
A WORLD-WIDE OUTLOOK OF
ELECTRONIC SIGNATURE
SUMMARY.- I. Introduction.- II. A world-wide vision.- 2.1. European Union: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.- 2.2. United States: Electronic Signature in Global and National Commerce Act, “E-Sign”.- 2.3. Hong Kong: the Electronic Transactions Ordinance.- 2.4. United Nations: UNCITRAL Model Law on Electronic Signature.- III. Digital signature and Public Key Infrastructure (PKI).- 3.1. Digital signature: a type of electronic signature.- 3.2. Cryptography: distinction between digital signature and encryption.- 3.3. Public key infrastructure.- Certification Authority (CA).- Accreditation and certification schemes.- Standards.- CSPs Registry.- IV. Conclusion.- V. Bibliography.
I. INTRODUCTION
Open networks such as the Internet are of increasing importance for world-wide
communication. They offer the possibility of interactive communication between parties
who may not have pre-established relationships. They offer new business opportunities
by creating tools to strengthen productivity and reduce costs, as well as new methods of
reaching customers.
In order to make best use of these opportunities, a secure environment with respect to electronic authentication is needed. Digital signatures and Public Key Infrastructure seem to be essential tools for providing security and developing trust on open networks.
Our aim here is to give a world-wide vision of electronic signature and the main technical, functional and legal trends around it. Firstly, we will show a vision of the legal framework around the world; secondly, we will focus on some aspects and distinctions which are necessary to better understand both legal and technical documents regarding electronic signatures.
II. A WORLD-WIDE VISION
In general, the three different legal approaches adopted by countries world-wide with respect to the electronic signature are represented in the annexed Table #1 [1]. As we can conclude from that table, the minimalist approach focuses on verifying the intent of the signing party rather than on developing particularised forms and guidelines. In other words, this approach leaves it to the private sector and the market to establish practice regarding electronic signature. On the contrary, the second approach allows legislatures and regulatory agencies to play a direct role in setting standards for and influencing the direction of new technology. Finally, the third and, in our opinion, the best-aimed approach wants both the private and the governmental sector to take part in this important project.
After this general vision, we will study some of the main regulations on electronic signature in Europe, North America and Asia, and, internationally, the Model Law of the United Nations.
2.1. European Union: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
The Directive on Electronic Signatures became effective in 2001 and still requires wide implementation among the Member States. The Directive professes technology-neutrality, establishing in article 5 that Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form, or not based upon a qualified certificate, or not based upon a qualified certificate issued by an accredited certification-service-provider, or not created by a secure signature-creation device.
[1] Table #1 has been developed with information from the Internet Law and Policy Forum's study An Analysis of International Electronic and Digital Signature Implementation Initiatives, September 2000.
However, the Directive also provides statutory preferences for “advanced electronic signatures” which are based on a qualified certificate and which are created by a secure-signature-creation device. In other words, the Directive provides statutory preferences for digital signatures based on a Public Key Infrastructure (PKI), stating in the same article 5 that Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device, on one hand, satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data; and on the other hand, are admissible as evidence in legal proceedings.
2.2. United States: Electronic Signature in Global and National Commerce Act, “E-Sign” [2]
E-Sign advocates technology-neutrality and places special limitations on the ability of states and of both federal and state regulatory agencies to require or prefer the use of specific technologies. Section 101 establishes that “the legal effect, validity, or enforceability of such contract, agreement, or record shall not be denied – (1) on the ground that the contract, agreement, or record is not in writing if the contract, agreement, or record is an electronic record; or (2) on the ground that the contract, agreement, or record is not signed or is not affirmed by a signature if the contract, agreement, or record is signed or affirmed by an electronic signature”. State governmental efforts to establish limitations on or exceptions from these general principles will be pre-empted.
There are some states, such as Utah, Missouri, and Washington, which favour digital signatures and are closely aligned in many respects with the UNCITRAL Model Law and the EU Directive. With E-Sign, the United States has resolved the tension by opting for technology-neutrality on a national level.
However, it is curious how E-Sign produces an ironic result, putting the United States legislative framework somewhat out of step with the global trend. E-Sign does not serve as an obstacle to the use of digital signatures or to the role of certificate authorities, but neither does the law align closely [3].
[2] A US federal Act signed into law June 30, 2000 and effective October 1, 2000.
2.3. Hong Kong: the Electronic Transactions Ordinance.
Article 6 of the Electronic Transactions Ordinance [4] states that “if a rule of law requires the signature of a person or provides for certain consequences if a document is not signed by a person, a digital signature of the person satisfies the requirement but only if the digital signature is supported by a recognised certificate and is generated within the validity of that certificate”.
Therefore, the legal effects of electronic signatures are only provided if the signature is supported by a recognised certificate issued by a recognised certification authority. Indeed, licensed CSPs will enjoy the benefits of trustworthiness, consumer confidence, and an evidentiary presumption for digital signatures, which is to say that Hong Kong provides statutory preferences for digital signatures based on a PKI.
A similar approach is taken by Singapore in its regulation. However, Japan has adopted
a technology-neutral formulation, establishing a presumption of the authenticity of an
electronic document if a specific person has applied an electronic signature.
2.4. United Nations: UNCITRAL Model Law on Electronic Signature.
UNCITRAL completed the Model Law on Electronic Signature [5] in 2001. This Model Law reaffirms the general principle of the validity of electronic signatures on a technology-neutral basis and, on the other hand, provides statutory presumptions for the reliability of digital signature technologies. The Model Law aligns strongly with the EU Directive on Electronic Signatures in many of its features.
[3] See RITTER, Jeffrey B.: New Rules, New Realities: An Annual Review of Electronic Commerce Law, 3rd Annual Advanced E-Commerce Institute, November 2001.
[4] http://www.info.gov.hk/itbb/english/it/eto.htm
[5] See http://www.uncitral.org/AdoptedTexts
Many nations have begun to enact laws providing an appropriate framework for validating electronic commercial transactions. Several of these jurisdictions have relied upon the UNCITRAL Model Law on Electronic Commerce and Model Law on Electronic Signatures.
III. DIGITAL SIGNATURE AND PUBLIC KEY INFRASTRUCTURE
We have just seen that the general opinion is that PKI demonstrates great promise as a leading method for satisfying the requirements for a solid technical and legal foundation for secure e-commerce and communications. These main security requirements are:
- Authentication: to verify the identity and authority of individuals and organisations communicating electronically.
- Integrity: to provide assurances of the integrity of electronic communications and records and to detect unauthorised modifications to them.
- Confidentiality: to protect electronic messages and records against interception, unauthorised access, and the disclosure of confidential or sensitive information within them.
- Non-repudiation: to prevent parties from successfully repudiating electronic transactions, messages, and records.
3.1. Digital Signature: a type of electronic signature.
Several different methods exist to sign documents electronically, varying from very simple methods, such as inserting a scanned image of a hand-written signature in a word processing document, to very advanced methods using cryptography. There are two types of cryptographic algorithms: symmetric (based on a single key to encrypt and decrypt) and asymmetric (based on two keys, a private one to encrypt and a public one to decrypt).
An electronic signature is “data in electronic form which are attached to or logically associated with electronic data and which serve as a method of authentication” [6].
A digital signature, or “advanced electronic signature” in the context of the Directive 1999/93/EC, is a specific type of electronic signature, created using asymmetric or “public key” cryptography.
Technology-neutrality is the reason why the Directive did not include in its text the concept of “digital signature”. Since a variety of authentication mechanisms is expected to develop, the scope of the Directive might be broad enough to cover a spectrum of electronic signatures based on public-key cryptography as well as other means of authenticating data.
The Directive grants enhanced legal effect to electronic signatures that satisfy certain technical criteria (i.e., “advanced electronic signatures” that are based on “qualified certificates” and created by “secure signature creation devices” as defined in a set of annexes). In other words, the Directive grants enhanced legal effect to digital signatures which operate in a certain secure environment. While under this scheme all signatures and certificates are admissible in court, in practice the evidentiary hurdles for signatures that meet the criteria for enhanced legal effect will be lower, which could create a powerful de facto incentive to use them instead of other procedures.
3.2. Cryptography: differentiation between Digital Signature and Encryption.
It is necessary to differentiate between “digital signature services” and “encryption services” [7]. While a digital signature is used to verify the source of data (authentication) and to determine whether they have been altered (integrity), encryption is used to protect the confidentiality of data and communications. Contrary to cryptography used for encryption, a digital signature is merely annexed to the data, leaving intact the content of the signed electronic document or electronic transaction. Therefore, if we want to ensure the confidentiality of the content of such a document or transaction, we will have to “encrypt” the data which form it; in other words, to go to “encryption services” instead of “signature services”.
[6] Article 2.1 of the Directive 1999/93/EC.
[7] See Council Regulation (EC) No 3381/94 of 19 December 1994 setting up a Community regime for the control of exports of dual-use goods (modified by Council Regulation (EC) No 837/95); and 94/942/CFSP Council Decision of 19 December 1994 on the joint action adopted by the Council on the basis of Article J.3 of the Treaty on European Union concerning the control of exports of dual-use goods, its latest modification being Council Decision 1999/193/EC.
During the processing of the Directive on electronic signature, some sectors had already expressed concern that the use of cryptography by criminals and terrorists could make the fight against crime more difficult. With the New York and Washington terrorist attacks, the debate has returned to everyday discussion. However, we want to make clear here that this concern refers exclusively to confidentiality services. A digital signature does not prevent the data from being read. Moreover, the use of digital signatures could benefit the fight against cybercrime, since it allows a message to be attributed to a particular sender or recipient.
An especially interesting document is the Guidelines for Cryptography Policy [8] of the Organisation for Economic Cooperation and Development (OECD).
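As an added example (not part of the original paper) of the distinction drawn in sections 3.1 and 3.2, the following Go program signs a document with an asymmetric key pair and, separately, encrypts it with a symmetric key: the signed document stays readable and any alteration is detected, while only the encrypted copy hides its content. The algorithm choices (ECDSA P-256 with SHA-256 for signing, AES-256-GCM for encryption) and the sample document are assumptions of the example, not the paper's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer holds an asymmetric key pair: the private key signs, the public key verifies.
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh key pair (assumed algorithm: ECDSA over P-256).
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the signature-verification data a certificate would bind to the signatory.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign returns a detached signature over the SHA-256 digest of doc. The document
// itself is not transformed: it stays readable by anyone who receives it.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify needs only the public key. A true result establishes who signed
// (authentication) and that doc has not been altered since (integrity).
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Encrypt provides confidentiality with a symmetric key (AES-256-GCM):
// the ciphertext reveals nothing about the document's content.
func Encrypt(key, doc []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended to the ciphertext so that Decrypt can recover it.
	return gcm.Seal(nonce, nonce, doc, nil), nil
}

// Decrypt recovers the document; it fails on a wrong key or a modified ciphertext.
func Decrypt(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	doc := []byte("Constructed sample: pay 100 EUR to account 1234") // constructed input
	s, _ := NewSigner()
	sig, _ := s.Sign(doc)
	fmt.Printf("signed document is still readable: %q\n", doc)
	fmt.Println("signature verifies:", Verify(s.Public(), doc, sig))
	tampered := bytes.Replace(doc, []byte("100"), []byte("900"), 1)
	fmt.Println("signature verifies after tampering:", Verify(s.Public(), tampered, sig))
	key := make([]byte, 32) // a fresh random symmetric key
	rand.Read(key)
	ct, _ := Encrypt(key, doc)
	fmt.Println("ciphertext exposes the amount:", bytes.Contains(ct, []byte("100 EUR")))
	pt, _ := Decrypt(key, ct)
	fmt.Println("decrypted equals original:", bytes.Equal(pt, doc))
}
```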
3.3. Public Key Infrastructure (PKI)
A public key infrastructure, or PKI, is the sum total of the organisations, systems (hardware and software), personnel, processes, and agreements that allow public key technology to function for a given set of users [9].
A PKI provides authentication, integrity and confidentiality by means of digital signature and encryption respectively, and can also support efforts to control access to sensitive information and provide critical evidence tying a transaction, message, or record to its originator.
In other words, PKI technology provides critical security functions that the Internet was not designed to provide and, indeed, cannot provide. Individuals, businesses, governments, and other organisations have adopted many different kinds of PKIs around the world.
[8] Available at www.oecd.org
[9] See American Bar Association, PKI Assessment Guidelines, PAG v0.30, Public Draft for Comment, Information Security Committee, June 18, 2001.
- Certification Authority (CA)
Verification of the authenticity and integrity of data (provided by a digital signature) does not necessarily prove the identity of the signatory who creates the electronic signature; thus the recipient of a message will not know whether the sender is really who he claims to be. The recipient may therefore wish to obtain more reliable information on the identity of the signatory. It is in this context that the notion of Certification Authority (CA), or “Certification-service-provider” (CSP) as the Directive calls it, emerges. A CSP is an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures [10], such as time-stamping functions.
A certificate is an electronic attestation which links signature-verification data to a person and confirms the identity of that person [11]. The Directive distinguishes between a regular “certificate” and a “qualified certificate”, the latter being a certificate which meets certain requirements and is provided by a certification-service-provider who also meets certain requirements. ITU-T [12] Recommendation X.509 is the most internationally accepted standard for qualified certificates.
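As an added example (not the paper's own code) of what a certificate adds to a bare signature, the following Go program plays a hypothetical CA that issues an X.509 certificate binding a signatory's public key to a name, and a relying party that accepts a signature only when the certificate chains to a CA it trusts and was within its validity period at signing time, which is also the condition the Hong Kong Ordinance quoted in 2.3 imposes. The CA name, subject name, dates and document are constructed; ECDSA P-256 with SHA-256 is an assumed algorithm choice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical certification-service-provider that binds public keys to names.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewKey generates a key pair (assumed algorithm: ECDSA over P-256).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root certificate valid for ten years from notBefore.
func NewCA(name string, notBefore time.Time) (*CA, error) {
	key, err := NewKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key) // self-signed: parent is the template
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue attests that pub belongs to subject; the identity check before issuance is outside this code.
func (ca *CA) Issue(subject string, pub *ecdsa.PublicKey, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
	}
	return issue(tmpl, ca.Cert, pub, ca.key)
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignDoc creates a detached signature over the SHA-256 digest of doc.
func SignDoc(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySigned is the relying party's check: the certificate must chain to the trusted CA
// and be within its validity period at signedAt, and the signature must verify with the certified key.
func VerifySigned(trusted, cert *x509.Certificate, doc, sig []byte, signedAt time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not acceptable: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(doc)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate for %q", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	t0 := time.Date(2002, 1, 1, 0, 0, 0, 0, time.UTC) // constructed date
	ca, _ := NewCA("Constructed Test CA", t0)
	key, _ := NewKey()
	cert, _ := ca.Issue("Constructed Signatory", &key.PublicKey, t0, 365*24*time.Hour)
	doc := []byte("constructed document")
	sig, _ := SignDoc(key, doc)
	fmt.Println("within validity:", VerifySigned(ca.Cert, cert, doc, sig, t0.AddDate(0, 1, 0)))
	fmt.Println("after expiry:", VerifySigned(ca.Cert, cert, doc, sig, t0.AddDate(2, 0, 0)))
}
```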
- Accreditation or Certification Schemes
According to the Directive 1999/93/EC [13], Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification-service provision. Such schemes may offer CSPs the appropriate framework for developing further their services towards the levels of trust, security and quality demanded by the evolving market, and should encourage the development of best practice among CSPs, the latter being left free to adhere to and benefit from such accreditation schemes [14].
[10] Article 2.11 of the Directive 1999/93/EC.
[11] Article 2.9 of the Directive 1999/93/EC.
[12] International Telecommunication Union (http://www.itu.int).
[13] Article 3.2 of the Directive.
[14] See Whereas (11) of the Directive.
Insofar as such measures are required by the market, these accreditation and certification schemes can give a clearer or more predictable level of legal security for both the CSP and the consumer. For example, under Spanish regulation there are three levels of legal effect for electronic signatures, depending on their nature, reliability and security:
1. An electronic signature may not be denied legal effect and admissibility as evidence in legal proceedings solely because it is in electronic form. However, the difficulty in these cases will be to prove its reliability and security. In any case, electronic signatures which do not meet the requirements of either of the two sections below will not be equivalent to a hand-written signature.
2. An advanced electronic signature, if based on a qualified certificate and created by a secure signature-creation device, will be equivalent to a hand-written signature, having the same legal effect, and will be admissible as evidence at trial, to be appraised at the discretion of the trial judge. In this case, the burden of proving the fulfilment of those requirements falls on the party who introduces the advanced electronic signature as evidence.
3. There is a presumption of fulfilment of all those requirements for an advanced electronic signature which is based on a qualified certificate and created by a secure signature-creation device, when the CSP which provides the qualified certificate is accredited and the secure signature-creation device is certified. In these cases, therefore, the burden of proof falls on the opponent.
The use of accreditation and certification implies the existence of a mechanism to certify compliance. Under the Directive, the Member States are supposed to designate their own “bodies” to certify compliance with the Annexes, under the general rules set forth by a committee composed of the Member States and the European Commission. So far, it seems that some Member States will leave the task of certifying compliance to a voluntary, industry-led body (e.g. Ireland, The Netherlands, and the UK), while others (e.g. Germany and Spain) will rely on a government agency.
Internationally, in those countries where accreditation or certification schemes for electronic authentication exist, the vast majority are also “voluntary”, and very few have been found which are openly mandatory, as Ecuador's seems to be. However, many laws require the use of accredited CSPs in transactions with the government, which can have a powerful effect in forcing a particular standard or accreditation procedure on the market.
In the context of accreditation and certification schemes, it is very important to establish the evaluation criteria which will be followed to provide the corresponding accreditation or certification. The use of recognised standards is an important means of objectively specifying the criteria governing such evaluation. With respect to the assessment of the security, functionality and technical trustworthiness of IT products and systems, two standards are widely accepted and anticipated to play a significant role in the future: the European Union's Information Technology Security Evaluation Criteria (ITSEC) and the Common Criteria Project's Common Criteria for Information Technology Security Evaluation (CC), the latter being the most likely candidate for long-term future use. Table #2 shows some interesting aspects of both evaluation criteria. The CC provides a set of seven pre-defined assurance packages termed Evaluation Assurance Levels (EALs). The approximate relationship between these EALs and the assurance levels from ITSEC is shown in Table #3.
- Technological Standards
At their essence, computers communicate by duplicating and reproducing information. This requires uniformity in the manner in which the information is structured and communicated. The need for uniformity is transcendent; internetworking only occurs when there is sufficient critical mass around standard operating protocols, data structures and communication systems to permit scalable use of similar information by a community of users.
In the European Union context, industry is supposed to take the lead with standardisation bodies in developing internationally agreed standards for electronic signatures. These standards should focus on establishing an open environment for interoperable products and services. The role of the European Commission in this subject is to support this process. In this sense, the European Electronic Signature Standardisation Initiative (EESSI) is currently being developed.
The drive toward standardisation is also occurring on a regional basis. In addition to European initiatives, Korea, Japan, China and the Association of Southeast Asian Nations (ASEAN) are endeavouring to standardise PKI. There is, thus, an understanding that interoperability can be achieved on a regional basis, unifying the Asian economies in a manner comparable to the success being realised in the Americas and Europe.
At an international level, besides ISO [15] and ITU, the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) are the principal standardisation bodies which we must follow closely. Table #4 shows some aspects of their developments as well as the European Union initiative.
The majority of countries with laws on electronic authentication have not developed detailed standards, although they are working on them. It appears that many countries are waiting for either regional standards (as many European countries are awaiting finalisation of the EESSI project) or market standards (as seems to be the case in many South American countries) to emerge before finalising their own.
- CSPs Registry
Many countries, such as Spain and Luxembourg, also require CSPs to register in some way before starting their activities. In the Spanish case, CSPs have to register before starting their business activity. The paradoxical thing is that such a registry has still not been created, despite the regulation having come into effect more than two years ago.
IV. CONCLUSION
Legal interoperability is essential to realising the potential gains of electronic commerce. The growth of competing legal and technical frameworks could result in an intricate and unworkable maze of conflicting standards; divergent legal requirements could effectively erect barriers to international trade; and a system in which each country prescribes its own standards could inhibit mutual recognition and cross-certification requirements.
Nearly every country has at least initiated a national accreditation, certification, or standardisation scheme for electronic signature products and services, which could lead to a Babel that imperils international legal interoperability.
Almost all the laws give basic legal effect to electronic documents and signatures, with the exception of certain types of documents or acts such as a will. Thanks to the pressure that the European Union could exert on the processing of the UNCITRAL Model Law on Electronic Signatures, many countries are adopting the hybrid approach of technology-neutrality with enhanced legal effects for digital signatures and PKI, and it seems that the United States is being obliged to join this generalised trend.
In any case, there is still a long road to travel towards communications and systems security. Security is very difficult, both to understand and to implement. For example, the security value of authentication is all but completely defeated by Single Sign-On (SSO). Authentication is supposed to prove that the user is present at the controlling computer at the time of the test. Under SSO, when the user has to rush to the washroom, any passing person can walk up to that user's computer and sign on somewhere via the SSO mechanism.
[15] International Organisation for Standardisation (http://www.iso.ch/iso/en/ISOOnline.openerpage).
TABLE # 1: World-wide legal framework

1) Minimalist
Aim: To facilitate the use of electronic signature generally, rather than advocate a specific protocol or technology.
Motivation: To remove existing legal obstacles to the recognition and enforceability of electronic signatures and records, by ensuring that electronic signatures and records fulfil existing legal requirements for tangible signatures.
Legislation/Regulation: They are generally limited to defining the circumstances under which an electronic signature will fulfil any such requirements, with a goal of establishing a standard of proof.
Countries: Traditional common law countries: Canada, USA [16], UK, Australia, New Zealand.

2) More prescriptive
Aim: To advocate PKI technology.
Motivation: To establish a legal framework for the operation of PKI (whether or not other forms of secure authentication are included or permitted) as well as a reflection of form and handwriting requirements that apply in the offline world.
Legislation/Regulation: They contain the following characteristics: adoption of asymmetric cryptography; Certificate Authorities (CAs); duties of key holders; circumstances under which reliance on an electronic signature is justified.
Countries: Some civil law countries: Germany [17], Italy [18], Argentina, Malaysia.

3) “Two-tier” or hybrid method
Aim: To adopt a third approach representing a convergence and synthesis of the two approaches above.
Motivation: To achieve legal neutrality by granting at least minimum recognition to most authentication technologies, while at the same time creating a better-defined, more predictable legal environment by incorporating provisions for an authentication technology of choice.
Legislation/Regulation: They generally take the form of enacting laws that prescribe standards for the operation of PKIs, and concomitantly take a broad view of what constitutes a valid electronic signature for legal purposes.
Countries: Most notably in the European Union: EU Digital Signature Directive [19]; Singapore [20].

[16] The United States, despite initial contrasting approaches among individual states, has largely resolved the tension by opting for the minimalist approach on a national level. The recently-adopted Electronic Signatures in Global and National Commerce Act (“E-Sign”) represents an affirmation of the minimalist approach.
[17] The original German Digital Signature Law, passed on 13 June 1997, established stringent technical standards for what types of digital signatures are to be deemed “secure”.
[18] Italy took this a step further in its legislation passed on 5 August 1997, by conveying legal effect only to signatures that have been authenticated by a licensed CA.
[19] At the minimalist level, the EU Digital Signature Directive prohibits EU Member States from denying legal effect to an electronic signature solely on the grounds that it is in electronic form, or on the grounds that it does not satisfy the standards set forth elsewhere in the Directive for “advanced electronic signatures” that are based on “qualified certificates” and that are created by “secure signature creation devices”.
[20] Singapore's Electronic Transactions Bill takes a similar approach, and distinguishes between technologies based on levels of security by establishing one legal treatment for “electronic signatures”, and another for “secure electronic signatures”. The “electronic signatures” are generally given minimum legal effect, while the “secure electronic signatures” are entitled to an additional presumption of integrity, a presumption that the user affixed the signature with the intent of signing or approving the document.
Table # 2: Evaluation criteria of accreditation and certification schemes

CC: The Common Criteria for Information Security Evaluation [21] is the standard for specifying and evaluating the security features of computer products and systems. The CC is intended to replace previous security criteria used in North America and Europe with a standard that can be used everywhere in the world. The Common Criteria project harmonises ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (FC). CC has been adopted by ISO as standard 15408, and it is the most likely candidate for long-term future use. The CC is essentially a catalogue of security requirements with identified dependencies. Requirements are given for security features (or functionality) and for security assurance (defined as grounds for confidence). The CC provides a set of seven pre-defined assurance packages termed Evaluation Assurance Levels (EALs).

ITSEC: During the 1980s, the United Kingdom, Germany, France and the Netherlands produced versions of their own national criteria. These were harmonised and published as the Information Technology Security Evaluation Criteria (ITSEC) [22]. The last issue, Version 1.2, was published by the European Commission in June 1991. In September 1993, it was followed by the IT Security Evaluation Manual (ITSEM), which specifies the methodology to be followed when carrying out ITSEC evaluations. The Council Recommendation of 7 April 1995 on common information technology security evaluation criteria recommended the application of the Information Technology Security Evaluation Criteria (ITSEC) within evaluation and certification schemes for an initial period of two years, to meet immediate evaluation and certification needs in connection with the trade and use of information technology products, systems and services, and also recommended advancing international harmonisation and standardisation of information technology security evaluation criteria.

[21] http://csrc.nist.gov/cc/
[22] http://www.cordis.lu/infosec/src/crit.htm
Table # 3: Approximate Assurance Correspondence

CC      ITSEC
EAL1    ---
EAL2    E1
EAL3    E2
EAL4    E3
EAL5    E4
EAL6    E5
EAL7    E6
Table # 4: Standardisation Organisations

INTERNATIONAL STANDARDIZATION ORGANIZATIONS

IETF (official)
Who is it? The Internet Engineering Task Force [23] is an open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. Relevant Supervisory Body: Public Key Infrastructure (PKIX) Working Group.
Security IT Field: 1. Internet standards to support an X.509-based PKI. 2. Alternative certificate revocation methods. 3. Certificate name forms and extension usage for certificates designed for use in legally-binding non-repudiation contexts. 4. Protocols for time stamping and data certification.
Standards: IP Security Protocol (ipsec) [24]; Secure HyperText Transfer Protocol (S-HTTP).

W3C (private)
Who is it? The World Wide Web Consortium [25] develops common protocols that promote evolution and ensure interoperability of the World Wide Web.
Security IT Field: An industry standard for enabling web sites to express their privacy practices in a standardised format that can be automatically retrieved and interpreted by browsers; an important specification affecting XML [26]-based content which allows programs and scripts to dynamically access and update the content and structure of documents.
Standards: Platform for Privacy Preferences Project (P3P) [27]; Document Object Model.

EUROPEAN UNION STANDARDIZATION ORGANIZATIONS

EESSI (official)
Who is it? This European Electronic Signature Standardisation Initiative [28] is working on EU-wide standards and accreditation for signature creation devices, signature verification, and other areas such as the supervision of the CSPs issuing qualified certificates to the public (registration/notification; self-declaration for fulfilling QC policy).
Security IT Field: The standards-related work is carried out by CEN and ETSI (EU-wide standardisation bodies). ETSI [29] is responsible for defining standards for qualified certificates, security management and certificate policy for CSPs issuing qualified certificates, and electronic signature syntax and encoding formats (Annexes I and II of the EU Directive). CEN/ISSS is responsible for creating standards for signature creation and verification products and functional standards for certification service providers (Annexes III and IV of the EU Directive and also Annex II (f)).
Standards: -

[23] http://www.ietf.org
[24] http://www.ietf.org/html.charters/ipsec-charter.html
[25] http://www.w3.org/P3P/
[26] Extensible Markup Language.
[27] Microsoft has incorporated P3P capabilities in Internet Explorer 6.0. The most recent public draft of the related standards was issued on September 28, 2001 and it is available at www.w3.org.
[28] www.ict.etsi.org/eessi/EESSI-homepage.htm
[29] European Telecommunications Standards Institute. The ETSI draft Technical Report “Electronic Signature Standardization Report” is available at www.etsi.org/SEC/ESRep042.pdf.