idabc recognition esignatures

8/14/2019 IDABC Recognition eSignatures

1/168

Preliminary Study on Mutual Recognition of

eSignatures for eGovernment applications

Report

November 2007


2/168

Preliminary Study on Mutual Recognition ofeSignatures for eGovernment applications

November 2007

2

This report / paper was prepared for the IDABC programme by:

Authors name: Siemens - Time.lexCompanys name: Siemens IT Solutions and Services - Time.lex

Companys address (optional):

Companys logo (optional)

Contract No. 1, Framework contract ENTR/05/58-SECURITY, Specific contract N1

Disclaimer

The views expressed in this document are purely those of the writer and may not, in anycircumstances, be interpreted as stating an official position of the European Commission.

The European Commission does not guarantee the accuracy of the information included in

this study, nor does it accept any responsibility for any use thereof.

Reference herein to any specific products, specifications, process, or service by trade name,trademark, manufacturer, or otherwise, does not necessarily constitute or imply itsendorsement, recommendation, or favouring by the European Commission.

All care has been taken by the author to ensure that s/he has obtained, where necessary,permission to use any parts of manuscripts including illustrations, maps, and graphs, on whichintellectual property rights already exist from the titular holder(s) of such rights or from her/hisor their legal representative.

This paper can be downloaded from the IDABC website:

http://europa.eu.int/idabc/

http://ec.europa.eu/idabc/en/document/6485/

European Communities, 2007

Reproduction is authorised, except for commercial purposes, provided the source is acknowledged.


3/168


November 2007

3

Executive summary

The objective of the project is to analyse the requirements in terms of interoperability of electronicsignatures for different eGovernment applications and services taking into account the relevantprovisions of Directive 1999/93/EC on a Community framework for electronic signatures and theirnational implementation as well as the report on the Directive and the standardisation activities on theinteroperability of electronic signatures.

The goal of this document is three-fold:

- identify and analyse the similarities and differences in the use of electronic signatures ineGovernment applications in each Member State both in the legal context, and on the technicalimplementation aspects;

- assess the impact of the identified similarities and differences on the interoperability of eSignaturesand hence of the eGovernment applications;

- prepare conclusions and recommendations on addressing interoperability issues related to themutual recognition of electronic signatures for eGovernment applications/services.


4/168


November 2007

4

Table of Contents

EXECUTIVE SUMMARY 3

1 DOCUMENTS 7

1.1 APPLICABLE DOCUMENTS 7

1.2 REFERENCE DOCUMENTS 7

2 GLOSSARY 8

2.1 DEFINITIONS 8

2.2 ACRONYMS 10

3 INTRODUCTION 11

4 ANALYSIS 14

4.1 EGOVERNMENT AND ESIGNATURE REGULATIONS 14

4.1.1 THE EUROPEAN LEGAL FRAMEWORK 14

4.1.1.1 Basic principles 14

4.1.1.2 Public sector clause: article 3.7 14

4.1.1.3 eSignatures and authentication 16

4.1.2 NATIONAL REGULATORY APPROACH MODELS 184.1.2.1 General strategy 18

4.1.2.2 National competence and organisation 24

4.1.3 NATIONAL ESIGNATURE REQUIREMENTS 27

4.1.3.1 Dominant Signature types 28

4.1.3.2 Choice of Unique identifiers 37

4.1.3.3 Technological choices 41

4.1.3.4 Cross border acceptance 41

4.1.4 NATIONAL TRENDS AND EXPECTATIONS 42

4.1.4.1 State of eSignatures 42

4.1.4.2 Interoperability requirements 43

4.1.4.3 Long term validity and storage 44

4.2 EGOVERNMENT APPLICATIONS USING ELECTRONIC SIGNATURES 47

4.2.1 APPLICATION APPROACH MODELS 47

4.2.1.1 Group 1: shared service approach 48

4.2.1.2 Group 2: ad-hoc approach 54

4.2.2 CLASSIFICATION BY MODEL 62

4.2.2.1 Introduction 62

4.2.2.2 Model 1: One-stop shop model 64

4.2.2.3 Model 2: common eSignature framework model 64

4.2.2.4 Model 3: Generic CSPs model 68


5/168


6/168


November 2007

6

5.4.1.1 Problem description 144

5.4.2 CLIENT SOFTWARE 144

5.4.2.1 Problem description 144

5.4.3 HARDWARE 1445.4.3.1 Problem description 144

5.5 INTEROPERABILITY ISSUES IN KEY E-GOVERNMENT SECTORS 144

5.5.1 EPROCUREMENT 145

5.5.2 VATDECLARATIONS 147

5.5.3 INCOME TAXES 148

6 LIST OF RECOMMENDATIONS 150

7 CONCLUSIONS 153

8 ANNEX A: PATTERNS CROSS-COMPARISON 156

8.1 THE COMPREHENSIVE REGULATORY APPROACH 156

8.2 THE CENTRALISED REGULATORY APPROACH 158

8.3 THE EPROCUREMENT SECTOR 161

8.4 THE ETAX AND EVAT SECTORS 162

9 ANNEX B: TECHNICAL TRENDS SUMMARIZED 164


7/168


November 2007

7

1 Documents

1.1 Applicable Documents

[AD1] Framework Contract ENTR/05/58-SECURITY

1.2 Reference Documents

[RD1] eGovernment in the Member States of the European Union 5th Edition May

2006http://ec.europa.eu/idabc/servlets/Doc?id=24769

[RD2] European Electronic Signatures Study

http://www.law.kuleuven.ac.be/icri/itl/es_archive.php?where=itl

[RD3] DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THECOUNCIL of 13 December 1999 on a Community framework for electronicsignatureshttp://europa.eu.int/information_society/eeurope/i2010/docs/esignatures/esignatures_en.pdf

[RD4] Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of

generally recognised standards for electronic signature products in accordancewith Directive 1999/93/EC of the European Parliament and of the Council, OJ L175, 15.7.2003, p.45

http://europa.eu.int/eur-lex/pri/en/oj/dat/2003/l_175/l_17520030715en00450046.pdf

[RD5] DIRECTIVE 2004/18/EC OF THE EUROPEAN PARLIAMENT AND OF THECOUNCIL of 31 March 2004 on the coordination of procedures for the award ofpublic works contracts, public supply contracts and public service contracts

http://eur-lex.europa.eu/LexUriServ/site/en/oj/2004/l_134/l_13420040430en01140240.pdf

[RD6] IDABC Work Programme Third Revision

http://ec.europa.eu/idabc/servlets/Doc?id=25302

[RD7] DIRECTIVE 2004/17/EC OF THE EUROPEAN PARLIAMENT AND OF THECOUNCIL of 31 March 2004 coordinating the procurement procedures of entitiesoperating in the water, energy, transport and postal services sectors

http://europa.eu.int/eur-lex/pri/en/oj/dat/2004/l_134/l_13420040430en00010113.pdf

[RD8]

[RD9]


8/168


November 2007

8

2 Glossary

2.1 Definitions

In the course of this report, a number of key notions are frequently referred to. To avoid anyambiguity, the following definitions apply to these notions and should also be used by thecorrespondents.

o eGovernment application: any interactive public service using electronic means which isoffered entirely or partially by or on the authority of a public administration, for the mutualbenefit of the end user (which may include citizens, legal persons and/or otheradministrations) and the public administration. Any form of electronic service (includingstand-alone software, web applications, and proprietary interfaces offered locally (e.g. at alocal office counter using an electronic device)) can be considered an eGovernment

application, provided that a certain degree of interactivity is included. Interactivity requiresthat a transaction between the parties must be involved; one-way communication by a publicadministration (such as the publication of standardised forms on a website) does not suffice.

