Draft EU directive on electronic signatures

Peter Dare peter_dare at uk.ibm.com
Mon, 30 Mar 1998 15:04:19 +0000


The European Commission has produced a draft directive on electronic signatures
(which term includes digital signatures).  If adopted by the Parliament and
Council, the directive will require member states (MS) to pass laws (before
1/1/2000 ?) which have the following effect EU-wide:
--- A legal presumption that digital signatures supported by a qualifying
certificate guarantee integrity and authenticate the signer and the signer's
intention to sign.  Digitally signed data to have the same legal status as
documents signed in ink and to be admissible in court.  Rebuttal possible on
the basis of technical problems with the verifying system (sic).
--- Anyone can be a CSP (certification service provider) - MSs may introduce
only voluntary pre-approval regulation.  Any voluntary schemes shall regulate
services provided FROM a MS, without restriction against services provided TO a
MS from elsewhere in the EU.
--- All CSPs (whether or not they are pre-approved) must be reliable, employ the
right people, use trustworthy systems, be financially sound, keep proper
records, provide proper consumer information, publish policies/contractual
terms/practice statements/liability obligations.
--- All certificates must be properly formatted.
--- If a CSP issues a certificate, the CSP is immediately liable to any person
who reasonably relies on that certificate, even if there is no contractual
relationship with the CSP concerned, for correctness of contained information,
legal compliance, correct binding of public key to private key held by the
named subject.  Some let-outs: liability for economic loss only, not loss of
profits; "all reasonable measures" taken; stated limitations on certificate
use; stated limitations on certificate liability per claimant or even per
certificate.
--- The Commission will negotiate mutual recognition outside the EU.  Such
agreements must then be recognised under MS law.
--- Data protection rules apply to certificate subjects.  Subjects can request
pseudonyms.  CSPs disclose to law enforcement real names behind pseudonyms when
serious crime is suspected - but at the end of the investigation the subject
gets told that there was a disclosure.  (You've heard of "key escrow" - this is
"name escrow".)
--- There will be a consultative committee with observers from industry and
user groups.

peter_dare@uk.ibm.com