3 April 1998: Add message and EU directive
2 April 1998: Add message
30 March 1998
From: Peter Dare <peter_dare@uk.ibm.com> To: <ukcrypto@maillist.ox.ac.uk> Subject: Draft EU directive on electronic signatures Date: Mon, 30 Mar 1998 15:04:19 +0000 The European Commission has produced a draft directive on electronic signatures (which term includes digital signatures). If adopted by the Parliament and Council, the directive will require member states (MS) to pass laws (before 1/1/2000 ?) which have the following effect EU-wide: --- A legal presumption that digital signatures supported by a qualifying certificate guarantee integrity and authenticate the signer and the signer's intention to sign. Digitally signed data to have the same legal status as documents signed in ink and to be admissible in court. Rebuttal possible on the basis of technical problems with the verifying system (sic). --- Anyone can be a CSP (certification service provider) - MSs may introduce only voluntary pre-approval regulation. Any voluntary schemes shall regulate services provided FROM a MS, without restriction against services provided TO a MS from elsewhere in the EU. --- All CSPs (whether or not they are pre-appoved) must be reliable, employ the right people, use trustworthy systems, be financially sound, keep proper records, provide proper consumer information, publish policies/contractual terms/practice statements/liability obligations. --- All certificates must be properly formatted. --- If a CSP issues a certificate, the CSP is immediately liable to any person who reasonably relies on that certificate, even if there is no contractual relationship with the CSP concerned, for correctness of contained information, legal compliance, correct binding of public key to private key held by the named subject. Some let-outs: liability for economic loss only, not loss of profits; "all reasonable measures" taken; stated limitations on certificate use; stated limitations on certificate liability per claimant or even per certificate. --- The Commission will negotiate mutual recognition outside the EU. Such agreements must the be recognised under MS law. --- Data protection rules apply to certificate subjects. Subjects can request pseudonyms. CSPs disclose to law enforcement real names behind pseudonyms when serious crime is suspected - but at the end of the investigation the subject gets told that there was a disclosure. (You've heard of "key escrow" - this is "name escrow".) --- There will be a consultative committee with observers from industry and user groups. peter_dare@uk.ibm.com
Date: Mon, 30 Mar 1998 16:51:25 -0500 From: Nigel Hickson <nigelhickson@compuserve.com> Subject: DIGITAL SIGNATURE DIRECTIVE To: UKCRYPTO@maillist.ox.ac.uk Hi there, As Mr Dare has shared parts of the draft (and it is that) directive with the Group; perhaps I can explain its status. As you recall the directive was trailed in (97)503 last year which the Telelcoms Council in December welcomed. The Commission have been working on the directive, with encouragement of the UK presdency, and a recent draft has been sent to member States for comment ahead of its formal adoption later in April (we hope). The draft is marked (at this stage) "confidential" which is why we have not shared it with industry and why it is probably not on any offical website. I am going to a member State meeting on Thursday (yes, I will not be in the Hague then) to discuss draft and will report back. As you will note - from Peter's comments - the directive (much to our disapoinment) says nothing on encryption! Nigel Hickson
From: "Bert-Jaap Koops" <E.J.Koops@kub.nl> To: ukcrypto@maillist.ox.ac.uk Date: Thu, 2 Apr 1998 10:05:27 MET Subject: Re: DIGITAL SIGNATURE DIRECTIVE Nigel Hickson wrote: > The draft is marked (at this stage) "confidential" which is why >we have not shared it with industry and why it is probably not >on any offical website. A 'Draft Directive... of the European Parliament and of the Council of ... on a common framework for electronic certification services' was published in BNA's Electronic Commerce & Law Report of 4 March 1998, pp. 307-311. It is available at http://www.newsstand.lotus.com/ if you have a subscription to the electronic version of BNA's EPLR. Cheers, Bert-Jaap --------------------------------------------------------------------- Bert-Jaap Koops tel +31 13 466 8101 Center for Law, Administration and facs +31 13 466 8149 Informatization, Tilburg University e-mail E.J.Koops@kub.nl -------------------------------------------------- Postbus 90153 | This world's just mad enough to have been made | 5000 LE Tilburg | by the Being his beings into being prayed. | The Netherlands | (Howard Nemerov) | --------------------------------------------------------------------- http://cwis.kub.nl/~frw/people/koops/bertjaap.htm ---------------------------------------------------------------------
Date: Thu, 2 Apr 1998 15:58:15 -0500 From: Nigel Hickson <nigelhickson@compuserve.com> Subject: DIGITAL SIGNATURE DIRECTIVE - progress To: <ukcrypto@maillist.ox.ac.uk> Colleagues I noted that I would report on discussions in Brusssels between member States on the draft Directive. These took place today in the framework of the SOG-IS group. They were very positive; all countries voiced support for what the Commission were trying to achieve; there were concerns however about the sheer complexity of tackling elctronic (as opposed to digital) signatures and the difficulties of legisalting for legal recognition when member states legal systems were so different. The Commission will no doubt reflect and will hopefully reflect some of the comments in their next draft (or the final text). As I have said we hope it will be adopted by Commission ahead of Telecoms Council in May (19). Regards Nigel Hickson