It should be noted that for the purposes of this questionnaire, only services which rely oneSignatures are relevant, and that the focus is on eGovernment applications offered tocitizens and businesses (A2C and A2B, rather than A2A).

o eSignature: data in electronic form which are attached to or logically associated with otherelectronic data and which serve as a method of authentication with regard to this data. Notethat this also includes non-PKI solutions. However, PKI solutions are the principal focus ofthis questionnaire, and non-PKI solutions should only be included if no PKI solutions are in

common use. It should also be noted that the questionnaire only examines eGovernmentapplications in which the eSignature is used to sign a specific transaction, and not where thesignature is merely used as a method of authentication of the eSignature holder as definedbelow.

o Advanced electronic signature: an electronic signature which meets the followingrequirements:

(a) it is uniquely linked to the signatory;

(b) it is capable of identifying the signatory;

(c) it is created using means that the signatory can maintain under his sole control; and

(d) it is linked to the data to which it relates in such a manner that any subsequent change ofthe data is detectable;

Again, this definition may cover non-PKI solutions.

o Qualified electronic signature: advanced electronic signatures which are based on a qualifiedcertificate and which are created by a secure-signature-creation device, as defined in theeSignatures Directive1.

1 See http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:HTML


9/168


November 2007

9

o Authentication: the corroboration of the claimed identity of an entity and a set of its observedattributes (i.e. the notion is used as a synonym of entity authentication). It should be notedthat the questionnaire is focused on the use of eSignatures as a method of signing atransaction, and not on their use as a method for authenticating the eSignature holder.

o Relying party: any individual or organisation that acts in reliance on a certificate (in a PKIsolution) or an eSignature.

o Validation: the corroboration of whether an eSignature was valid at the time of signing.


10/168


November 2007

10

2.2 Acronyms

A2A............................................. Administration to Administration

A2B............................................. Administration to Businesses

A2C............................................. Administration to Citizens

CA............................................... Certification Authority

CRL............................................. Certificate Revocation Lists

CSP............................................. Certificate Service Provider

eID .............................................. Electronic Identity

OCSP.......................................... Online Certificate Status Protocol

OTP............................................. One-Time Password

PKCS .......................................... Public-Key Cryptography Standards

PKI .............................................. Public Key Infrastructure

SA............................................... Supervision Authority

SOAP.......................................... Simple Object Access Protocol

SCVP .......................................... Server-based Certificate Validation Protocol

SSCD.......................................... Secure Signature Creation Device

USB............................................. Universal Serial Bus

TTP ............................................. Trusted Third Party

TSA............................................. Time Stamp Authority

TST ............................................. Time Stamp Token

XAdES ........................................ XML Advanced Electronic Signature

XML ............................................ eXtensible Markup Language

XML-DSIG................................... XML Digital Signature


11/168


November 2007

11

3 Introduction

The background of this report is the European Community Programme for the interoperable delivery

of pan-European e-government services to public administrations, businesses and citizens(hereinafter IDABC).2 The objective of IDABC is to identify, support and promote the developmentand establishment of pan-European e-government services and the underlying interoperablecommunications networks supporting the Member States and the European Community in theimplementation, within their respective areas of competence, of Community policies and activities,achieving substantial benefits for public administrations, businesses and citizens.

The report is part of a larger study, of which the objective is to analyse the requirements in terms ofinteroperability of electronic signatures for different e-government applications and services takinginto account the relevant provisions of Directive 1999/93/EC of 13 December 1999 on a Communityframework for electronic signatures and their national implementation. .

The first phase of this study provided an extensive overview of currently existing or envisagedrelevant e-government applications in all Member States, which make use of electronic signatures(e.g. for public procurement, tax and social security declarations, request and delivery of documents,etc.).

Per Member State, relevant information has been collected and a profile has been drafted describingfor each application the type of electronic signature legally required, the technical implementation ofthe interface between the application and the electronic signature, the applicable technical restrictionsnotably regarding interoperability with non-national electronic signatures and the authorities orinstitutions that have been contacted to obtain information. The information has been collectedthrough a network of national experts.

The aim of this study is to analyse the national country profiles, to detect similarities and differencesand, on the basis of this comparative study, to provide an assessment from the perspective ofinteroperability for cross-border e-government services in Europe.

The study focuses on signature applications with regard to the interaction between governmentalauthorities and the public (A2B and A2C services, i.e. services to citizens, professionals, companies).Purely internal interactions (A2A services, i.e. the e-government back-office) as such are not withinthe scope of the study. Applications merely serving entity authentication purposes (i.e. not involvingelectronic signatures) are not the aim of this study. They will be the object of a further study in theframework of IDABC, focusing on electronic identity management schemes for e-governmentpurposes.

The main objective of the programme of which this study is a part, is to make progress in the field ofinteroperability of electronic signature applications between Member States. The results of the studymust allow the elaboration of a strategy on the required inputs and components to produce aninteroperability solution for secure electronic signatures. Recommendations for such a strategy will bethe object of the third phase of the study.

This report aims at:

- comparing existing solutions and requirements from the countries and identifying similaritiesand differences on the legal as well as on the technical levels. A topology of eGovernmentapplications/services will be built based on their legal and technical requirements.

- detecting potential interoperability issues, i.e. legal and technical obstacles for usingelectronic signatures in cross-border e-government transactions.

2 More information on the IDABC programme can be found on http://ec.europa.eu/idabc.


12/168


November 2007

12

- prepare conclusions and recommendations on addressing interoperability issues related tothe mutual recognition of electronic signatures for eGovernment applications/services

The report focuses on legal as well as on technical aspects of electronic signatures in e-government

applications.The legal framework pertaining to the use of e-signatures in e-government applications can be adeciding factor in its uptake. Particularly, the framework needs to meet the requirements of allinvolved parties:

- it needs to offer legal certainty with regard to the requirements to be met by the used e-signature technique;

- it needs to offer legal certainty with regard to the result of using the application (i.e. the legaleffect of the signature and the signed document);

- it needs to offer sufficient guidelines to service providers in all stages of the process(application owners and designers, CSPs, token manufacturers, etc);

- it needs to ensure the long term validity of the signature and the signed document for any

application to which this factor is relevant;- a variety of additional legal requirements need to be met, including with regard to privacy

protection, liability, and security.

In this report, we will describe what legal standards have been presented to the Member States andCandidate Countries (hereafter: the surveyed countries), and how they have taken these to heart increating their own legal framework with regard to e-signatures in eGovernment applications. Specificattention will be devoted to the requirements for the most dominant signature techniques for thesurveyed countries, and the impact that this may have on cross-border interoperability.

The main purpose is to provide a short descriptive overview of European regulatory initiatives and theissues they present, and a more thorough examination of national approaches, specifically with

regard to their e-government regulations. To the extent possible, categories of approaches will beproposed for each examined legal aspect. An evaluation of this information will be included in thechapter on the impact of e-signature interoperability.

We will first take a brief look at the European legal framework with regard to e-signatures as it appliesto e-government applications, since this is essentially the baseline that has been provided to thesurveyed countries as a general target.

Secondly, the national regulatory approaches in the surveyed countries will be described, focusing onthe structural choices that have been made in establishing such a framework, particularly keeping intoaccount at which level regulations have been created (national vs. local; general vs. applicationspecific, etc.).

The third part of the analysis will indicate what e-signature solutions areendorsed/recommended/required in the surveyed countries, and which requirements have beenimposed (including qualification according to the tiers of the e-signature directive, and accessibility ofthe application to non-nationals). Finally the report will also examine the extent to which theregulatory framework in the surveyed countries has stabilised at this point, and which future trendscan be expected.

From a technical perspective we will look in detail at every e-government application of all surveyedcountries to find if their approach is in some way illustrative of a given trend. The main purpose is todescribe the technical and organisational solution models, which need to be taken into account forfurther analysis and recommendations. The applications will be classified in a limited number ofmodels, in order to obtain some degree of transparency and to enable an assessment with regard tointeroperability for cross-border e-government transactions.


13/168


November 2007

13

Four application models have been detected based on similarities shared by the describedeGovernment applications. The objective is to characterise and classify the various electronicsignature applications in the surveyed countries against these four models.

