Monday, 20 December 2010

The European Directive on Electronic Signature must be updated

11 years after the adoption of the Directive 1999/93/EC, the use of electronic signatures is still residual despite the substantially increased need for legal certainty on the Net.

We must remember that in those years, we used to access the Internet with a browser called Netscape on a computer running Windows 95 and a 28.8 kbit/s modem.

An update of the Directive is therefore necessary, one that resolves some of the problems encountered during these years and adapts it to new needs.

Below I list some of the issues that, from my point of view, are important, leaving their development for other posts:
  • CSPs should ensure the online provision (direct or indirect) of reliable data concerning the revocation of the certificates they issue. This will eliminate the "grace periods" that cause so many problems when generating AdES formats (Advanced Electronic Signatures).
  • The Directive should define the Legal Person Seal. Since it is not included in the current version, some member states have developed different approaches. For example, in Spain, there is a "qualified" electronic signature of legal persons (?) or, in the field of public administration, the Entity Seal to automate administrative actions. A Legal Person Seal, which obviously should not be equivalent to a handwritten signature, would allow a good solution for electronic invoicing systems.
  • Ensure that the requirement "it is created using means that the signatory can maintain under his sole control" does not prevent the development of centralized signature systems, so that SSCDs could consequently be deployed in the cloud.
In short, we need an electronic signature more adapted to reality.

3 comments:

Anonymous said...

As for point #3 - centralized signature devices, we are a vendor of such a centralized signature appliance called CoSign. We have identified two types of uses for such a device:
1. System signatures done on behalf of the organization.
2. End users signing with their centrally-stored key. This either takes place in-house or as a SaaS (in the cloud).

It would be nice to have proper legal coverage by the directive for both use cases.

Regards,

Ari Seror
ari@arx.com

Santi Casas said...

Ari, completely agree.

Your first use case is the one I link to the "Legal Person Seal" and the second to signatures through a centrally stored key for natural persons.

We need legal coverage that facilitates (or at least does not complicate) the two solutions.

Obviously the solutions must ensure the safety of the user and the relying party.

Thx for your comment.

public key infrastructure said...

Very well written article. In this article, what do you mean by "Legal Person Seal"? How does the directive define it? I mean, what are the basic criteria behind it?