certain technical security requirements: only "advanced" electronic signatures which are based on a "qualified" certificate and which are created by a "secure" signature creation device have this advantage. Member States shall ensure that this type of electronic signature satisfies the legal requirement of a signature in relation to data in electronic form in the same way as a hand-written signature satisfies the requirement in relation to paper-based data. These signatures shall also be admissible as evidence in legal proceedings.
The conditions for meeting the technical minimum requirements can be found in the definition of an 'advanced electronic signature' and in the Annexes I, II and III of the Directive. Although not defined in the Directive, this type of electronic signature could be called a "qualified electronic signature".
[Figure: Electronic signatures]
Article 5 thus provides two levels of legal certainty for electronic signatures depending on the level of technical security related to that electronic signature. On a first level, electronic signatures in general, cannot be denied legal effect. On the second level, electronic signatures fulfilling some minimal technical security requirements will have the same legal effect as hand-written signatures.
In some cases and for some applications, the technical security functions required by the Directive may not be sufficient. In those cases, additional technical requirements, such as time-stamping, may be introduced by product and service developers to enhance the technical security of all types of electronic signatures, including qualified electronic signatures.
The annexes constitute an important part of the Directive. Nevertheless, with the exception of Annex IV, they are only relevant for the use of electronic signatures as legal alternatives for hand-written signatures, i.e. in relation to article 5.1 of the Directive. The applicability of the liability rules (article 6) and the foreign recognition rules (article 7) of the Directive is also restricted to this context.
Annex I
The obligations contained in Annex I relating to the qualified certificate are purely requirements for the contents of the certificate. A certificate must at least contain the information referred to in Annex I in order to be a candidate for being a qualified certificate.
It is expected that an X.509 version 3 certificate making use of the appropriate extensions, will be able to contain the necessary information.
The Directive aims to ensure that a party relying upon an electronic signature based on a qualified certificate can determine all of the information specified in Annex I on the basis of the certificate only. This implies that either all this information is fully available in the certificate itself, or that it is present in an encoded form which is interpreted by all electronic signature products in a uniform, standardised way when presented to the relying party (for example a code in the certificate and a standardised full text linked to this code in the product). Incorporation by reference, for example by referencing a URL, is not acceptable, because the information on this URL can change without notice.
It should be noted, though, that a certificate containing the obligatory elements of Annex I will be regarded as a qualified certificate only if it has been issued by a certification service provider complying with the obligations of Annex II.
Annex II
Articles 2.(10) and 2.(11) of the Directive imply that CSPs issuing qualified certificates must fulfil at least the technical and organizational security requirements laid down in Annex II. Only a CSP meeting the requirements of Annex II is able to issue qualified certificates. Moreover, CSPs fulfilling Annex II requirements and issuing qualified certificates to the public will be subject to the specific liability system as described in article 6 of the Directive.
The Annex states that a CSP that issues qualified certificates must for example ensure the operation of a prompt and reliable certificate directory and secure and immediate revocation service (e.g. CRL or certificate revocation list in PKI terms).
A CSP also has to verify the identity and if applicable any specific attributes of the person to which a qualified certificate is issued by appropriate means in accordance with national law. It also has to ensure that the date and time, when a certificate is issued or revoked, can be determined.
It is noteworthy that a CSP is also obliged to inform the person applying for a certificate of the precise terms and conditions for the use of the certificate, including any limitations on the use of the certificate, the existence of a voluntary accreditation and the procedures for complaints and dispute settlement.
Annex III
Annex III states the requirements that signature creation devices have to fulfil in order to be regarded as a secure signature device. Electronic signatures created by a secure signature device and supported by a qualified certificate would get the legal recognition following the specifications of article 5.1 of the Directive.
A secure signature creation device must at least ensure by appropriate technical and procedural means that:
- the signature creation data used for signature generation can practically occur only once, and that its secrecy is reasonably assured. The exact interpretation of this requirement is open to debate (see section 6.1.1).
- the signature creation data used for signature generation cannot be derived with reasonable assurance and that the signature is protected against forgery using currently available technology. In digital signature terms, this requirement would mean that it should not be possible to recreate the private key, for example by deriving it from the public key.
- the signature creation data used for signature generation can be reliably protected by the legitimate holder against the use of others. The use of a smart card or other hardware token for storing the signature creation data (e.g. private key) may be expected to fulfil this requirement.
It is interesting that the words 'reasonably' and 'reliably' are neither defined nor explained, which thus leaves room open for interpretation. A last requirement for a signature creation device to be deemed secure is that it must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process. A secure signature creation device thus does not, in itself, have to provide the functionality of showing the signatory what he is to sign (the so-called WYSIWYS, or what-you-see-is-what-you-sign, technology), but it must not make it impossible to use technology allowing the signatory to see what he signs. It can be assumed that currently no existing signature devices prevent the implementation of this functionality.
Annex IV
Annex IV contains a few recommendations for the verification of electronic signatures. This annex applies to all electronic signatures, and is the only one that is not obligatory to fulfil for qualified electronic signatures (with legal effect according to article 5.1).
The term 'displayed' in the text of Annex IV should be read in a broad sense and does not only mean the display of the data on a screen, but also every other functionality of presenting the signed information to the verifier: text, voice, images etc.
The Annex advises that during the signature verification process, it should be ensured with reasonable certainty, that:
- The data used for verifying the signature correspond to the data presented to the verifier, and that the signature is reliably verified and the result of that verification is correctly presented.
- The verifier can, as necessary, reliably establish the contents of the signed data.
- The authenticity and validity of the certificate required at the time of signature verification are reliably verified, that the result of verification and the signatory's identity are correctly presented and the use of a pseudonym is clearly indicated; and
- Any security relevant changes can be detected. This last requirement could mean that in case of failed verification, the verifier is made aware of it by, for example, an indication "failure to verify".
It is noteworthy that the Annex IV recommendations are not restricted to specifications for signature verification devices only, but apply to the signature verification process as a whole.
A minimum liability regime for CSPs is established in article 6 of the Directive. This liability regime only applies to CSPs issuing qualified certificates to the public.
Member States are obliged to make sure that a CSP issuing qualified certificates to the public is liable for damage caused to any person who reasonably relies on the certificate.
The CSP would, unless he proves that he has not acted negligently, be liable for:
- inaccuracy of the contents of the qualified certificate at the moment of issuance,
- non-functioning together in a complementary manner of the signature creation device and signature verification device when the CSP provides the signature devices,
- the non-assurance that at the time of the issuance of the certificate, the person identified in the qualified certificate held the signature creation data corresponding to the signature verification data given or identified in the certificate, and
- failure to register revocation of the certificate.
The Directive, however, limits the liability of CSPs by obliging the Member States to ensure that CSPs may indicate limits on the uses of the certificates and on the value of transactions for which the certificate can be used. The limits must, however, be recognisable to third parties. The CSP shall not be liable for damages arising from use of a qualified certificate contrary to the limits indicated in it.
Liability regime: only for CSPs in the sense of Annex II, issuing certificates to the public in the sense of Annex I.
| Liability causes | Exemptions |
| Incorrect contents of the certificate | CSP can prove he has not acted negligently |
| Person identified in certificate does not hold corresponding signature creation data | Certificate is used contrary to the limits of the certificate |
| Incorrect matching of signature creation and verification data (if CSP provides these data) | |
| Malfunctioning of the CRL | |
Article 7 covers the international aspects of the Directive and is also restricted to the issuance of qualified certificates.
Certificates issued to the public as qualified certificates by a foreign CSP (i.e. established outside the European Community), may be recognised as qualified certificates within the European Community in three situations:
a) the issuer in the third country meets the requirements of the Directive and is accredited by a Member State in the context of a voluntary accreditation scheme,
b) the foreign certificate is guaranteed by a European Community CSP fulfilling the requirements of the Directive, and
c) the certificate or the CSP is recognised in the context of a bilateral or multilateral agreement between the European Community and third countries or international organizations.
Article 7 also gives the European Commission the task of making proposals to implement standards and international agreements for facilitating cross-border certification services with third countries and legal recognition of advanced electronic signatures originating in third countries.
Three ways for equivalency between foreign certificates and qualified certificates in Article 7 (foreign certificate = European qualified certificate, if):
| | Conditions |
| I | Foreign certificate fulfils Annex I; foreign CSP fulfils Annex II; foreign CSP is accredited by a Member State |
| II | Foreign certificate fulfils Annex I; foreign CSP fulfils Annex II; foreign CSP is cross-certified by a European CSP; the European CSP fulfils Annex II |
| III | Foreign CSP is recognized in the context of an agreement between the EC and a third country or international organization |
Data protection rules are incorporated in article 8 of the Directive. The general Data Protection Directive 95/46/EC applies to CSPs and national bodies responsible for accreditation or supervision.
Furthermore, CSPs issuing certificates to the public may collect personal data only directly from, or with the explicit consent of, the data subject. Also important is the fact that Member States may not prevent CSPs inserting a pseudonym in the certificate instead of the signatory's name.
An advisory "Electronic Signature Committee", composed of the representatives of the Member States and chaired by a representative of the Commission, assists the European Commission.
The Electronic Signature Committee is to be consulted for:
- Clarifying the requirements of the annexes;
- Establishing the criteria for the designation of national bodies which determine the conformity of secure signature creation devices with Annex III (see Article 3.4);
- Determining the generally recognised standards for electronic signature products which would comply with the requirements laid down in point (f) of Annex II and Annex III (see Article 3.5). Reference numbers of these standards will be published by the Commission in the Official Journal.
It is currently unclear what is meant by "generally recognised standards" in this context. Within the standards community, the terms "standards" and "publicly available specifications" are generally used, and we assume that this proposal includes both. Publicly available specifications means specifications produced by industrial communities (e.g. the Open Group, the PKCS specifications), which may not have formal recognition as standardization bodies, but are open to unrestricted public use and have become widely adopted as de-facto standards.
The consultation procedure is as follows:
1. The representative of the Commission submits to the Committee a draft of the measures to be taken.
2. The Committee delivers its opinion on the draft within a time-limit which the Chairman may lay down according to the urgency of the matter.
The Commission adopts measures that shall apply immediately. However, if these measures are not in accordance with the opinion of the Committee, they shall be communicated by the Commission to the Council forthwith and the application of the measure shall be suspended for three months. The Council may then take a different decision within this time limit.
EESSI Recommendation: The "Electronic Signature Committee", which is composed of representatives of the Member States and the Commission, would need to get advice from the industry. To this end, EESSI recommends the establishment of an "Electronic Signature Industry Advisory Group" to provide advice and recommendations to the "Electronic Signature Committee". The "Electronic Signature Industry Advisory Group" should be composed of recognized technical experts in the area of electronic signatures from the vendor and user industry.
Member States are obliged to inform the European Commission on the following:
Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive within 18 months after entry into force of the Directive. Taking into account the European Parliament elections in June 1999 delaying the adoption procedure of the Directive, it may, however, be expected that the Member States will have a harmonized common framework on electronic signatures before the end of the year 2002.
The Commission will bring forward a review of this Directive two years after its implementation in part to ensure that the advance of technology or changes to the legal environment have not created barriers to achieving the aims stated in this Directive.
From the Directive, the HLSG report on Electronic Signature and other relevant input documents, two priority areas of standardization can be identified:
There is also a strong requirement for technical interoperability standards for electronic signature functions, in order to achieve interoperability between products and services:
1. Users want standardized and interoperable products to enable them to buy different components from different vendors.
2. Vendors want standards to enable them to sell products on an international market.
As a means for providing an open competitive marketplace for implementations of electronic signature services and products, the following interoperability standards are therefore required:
It is the objective of the Directive to be non-discriminatory and implementable with as wide as possible range of technologies. However, it is also recognized that it is very difficult to define a common basis against which implementations may be judged without selecting a particular technology for electronic signatures.
For this reason, EESSI has also identified the need for selecting a first set of presently recognized technologies and mechanisms to be used for electronic signatures. This is further described in section 4.3. However, wherever possible generic frameworks for procedures and practices are recommended.
4.2 Classes of Electronic Signatures for standardization
The qualified electronic signature
| Article 5.1: Member States shall ensure that advanced electronic signatures, which are based on a qualified certificate and which are created by a secure creation device satisfy the legal requirement of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies that requirement in relation to paper-based data, and are admissible as evidence in legal proceedings. |
In order to be able to make reference to electronic signatures fulfilling all the requirements of article 5.1, we have in this report introduced the following definition:
A qualified electronic signature is a signature that fulfils all the requirements of Article 5.1.
Advanced electronic signatures that fulfil these minimum technical security requirements are thereby granted legal acceptance. There is then obviously a need to standardize these requirements to enable conformity assessment, but also to achieve a harmonized (e.g. agreed minimum) level of security across Europe.
The need for general requirements for electronic signatures
One important question is: Do we also need to standardize any aspect of technical security for legal value according to article 5.2?
When using electronic signatures, users are primarily concerned with achieving a well-defined and acceptable quality of security and liability. One method of achieving a degree of assurance of the security is through the management of the supporting services. By applying standards to the management of security, such as managing the risks, auditing operation, and identifying personnel with specific responsibilities for security, it is possible to achieve a degree of harmonization. Whilst this may not give the same degree of assurance in the level of protection as placing specific requirements on the provision of the supporting service (as in Annex II), there are definite advantages where technology independence is a concern. This approach is of particular relevance to the requirements for general electronic signatures given in article 5.2 of the Directive.
The need for enhancements to the electronic signature
Another important question is: Do we only need to standardize the minimal technical security requirements for electronic signatures resulting from the Directive, or do we have to go further to enhance the technical security? From a legal point of view, the signer does not need to fulfil other requirements than those mentioned in article 5.1. However, it should be made clear that only a minimum level of technical security is reached when solely fulfilling the article 5.1 requirements. Thus, on their own, the requirements placed on the signer for the production of qualified electronic signatures may not be sufficient for a verifier or an adjudicator as technical evidence to settle some disputes.
For example, consider the case when an electronic signature is supported by a certificate which has been revoked some time after the signature was created. In order to settle a dispute over such an electronic signature, it is necessary to provide evidence that shows that the certificate was still valid at the time the signature was generated. Thus, independent evidence of the time that the signature was created is required to prove that certificate was not revoked at the time the signature was generated. This can be achieved through a Time Stamping Authority (TSA) which binds a time-stamp to signed data. Hence, many consider that a TSA is an important component of electronic signature infrastructure.
Time-stamping and other enhancements can in certain cases thus be required for both general and qualified electronic signatures. In this report, we have therefore also considered standardized enhancements to the baseline requirements for general and qualified electronic signatures to address commonly recognized threats. We call these "enhanced electronic signatures".
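The revocation dispute described above, worked through as an added example that is not part of the EESSI report: the verifier accepts only an independent TSA time-stamp as evidence of the signing time, never the time claimed by the signer. The certificate, dates and serial number are constructed for the example.

```python
"""Constructed example (not from the EESSI report): settling a dispute over a
signature whose certificate was revoked some time after signing.

Only an independent TSA time-stamp bound to the signature is accepted as
evidence of when the signature was created; the signing time claimed by the
signer is not, because the signer controls it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

VALID, INVALID, INDETERMINATE = "VALID", "INVALID", "INDETERMINATE"


@dataclass
class Certificate:
    serial: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from a CRL/OCSP response; None if never revoked


@dataclass
class Signature:
    cert: Certificate
    claimed_time: datetime                # asserted by the signer, under the signer's control
    tsa_time: Optional[datetime] = None   # time from a TSA time-stamp bound to the signature


def in_validity_period(cert: Certificate, t: datetime) -> bool:
    return cert.not_before <= t <= cert.not_after


def validate(sig: Signature, verification_time: datetime) -> Tuple[str, str]:
    """Return (verdict, reason) for a signature examined at verification_time."""
    cert = sig.cert
    if sig.tsa_time is None:
        # No independent evidence of the signing time: the verdict can only be
        # positive if the certificate is still good at the moment of verification.
        if cert.revoked_at is None and in_validity_period(cert, verification_time):
            return VALID, "certificate not revoked and currently within its validity period"
        return INDETERMINATE, ("certificate revoked or expired, and the signer's claimed time "
                               "is not independent evidence that the signature predates that")
    # A TSA time-stamp exists: judge the certificate as of the time-stamped time.
    if not in_validity_period(cert, sig.tsa_time):
        return INVALID, "time-stamp shows the signature was made outside the validity period"
    if cert.revoked_at is not None and sig.tsa_time >= cert.revoked_at:
        return INVALID, "time-stamp shows the signature was made at or after revocation"
    return VALID, "time-stamp proves the signature predates any revocation"


def dispute_scenarios() -> Dict[str, str]:
    """Constructed data: certificate revoked on 1 Sept 1999, dispute examined on 20 Nov 1999."""
    utc = timezone.utc
    cert = Certificate(serial="demo-0001",  # constructed placeholder serial
                       not_before=datetime(1999, 1, 1, tzinfo=utc),
                       not_after=datetime(2000, 12, 31, tzinfo=utc),
                       revoked_at=datetime(1999, 9, 1, tzinfo=utc))
    signed = datetime(1999, 8, 15, tzinfo=utc)
    dispute = datetime(1999, 11, 20, tzinfo=utc)
    scenarios = {
        # signer claims 15 Aug but nothing independent backs it up
        "no_time_stamp": Signature(cert, claimed_time=signed),
        # TSA confirms 15 Aug, before the revocation
        "time_stamped_before_revocation": Signature(cert, claimed_time=signed, tsa_time=signed),
        # signer still claims 15 Aug, but the TSA time-stamp is from 10 Sept
        "time_stamped_after_revocation": Signature(cert, claimed_time=signed,
                                                   tsa_time=datetime(1999, 9, 10, tzinfo=utc)),
    }
    return {name: validate(sig, dispute)[0] for name, sig in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in dispute_scenarios().items():
        print(f"{name}: {verdict}")
```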
Different types of electronic signatures
In summary, there is a need for standardization for various types of electronic signatures, as described in the following table.
| Type of signature: | General electronic signature as required in 5.2 | Qualified electronic signature - as specified in 5.1 (Annex I, II, III) | Enhanced electronic signature (applicable to both general and qualified electronic signatures) |
| Level of legal certainty: | Can not be denied legal effect (art 5.2) | Same legal effect as hand-written signature (art 5.1) | Enhancement of technical evidence |
| Explanation: | Any electronic signature that is not a qualified electronic signature. | Minimum technical level required for the signer so that his electronic signature can be considered as legally equivalent with a hand-written signature. | Additional technical requirements for a verifier, such as time-stamping, but also for the signer, to enhance technical security and obtain protection against certain threats. |
The EESSI work will primarily focus on the middle column, i.e. standardization for qualified electronic signatures. However, in some places, the report will indicate general requirements for electronic signatures as well as additional requirements for enhanced electronic signatures.
The Directive is not strictly technology neutral; for qualified electronic signatures, it mandates the use of a specific set of mechanisms, namely certificate-based asymmetric cryptography using Certification Authorities. The Directive, and in particular annexes I and II, identifies requirements for Qualified Certificates and CSPs creating such certificates. The Directive thus implicitly defines a "technical framework".
For this framework to be fulfilled in a consistent manner, providing a common level of quality and functionality, it is considered necessary to define one or more agreed sets of components (security mechanisms and technologies). Thus the approach should be to specify one or more "sets of components" that can be used to fulfil the technical framework which supports qualified electronic signatures. Then, any specific management requirements for supporting those components (e.g. certificate policy) shall be identified. Also, specific security requirements and practice statement requirements relating to the set of components shall be identified. Finally, technical profiles need to be established on how the technical standards for CSP (e.g. certificate formats, certificate management protocols) should be employed to meet the technical framework requirements.
In Annex III, the Directive also identifies requirements for the protection of the private key. Several types of hardware device are able to meet the requirements of Annex III, such as smart cards, PCMCIA cards and Personal Digital Assistants (PDAs). Standardization for using these devices for electronic signatures is needed. However, nothing precludes other devices from being standardized to fulfil the requirements of Annex III, and we foresee that this will happen rapidly.
EESSI Requirement: Specification of one or more sets of components fulfilling the technical framework for Qualified Electronic Signatures.
EESSI Initial Recommendation:
The following set of component mechanisms, described in standards and publicly available specifications, are proposed as a first set of components that can be used for qualified electronic signatures:
The reasons for choosing this particular set of technologies are the following:
It should be noted that there exists another cryptographic technique based on the use of asymmetric cryptography, namely identity-based digital signatures that can be used for electronic signatures. However, this technology is not yet widely deployed.
Elliptic Curve Cryptography presently looks very promising and standards exist for this technology. As soon as it starts to get more widely deployed, it will most likely be included in the set of components.
Introduction of a framework for electronic signatures requires a combination of legislation and technical standards. At one end, we will have the Directive and national legislation introduced to support electronic signatures according to the Directive. At the other end, we have technology and a number of technical standards that presently can be used for electronic signatures, for example digital signatures, hashing algorithms, certificates, cryptographic algorithms etc.
What we need to define is a layered standardization framework that binds these two ends together in an appropriate way. In both Germany and Italy, for example, this has been achieved through a layered legal structure:
If the same effect is to be achieved to support the Directive, there is a need for a division of responsibilities between legislation and standardization. We also need a harmonized way for specifying how legislation can refer to standards.
A general observation by independent experts is that Germany and Italy have made too much use of the legislative instrument to detail the technical requirements, instead of standardization. The German Signature Ordinance and the Italian Technical Rules could equally well have been implemented as national standards.
The EESSI recommendation is to minimize the legislation and keep it very general. Technical standards developed and supported by the industry can then supply the basic necessary framework, as described below.
[Diagram: Levels of standardization and regulation. Columns: "E.g. Germany, Italy", "EU Directive", "National Implementation"; rows: Level 1, Level 2, Level 3, Level 4, with an arrow from the EU Directive to its national implementation.]
Level 1: Legislation
Level 2: High level requirements
Level 3: Functional and quality standards
At this level, we have to find a solution to the following dilemma: "How can security standards for electronic signatures achieve a common and well-defined level of security whilst at the same time catering for the 'rapid development of technology and the global character of the Internet [which] necessitate an approach which is open to the range of existing and potential future technologies and services'?"
The approach taken in the Directive, and also by the EESSI, is that it is not possible (or more correctly: not economically feasible) to specify and build an absolutely secure system, resistant to all possible threats. Instead, a balance has to be found between the costs involved and acceptable business risks.
Level 4: Technical interoperability standards
This is definitely needed by the industry.
4.5 Areas requiring standards and conformity assessment
The Directive describes several areas that may require standardization and conformity assessment of products and services to those standards:
In addition, there may be a need for additional standards and voluntary conformity assessment also in the following areas:
Article 3.4 of the Directive also requires that the conformity of secure signature creation devices against the requirements of Annex III be "determined" by appropriate bodies. The criteria for "designating" such bodies are to be established "pursuant to the procedures laid down in Article 9". This assessment of conformance against Annex III of the Directive has similar implications to conformance assessment of devices against standards recognized under Article 3.5. Thus it is considered that these processes need to be aligned.
EESSI Recommendation: Conformance assessment of secure signature creation devices against Annex III under Article 3.4, and the scheme for conformance assessment of standards for electronic signature products that may be recognised under Article 3.5 should be aligned.
Chapters 5 and 6 describe the requirements of standards against which conformity assessment can be performed, for CSPs and for products. All these standards can be said to belong to Level 3 of the framework model (Functional and quality standards). There is also a need for technical interoperability standards (Level 4). These are described in chapter 7.
It is currently somewhat unclear to what extent the Directive prescribes mandatory conformity assessment. The remaining part of this chapter discusses various aspects of conformity assessment.
The standards EN 45010, EN 45011 and EN 45012 specify accreditation of certification bodies for products and management systems. The standards are also published by ISO/IEC as Guides 61, 66 and 62. In Europe, each Member State has a nationally recognized Accreditation Body, which performs such accreditation (e.g. SWEDAC, COFRAC, UKAS, RvA). Detailed guidance for information security management systems is being defined in EA-7/0X. This is illustrated in the following diagram.
[Diagram: International Conformity Assessment. An accreditation body performs assessment of certification bodies; each certification body in turn performs certification of a manufacturer/... (two parallel branches shown).]
The accredited Certification Body performs assessment and certification of organizations according to a specific functional, management, quality or technical standard. The European co-operation for Accreditation (EA) ensures mutual recognition of such certifications within the EU/EFTA. For more information on EA, see Annex A.1.8.
From the viewpoint of Electronic Signatures, assessment may be required for the qualitative, management and function aspects of both the signature creation / verification products and CSPs used to support electronic signatures. Standards are then necessary against which such assessment can be made. These standards will of necessity relate to a set of selected technical solutions, since different styles of operation will have widely differing functional requirements. However, they do not need to go into the details of the specific use of technology necessary to meet the requirements of interoperability. Hence the decision has been made in this report to clearly delineate the level 3 functional / qualitative standardization requirements needed for assessment of a product or service, and the level 4 standardization requirements relating to interoperability.
For the signature products requiring conformity assessment according to the directive (secure signature creation devices and trustworthy systems), there are presently no general standard criteria for accreditation of certification bodies. Such criteria are currently tied to the specific security evaluation scheme (e.g. ITSEC, Common Criteria etc).
Consideration also needs to be given to requirements for accreditation schemes which are globally recognised, to enable cross-recognition of products and services certified outside Europe. In addition, industry-led schemes such as those being developed under the Emeritus project should be considered.
EESSI Requirement: Standard criteria for accreditation of certification bodies performing conformity assessment of signature products, as well as guidelines for performing such assessment.
EESSI Recommendation: Where conformity assessment is to be determined by a certification body designated by a Member State (e.g. as required under Article 4 of the Directive) through a national authority, it is recommended that such bodies are selected under the same criteria as certification bodies accredited under the European accreditation scheme operating under EN 45010. Consideration also needs to be given to requirements for global recognition of accreditation schemes and for industry-led certification / accreditation schemes.
The New Approach
In 1985, the Commission introduced, in a White Paper, a new strategy to complete the internal market for goods. The strategy is called The New Approach. It is further elaborated in the Council's Resolution on a new approach to technical harmonization and standards.
New approach directives shall contain the essential requirements to be fulfilled to provide for protection of life, health, environment etc. These requirements must be fulfilled before the product can be lawfully placed on the market. It is left to standardization bodies to draft standards that contain detailed technical specifications on how to fulfil the essential requirements. Use of these standards (harmonized standards) remains voluntary, but gives presumption of conformity to the essential requirements. New approach directives also contain conformity assessment procedures, marking provisions, safeguard clauses and free movement clauses. The directives are normally totally harmonizing, i.e. Member States must see to it that all provisions of the directive are met before the product is placed on the market, and at the same time Member States must ensure free movement for goods complying with the directive. A Manufacturer's Declaration should, according to the new approach, normally be sufficient. If a manufacturer uses technical specifications other than harmonized standards, third-party involvement is envisaged.
For more information on the New Approach, see: http://www.newapproach.org/
Manufacturer's Declaration
The most simple form of a Manufacturer's Declaration is a statement made by the manufacturer that a product/service is produced in a way that ensures compliance with the requirements set out in regulations, acts, technical standards or other normative documents. Such declarations are typically made in accordance with ISO/IEC Guide 22 (EN 45014).
The Manufacturer's Declaration can thus be a direct alternative to traditional third-party certification or testing. In this case, the declaration is often combined with a requirement on the manufacturer to demonstrate how he has ensured that the product/service complies with the stipulated requirements. One way of doing this is to use an accredited laboratory. Additionally or alternatively, the manufacturer can be required to have an appropriate quality system in place in order to be allowed to make the Manufacturer's Declaration.
Conformity assessment in the European Community
The New Approach was completed with a Council Decision concerning a system for conformity assessment, i.e. assessment that a product is in conformity with the essential requirements in the relevant directive. The Global Approach contains a number of "modules" that may be used to show conformity. The modules entail both the design and the construction phase of the product. They can be more or less burdensome for the manufacturer; from manufacturer's declaration of conformity through type approval to unit verification and full quality assurance. In a new approach directive, the choice of what modules should be used is made in the directive. This choice is based, among other things, on the risks of the products concerned.
The aim of this system is to achieve mutual recognition of testing and conformity assessment in the EU, both in the mandatory and voluntary area. The criteria for the bodies concerned must be clear, uniform and objective so that Member States and others relying on the results have confidence in the system. Such criteria for testing laboratories and for certification bodies are contained in the harmonized European Norms, EN 45000. These standards also contain norms for conformity assessment of the certification bodies as well as requirements on the accreditation bodies. The EN 29000 standard contains requirements for quality systems. All third-party conformity assessment is performed by so-called notified bodies. Usually, these are accredited certification bodies. The EC Member States shall notify to the Commission the bodies that are accredited for conformity assessment. The Member State is responsible for ensuring that the notified body conforms to the requirements of the relevant directive.
Self Regulation by Industry
A further alternative approach which may be used for assessment of certification service providers is self-regulation. An example of this is being developed under the Emeritus project, which envisages a model based on a Global Trust Services Federation (GTSF) made up of a Trust Services Association (TSA) in each nation. The activities of the Federation are to include, where this is allowed by national laws, the accreditation of service providers against criteria which give subscribers some assurance of the quality of service offered by individual TSPs.
This approach provides a middle way between the EN 45000-based accreditation scheme, which is rigidly controlled from the top down, and the more liberal Manufacturer's Declaration.
Conformity assessment for the Directive on Electronic Signatures
The electronic signatures Directive is not a new approach Directive in the strict sense. It is the first occurrence of a new kind of Directive based on the "light and flexible regulatory approach of high-tech issues". Due to the nature and characteristics of emerging new technologies, only the strict minimum necessary to ensure the most important factors is covered by such a Directive. Compliance with Annex III, or the standard implementing Annex III of which the number has been published, is regarded to be such a factor, and can only be determined by a notified body.
However, it is the opinion of EESSI and the industry that Manufacturer's Declarations also should be allowed and valid. Conformity assessment of CSPs and signature products should be possible in three different ways:
a) Formal assessment and certification by an accredited certification body. Such external assessment is normally performed before the start of operation or sale (a priori).
b) Manufacturer's Declaration, which specifies that the manufacturer conforms to the required standards, and has applied an appropriate quality control procedure. Verification of such a claim may either be performed a priori, as above, or later, for example after a dispute (a posteriori). Manufacturer's Declaration does not exclude testing, certification and inspection by an external laboratory. It is just an alternative way of demonstrating that quality assurance of a product or service is performed in an acceptable manner.
c) Self regulation with assessment carried out by an industry led federation of service providers.
| Article 3:3: Each Member State shall ensure the establishment of an appropriate system which allows the supervision of Certification Service Providers established on its territory which issue qualified certificates to the public. |
The concept of supervision in this article, and its relation to the "voluntary accreditation scheme" in Article 3.1, is somewhat unclear. It can be interpreted as follows:
It should be pointed out that there is no implicit relation between such a supervised CSP and a certified CSP. A CSP may be supervised (issuing qualified certificates according to Annex I and II), certified (fulfilling a specific set of standards, but not issuing qualified certificates, and thus not supervised) or both.
Electronic signatures are commonly applied within the context of a legal or contractual framework. This establishes the requirements on the electronic signatures and any special semantics (e.g. agreement, intent). These requirements may be defined in very general abstract terms or in terms of detailed rules. The specific semantics associated with an electronic signature implied by a legal or contractual framework are outside the scope of this study.
However, of general concern for electronic signatures are the specific requirements for the creation and verification of electronic signatures independent of the specific semantics. These rules have to be recognized as meeting the requirements of the legal / contractual framework (for example, by direct reference, through accreditation or by accepted reasoning). These rules and requirements may include, for example:
Another important fact that needs to be agreed between signer and verifier is the type of commitment made by the signer by applying his signature.
Without agreement on such detailed rules, the signer and verifier are uncertain as to what may be recognized by the other party as a valid signature. This set of rules is referred to, in this document, as a signature policy. A signature policy may be implied by the collection of rules that are applied by the signer and verifier, or formalised in a single specification that can be referenced (named).
In this document, a signature policy is defined as:
"a named set of rules for the creation and verification of an electronic signature, including any use of CSPs, that is recognized as being valid within a given legal / contractual context."
A signature policy may be defined, for example, by a party relying on the electronic signatures and selected by the signer for use with that relying party. Alternatively, a signature policy may be established through an electronic trading association for use amongst its members. The standards identified in this document may be used as the basis for a signature policy meeting the requirements of the Directive.
Certificates, supporting electronic signatures, are commonly issued under a Certificate Policy. This is defined in X.509 as
"a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements."
A certificate policy generally includes undertakings by:
a) the certificate issuer (CA) (e.g. verification of subjects when registering, maintenance of audit logs, delays and means for the notification of revocation) as well as
b) obligations of signers (e.g. maintaining secrecy of the private key) and
c) requirements on relying parties in the proper use of certificates in validating signatures.
Many of the signature policy requirements on signers will be met by the rules in a certificate policy. Hence, many of the rules of the signature policy for the signer side may be established just by reference to the acceptable Certificate Policies. However, some aspects of signature policies are outside the scope of the certificate policies (e.g. the use of time-stamping services, archiving) and hence need to be established independently of the Certificate Policy.
Whether or not a certificate policy is used by the CSP, the signature policy needs to establish rules for the use of CSPs. In the simplest case, this can be a list of trusted CSPs but it can also include the certificate policies that are acceptable as well as constraints on the CSPs such as naming and key usage.
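As an added illustration that is not part of the report, the following Python code models a named signature policy carrying exactly the rules discussed above (trusted CSPs, acceptable certificate policies, naming and key-usage constraints, plus the commitment type and a time-stamp requirement that lie outside any certificate policy) and checks a signature against it. The policy name, CSP names, subject names and policy OIDs are constructed placeholders.

```python
"""Constructed example (not from the EESSI report): checking an electronic
signature against a named signature policy. All names and OIDs below are
placeholders invented for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class SignaturePolicy:
    name: str                                  # policies are named so they can be referenced
    trusted_csps: FrozenSet[str]               # issuer names of the CSPs the verifier accepts
    acceptable_cert_policies: FrozenSet[str]   # certificate policy OIDs
    required_key_usage: FrozenSet[str]         # X.509 key usage bits that must all be set
    permitted_name_suffixes: Tuple[str, ...]   # naming constraint on the subject DN
    accepted_commitment_types: FrozenSet[str]  # what the signer may commit to
    time_stamp_required: bool                  # outside the scope of a certificate policy


@dataclass(frozen=True)
class SignerCertificate:
    issuer: str
    subject: str
    policy_oids: FrozenSet[str]
    key_usage: FrozenSet[str]


@dataclass(frozen=True)
class ElectronicSignature:
    cert: SignerCertificate
    commitment_type: str
    has_time_stamp: bool


def check_against_policy(sig: ElectronicSignature, policy: SignaturePolicy) -> List[str]:
    """Return the policy rules the signature violates; an empty list means it is acceptable."""
    cert = sig.cert
    violations: List[str] = []
    if cert.issuer not in policy.trusted_csps:
        violations.append(f"issuer not a trusted CSP: {cert.issuer}")
    if not cert.policy_oids & policy.acceptable_cert_policies:
        violations.append("certificate issued under no acceptable certificate policy")
    missing = policy.required_key_usage - cert.key_usage
    if missing:
        violations.append("missing key usage: " + ", ".join(sorted(missing)))
    if not cert.subject.endswith(policy.permitted_name_suffixes):
        violations.append(f"subject name outside permitted name space: {cert.subject}")
    if sig.commitment_type not in policy.accepted_commitment_types:
        violations.append(f"commitment type not accepted: {sig.commitment_type}")
    if policy.time_stamp_required and not sig.has_time_stamp:
        violations.append("policy requires a time-stamp but none is present")
    return violations


# Constructed demo policy for a trading association; OIDs sit under a placeholder arc.
DEMO_POLICY = SignaturePolicy(
    name="demo-trading-association-policy-v1",
    trusted_csps=frozenset({"CN=Demo Qualified CA, O=Demo Trust Services, C=SE"}),
    acceptable_cert_policies=frozenset({"1.3.6.1.4.1.99999.1.1"}),
    required_key_usage=frozenset({"digitalSignature", "nonRepudiation"}),
    permitted_name_suffixes=("C=SE", "C=BE"),
    accepted_commitment_types=frozenset({"proof_of_approval", "proof_of_origin"}),
    time_stamp_required=True,
)

QUALIFIED_CERT = SignerCertificate(
    issuer="CN=Demo Qualified CA, O=Demo Trust Services, C=SE",
    subject="CN=Anna Example, O=Example AB, C=SE",
    policy_oids=frozenset({"1.3.6.1.4.1.99999.1.1"}),
    key_usage=frozenset({"digitalSignature", "nonRepudiation"}),
)

OTHER_CERT = SignerCertificate(
    issuer="CN=Some Other CA, O=Unknown, C=XX",
    subject="CN=Bob Example, O=Example Ltd, C=XX",
    policy_oids=frozenset({"1.3.6.1.4.1.99999.2.7"}),
    key_usage=frozenset({"digitalSignature"}),
)


def demo() -> Tuple[List[str], List[str]]:
    """Check one acceptable and one unacceptable signature against DEMO_POLICY."""
    ok = ElectronicSignature(QUALIFIED_CERT, "proof_of_approval", has_time_stamp=True)
    bad = ElectronicSignature(OTHER_CERT, "receipt", has_time_stamp=False)
    return check_against_policy(ok, DEMO_POLICY), check_against_policy(bad, DEMO_POLICY)
```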
Standardization requirements for Certificate Policies are identified in chapter 5; the standardization implications of Signature Policies have yet to be established.
EESSI Requirement: Study of the standardization implications of Signature Policies.
This chapter describes the requirements for functional and quality standards for CSPs (Level 3 of the standardization framework model), as well as the corresponding conformity assessment.
Certification Service Provider, as defined in the Directive, encompasses all types of trusted service providers related to electronic signatures.
This includes services relevant to CSPs issuing qualified certificates:
- Certification authority services
- Registration authority services
- Directory services
It also includes additional services which may be used to support electronic signatures, such as:
- Time-stamping services
- Attribute Authority services
- Trusted archival services
- Notarisation services
This chapter considers:
a) General standardization requirements that are applicable to any of the above CSPs, whether or not they support qualified electronic signatures.
b) Standardization requirements for CSPs issuing qualified certificates (Certification Authorities with associated registration and directory services).
c) Standardization requirements for additional services which can be used to support electronic signatures.
For each of these areas this chapter discusses requirements for:
This report considers the services relevant to CSPs issuing qualified certificates (certification authority, registration authority, directory) as a whole. Whilst these services may be provided independently, it is considered that in the short term one body should be given overall responsibility for the provision of these services to the user. Thus, current requirements for qualitative standards for CSPs issuing qualified certificates are considered as a whole. However, it may be necessary within these standards to clearly delineate the responsibilities between providers of the different services.
5.1.1 CSP Security Management
To achieve some assurance of the secure operation of a CSP for general electronic signatures, as well as for qualified electronic signatures, there is a need to establish codes of practices for the secure management of the CSP, independent of the services provided.
There are commonly accepted "codes of practice" standards for the management of information security. They include practices for the identification of security risks as well as the application of the appropriate controls to manage those risks. Three such standards and publicly available specifications are:
BS 7799 Part 1 has been already used in a number of countries in Europe and around the world, and is likely to be proposed for standardization internationally.
Such codes of practice place little or no constraint on the services that can be offered by the CSP and give the signer and verifier a degree of assurance that the electronic signature is not weakened by poor security management of the CSP.
EESSI Requirement: European recognition of standard security management guidelines (e.g. BS 7799, ISO TR 13335, COBIT) generally applicable to CSPs supporting electronic signatures.
For