Secondly, we will define the concept of interoperability. Our analysis of the profiles of the surveyedcountries has shown that interoperability may have several interpretations. This section presents thedefinition we used to classify the various e-government applications.

Thirdly, we present an analysis based on the models. For each model, a list of applications belongingto that model will be presented, and the major deviations of each application type will be observed,and assessed.

Finally, a last sub-section will contain a list of all eGovernment applications that have been assessed,sorted by country and by model.

The legal and technical analysis of the e-signature applications in the surveyed countries will lead usto a list of interoperability issues. The issues will be presented and can be used as a basis for a

discussion on possible European strategies in this area.


14/168


November 2007

14

4 Analysis

4.1 eGovernment and eSignature regulations

4.1.1 The European legal framework

Before taking a closer look at the national regulatory e-signature frameworks, it is worth providing ashort overview of the main European provisions in this regard, as they essentially constitute thebaseline provided to the Member States as an aide or l imit to their own regulatory initiatives.

In this section, we will take a succinct look at the e-signatures directive3 (hereafter referred to as theDirective) as it pertains specifically to the public sector.

4.1.1.1 Basic principles

The stated goal of the Directive, as expressed in article 1, was to create a harmonised legalframework for the use of electronic signatures and certain related certification services, in order toimprove their legal reliability and encourage ongoing dematerialisation efforts:

Article 1. The purpose of this Directive is to facilitate the use of electronic signatures and tocontribute to their legal recognition. It establishes a legal framework for electronic signaturesand certain certification-services in order to ensure the proper functioning of the internalmarket. []

The Directives provisions were in principle horizontal in scope, i.e. without any inherent limitation to aspecific sector. Thus, its tiered categorisation of signatures (basic, advanced and qualified), and moreimportantly the related principles of non-discrimination and legal equivalence (article 5) would havebeen applicable to solutions employed in the e-government sector as well.

However, article 3.7 contains an important derogation of this principle:

7. Member States may make the use of electronic signatures in the public sector subject topossible additional requirements. Such requirements shall be objective, transparent,proportionate and non-discriminatory and shall relate only to the specific characteristics of theapplication concerned. Such requirements may not constitute an obstacle to cross-border

services for citizens.

4.1.1.2 Public sector clause: article 3.7

It is clear that the Directive thus allows Member States to impose additional requirements toelectronic signatures as used in public sector applications. The main purpose of the legal section ofthe report will be to assess how the Member States have interpreted this clause, and what type ofsignatures they commonly require for such applications.

3 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a

Community framework for electronic signatures, OJ L 13, 19.01.2000, p.12.


15/168


November 2007

15

It is noteworthy that the Directive prohibits the creation of obstacles to cross-border services forcitizens (emphasis added) but we dont think that this term has to be interpreted in a strict sense inthis context.

However, even if this would be so, the requirements must remain objective, transparent,proportionate and non-discriminatory and shall relate only to the specific characteristics of theapplication concerned. Thus, it is clear that the intended goal was for such requirements to be theexception (as they should be application-specific), and clearly justified by the needs of the servicebeing provided and the common interest.

Furthermore, and specifically with regard to the cross-border exchangeability of e-signature, theDirective also explicitly notes that:

Article 3 Market Access

1. Member States shall not make the provision of certification services subject to priorauthorisation.

2. Without prejudice to the provisions of paragraph 1, Member States may introduce ormaintain voluntary accreditation schemes aiming at enhanced levels of certification-serviceprovision. All conditions related to such schemes must be objective, transparent,proportionate and non-discriminatory.

Member States may not limit the number of accredited certification service providers forreasons which fall within the scope of this Directive.

3. []

The ELSIGN Study4 already noted that these principles of voluntary accreditation and public sectorrestriction occasionally combined to a situation which was hardly in compliance with the Directives

intentions:

Also, the Directives rules on voluntary accreditation seem to be misunderstood by nationalgovernments. Many European countries wrongfully consider voluntary accreditation schemesas a means of controlling whether or not a Certification Service Provider operates incompliance with the provisions of the Directive. Another alarming observation is that thevoluntary accreditation schemes, in many European countries, are in practice, not reallyvoluntary. A typical example being that many national e-government programmes only acceptaccredited CSPs to participate in the programme, and thus indirectly oblige a CSP to get anaccreditation. This evolution is certainly not in line with the Directives vision.

Concerning the so-called public sector exception of Article 3.7, which allows Member States

to make the use of electronic signatures in the public sector subject to possible additionalrequirements, we have seen divergences in both the interpretation and implementation of thisprovision. It seems clear that in many countries the use of electronic signatures in the publicsector is subject to additional (security) requirements. Communicating electronically withpublic authorities is in many countries possible only through the use of signatures based on aQualified Certificate issued by an accredited CSP. Member States need to be reminded thatapplying additional conditions can only be justified by objective reasons and should only relateto the specific characteristics of the application concerned. Also, Member States need toensure that basic competition rules are not being infringed by their initiatives. (p.5)

4 Study on the legal and market aspects of electronic signatures, see

http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf


16/168


November 2007

16

Finally, in its recommendations, the ELSIGN Study stated:

[] it is necessary to perform a more detailed study on the internal Market consequences ofthe e-government programmes of the Member States. There is a clear danger that theseprogrammes will result in national barriers, fragmentation and [lacking] interoperability. (p. 12)

One of the main purposes of this report is precisely to assess whether or not this risk has materialisedin practice.

4.1.1.3 eSignatures and authentication

A major and frequently recurring point of debate is the relationship between electronic signatures andauthentication. In practice, it f requently occurs that a person is requested to authenticate himself in ane-government application, after which he may exchange certain documents freely and without anyfurther technical steps. This method of proceeding (which is common in many countries, but which isparticularly prevalent in e.g. the United Kingdom, Lithuania, the Netherlands and Malta) is oftensignalled as an electronic signature, both by the national experts and by the public sector applicationowners. However, there is some debate as to whether or not such a process can be considered anelectronic signature.

A significant number of experts are of the opinion that this is the case. The reasoning behind this istypically twofold. First of all, it is clear that the underlying process from a technical perspective can bequite similar, in the sense that a PKI system is often5 used to authenticate the user, and that to thelayman this process is barely distinguishable from an actual act of signing6. Secondly, the Directiveexplicitly defines the electronic signature as data in electronic form which are attached to or logically

associated with other electronic data and which serve as a method of authentication (article 2.1,emphasis added). Thus, there is a legal basis for the link between authentication and e-signatures7.

None the less, in our opinion the distinction between two core functionalities must be made. Firstly, itis indeed clear that any signature will serve to some extent as a mechanism for authentication,understood as the corroboration of a claimed set of attributes or facts with a specified, or understood,level of confidence8. However, for the purposes of electronic signatures, the authentication referredto in the Directive can in our view only refer to data authentication, understood as the corroborationthat the origin and integrity of data is as claimed9; and not to entity authentication10.

5 But not always; username/password systems are also in common use for lower security typeapplications.

6 Especially in cases such as the Belgian eID card, where the same PIN code is used for signaturepurposes and authentication purposes, so that only the more attentive and knowledgeable users willbe able to ascertain which of the two certificates is actually being used by the application.7 This perspective is also taken in the paper Regulating a European eID A preliminary study on aregulatory framework for entity authentication and a pan European electronic ID for the Porvoo e-IDGroup by Thomas Myhr. Seehttp://www.fineid.fi/vrk/fineid/files.nsf/files/7431D844D1C359F9C225711F004553CB/$file/Thomas_Myhr_report.pdf8 See inter alia the Modinis eIDM Glossary, https://www.cosic.esat.kuleuven.be/modinis-idm/twiki/bin/view.cgi/Main/GlossaryDoc#4_5_Authentication9 See inter alia the Modinis eIDM Glossary, https://www.cosic.esat.kuleuven.be/modinis-

idm/twiki/bin/view.cgi/Main/GlossaryDoc#4_5_1_Data_authentication


17/168


November 2007

17

We argue against the extension of the notion of a signature to include entity authentication processes,both for practical and for philosophical reasons. In legal practice, a signature has traditionally beenonly one of many ways in which a person can confirm his identity, express his consent, effect non-repudiation, and a myriad of other functions which are traditionally ascribed to signatures. The

signature has been given a specific legal status in most jurisdictions, although other ways of obtainingthe same legal result are usually (but not always) allowed. It is therefore not surprising that e-government applications would show the same degree of flexibility, and permit other solutions thanelectronic signatures to serve the same function. This does not mean in our opinion that such othersolutions can be readily considered to be signatures.

