EU DIRECTIVE ON SIGNATURES

Nigel Hickson nigelhickson at compuserve.com
Sat, 22 Aug 1998 09:45:16 -0400


Colleagues

For information; I attach the information DTI have just circulated to the directive "contact" list.

Nigel

States Ministers) on 19 May 1998. There was little discussion at this level, and no attempt to reach a consensus; instead the Council referred the proposal to a working group. This is made up of officials from all the Member States and the Commission; meetings were held on 10 June, 2 July and 16 July at which the Articles and Annexes of the Directive were read through and discussed. The first reading was completed during the meeting of 16 July. It is worth noting that the associated explanatory memorandum, and the preamble, will be dealt with only after the Working Group has agreed the Articles.

Whilst the 10 June meeting was held under the UK Presidency the later meetings have been held under the Austrian Presidency. Further meetings are scheduled for 10 and 24 September - and probably others in October - with, it is hoped, a common position being reached at the Telecoms Council scheduled for 27 November. The European Parliament has also to consider the proposal under the Co-Decision procedure (with a first reading likely in September).

Our expectation is that a revised version of the proposal, taking into account the discussions so far, will be available before, or at, the 10 September meeting. There is, however, likely to be a time delay before that version is posted on the Commission Web site - we will of course let everyone know when it is available.

2. BACKGROUND

The rationale for some form of action stems from the overall requirement for trust and confidence, on the part of the user, in the use of cryptographic services. In particular the Commission have identified that electronic signatures are likely to play an important role in the information age, by helping to guarantee the integrity and non-repudiation of information. It has also highlighted the need for legal certainty in the use of electronic signatures through the proposals for legal recognition. Thus the Commission's Community-wide action is intended to prevent individual Member States adopting inconsistent measures. Germany, Italy and Spain have now legislated in this area with Austria, UK, and Denmark not far behind. Needless to say all Member States' laws will need to align with the Directive before the specified implementation date.

As already noted the Commission's view (which we support) is that the ability to determine the originator of data and protection of the integrity are important elements of secure electronic commerce. Electronic signatures go some way to providing this, especially when "certified" by a body known as a "Certification Authority" (CA) or, as used in the proposal, "Certification Service Provider" (CSP). The certification process enables a degree of certainty for the recipient of an electronic signature that the sender is really who they claim to be. Businesses are not likely to act on electronic orders unless they are content as to the identity of the buyer. Thus Certification Authorities are seen to perform an important role in binding the identity of an individual to an electronic signature certificate. Hence the discussion within the proposal on the criteria that CAs should meet (in terms of competence etc) in allowing a degree of trust to the certificates which they issue.

3. ISSUES

There are a number of issues that the UK is seeking to address during the Working Group discussions. One concern has now been resolved: the Directive will not seek to deal with encryption (confidentiality) services.

Article 1 (Scope)

There is general agreement that the two main objectives of the proposal are:

- a legal framework for accrediting certification service providers (i.e. certification authorities), and
- the legal recognition of electronic signatures.

However there has been some disagreement on who it should be aimed at. The UK (with some support) have noted that both businesses and the public should be able to benefit, whether they are in so called "open" or "closed" user groups. The UK has also suggested text to explicitly limit the scope to electronic signatures.

Article 2 (Definitions)

The definitions have not yet been discussed; however it is likely that the Commission's definition of an "electronic signature" will be controversial. As currently worded it restricts legal recognition to those produced by public key cryptography techniques (so called Digital Signatures). The UK - in line with our proposed legislation - will seek to ensure that other types of electronic signatures (eg those relying on biometric techniques) are also included.

Article 3 (Market Access)

Discussions so far have not yet satisfactorily clarified how the notion of "self accreditation" will work. The UK will be seeking some form of "compliance" arrangements to ensure that certificates from self-accredited CSPs can be trusted. Some countries (not supported by the UK) have even argued that the proposal should specify mandatory (rather than voluntary) accreditation arrangements.

