8. Electronic Signatures
The anonymity and the openness of the Internet pose several questions for business.
· How can you be sure that the person you are communicating with is who he claims to be?
· How can you make sure that the communication cannot be changed at some time between transmission and receipt (with text-based e-mail, it is technically quite simple to change the content of an e-mail)?
· How can you make sure that an outsider (for example a competitor) is unable to read your communications?
· How can you be sure a secure electronic document sent from person A to person B and then from person B to you is the same document A sent in the first place?
It is clear that for international electronic trade to flourish, a reliable form of electronic signatures is critical. Electronic signatures, and the management processes to which they are subject, can provide the means for this to happen and create trust and confidence between business partners.
One of the most widespread ways to provide secure communication is to assign each party two uniquely and intimately bound pieces of information, which allow two or more parties to exchange information. These pieces of information are called keys:
· the private key, which has to be safeguarded;
· the public key, which can be freely distributed.
This is called public key technology. It can also be used to provide confidentiality between two parties: the sender encrypts a message with the recipient's public key so that only the intended recipient, holding the matching private key, can decrypt it.
Private keys are usually held on some form of storage device – today, a smart card (similar to a credit card, but with a micro-chip providing limited memory and processing capability) is very common, although there are numerous alternatives. Smart cards generally require a PIN code, or sometimes a pass-phrase, to activate them. Hence, just as with a credit card, debit card or house key, it is important to ensure that neither they nor their codes fall into the wrong hands.
When an individual wants to sign an electronic document, he uses his private key to perform a special function on the document (typically a text-based document, but it could be any form of electronic file – an image, an audio sample, or other types of content). The function may simply attest, for future recipients, to the content of the message and to data about the message, or it may encode (encrypt) the document.
In addition to addressing security issues, electronic signatures can be used to:
· confirm the identity of the other party - authentication;
· determine the authority or signing capacity of the other party - authority;
· ensure that the contents of any document have not been changed in any way - integrity;
· verify that the document has come from the claimed party - authenticity;
· sign a document in a legally-binding fashion - legal commitment;
· ensure that the original signing party cannot later claim not to have signed - non-repudiation.
Of course, it might be possible for anyone to acquire a pair of keys in the name of someone else, possibly an imaginary person. How would anyone else know? The solution is to put in place a process that requires the key holder to satisfy a number of conditions to prove their identity. These checks are performed by or on behalf of a trusted third party who, given satisfactory evidence, is prepared to certify that the details of the key holder are as they are claimed to be. The public key is then signed by this certification authority, and the signed key is known as a public key certificate. Anyone who wishes to can verify the certificate with the original certification authority, which should maintain a directory of the keys it has certified and a list of revoked certificates. In this way, a relying party who consults that directory and list can always confirm the current legitimacy of the signer's public key.
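The key pair, signing and certification steps described above, as an added Go example that is not part of this document: a certification authority certifies a holder's public key, the holder signs a document with the private key, and a relying party checks both the signature and that the certificate chains to the authority it trusts. The names, serial numbers and sample document are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCertifiedKey makes a key pair for holder and certifies its public key; parent == nil gives a self-signed CA.
func NewCertifiedKey(serial int64, holder string, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key stays with the holder
	selfSigned := parent == nil
	tmpl := &x509.Certificate{ // constructed example values, not from the document
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: holder},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: selfSigned, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if selfSigned { // the authority certifies its own key and may sign further certificates
		tmpl.KeyUsage, parent, issuerKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

// SignDocument hashes the document and signs the digest with the signer's private key.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig
}

// VerifyDocument checks the signature with the certified public key; any change to doc fails.
func VerifyDocument(cert *x509.Certificate, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// TrustedSigner is the relying party's check that holderCert was issued by the CA it trusts.
func TrustedSigner(caCert, holderCert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := holderCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

A certificate someone makes for themselves in another person's name does not chain to the trusted authority and is rejected by TrustedSigner; a real relying party would also consult the authority's revocation list, which this example leaves out.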
An EC Framework Directive for electronic signatures came into force on 19 January 2000 (the deadline for implementation was 19 July 2001). In essence, it says that electronic signatures cannot be denied legal effect just because they are in electronic format. The directive also allows Certification Service Providers to provide their services without prior authorisation by national bodies. Member States may themselves decide how they ensure supervision of compliance with the provisions of the directive. The directive does not preclude the establishment of private-sector-based supervision systems or oblige certification-service-providers to apply to be supervised under any applicable accreditation scheme. However, Member States are obliged to notify the EC of any approved provision of certification services.
This directive is an important contribution to enabling secure electronic commerce within the European Union. Electronic signatures will be used increasingly in the public sector within national and EU administrations, in communications between those administrations, and with citizens and businesses, for example in the public procurement, taxation, social security, health and justice systems.