Indeed, if entity authentication could be said to be a form of signature on the grounds that it canobtain similar results, the traditional value attached to signatures in many legal frameworks would bein serious peril. After all, if one can be said to have electronically signed a document after suitablysecure electronic entity authentication, then it seems one must also accept that a paper documentshould be considered signed if a person has merely handed it in after authenticating himself inanother suitable fashion (e.g. after ID card verification, or simply after visual identification bysomeone familiar with the provider of the paper document). Paper documents should by this logic be

considered signed, even if there is ostensibly no signature attached to the document. This is not thecase: both in the paper and in the electronic context (as witnessed by the definition of the electronicsignature in the Directive), a signature is always attached to or logically associated with the signeddocument.

This distinction is thus not a purely theoretical or academic exercise. To accept that entityauthentication can be equalled to an electronic signature for the reason that the same functions areserved is an exaggeration of the theory of functional equivalence, to the point where the notion of asignature becomes redundant, and where it merely becomes synonymous with the expression ofconsent, validation, non-repudiation, and any other functionality which can be ascribed to a signature.The purpose of the Directive was not to abolish the notion of a signature, but to allow technicalequivalents to it.

It is therefore our opinion that any process ensuring only entity authentication cannot be given the

status of an electronic signature, no more than a real life entity authentication process can turn anunsigned document into a signature bearing one.

These considerations should of course not be interpreted to mean that we consider entityauthentication as an invalid operating method in e-government applications, or indeed that we wouldconsider it to be somehow inadequate or less suitable than an electronic signature. As in any otherlegal field, a signature has its purposes and its uses in e-government, but it should never beconsidered to be a requirement when a different solution offers the necessary guarantees. We merelywish to emphasise that in such cases, we find that no signature is actually used, and that applicationsusing purely entity authentication are therefore strictly speaking out of scope for this study.

It is interesting to note that many countries relying on entity authentication methods are in a transitoryphase, where the authentication method is planned as a user friendly but lower security level solution,but where actual signature solutions are being planned for higher security applications.

10 See also the ELSIGN Study (The Legal and Market Aspects of Electronic Signatures report) in thisregard. See

http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf


18/168


November 2007

18

Example: the Maltese approach:

This mechanism is being rolled out in three phases. The first phase consists in the provision of ausername and password to each citizen for him/her to be able to authenticate himself/herself whenrequesting eGovernment services. The second level is the distribution of digital certificates, while thethird level consists of a qualified digital certificate based on a smart card which would replace thecurrent Government-issued Identity Card. Malta is currently at the first phase of the project and hasimplemented eID Level 1.

However, some eGovernment services already run on normalized digital certificates. For theserestricted number of eGovernment services, meant for Governments business Clients, the Maltesegovernment procures digital certificates from a commercial CA. This allows Government, as a relyingparty and the Business as the client, to benefit from a range of advanced eGovernment servicesand to gain experience with certificate-based eServices. Digital certificates act as identity tokens forelectronic authentication but none of the eGovernment services require the user to sign

electronically.

Thus, the main driver behind entity authentication as a proxy for electronic signatures seems to beuser friendliness and flexibility, rather than any philosophical or political preference. It has been notedby several experts that entity authentication is retained as a proxy for electronic signatures for thesimple reason that it is considered good enough in terms of safety and reliability, and that additionalrequirements would encumber the underlying processes excessively in a manner that would offer littleadded value.

For these reasons, entity authentication shall only be dealt with below insofar as it is presented by aMember State as its current main proxy for electronic signatures. It should be noted that, for reasonsof brevity, entity authentication will simply be referred to as authentication in the remainder of thereport.

4.1.2 National regulatory approach models

A first question that needs to be assessed is how the surveyed countries generally regulate their e-signature applications. There are several components to this question.

First of all, the general regulatory strategy of the surveyed states needs to be described: is therecentralised regulation, do the rules vary from sector to sector or even from application to application,

etc. In short, a f irst question is to what extent a global vision is enacted in the countrys regulation.Secondly, there is the legal-technical issue of competence: at what level is regulation enacted? Whilenational harmonisation is expected, it is none the less conceivable that certain regions or evencommunes in any given country have taken a frontrunner role, possibly by relying on differenttechnological solutions.

4.1.2.1 General strategy

While all surveyed countries have put in place specific regulation with regard to e-signatures ingeneral (typically as a result of the transposition of the Directive, or at least updated to reflect itsprovisions), there is still a significant difference in the general strategies followed by the surveyed


19/168


November 2007

19

countries. While all aim to encourage the use of e-signatures in public sector applications, theregulatory approach can differ significantly. Broadly, the following archetypes can be distinguished(with the usual caveat that virtually no country falls cleanly and uniformly in one category, but thatmost choose to incorporate aspects of several approaches).

4.1.2.1.1 Centralised

A first conceivable strategy (followed by a large majority of European countries) is the creation of asingle centralised legal framework, consisting of a single e-signatures law, on which all e-signatureuses are to be based. While this central legislation may have limited specific references to the use ofe-signatures in an e-government context (usually in the form of a transposition of the aforementionedarticle 1.7 of the Directive), the focus is on establishing a global e-signatures framework, withoutemphasis on the manner in which it is used.

Such central laws are then typically completed by a series of governmental/ministerial decreesdetermining the specific modalities of the use of e-signatures in an e-government context. Thus, this

approach can be summarised as creating an e-signature regulatory core, and drafting the necessaryadditions and clarifications around this core as required.

Example: the Belgian approach:

The legal basis for the introduction of electronic signatures in eGovernment applications can befound in various legislative provisions, which allow changing the way in which data are collected fore.g. social security and tax purposes, or which put electronic notifications on par with papernotification in a social security context.

By way of example, the social security contributions collecting institution can lay down the form andrules for the electronic obligatory notification of the start and end of employee relationships

11. Also,

the social security management committee can lay down conditions for access to and use of theinformation systems of social security institutions and the information system of the federalgovernment, including standards for message exchange.

The result can be diverse and occasionally lacks consistency, since only the core is common, andactual application details can vary quite widely.

This approach is followed in a number of countries, including:

11 Royal decree of 5 November 2002 introducing the immediate notification of an employment

relationship.


20/168


November 2007

20

Country Normative source:

Belgium The act of 9 July 2001 laying down a legal framework for electronic

signatures and certification servicesCroatia Electronic signature act, Narodne novine, no. 10/2002

Cyprus Legal Framework for Electronic Signatures and Associated Matters Law of2004

Czech Republic Act on electronic signature 227/2000 Coll.

Denmark Act no. 417 of 1 October 2000 on Electronic Signatures

Estonia Digital Signature Act (hereinafter DSA) on March 8, 2000

Finland The Act on Electronic Signatures (14/2003); and the Act on ElectronicServices and Communication in the Public Sector (13/2003)

France Act of 13 March 2000 regarding several provisions related to electronicdocuments and the electronic signature; and the Arrt of 26 July 2004 withregard to the qualification of certification service providers issuing digitalcertificates and to the accreditation of the bodies in charge of theevaluation of CSPs.