To: jya@pipeline.com Subject: EU DIRECTIVE Date: Fri, 03 Apr 98 13:37:17 PST From: "Willis H. Ware" <willis@rand.org> -- Since you post to UKCRYPTO you probably have this. If not, the EU directive is below; I've cleaned up the formatting. willis ------- Forwarded Message From: Caspar Bowden <Caspar.Bowden@qualia.co.uk> To: "'ukcrypto@maillist.ox.ac.uk'" <ukcrypto@maillist.ox.ac.uk> Subject: Text of (original) draft EU DIGITAL SIGNATURE DIRECTIVE Date: Fri, 3 Apr 1998 04:14:06 +0100 European Commission Working Draft of Directive on a Framework for Electronic Certification Services DIRECTIVE .... . OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of .... . On a common framework for electronic certification services THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION Having regard to the Treaty establishing the European Community, and in particular Article 57(2), 66 and 100A thereof. Having regard to the proposal from the Commission. Having regard to the opinion of the Economic and Social Committee. Having regard to the opinion of the Committee of the Regions. Acting in accordance with the procedure laid down in Article 189b of the Treaty. (1) Whereas the Commission presented on 16 April 1997 to Council, the European Parliament, the Economic and Social Committee and the Committee of the Region a Communication on an European Initiative in Electronic Commerce1 ; (2) Whereas the Bonn Ministerial Conference, held on 6 - 8 July 1997, stressed the necessity of a legal and technical framework for digital signatures2 ; (3) Whereas the Commission presented on 8 October 1997 to the European Parliament, to the Council, the Economic and Social Committee and the Committee of the Regions a Communication on Ensuring security and trust in electronic communication -- Towards a European framework for digital signatures and encryption3 ; (4) Whereas on 1 December 1997, the Council invited the Commission to submit as soon as possible a proposal for an European Parliament and Council Directive on digital signatures; (5) Whereas divergent rules in the Member States may create a significant barrier to the use of electronic communications and electronic commerce and thus under the development of the Internal Market; (6) Whereas the divergent activities in the Member States indicate the need of harmonisation at Community level; whereas the rapid technological development and the global character of the Internet require a technology open approach not focusing only on digital signatures but on electronic signatures in general; (7) Whereas this Directive therefore will contribute to the use and legal recognition of electronic signatures within the European Community; (8) Whereas in order to stimulate electronic commerce, a regulatory framework at a European level should not favour a unique technologic solution and therefore cover electronic signatures in general; (9) Whereas in order to contribute to the general acceptance of electronic signatures, electronic signatures should be legally valid; (10) Whereas in order to facilitate the Community-wide provision of certification services, priority should be given to market access schemes relying on a general accreditation procedure; whereas such a general accreditation procedure allows the provision of certification services without requiring an explicit decision by a national authority; whereas such general accreditation schemes may take the form of either a set of specific conditions defined in advance in a general manner, such as a class license, or a general legislation which may allow the provision of the certification service; (11) Whereas in order to facilitate the Community-wide provision of certification services the introduction of individual accreditation schemes should only be possible on a voluntary basis. (12) Whereas Member States shall ensure that certification service providers comply with the essential requirements; whereas Member States may develop a detailed framework taking into account their specific administratives traditions; (13) Where as certification service providers offering certification services which do not comply with the relevant essential requirements should be liable to any person reasonably relying on certificates; whereas harmonised liability rules would contribute to the general acceptance and legal recognition of electronic signatures within the European Community; (14) Whereas the development of international electronic commerce requires the inclusion of interoperable mechanisms which involve third countries: whereas in order to ensure Interoperability at a global level agreements on multilateral rules with third countries on, inter alia, mutual recognition of certification services and certificates, access to third countries' markets are necessary; (15) Whereas the Commission may take all necessary actions to implement international agreements; whereas the Commission may start further multilateral and bilateral negotiations on aspects of certification services on the basis of specific mandates from the Council, which should make it possible to conclude balanced agreements ensuring access for Community certification service providers in third countries as well as mutual recognition arrangements for certification services; (16) Whereas certification service providers should respect data protection and individual privacy; (17) Whereas it is desirable to establish a committee to assist the Commission in achieving a harmonised and proportionate application of the provisions which meet the need of the market and the public at large; (18) Whereas to enable the Commission to monitor effectively the control of the market, it is necessary that Member States provide