What is it?
The Electronic Signatures Directive, adopted by
the European Parliament in December 1999, establishes a legal
framework for the use of electronic signatures, promotes the
interoperability of electronic signature products and aims to build
trust in electronic signatures. It must be implemented into UK law
by 19 July 2001. This will be through the Electronic Communications
Bill and regulations due to become law by May 2000.
What's in the fine print?
The directive is intended to be technologically neutral and thus
does not favour cryptography over other potential means of creating
or verifying electronic signatures, eg biometrics such as iris
patterns or fingerprints. The central provision of the directive,
Article 5, recognises two classes of electronic signatures:
1. Article 5.1 signatures: advanced electronic signatures based
on a qualified certificate issued by a certification service
provider and created by a secure signature creation device. These
signatures satisfy the legal requirements of a signature as if they
were handwritten and must be admissible as evidence in legal
proceedings.
2. Article 5.2 signatures: other electronic signatures. These
cannot be denied legal effect, validity or admissibility as
evidence, solely on the grounds that they are in electronic form or
are not based on a qualified certificate or a certificate issued by
a certification service provider.
A "qualified certificate" links a particular signature
verification device used to verify the electronic signature to a
signatory and contains the following information:
- that the certificate is a qualified certificate
- the name of the signatory or their pseudonym
- the identity of the certification service provider, their
advanced electronic signature, the validity period of the
certificate, and an identifying number for the
certificate
- signature verification data corresponding to the signature
creation data under the control of the signatory
- any limits on the scope of use of the qualified
certificate
- any limits on the value of transactions for which the electronic
signature can be used, if applicable
- specific attributes of the signatory may be included, if
relevant, eg creditworthiness, authority to sign for a company. VAT
numbers were examples appearing in earlier drafts of the
directive.
A qualified certificate must be issued by a certification
service provider meeting the requirements of Annex 2 of the
directive - reliable, financially stable, secure, trustworthy,
technically expert providers. Any accreditation scheme for
certification service providers created by EU member states must be
voluntary and non-compulsory. Thus the security, probity and
technical expertise of the certification service provider are
paramount, as developers of secure signature creation hardware or
software, or of signature verification devices, must consider not
only whose qualified certificates their products will support, but
who will be trusted by their customers.
What are the implications?
Electronic signatures are likely to become extremely important,
both in business-to-business and business-to-consumer e-commerce.
As a means of online identification, they are potentially a means of
combating fraud, especially credit card fraud, as they will enable
both merchants and credit providers to verify the identity of the
person using an electronic signature, as well as the authenticity
and integrity of the electronically signed message.
In practice, the use of electronic signatures in financial
transactions may favour the use of advanced electronic signatures,
even though Article 5.2 electronic signatures without qualified
certificates are recognised by the directive. Indeed an advanced
electronic signature and its qualified certificate give more
information about the signatory than any handwritten signature ever
can.
For information contact Jane Rawlings of DLA's e-commerce team
on 08457-262728.