Greece Presidential Decree 150/2001 of 25 June 2001

Hungary Act XXXV of 29 May 2001 on electronic signatures

Latvia Electronic Documents Law effective as of 1 January 2003

Lithuania Law on Electronic Signature No VIII-1822 of 11 July 2000

Luxembourg Regulation of 1 June 2001 on electronic signatures, electronic paymentsand the creation of an electronic commerce committee

The Netherlands Act of 8 May 2003 on electronic signatures

Poland Regulation of the Ministry Council from August, 7th, 2002 concerningtechnical and organisational requirements for qualified certificationauthorities, certification policies for qualified certificates issued by them,and technical requirements for secure signature creation and verificationdevices

Romania Law no. 455/2001 regarding the electronic signature

Slovakia Act of 15 March 2002 on electronic signature

Sweden Act on Qualified Electronic Signatures

4.1.2.1.2 Comprehensive

This second approach attempts to solve this problem by first establishing a holistic e-governmentpolicy or vision (or even a broader e-society policy comprising such issues as e-government, e-inclusion, e-health, etc.), which is then implemented in a homogeneous manner throughout allaffected sectors.

This typically results in a single broader legal act encompassing electronic signatures (or e-societyactivities in general); or in a series of regulatory initiatives aiming to gradually implement acentralised vision.


21/168


November 2007

21

Example: the Austrian approach:

The E-Government Act is an overall legal basis for the instruments used to provide eGovernmentand for closer cooperation between all authorities providing eGovernment services. Guidingprinciples are freedom of choice for users of which means of communication to use when submittingpublic administration requests, security and improved legal protection provided by appropriatetechnical means such as the citizen card, and unhindered access for people with special needs topublic administration information and services by the end of 2007.

The E-Government Act defines the principal eGovernment elements. This includes the citizen cardconcept together with the identity management system based on sector-specific personal identifiers,provisions on the authority to act as a representative, or electronic delivery. Related to electronicsignatures, two provisions have been made: []

Example: the German approach:

On 13th

September 2006 the federal Government passed a new programme with the name E-Government 2.0. The content and basic thinking is in line with the E-Government action plan as partof the i2010 initiative. Programme implementation resides with all federal departments withcoordination being handled by the Federal Interior Ministry. To this end a dedicated eGovernmentcompetence centre will be set up within the BMI in 2007.

The main benefit of this approach is that such initiatives tend to benefit from an increased internalconsistency, since the relevant provisions are drafted as a whole. Such approaches also favourdistinct solution models, often emphasising one single token or one specific technology over others.

The downside of this approach is that the system can become inflexible or immune to changes, sinceany modification can upset the coordination between the provisions, negating the central vision.



Austria The E-Government Act of 1 March 2004

Germany E-Government 2.0 programme

Italy Extensive set of rules, including d.lgs. 82/05, the Digital Administration Code(Codice dellamministrazione digitale

Portugal Resolution of the Council of Ministers No. 108/2003 the Plan of Action for the E-Government

Slovenia eGovernment Strategy of the Republic of Slovenia for the period 2006 to 2010

Spain Plan de Medidas 2006-2008 para la mejora de la Administracin (Measures Planto improve the Administration

Turkey The Information Society Transformation Policy (high level action plan)


22/168


November 2007

22

4.1.2.1.3 Sector Based

A decentralised version of the earlier approaches, this model entails the creation of a suitable legalframework on a sector by sector basis, i.e. specific regulations for the social security sector, the taxsector, public procurement, civil administration, etc. Rather than depending on a global e-signaturesmodel, this approach favours the creation of a model taking into account the specific problems andsensitivities of each concerned sector.

The genesis of such approaches is typically not the result of a specific vision or of a desire to ensurethat the regulatory framework is optimally adapted to the needs of the sector involved. Rather, suchapproaches tend to evolve organically in situations where no central framework for e-signaturesexisted, but where the need for technological advancements was still felt and acted upon in a specificsector. Thus, it is conceivable that sector specific solutions are created before a national solutionmodel.

This is e.g. the case in Malta, where the current trend is to rely on authentication mechanisms(userID/password based), rather than on e-signatures, except for two distinct sectors where specific e-signature solutions have been introduced.

Example: the Maltese approach:

The usage of electronic signatures is as yet not very diffused, since most of the services launchedhave been based on eID Level 1 authentication mechanism (using a username and password). Thisis not the case for only the following eGovernment services:

i. the Inland Revenue Departments (IRD) eGovernment services for:

on-line submission of social security forms (for employers who employ ten or moreemployees)

on-line submission of tax and social security forms and the related payments of taxcontributions (for Tax Practitioners for their corporate taxpayers)

ii. the Vehicle Licenses Online for:

vehicle-owners who wish to pay their road license online vehicle-owners who wish to check the due date of the next Vehicle Roadworthiness Testing Insurance agents who wish to provide the road-license payment to their clients through an

authenticated login

The advantage of sector specific regulation is of course that the solution has been built to the exact

needs of that sector, which should (in theory) result in a relatively well suited framework.The obvious downside is that solution models can differ greatly from sector to sector, thus harmingconsistency on a national scale, and creating interoperability problems even within a nations borders.

Such approaches are typically implemented by simply modernising existing legal texts toaccommodate a specific new technology, without introducing more all-encompassing changes.Alternatively, as in the Maltese example above, it can be a result of an as of yet incomplete transitionto a generic signature framework.



23/168


November 2007

23


Malta Specific systems for internal revenue and transportation sectors apart from thegeneric regulation ( Chapter 426 of the Laws of Malta, subsequently amended byLegal Notice 251 of 2006)

Ireland Electronic Commerce Act 2000 is applicable to e-signatures in general, but sectorspecific rules exist as well

4.1.2.1.4 Ad hoc legal frameworks

This final model is the logical extreme of the sector based approach described above. In this specificcase, regulation is created not with regard to an entire legal system or to a specific sector, butspecifically for a single application. While more limited in scope than the sector based approach, theunderlying logic is similar: a desire or need to advance one specific application, while a more global

vision has not yet been universally accepted.This is a model that has been followed to a certain extent in Bulgaria, where efforts are now underwayto harmonising national e-signature practices.

Example: the Bulgarian approach:

At the present moment the Bulgarian eGovernment is at a stage of development whereby theavailable electronic services are mostly separate elements than parts of an organized structure. TheeGovernment projects are usually implemented separately within the structure of one administrative

body and under the control and the coordination of this body. Steps for overcoming the lack ofcoordination between the administrative authorities in relation to the eGovernment developmenthave been undertaken through drafting a particular legislative framework of the BulgarianeGovernment, including the eGovernment Strategy, Action Plan for the implementation of theStrategy, eGovernance Act etc.

A similar situation presently exists in Slovenia:

Example: the Slovenian approach:

Currently the applications in public administration that rely on e-signature use different modules forcreating digital signatures. Most of them use web components while others integrate desktop signingmodules. Such a situation is quite unsuitable because digital signatures created in all theseapplications are not interoperable and some of them are not developed according to guidelines andrecommendations. Recently a decision to unify solutions for digital signatures in all publicadministration applications has been taken. A tender for development of an independent module forcreating digital signatures will soon start and the selected solution will be available to all publicadministration institutions.


24/168


November 2007

24

However, the availability of specific ad hoc solutions is not restricted to legacy applications that havenot yet been sufficiently harmonised. In several instances, applications were reported that relied ondistinct signature mechanisms because it was felt that the generic framework did not provideadequate safeguards to meet the requirements of the field at hand:

Example: the UK approach:

However, there are two notable applications that do not use the [eGovernment] portal (and they areboth described in more detail below).

The first is the e-Conveyancing application being developed for the Land Registry, which is agovernment executive agency and trading fund responsible to the Lord Chancellor that keeps andmaintains the Land Register of England and Wales. Its main purpose is to register title to land and torecord dealings once the land is registered. Established in 1862, it is required by statute to be self-

financing and makes no call on public funds.It was felt that the extreme sensitivity and liability implications relating to transactions for the buyingand selling of peoples homes meant that a bespoke solution needed to be developed that could beintroduced carefully in phases with tight controls on all aspects of the process, and should thus notbe added into the more generic solution provided by the Government Gateway.