the relevant information concerning national accreditation schemes and bodies; (19) Whereas in accordance with the principles of subsidiarity and proportionality referred to in Article 3b of the Treaty, the objective of creating a harmonised legal framework for electronic signatures and related services cannot be effectively achieved by the Member States and therefore is better achieved at a Community level; whereas this Directive is limited to the minimum requirements necessary to meet this objective and does not exceed that which is necessary to achieve this aim: HAVE ADOPTED THIS DIRECTIVE I. Scope and definitions Article 1 - Scope and Aim This Directive aims at facilitating the provision of electronic signatures in electronic communication and electronic commerce within the Internal Market as well as providing for the legal recognition of electronic signatures. It establishes a common framework for services related to electronic signatures within the European Community. Article 2 - Definition For the purpose of this Directive: 1. "electronic signature" means a process which indicates the signatory's electronic approval of the content of data and which meets the following requirements: (a) uniquely linked to the signatory; (b) capable of identifying the signatory; (c) created in a manner or using a means under the sole control of the signatory; and (d) linked to the data to which it relates in such a manner that if the data is altered the electronic signature is invalidated. 2. "digital signature" means an electronic signature which uses an asymmetric cryptographic technique such that a person having the signatory's public key can determine whether: (a) the transformation was created using the signatory's private key that corresponds to the signatory's public key; and (b) the transformed data record data record has been altered, 3. "signatory" means a natural or legal person who creates an electronic signature. 4. "private key" means the key of a key pair used to create a digital signature. 5. "public key" means the key of a key pair used to verify a digital signature. 6. "qualified certificate" means a digital attestation which attributes a public key or a similar device to an individual person and verifies the identity of the person, by requiring its physical appearance before an (accredited) certification service provider, or through appropriate other measures; and contains, at least: (a) the name of the certification service provider issuing it; (b) the name of its holder or an unmistakable pseudonym which shall be identified as such; (c) a public key which corresponds to a private key under the control of the holder or a similar device fulfilling the same function; (d) beginning and end of the operational period of the certificate; (e) existing limitations on the scope of use of the certificate; (f) existing restrictions of the certification service provider's liability; (g) the algorithms with which the public key or a similar device can be used; (h) the number of the qualified certificate; and (i) the electronic signature of the certification service provider issuing it. 7. "certification service provider" means a (accredited) person who or entity which: (a) issues publicly available certificates attributing a public key or a similar device to a person and verifying the identity of that person; (b) provides other services related to electronic signatures. 8. "general accreditation scheme" means a procedure setting out rights and obligations specific to the certification service sector and allowing persons or entities to provide certification services, regardless whether it is regulated in a form of either a set of specific conditions defined in advance in a general manner, such as a "class license" or under general law and whether such regulation requires registration. which (is voluntary and) does not require an explicit decision by a national accreditation body before exercising the rights stemming from the accreditation. 9. "individual accreditation scheme" mean a procedure setting out rights and obligations specific to the certification service sector which does not entitle persons or entities to provide certification services until they have received an explicit decision by the national accreditation body. 10. "national accreditation body" means an institution, legally distinct and functionally independent of a certification service provider, charged by a Member State with the elaboration of, and supervision of compliance with, accreditations. II. Electronic signatures Article 3 -- Legal effects 1. Member States shall ensure that with respect to data authenticated by means of an electronic signature provided by an accredited certification service provider it is presumed that: (a) the data has not been altered since the time the electronic signature was affixed to it; (b) the electronic signature is the signature of the person to whom it relates; and (c) the electronic signature was affixed by that person with the intention of signing the data. 2. Member States shall ensure that data on which an electronic signature is affixed and which is based on a valid qualified certificate provided by an accredited certification service provider complies with legal form requirements and can be used as proof of evidence at court in the same manner as if the data had existed in a manually signed form. 3. Member States shall ensure that the presumptions under paragraph 1, may be refuted by: (a) evidence indicating that the security procedure used to verify the electronic signature is not to be technically recognised as secure; or (b) evidence relating to facts of which the relying party was or should have been aware which would suggest that the relying party acted in malicious faith. (c) evidence indicating that the electronic signature was affixed under duress, compulsion or deceive. III. Certification service providers Article 4 -- Principles governing accreditation 1. Member States shall make the provision of certification services subject to a general accreditation scheme. Member States may issue an individual accreditation scheme only if this accreditation scheme is set up on a voluntary basis. 