Digital Signatures and European Laws
by Mirella Mazzeo
Editor's Note: First published January 2004, this document was updated November 2010 with greater clarity on the difference between a key holder and a key owner, and on the fact that a private key need not be attached to any device (though it often is, to make it easier to use).
People who do business on the Internet need security and trust. In electronic commerce and communication you cannot see the person you are dealing with, you cannot inspect the documents that prove their identity, and you cannot even be sure that the web site you are connected to belongs to the company it claims to. You must also ask yourself: is this really the contract my business partner sent me, or has someone unauthorised read and altered it before it reached my desk? And what happens if there is a dispute over the contract and I have to take it to court?
To answer these legal needs the European Union adopted a Community framework for electronic signatures some time ago (Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures), which has since been transposed into national law in the member states. The directive applies to business in which European partners (individuals or companies) or public administrations are involved. This also means that if an American organisation enters into an electronic contract with a European company, it has to respect the European requirements for the contract to be valid. This paper addresses these issues and then gives an overview of current trends in various European countries.
Introduction to digital signatures
A digital signature is an electronic signature built on public-key (asymmetric) cryptography. The directive uses the broader term "electronic signature", which also covers weaker forms such as a scanned handwritten signature; this paper is concerned with the cryptographic kind. The signatory holds a pair of mathematically related keys: a private key, which must remain under the signatory's sole control and is used to produce signatures, and a public key, which is distributed to anyone who needs to verify them. The relationship is one-way: given the public key alone it is computationally infeasible to recover the private key, so a reader who can verify your signature learns nothing that would let him forge one. A useful mental picture is a seal rather than a door key: only the owner can press the seal, but anyone who has seen an impression can check whether a new one matches.
The working principle is this: you prepare a document, your signing software computes a fixed-length hash (digest) of it and uses your private key to produce a signature over that digest, and you send the document together with the signature. The recipient recomputes the digest from the document she received and checks the signature against your public key; if the check passes, she knows the document has not been altered since it was signed and that it was signed by whoever holds the private key. Two caveats follow. First, a signature does not hide the document: the text travels in the clear, and confidentiality requires encryption as a separate step. Second, a signature proves only possession of a private key; linking that key to a named person is the job of the certificate issued by a certification authority, described below. A private key does not need to be attached to any device, but it often is stored on one to make it easier to use and harder to copy. For a qualified electronic signature the private key therefore generally resides on a smart card, used through a smart-card reader attached to the signatory's personal computer, so that the key never leaves the card.
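As an added example, not code from the original article, here is the exchange just described carried out with Go's standard library: the signer hashes the document with SHA-256 and signs the digest with RSA-PSS, the recipient recomputes the digest and verifies it against the public key, and the two failure cases (altered document, wrong public key) are shown alongside the fact that the document itself travels in the clear. The key size, the contract text and the party names are assumptions for illustration; a real qualified signature would keep the private key on a smart card and bind the public key to the signatory through a certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer wraps an RSA private key. In a qualified-signature deployment the
// private half lives on a smart card and never leaves it; here it is held
// in memory purely for illustration.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates a fresh RSA key pair of the given size.
func NewSigner(bits int) (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the verification key that is handed to recipients
// (normally inside an X.509 certificate issued by a certification authority).
func (s *Signer) Public() *rsa.PublicKey {
	return &s.priv.PublicKey
}

// SignedDocument is what actually travels to the recipient: the document
// itself, in the clear, plus the signature over its digest.
type SignedDocument struct {
	Doc []byte
	Sig []byte
}

// Sign hashes the document with SHA-256 and signs the digest using RSA-PSS.
func (s *Signer) Sign(doc []byte) (*SignedDocument, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Doc: doc, Sig: sig}, nil
}

// Verify recomputes the digest of the received document and checks the
// signature against the public key. It reports only whether the holder of
// the matching private key signed exactly these bytes; who that holder is
// must be established from the certificate that carries the public key.
func Verify(pub *rsa.PublicKey, sd *SignedDocument) bool {
	digest := sha256.Sum256(sd.Doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sd.Sig, nil) == nil
}

func main() {
	alice, err := NewSigner(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample contract; not a real document.
	contract := []byte("Supply agreement: 500 units at EUR 20 each, delivery by 30 June.")
	signed, err := alice.Sign(contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document, Alice's key:  ", Verify(alice.Public(), signed))

	// Integrity: change one digit in transit and the digest no longer matches.
	tampered := &SignedDocument{
		Doc: []byte("Supply agreement: 500 units at EUR 200 each, delivery by 30 June."),
		Sig: signed.Sig,
	}
	fmt.Println("altered document, Alice's key:  ", Verify(alice.Public(), tampered))

	// Authentication: the signature does not verify under anyone else's key.
	mallory, err := NewSigner(2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document, Mallory's key:", Verify(mallory.Public(), signed))

	// No confidentiality: the text is right there for anyone to read.
	fmt.Printf("what the network sees: %q\n", signed.Doc)
}
```

Running it prints true for the genuine document under Alice's key and false for both the altered document and the verification under Mallory's key, followed by the contract text exactly as it crossed the wire. RSA-PSS with a nil options value uses an automatic salt length on both sides; any other scheme (RSA PKCS#1 v1.5, ECDSA, Ed25519) follows the same hash-then-sign-then-verify shape.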
The principle of use is the same for every kind of electronic signature, but the legal value of each kind differs. European law (Directive 1999/93/EC, hereinafter referred to as "dir.") distinguishes three levels. The first is the plain electronic signature (art. 2(1) dir.): any data in electronic form attached to or logically associated with other electronic data and serving as a method of authentication. The second is the advanced electronic signature (art. 2(2) dir.): one that is uniquely linked to the signatory, capable of identifying the signatory, created using means the signatory can keep under his sole control, and linked to the signed data in such a way that any later change is detectable. The third is an advanced electronic signature based on a qualified certificate and created by a secure-signature-creation device (art. 5(1) dir.), which satisfies the legal requirements of a signature in the same way as a handwritten signature does for paper and is admissible as evidence in legal proceedings; this is the kind referred to in this paper as a qualified, strong or secure signature.
Duties of a qualified electronic signature user
Choosing a Certification Authority
To obtain a qualified electronic signature you first have to find a qualified certification-service provider. In Europe such a provider must meet the requirements set out in Annex II of the directive, among them verifying the identity of the person to whom a certificate is issued, operating a prompt and secure revocation service, using trustworthy systems and products, and never storing or copying the signatory's private signature-creation data.
Obtaining a secure electronic signature
To obtain a qualified digital signature you have to contact a qualified certification-service provider. The list of qualified providers is available from the authority responsible for electronic government in each European Union member state, which at the time of writing meant Italy, France, Spain, Germany, the United Kingdom, Luxembourg, the Netherlands, Belgium, Portugal, Austria, Finland, Ireland, Denmark, Sweden and Greece. Alternatively, one can contact the Electronic-Signatures Committee through the European Union online. The links originally given pointed to the only official web sites that existed; where a country had no link, it had no official site for its public key infrastructure at the time. Qualified certification-service providers exist around the world; each is listed by one of the European countries, and the certificates they issue are recognised throughout the Union.
Current Trends in Europe
Each European country must develop its own PKI, but some have been quicker to adopt one than others. Italy has a leading position because it was one of the first European countries to put in place the technical measures required for qualified digital signatures, and it was the first to equip the heads of all its government departments with them. In Italy's Justice Department, which has over 40,000 employees, there are already more than 10,000 qualified digital signatures in use.
Finland uses biometric keys instead of smart cards to produce qualified digital signatures, but they are little used: currently only about 1% of public employees have one, probably because the tools required are too expensive. Finnish qualified electronic signatures have the same legal value as qualified signatures from other countries, but Finnish keys cost more.
Spain uses qualified digital signatures in dealings between citizens and the public administration, and it is the only European country in which the qualified certification-service provider is itself a public administration.
Germany is now issuing secure digital signature tools to its public administration and is working on interoperability between its certification authorities. France is currently testing digital signatures in some public administrations. The United Kingdom is late in adopting public key infrastructure; at the moment no public administration in the UK uses electronic signatures. Denmark is working towards a single PKI for all public administrations, but at the moment only 2% of public employees have a digital signature. Austria has introduced the "Citizen Card", a smart card for qualified digital signatures that is used for social security and also for private business. The Netherlands is very late: it is the only European country still without a national law transposing the 1999 directive.
Electronic signatures are backed by valid European law, so qualified digital signatures have great potential. They matter to every business that must transact electronically with European partners, because they carry a strong legal value. A qualified digital signature guarantees the authentication of the signatory, the integrity of the signed document and non-repudiation; these are among the most desired guarantees in e-business. Confidentiality is not among them: a signed document is still readable by anyone who intercepts it, and must be encrypted separately if it is to stay secret. Qualified digital signatures are therefore widely used in high-value e-commerce, where everyone wants to be sure that the contract is valid and that nobody has tampered with it.
The PKI situation in Europe is still not uniform, however. Some countries, such as Italy, Austria and Spain, already have well-developed infrastructure in place; others, such as Finland, Denmark, Germany and France, are still testing their PKI solutions; and some, such as the Netherlands and the United Kingdom, have not even started deploying a public key infrastructure.
Further reading
European Commission, The Legal and Market Aspects of Electronic Signatures, final version (263-page PDF).
Links to E.U. national resources on electronic signatures.
European Institute of Public Administration, Electronic signature, 2003.
CNIPA (Italian National Centre for IT in Public Administration), Firma elettronica: tecnologie e standard [Electronic signature: technologies and standards], 2003.
CNIPA, Firma Digitale [Digital signature], 2003.
Le Camere di Commercio Italiane (Italian Chambers of Commerce), Firma digitale e Registro delle Imprese. Dall'anagrafe delle imprese la spinta verso l'e-Government [Digital signature and the Register of Companies. From the company registry, the push towards e-Government], 2002.
Antonello Cherchi, La firma elettronica europea è pronta [The European electronic signature is ready], 24 February 2003.
Luca Martini, La valenza probatoria della firma digitale: aspetti giuridici e problematiche connesse [The evidential value of the digital signature: legal aspects and related issues], 2003.
Mario Gentili, La firma digitale [The digital signature], 8 February 2001.
Laura Turini, Dopo il click attenzione alla firma [After the click, mind the signature], 17 November 2003.
Giuseppe Briganti, Forma ed efficacia del documento informatico dopo il D.L.vo 23 gennaio 2002 n.10: "Attuazione della direttiva 1999/93/CE relativa ad un quadro comunitario per le firme elettroniche" [Form and effect of the electronic document after Legislative Decree no. 10 of 23 January 2002: "Implementation of Directive 1999/93/EC on a Community framework for electronic signatures"], 2002.
Mario Petrulli, La firma digitale e la disciplina antiriciclaggio [The digital signature and anti-money-laundering rules], 2001.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.