The second such application is the DTIs Oil & Gas Trust Scheme. Here it was felt that therequirements of the industrial sector being served were more specific than those provided for by theGovernment Gateways generic approach and that the financial model dictated by the value of thetransactions meant that a standalone solution was the most efficient way of achieving a workablesolution. Like the Government Gateway, tScheme is used as the basis for determining the suitabilityof the CAs but unlike it, there are extra requirements placed on the CA over and above the basictScheme approval criteria.

It should be noted that the existence of ad hoc legal frameworks can in a sense be encouraged byharmonisation initiatives. For example, following the e-procurement directives (Directive 2004/17/ECand Directive 2004/18/EC), a given Member State may decide to prioritise the implementation of ane-procurement platform incorporating e-signature functionality, before a global strategy for e-government applications in general has been put into place.

Again, the main risk is the creation of a disjointed or maladjusted legal framework, when a moreglobal vision is drafted into law that does not mesh entirely with the legacy application created for aspecific problem field.



Bulgaria The Electronic Documents and Electronic Signatures Act is an attempt tocoordinate eSignature policy; but harmonization is not yet complete.

United Kingdom Existing legislation is being amended on a case by case basis.

4.1.2.2 National competence and organisation

Aside from the general regulatory approach, issues of national competence can also play a

noteworthy role in assessing interoperability risks. Particularly (but by no means exclusively) within


25/168


November 2007

25

federal countries, the division of competences between the federal and regional levels can becomplicated, since there may be a common e-signature infrastructure which is offered on a federallevel which is open to use by regional or local authorities; or such regional or local authorities maycreate their own independent infrastructures. Depending on the national situations, these diverging

local solutions may not (yet) have been subjected to harmonisation initiatives.While the focus of the study was on national e-signature policy, which inevitably slants results towardnational solutions rather than regional/local initiatives, the main conclusion is that even federalcountries are attempting (or have already attempted) to harmonise their e-signature infrastructures ona federal level. Two examples of this are Belgium and Germany.

Example: the Belgian approach:

eGovernment, in particular horizontal integration, is driven by the following services:

Federal eGovernment

Federal eGovernment initiatives are lead and coordinated by FedICT, the Federal Public Service forInformation and Communication Technology (www.fedict.be).

Regional eGovernment

Regional eGovernment initiatives are lead and coordinated by the respective regional services.

CORVE, the coordination service for Flemish eGovernment (http://www.corve.be); EASI, the coordination service for Walloon eGovernment (http://easi.wallonie.be); BRIC, the Brussels Regional Informatics Centre, for the Brussels Capital Region

(http://www.bric.irisnet.be/site/en).

Local eGovernment

Local eGovernment initiatives are lead and coordinated by local authorities, mostly municipalities.Several municipalities set up an online interactive desk for the provision of eGovernment services(www.iloket.be), developed by the IT service provider for communes (www.cipal.be). Typically, thesesystems rely on the authentication mechanisms offered on a federal level, usually the e-ID card,certificate or token offered by FEDICT (see below for a description of each option). In practice, theuser visits the communal website to access a local portal, which verifies the users credentialsthrough an LDAP framework offered by FEDICT. Upon successful authentication by FEDICT on afederal level, the end user can access the local service.

[]

As most electronic signatures in eGovernment applications have been designed at a federal level,internal Belgian interoperability difficulties are few.


26/168


November 2007

26

Similarly, the German report notes:

Example: the German approach:

In recent years Germany has experienced enormous changes in the public administration arenaboth at federal and state level and at community level. As long ago as 1999, the federal Governmentplaced extensive emphasis on its reform programme "modern state - modern administration" formodernising the Federal Republic of Germanys public administration. 440 of the federalGovernments administrative services were made available online as part of the BundOnline 2005

12

initiative, which came to an end in December 2005. The lead role was taken by the Federal InteriorMinistry (Bundesministerium des Inneren - BMI)

13. It is fair to say however that only a very small

proportion was designed for the use of electronic signatures.

However, because of Germany's federal structure - Germany is organised into 16 federal states14

,

which exercise responsibility on their own account and some of which are able to look back on along tradition - the federal Government is unable to take any far-reaching decisions on behalf of thefederal states and municipalities. As most administrative services in Germany are provided not bythe federal Government but by the states and municipalities, their eGovernment activities assumeparticular significance in the German context. It would clearly be beyond the scope of this study toexamine all of the eGovernment initiatives of the 16 federal states.

However, despite both being federal states, the practical situation is noticeably different, with Belgiumhaving a significantly more centralised system, with less fragmentation and diversity between itsconstituent regions and communities15.

12http://www.bundonline2005.de/13http://www.bmi.bund.de/14http://www.magazine-deutschland.de/bl_overview.php15 It can be argued that this is a consequence of the historical genesis of the federal states involved:Belgium is a centrifugal federal state (i.e. a former unitary state that has at some point decentralisedpart of its competences), which could naturally lead to a more unified approach than would be thecase for a centripetal federal state such as Germany (i.e. a federal country composed of states thattraditionally had a larger degree of autonomy which have centralized part of their competences).

Since this discussion is out of scope for this Study, it will not be examined further.


27/168


November 2007

27

Again, it should be noted that issues of fragmentation between regions also occur in unitary nations:

Example: the Polish approach

As the result of the hierarchical administrative structure most of systems and services built foreGovernment purposes are also very hierarchised. Moreover, in the case of eGovernment systems inPoland there is a tendency to centralise information during collection, storage and processing. Theinformation is transferred from the communities and district level to the regional administration authorities(the voivodeship level); then the direct transfer from the voivodeship level to the central administrationauthorities (ministries, departments) occurs. [] Practically there are no intersector public administrationsystems, nor regional/local government ones. It means there is a lack of a vertical and horizontalintegration. Therefore the citizen (or an organisation) has no possibility to gather information from oneaccess point. He is forced to use many portals and access points.

[]

In Poland the minister designated for IT implementation is responsible for the development of intersectorA2C and A2B IT solutions (horizontal integration), whereas the responsibility for sector-specific ITsolutions (vertical integration) is delegated to the minister of an appropriate government administrationdepartment.

So there is no institution at the national level which would be responsible for the development of all ITsystems which use digital signatures.

4.1.3 National eSignature requirements

In this section, we will take a closer look at the signature requirements most commonly imposed bylaws or regulations to the dominant e-signature applications in the surveyed countries. It should benoted that the emphasis here is not on the legal requirements imposed by the core legislations (whichis typically a faithful transposition of the Directive and therefore broadly includes provisions for allsignature types), but rather on the national administrative practices.

First of all, this requires an examination of the legal qualification of the signature type most commonlyrequired in e-government e-signature applications (in terms of the Directive: abasic/advanced/qualified signature or an ad hoc solution that does not map cleanly into thesegroups).

Secondly, we will examine what kind of unique identifiers are included in the certificates of PKI-basedsignature systems, and the legal issues (mostly with regard to privacy regulations) revolving aroundthese.

A brief overview will also be given to the (lack of) technological neutrality of the legal frameworks inthe surveyed countries, and the extent to which any specific technology is allowed / encouraged /mandated.

It should be reiterated that this report is descriptive; the consequences of these qualifications forinteroperability purposes will be dealt with in section 5 of this report. Nonetheless, a summaryoverview will be provided at the end of this section describing the measures which are commonlytaken to allow cross-border functionality.


28/168


November 2007

28

4.1.3.1 Dominant Signature types

It is interesting to note that, while most countries have faithfully copied the provisions of the Directive,several countries have interpreted these in a slightly different manner, or have tailored their specifice-government e-signature policies to their legal traditions. In this section of the Report, we will providea short overview of the national e-signature policies, and discuss a few specific interesting examplesin more detail.