2. Accreditation schemes shall comply with the principles set out in this Directive. Moreover, such conditions shall be objectively justified in relation to the service concerned, non-discriminatory, proportionate and transparent. 3. The requirements for certification service providers which shall be attached to such an accreditation are set out in Article 7. Member States shall, in the formulation and application of their accreditation systems, facilitate the provision of certification services between Member states. 4. Member States shall ensure that any fees imposed on certification service providers as part of the accreditation procedure seek only to cover administrative costs incurred in the issue, management, control and enforcement of the applicable accreditation scheme. Such fees shall be published in an appropriate and sufficiently detailed manner, so as to be readily available. 5. Member States shall ensure that information concerning the procedures relating to the accreditation schemes are published in an appropriate manner, so as to provide easy access to that information. Reference to the publication of this information shall be made in the national official gazette of the Member State concerned and in the Official Journal of the European Communities. Article 5 -- Requirements 1. Member States shall ensure that certification service providers meet the following requirements: Certification service provider must: (a) possess the reliability necessary for offering certification services, in particular be independent of financial and other interest in underlying transactions, guarantee that it will comply with all legal requirements set up for the operation of a certification service provider and notify to the national regulation authority an internal security plan; (b) employ personal which possesses the expert knowledge, experience, and qualifications necessary for the operation as a certification service provider, in particular competence at the managerial level, expertise in public-key or other technology fulfilling a similar function and familiarity with proper security procedures; (c) use trustworthy systems for its services, in particular utilise approved hardware and software, take measures against forgery of certificates, install a prompt and secure revocation service and guarantee the confidentiality during the process of generating private signature keys. Private signature keys and similar devices shall not be stored by a certification service provider. (d) have sufficient financial resources to operate in conformity with this Directive, in particular to be able to bear the risk of being held liable for mistakes by effecting an appropriate insurance (or limiting his liability); (e) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular to be to proof evidence of certification in the context of a lawsuit or a property claim. 2. Member States shall on the basis of paragraph 1 lay down more detailed requirements for certification service providers and for qualified certificates. The committee established under Article 9 shall support Member States by proposing these requirements. Article 6 - Liability 1. Member States shall ensure that by issuing a qualified certificate, a certification service provider is liable to any person who reasonably relies on the certificate for: (a) all information in the qualified certificate being accurate as of the date it was issued, unless the certification service provider has stated oppositely in the certificate; (b) complying with all requirements of this Directive in issuing the qualified certificate; (c) the holder identified in the qualified certificate holds the private key or a similar signature device corresponding to the public key or similar device listed in the certificate; (d) the holder's public key and private key constituting a functioning key pair or a similar device fulfilling the same function; and (e) to the certification service provider's knowledge, the qualified certificate not having any material facts affecting the certificate's reliability. 2. Member States shall ensure that certification service provider are only liable for direct economic damage shall not include any anticipated profits. 3. Member States shall ensure that notwithstanding paragraph 1, a certification service provider is not liable if it can demonstrate that it has taken all reasonably practicable measures to avoid errors in the qualified certificate. 4. Member States shall ensure that notwithstanding paragraph 1, a certification service provider may, in the qualified certificate limit the use of the certificate. The certification service provider shall not be held liable for damages arising from a contrary use of the certificate. 5. Member States shall ensure that notwithstanding paragraph 1, a certification service provider may, in the qualified certificate, limit the value of transactions for which the certificate is valid. The certification service provider shall not be held liable for damages in excess of that value limit. 6. Member States shall ensure that notwithstanding paragraph 1, a certification service provider may, in the qualified certificate, restrict his liability to a specific amount. Article 7 -- International aspects 1. The Commission shall take all necessary to facilitate the introduction of interoperable certification services with third countries. 