Article 4 (Internal Market Principles)

This is not seen to be controversial since it is based upon a standard format used in other directives.

Article 5 (Legal Recognition)

This is the heart of the proposal, and the most disputed Article. It requires Member States to ensure that national legislation allows for electronic signatures; and guarantees that signatures meeting the standards in Annex I and Annex II are treated as the equivalent to hand written signatures. The UK has no problems with this approach, but there are moves from other countries to water down the provisions. Problems have also been raised on the effect these provisions may have on some countries' laws (such as witnessing of "Wills") where physical writing is important.

Article 7 (International Aspects)

This notes the importance of giving recognition to electronic signatures from providers located in countries outside the EU providing they meet certain standards. It thus gives the Commission a negotiating mandate to conclude arrangements with third countries. But it also allows for global electronic commerce, and although the UK is content with the Article we wish to retain some flexibility for bi-lateral arrangements.

Article 8 (Data Protection)

This references the two existing Data Protection Directives (General Data Protection Directive 95/46/EC and Telecoms Data Protection Directive 97/66/EC), but then details some specific clauses applying to CSPs. The UK and some other Member States are opposed to the article on the grounds of logic and principle, believing that there is no reason why specific arrangements are necessary. In particular, we have been resolute in noting our objections to the requirement in para 4 - for a CSP to tell a user if their information has been subject to legal access.

Article 9 (Consultation Committee)

The provision for a committee to discuss any changes to Annex II provisions has been broadly welcomed, provided that (in Comitology terms) it is a management rather than an advisory body. The UK have suggested that the Committee should also look at Annex I. Conversely the Commission legal services have questioned whether such a body has any rights to change any part of a Directive. Article 145 of the Treaty of Rome allows for three types of committee; in general the Commission prefers one with limited powers, whilst Member States are more inclined to prefer one with teeth; the ultimate format will depend upon the strengths of the arguments, and the precedents set in previous Directives. The UK will also try to ensure that industry and business have some say in this committee.

Articles 10 - 14

Again these are standard clause constructs, and are not part of the specific discussions.

Annexes

The Annexes are the technical core of the proposal, and thus crucial aspects in that they determine the content of an electronic signature certificate (Annex 1) and the criteria which a Certification Service Provider must meet (Annex II). We have sought clarification on the current wording and have suggested some amendments. Other Member States have also sought changes, mostly in alignment with the UK, and the Commission are preparing a further text. A third Annex has also been proposed to cover the criteria for electronic signature products themselves: this, although not contrary to UK policy, may be too prescriptive for a dynamic market place.

The exact stance that the UK would take on any of the issues would be determined by the overall effect of the Annex rather than specific points raised.

Annex I (Requirements for Certificates)

A number of Member States have expressed concerns on various aspects of this Annex. Some points of note are:

- Is the term "qualified certificate" appropriate, or should it be replaced with say "identity certificate".
- (c) following a number of points, the Commission is expected to separate the elements relating to identification aspects from trade related aspects. Also the value of the term "credit worthiness" has been questioned, and "holder" suggested instead of "signatory".
- (d) does this only relate to digital signatures.
- (e) "Operational period" needs to be clarified, perhaps replaced by "period of validity".
- (h) and (i) be amalgamated.
- An extra statement referring to the applicable policy of the service provider.

Annex II (CSP Requirements)

This Annex, too, provoked Member States to seek clarity and even amendments. Some points of note have been:

- The requirements are too vague.
- (a) The implementation of this was questioned. Also some Member States suggest that some sort of authorisation by governments be required, whilst others feel that public authorities should not be involved at all.
- (c) needed clarification, particularly what does "capacity to act" mean.
- (i) In order to ensure that private signature keys are private the words "unless that person explicitly asks for it" may be deleted.

4. ACTIONS

We are grateful for your continued interest in this complex issue, and will be grateful for any feedback that you feel is relevant.

Finally if you do not wish to receive any further communications please let me know and I will remove you from the list.

Best regards

Nigel Hickson
John Smith
21 August 1998