4.1.3.1.1 Overview table of signature requirements

In this section, we will provide a short overview of the requirements imposed on the principal e-signature solutions in the surveyed countries. For specific details (including alternative signaturetypes less commonly encountered in these countries), we refer to the full country reports.

For the purposes of this report, the qualifications are used in the following sense:

Qualified signature: use of a qualified certificate in combination with an SSCD, as the notionis defined in the glossary above. Note that in most cases, the SSCD is not formally accreditedas such, but its status is generally accepted.

Qualified certificate: use of a qualified certificate in the sense of the e-Signatures Directive 16is required, but no requirement of an SSCD is presented.

Advanced signature: use of a non-qualified certificate meeting the requirements of theDirective as presented in the glossary above.

Simple signature: use of a lower level signature solution, meeting the definition of anelectronic signature in the Directive, but not that of an advanced or qualified signature. In thiscase, the specific solution type is commented further below.

Authentication: use of an authentication mechanism, typically based on a username/password

system, which cannot formally be considered a signature as discussed above in section 6.2.3.In this case, the specific solution type is commented further below.

It should be noted that the table below contains the qualifications reported by the nationalcorrespondents, as reviewed by the Expert Group.

Country Signaturerequirements

Detail / Other info

Austria Qualified signature The so called Citizen Card concept is a voluntary concept,typically but not necessarily (e.g. mobile phones) rolled out

through smart cards. Uses sector specific variations on aunique ID number (the so called SourcePIN). Foreignsolutions can be integrated by mapping. So calledadministrative signatures are being phased out (deadline: end2007), but are considered as equivalent to qualified signatures.

16 As communicated by the correspondent. It should be noted that some countries may imposeadditional requirements on qualified certificates, such as the French requirement for CSPs to issuecertificates in compliance with the norm AFNOR AC Z74-400 (TS 101 456); which would imply thatqualified certificates in other countries might not be considered qualified under French law if they

have not received such certification.


29/168


30/168


November 2007

30


Detail / Other info

Lithuania Qualified signature/ Authentication

There are some services, based on electronic signature (notonly for authentication), Citizens can read legal acts publishedin official magazine (http://www.valstybes-zinios.lt). Forauthentication in government services portal(http://www.epaslaugos.lt/govgate/index.do?language=lt) ispossible to use qualified certificates or banking systems.

Luxembourg Advancedsignature /

authentication

An advanced electronic signature on a smart card is offered byLuxTrust; qualified certificates are planned but not yet rolledout. In practice, username/password authentication isfrequently used instead of electronic signatures.

Malta Authentication /advanced signature

and qualifiedcertificate

The baseline solution is the eID (electronic identity) which canbe issued to the holders of a Maltese eID card, and which

consists only of a username and password. Futureimplementations will rely on advanced and qualifiedcertificates for higher levels of security as required by theapplication (not yet implemented).

TheNetherlands

Authentication /

Qualified certificate

Both PKI Overheid (a hierarchy of accredited CSPs, using softcertificates) and DigiD (actually an authentication system;requires a Social Security Number) are in common use; an eIDcard by the name of eNIK is planned. Commercial CAcertificates (from accredited CSPs) are allowed for someapplications and available to foreigners.

Poland Advancedsignature

Advanced and qualified certificates are issued by accreditedCSPs, either as soft certificates or on a smart card. A

requirement for qualified certificates is most common in e-government applications, although many applications requiretheir own solutions.

Portugal Advanced/qualifiedsignatures /

Authentication

Present status is still fragmented. Advanced and qualifiedcertificates are issued by commercial CSPs, either as softcertificates or on a smart card; authentication functionality isused as well. An e-Card with a qualified signature certificate isplanned and will likely become the dominant technology in thefuture, but it has not yet been deployed.

Romania Qualified certificate Soft certificate from accredited CSPs.

Slovakia Advanced and

qualified signatures

Qualified certificate from accredited CSPs stored on SSCD or

soft certificates, often stored on smartcards. An eID card isplanned

Slovenia Qualified certificate No uniform policy yet, but most applications rely on qualifiedsoftware certificates from accredited CSPs. Smart cards willbe deployed to the public in 2007-2008 (public sector officialsalready use smart cards).

Spain Qualified signature The mandatory eID card (DNI) contains qualified certificatesfor authentication and e-signatures. While deployment hasbegun only recently, it will likely become the dominanttechnology in the future. Soft certificates from accreditedCSPs are also in common use; they can be stored on a smartcard.


31/168


November 2007

31


Detail / Other info

Sweden Qualified signature(see comment)

Swedish eIDs (either soft certificates or smart cards) cancontain certificates for authentication and e-signaturepurposes, and contain the Swedish personal identity number.These eIDs are issued by several recognised private sectorinstitutions (typically banks). It is noteworthy that the issuingbanks do not declare their certificates to be qualified, but thatthey are in practice accorded a trust level which seemscomparable.

Turkey Qualified certificate The general legal framework is currently considered to beunclear, stressing only the use of qualified certificates as aprerequisite for equivalence to handwritten signatures. No e-government applications using e-signatures were identified.

United Kingdom Authentication /Simple certificate

No rigid distinction between authentication and signature.Access through the Government Gateway Portal (eitheruserID/password or certificate based, depending on theapplication) permits signature functionality. CAs must beaccredited, but advanced/qualified certificates are generallynot a formal criterion.

4.1.3.1.2 Typical and atypical examples

In this section, we will look at a few Member States in detail if their approach is in some wayremarkable or illustrative of a given trend (e.g. The Netherlands use of authentication; the Estoniangeneric eID based approach; the influence of historical legal traditions in Germany and Denmark;

etc.). The main purpose of this section is to describe a few typical legal solution models, which needto be taken into account for further analysis and recommendations.

4.1.3.1.2.1 The Danish and German examples the influence of legal traditions

Both the Danish and the German profiles are interesting examples of the influence of legal traditionsand socio-cultural sensitivities on the choices made when implementing a regulatory e-signaturesframework.


32/168


November 2007

32

The first example is the Danish solution model:

Example: the Danish approach

The definitions of advanced and qualified electronic signature under Danish law are very close tothe definitions of the European Directive. Advanced and qualified electronic signatures cannot beissued to legal persons under Danish law.

[]

The practical effect of the Danish eSignature Act has been disappointing as no qualified electronicsignatures are being offered by certification providers in Denmark. One of the main obstacles hasbeen the requirement for signature holders to meet up and identify themselves in person. Realisingthat few people would do this the Government initiated the establishing of above mentioned OCES

signature.

The OCES signature is a light version of the qualified electronic signature with the importantdifference that the holder of an OCES signature does not have to perform fact to face identification.The OCES signature is widely supported by public authorities in their eGovernment solutions and isexplained in details below.

The OCES signature is not covered by the Danish eSignature Act as the OCES signature is notbased on a qualified certificate. Neither is the OCES signature covered by any other generaleSignature legislation (the eSignature Act focusing on qualified electronic signatures is the onlygeneral eSignature legislation under Danish law).

The Danish legal situation is to a large extent a result of its traditionally more flexible approach toelectronic documents in civil and commercial relations. The presence of a signature was for mostdocument types not a requirement for the admissibility of the document in legal proceedings underDanish law. It is telling from that perspective that the Danish eSignature Act does not contain atransposition of art. 5.2 of the Directive with regard to the non-discrimination of e-Signatures. Rather,the Danish eSignature Act focused more on the validity requirement of qualified signatures of art. 5.2of the Directive.

The fact that the Danish government was able to make the pragmatic choice for an advancedsignature that did not require in-person identification is to a large extent a consequence of thistradition of legal flexibility. As a result, the main e-signature solution in Denmark is an advancedsoftware certificate, a significantly lower barrier than in other countries.