2. For this purpose, the Commission shall make proposals to take all necessary actions to seek the effective implementation of international agreements applicable to certification services, and shall, in particular and where necessary, submit proposals to the Council for appropriate mandates for the negotiation of bilateral and multilateral agreements, also covering the rights of Community organisations, with third countries and international organisations. The Council shall decide by qualified majority. 3. Member States shall ensure that certificates issued by a third country certification service provider are recognised as legally equivalent to certificates issued by certification service providers operating under this Directive: (a) if the certification service provider has an accreditation of a Member State of the European Union; or (b) if the certificate is recognised by an accredited certification service provider operating under this Directive, and that certification service provider guarantees for the certificate, to the same extent as for its own certificates; or (c) if the certificate is recognised by a bilateral or multilateral agreement between the European Union and third countries or international organisations. 4. Member States shall inform the Commission of any general difficulties encountered, de jure or de facto, by Community organisations in obtaining accreditation and in operating under accreditation in third countries, which have been brought to their attention. Article 8 - Data Protection 1. Member States shall ensure that certification service providers operate in a manner fulfilling the requirements laid down in Community law for data protection and privacy. 2. Member States shall ensure that a certification service provider may collect personal data only directly from the data subject and only insofar as necessary for the purposes of issuing a certificate. 3. Member States shall ensure that in the case of persons using pseudonyms, the certification service provider shall transmit the data concerning the identity of these persons to public authorities upon their request. IV. Electronic Certification Committee Article 9 -- Constitution and procedures 1. The Commission shall be assisted by a committee, the "Electronic Certification Committee" (hereinafter referred to as "the Committee"), of an advisory nature composed of the representatives of the Member States and chaired by the representative of the Commission. 2. The Committee shall be consulted on the matters covered by Article 5. 3. The representative of the Commission shall submit to the Committee a draft of the measures to be taken. The Committee shall deliver its opinion on the draft, within a time-limit which the Chairman may lay down according to the urgency of the matter, if necessary by taking a vote. The opinion shall be recorded in the minutes; in addition, each Member State shall have the right to ask to have its position recorded in the minutes. The Commission shall take the utmost account of the opinion delivered by the Committee. It shall inform the Committee of the manner in which its opinion has been taken into account and decide within one month after having received the opinion of the Committee. 4. The Commission shall periodically consult the representatives of the certification service providers, the consumers and the manufacturers. It shall keep the Committee regularly informed of the outcome of such consultations. V. General and final provisions Article 10 -- Notification 1. Member States shall supply the Commission with the following information: (a) the names and addresses of the national accreditation bodies: (b) information on national accreditation regimes. 2. Any information supplied under paragraph 1 and changes in respect of this information shall be notified by the Member States within one month of their entry into force. Article 11 -- Review procedures The Commission shall review the operation of this Directive and report thereon to the European Parliament and to the Council, on the first occasion not later than [date]. This review shall inter alia assess whether the scope of the Directive should be maintained or should be reduced taking account of technical development. The report shall in particular include an assessment, on the basis of the experience gained, of the need for further development of the accreditation structures and of aspects of harmonisation, in particular of the accreditation procedures. The report shall be accompanied, where appropriate. by complementary legislative proposals and outline the activities of the Committee. Article 12 -- Implementation 1. Member states shall comply with this Directive before 1 January 2000. They shall immediately inform the Commission thereof. When Member States adopt these laws, these shall contain a reference to this Directive or shall be accompanied by such a reference at the time of their official publication. The methods of making such a reference shall be laid down by the Member States. 2. Member States shall communicate to the Commission all other provisions of national law which they adopt in the field governed by this Directive. Article 13 -- Entry into force This Directive shall entry into force on the twentieth day following that of its publication in the Official Journal of the European Communities. Article 14 - Addressees This Directive is addressed to the Member States. ________ 1 COM(97)157 final of 16.04.97 2 European Ministerial Conference, entitled "Global Information Networks: Realising the Potential", Bonn 6-8.7.97, http://www.echo.lu/bonn/conference.html 3 COM(97)503 final of 08.10.97; ------- End of Forwarded Message