Text of (original) draft EU DIGITAL SIGNATURE DIRECTIVE
Bodo Moeller
Bodo_Moeller@public.uni-hamburg.de
Mon, 6 Apr 98 21:48 CET DST
Caspar Bowden <Caspar.Bowden@qualia.co.uk>:
> European Commission Working Draft of Directive on a Framework for
> Electronic Certification Services
Some excerpts first, my comment follows below:
[...]
> Article 2 - Definition
[...]
> 6. "qualified certificate" means a digital attestation which attributes a
> public key or a similar device to an individual person and verifies the
> identity of the person, by requiring its physical appearance before an
> (accredited) certification service provider, or through appropriate other
> measures; and contains, at least:
[...]
> (b) the name of its holder or an unmistakable pseudonym which shall be
> identified as such;
[...]
> Article 3 -- Legal effects
> 1. Member States shall ensure that with respect to data
> authenticated by means of an electronic signature provided by an
> accredited certification service provider it is presumed that:
> (a) [...]
> (b) the electronic signature is the signature of the person to whom
> it relates; and
> (c) [...]
> 2. Member States shall ensure that data on which an electronic
> Signature is affixed and which is based on a valid qualified
> certificate provided by an accredited certification service provider
> complies with legal form requirements and can be used as proof of
> evidence at court in the same manner as if the data had existed in a
> manually signed form.
> 3. Member States shall ensure that the presumptions under paragraph
> 1, may be refuted by:
> (a) evidence indicating that the security procedure used to verify the
> electronic signature is not to be technically recognised as secure; or
> (b) evidence relating to facts of which the relying party was or
> should have been aware which would suggest that the relying party
> acted in malicious faith.
> (c) evidence indicating that the electronic signature was affixed
> under duress, compulsion or deceive.
(Article 3 paragraph 1 mentions
"an electronic signature provided by an accredited certification
service provider".
To me, that paragraph seems to make more sense when these words are
replaced by
"an electronic signature which is based on a valid qualified
certificate provided by an accredited certification service
provider".
Is that a typing error? [There certainly is one in Article 4
paragraph 3, where the reference to "Article 7" must be replaced by
one to "Article 5".])
I believe that the burden of proof is imposed on the wrong party by
Article 3 paragraph 3; at least the text of the Draft Directive could
be (mis-?)interpreted to that effect. Consider the following
scenario. Assume that a reliably working certification service
provider hands out a certificate to someone after checking his ID
card, passport or possibly other "identification". Besides the
problem of having to discriminate between people who happen to have
the same name (note that the name is the only identifying attribute
mentioned in the definition of "qualified certificate" -- Article 2
no. 6), there is the risk that the certification service provider
could have been deceived by a counterfeit passport [1] which
duplicates someone else's "identity".
[1] Or a real passport, for that matter; in the past, there
have already been cases where people who needed a "new
identity" because of their involvement in secret
police operations were given a real (deceased) person's
identity instead.
The victim is not involved in the certification process. Only when
people come and complain about him not obeying contracts that he
allegedly signed does he learn that there is someone else with his
"identity". Unfortunately for him, according to Article 3 section 2
the digital signature counts as much as a manual signature, and he
cannot fulfill the requirements of Article 3 paragraph 3 for refuting
the presumed validity of "his" digital signature. Article 5
paragraph 1 tells us that
"Certification service provider must: [...]
(e) record all relevant information concerning a qualified
certificate for an appropriate period of time, in particular to be
to proof evidence of certification in the context of a lawsuit or a
property claim",
but Article 3 does not require scrutiny of the certification service
provider's records when a digital signature is to be used as "proof of
evidence at court".
Let's assume that it is implicit from Article 5 paragraph 1 that
the identity-theft victim _does_ have a right to demand analysis of
the certification service provider's records. But, will they contain
enough evidence to prove his case, or will they only contain enough
information to allow the certification service provider to demonstrate
that it exercised due diligence? "All relevant information" could be
everything up to DNA samples, which is surely not the intended
meaning. So, what evidence will there be at minimum? In particular,
do the provider's records have to include
- a paper application form with the user's _manual_ signature,
- high-quality photocopies of the documents used as proof of identity,
- a passport photo of the person who really approached the
certification service provider in order to obtain a certificate,
- said person's fingerprints?
It is reasonable to demand much higher standards for the certification
service provider's records than are usually demanded for any
particular written contract. This is because, by Article 3
paragraph 2, digital signatures as specified by this Draft Directive
can be used for a vast range of applications (as opposed to, e.g.,
signatures under the German Digital Signature Law, SigG, for which
only certain officially recognised applications are currently under
way, with other uses being left to contractual agreements between the
users), which indicates a need for very strong "signature
bootstrapping".