The German example is radically different, again partially due to its legal tradition, which issubstantially more formal in Germany than in Denmark. The German Civil Code makes a distinctionbetween several categories of formal documents, including the mandatory written form (sec. 126BGB), the agreed written form (sec. 127 BGB), the notarisation (sec. 128 BGB) and finally thecertification by a notary public (sec. 129 BGB), none of which traditionally could be signed in anelectronic form. Following the eCommerce directive and the eSignature directive (directive1999/93/EC), the German legislator introduced two new document categories, the so called Textform(sec. 126b BGB) and the electronic form(126b BGB), the latter of which was capable of replacing asubstantial number of traditional paper document types, but also required a qualified signature. Thus,the qualified signature was the de factostandard for valid e-signatures under German law.

It is thus not surprising that this also became the standard for e-signatures in e-governmentapplications:


33/168


November 2007

33

Example: the German approach

As regards the topic of electronic signatures in eGovernment applications, it is worth noting thatwhen electronic signature procedures are used or offered, only qualified signatures are used. Thisapplies for the federal Government, states and municipalities and can be traced to the German legalsystem (so-called written form requirement).

While choosing drastically different approaches, both the Danish and the German situations are thusgood examples of the influence of legal traditions on the present e-government framework.

4.1.3.1.2.2 The Estonian example generic e-signature functionality through a mandatory eIDcard solution

The Estonian system is equally interesting, because it was designed based on the requirement thatthe solution offered should allow Estonian citizens to use electronic signatures in an easily accessibleand harmonious way, without having to consider differences between systems. To do so, it relies on atandem consisting of the mandatory eID card (which includes two qualified certificates: one forsignature functionality, and one for authentication purposes) and of a common digital signaturesystem, revolving around the common set of libraries, tools and applications known as DigiDoc.

Example: the Estonian approach

In order to bring digital signatures into everyday life, common understanding and signature handlingpractices are required. In addition, software and technology must be available for anyone interested, inorder to create compatible applications. After all, the key to unleashing potential digital signature benefitslies in communication between organizations, not within one organization. Therefore, it is vital that allorganizations in a given community interpret and understand digital signatures the same way. In case ofEstonia, the community is the whole country.

A number of digital signature implementations and applications are available on the market, all claiming tobe suitable for specific purposes. However, no known application or implementation of the lateststandards was found which would suit the needs of the Estonian project, and reliance on foreign software

providers guaranteeing the functioning of a country's everyday life relying on digital signatures can also beseen as a strategic risk. Therefore, a whole new approach and a whole new software architecture was needed.

In 2002, SK together with its partners created an all-around digital signature architecture called DigiDoc.As the name suggests, DigiDoc aims to meet all the needs users might have about digital signaturecreation, handling and verification.[]The DigiDoc library provides easy-to-use interfaces to all of the above and there is no need for applicationdevelopers to know OCSP protocol specifics or DigiDoc (XAdES, XML-DSIG) format internals. It can beembedded in any application and on top of it, a COM interface has been implemented, making it easy toadd DigiDoc support to any Windows application supporting COM technology. A Java implementation andwebservice is also provided. DigiDoc architecture is presented in the figure below.


34/168


November 2007

34

However, providing the libraries, web service and formats was not enough because these do not addvalue to end users without real applications. Although DigiDoc support is present in most Estoniandocument management systems, some web sites dealing with documents etc, a couple of standardend-user applications are also provided. DigiDoc Client is a Windows application that lets users simplysign, verify and encrypt documents, and DigiDoc portal is an application that lets users do the same onlinewithout the need to install any stand-alone software. Naturally, both are based on the same DigiDoclibrary and thus fully compatible signatures given in Client can be verified in portal and vice versa.

This approach is particularly interesting because of the consistent distinction being made between thee-signature components itself (the eID card, DigiDoc and the surrounding infrastructure) and theapplications making use of the signed documents. As a result, interoperability requirements becomeeasier to map than with solutions where specific applications have a larger impact on how signaturesare generated and/or processed.

4.1.3.1.2.3 The Dutch example authentication as an interim solution

As discussed extensively above, there are a number of Member States which presently rely mostly onauthentication mechanisms as a sufficient proxy for e-signature functionality in public sectorapplications. The Netherlands, which currently relies largely on the DigiD system, is one example ofthis approach.


35/168


November 2007

35

The Dutch example:

DigiD stands for Digital Identity and is a system shared between cooperating governmental agencies,allowing to digitally authenticate the identity of a person who applies for a transaction service via internet.With increasing numbers of public authority offices implementing the DigiD system, it is easy to beginusing their range of electronic services after first choosing your own login code (users name andpassword) at www.DigiD.nl. In short: DigiD provides users with a personalised login code for the fullspectrum of contact with various governmental bodies. Anyone with a Social Fiscal number (SOFI-number) can apply for a DigiD.

However, while the DigiD system is an authentication system relying only on a username/password,this solution will be complemented in the future by an eID card know as eNIK. Similar to comparable

solutions such as the Belgian, Estonian, Finnish, Italian and Spanish ones, eNIK would containdistinct certificates for authentication and e-signature functionality. While it is presently not yet knownwhich applications would require eNIK in the future and which would continue to support DigiD, it islikely that at least some applications will require the use of actual signatures in the future.

4.1.3.1.2.4 The Finnish approach public/private sector collaboration

The Finnish situation is interesting because it offers two very distinct solutions: either a FINEIDsignature (based on a qualified certificate on a smart card), or the bank controlled Tupasauthentication system.

Example: the Finnish approach

Three different types of electronic signatures are predominantly used in eGovernment applications:1. Signature applications based on the FINEID electronic identity card, which contains a qualified

certificate;2. Signature applications based on the FINEID certificate card for organisation use (organisation CA

certificates) which contains a qualified certificate; and3. TUPAS bank identification system.

The FINEID certificates are qualified signature certificates as specified in the relevant European Directiveand in the Finnish Act that implements the directive. For eGovernment applications the proportion ofqualified vs. Advanced certificates that are used for signing is not measurable since only FINEID andTupas based signature methods are offered in the services.

The Tupas system does not provide for qualified nor advanced signatures since it is a two-factorpassword authentication method. Advanced certificates are not used in eGovernment services, eventhough some are available (e.g. commercial SoneraCA certificates). The reasons for this are multiple andthey are described in more detail in section 6 of the report.


36/168


November 2007

36

It is interesting to note that, despite to the division in functionality (with FINEID offering both signatureand authentication functionality, and TUPAS only offering authentication), both solutions arecommonly supported, without any clear system of preference.

4.1.3.1.2.5 The Bulgarian approach higher regulatory threshold

While the Bulgarian EDESA (Electronic Documents and Electronic Signatures Act) globally followsthe provisions of the Directive, it is interesting to note that the baseline signatures concept is in factthe advanced electronic signature of the Directive:


According to Art. 13, Para. 1 of EDESA electronic signature is a data attached to the electronicmessage (data message) in a way agreed between the author

17(the signatory) and the addressee

and enough secure for the needs of the turnover which:

reveals the identity of the author (the signatory); reveals the consent of the author (the signatory) with the signed electronic message; and protects the content of the electronic message against any further changes.

The meaning of electronic signature under the Bulgarian EDESA is similar to the meaning ofadvanced electronic signature under the Directive.

Similarly, the Bulgarian advanced signature is in fact what the Directive labelled as a qualifiedsignature:


The advanced electronic signature under EDESA could be equalled to the qualified electronicsignature under the meaning of art.5, para.1 of the eSignatures Directive.

Finally, the signature type endorsed most frequently by the Bulgarian government (the so calleduniversal electronic signature) is an advanced signature relying on a qualified certificate. Thus, thebar in Bulgaria is set relatively high, falling just short of a qualified signature (due to the lack of aSSCD requirement).

In fact, the Austrian legislator took a similar approach, by retaining the qualified signature as thefundamental notion (under the name of secure electronic signature):

17 The author is the natural person who makes the electronic statement on his own behalf or on

behalf of a legal entity or another person as a proxy.


37/168


November 2007

37

Example: the Austrian approach:

Austrian legislation did not explicitly introduce the concept of advanced electronic signatures.Qualified electronic signatures are however liter