The Electronic Signatures Directive under the spotlight
What is it?
The Electronic Signatures Directive, adopted by the European Parliament in December 1999, establishes a legal framework for the use of electronic signatures, promotes the interoperability of electronic signature products and aims to build trust in electronic signatures. It must be implemented into UK law by 19 July 2001. This will be through the Electronic Communications Bill and regulations due to become law by May 2000.
What's in the fine print?
The directive is intended to be technologically neutral and thus does not favour cryptography over other potential means of creating or verifying electronic signatures, eg biometrics such as iris patterns or fingerprints. The central provision of the directive, Article 5, recognises two classes of electronic signatures:
1. Article 5.1 signatures: advanced electronic signatures based on a qualified certificate issued by a certification service provider and created by a secure signature creation device. These signatures satisfy the legal requirements of a signature as if they were handwritten and must be admissible as evidence in legal proceedings.
2. Article 5.2 signatures: other electronic signatures. These cannot be denied legal effect, validity or admissibility as evidence, solely on the grounds that they are in electronic form or are not based on a qualified certificate or a certificate issued by a certification service provider.
A "qualified certificate" links a particular signature verification device used to verify the electronic signature to a signatory and contains the following information:
A qualified certificate must be issued by a certification service provider meeting the requirements of Annex 2 of the directive: providers that are reliable, financially stable, secure, trustworthy and technically expert. Any accreditation scheme for certification service providers created by EU member states must be voluntary. The security, probity and technical expertise of the certification service provider is therefore paramount, as developers of secure signature creation hardware or software, or of signature verification devices, must consider not only whose qualified certificates their products will support, but also who will be trusted by their customers.
What are the implications?
Electronic signatures are likely to become extremely important, both in business-to-business and business-to-consumer e-commerce. As a means of online identification, they are potentially a means of combating fraud, especially credit card fraud, as they will enable both merchants and credit providers to verify the identity of the person using an electronic signature, as well as the authenticity and integrity of the electronically signed message.
In practice, the use of electronic signatures in financial transactions may favour the use of advanced electronic signatures, even though Article 5.2 electronic signatures without qualified certificates are recognised by the directive. Indeed, an advanced electronic signature and its qualified certificate give more information about the signatory than any handwritten signature ever can.
For information contact Jane Rawlings of DLA's e-commerce team on 08457-262728.