Comments and other input should be sent to digsig@fipr.org.
On the basis of consultations to date, FIPR believes that the proposed Directive can be an important step towards facilitating electronic commerce through harmonised cross-border recognition of electronic signatures. Many member states are already taking steps to remove obstacles in their national laws to the use of digital signatures; however the Directive is likely to accelerate the process and also to bring important harmonisation benefits. FIPR therefore supports the draft directive and seeks to help the European Commission in identifying and dealing with possible points of conflict.
The draft Directive requires Member states to ensure that "electronic signatures" which are based on a "qualified certificate" issued by a certification service provider which fulfils certain requirements are, on the one hand, recognised as satisfying the legal requirement of a hand written signature, and on the other, admissible as evidence in legal proceedings in the same manner as hand written signatures. Our consultation exercise has identified a number of issues arising from it, as follows.
Many of the issues raised by respondents concern the question of whether certificates are more like passports or more like credit cards - in other words, whether they certify the identify of the certifcate holder or his authorisation to perform some function, such as by using a payment system. Broadly speaking, governments are more interested in passports while business is more interested in credit cards.
Under the draft Directive's proposals, qualified certificates bind a "signature creation device" (commonly envisaged to be a private key embedded in either a smartcard or a piece of software such as a browser) to the "the unmistakable name of the holder or an unmistakable pseudonym", and thus fall into the first camp.
The limited utility of "identity" certificates for trust management has been brought out in many technical discussions and compared with "authorisation" (or "capability") certificates which bind a private key to some specific capability or permission.
"A keyholder's name is one attribute of the keyholder, but...rarely of security interest. A user of a certificate needs to know whether a given keyholder has been granted some specific authorisation....The certificate holder should be able to release a minimum of information in order to prove his or her permission to act." (SPKI requirements 11/3/98).
It is thus widely believed that identity certificates may not be the best technical or commercial solution for e-commerce. Four sample applications bear mentioning from the many that been brought to our attention:
Respondents are asked for suggestions as to how the terminology of the Directive could be altered to accommodate these changes. One of our respondents summarised them as requiring that equal recognition be given not just to written and electronic signatures, but to limited use (non-identity) and closed system signatures. Is this the best formulation we can find? Is it general enough to deal with likely future trust architectures, such as XML in which keys, timestamps, copyright management data and other security objects may be embedded in electronic documents in quite general ways?
Qualified certificates are defined as containing "the identifier of the certification service provider issuing it", with the implication that (a) certificates are issued by a CSP, and (b) certificates are certified by a single CSP.
In this model, the validity of certificates issued by a CSP generally depend on authorisation by a "higher-level" authority. Signatures are verified by validating the certificate of the issuing authority, through a formal hierarchy or tree, until the "root" is reached. But as noted above, in a number of fielded systems, this "root" is a public key which is embedded in mass market software or hardware. The software or hardware vendor may either auction off the privilege of having one's key signed by this root, or make it available only to its marketing partners. There is an obvious risk of conflict between member states, who will wish mass market software sold in their countries to include all authorised CSPs, and vendors who will wish to use their control of root keys as a continued source of revenue. We were informed of one CSP in a member state that went out of business after failing to persuade one of the browser vendors to include its key in the browser distribution. We note that a similar issue has already arisen in relation to conditional-access gateways to pay-TV systems, and the regulatory framework necessary to promote competition and inhibit artificial barriers to entry have been addressed by the Commission and OFTEL.
Respondents are asked for suggestions about the appropriate level of government regulation of the use of root keys by hardware and software vendors.
Another model of certification permits the holder to create a "self-signed" certificate, which may subsequently be submitted to other parties (including CSPs), and accumulate a number of certifying signatures from these parties. Signature verification requires validation along a chain through a "web" of "trusted introducers".
It is not clear whether the web-of-trust model of certification is ideal for e-commerce applications; although it may give evidence of identity, it is less clear that it can support authorisation directly. However, some respondents believe that there are two reasons to accommodate it. Firstly, there may be many applications in which one wishes to give weight to a user-created certificate, such as if a user creates a delegation certificate authorising (for example) his attorney to control his bank account. Secondly, by far the most widely deployed software for generating and verifying digital signatures is PGP; and export restrictions hinder the emergence of any competitor with the necessary world-wide deployment and availability. It is therefore likely that in many applications, PGP will remain the preferred solution. Other respondents disagree and believe that a legal binding between a public key and either an identified person or a set of authorisation attributes is necessary.
Respondents are asked for suggestions about whether, and how, the draft Directive should be amended to accommodate user-signed certificates.
A third model of certification is where public keys are certified using existing, non-electronic mechanisms. One early example of this is the `Global Trust Register', a directory available in both paper and electronic form which contains the fingerprints of many of the world's most important public keys. This approach to certification attempts to rectify the worst shortcomings of the first two approaches while respecting the reality of PGP's market dominance. Likely future examples include the established directories of doctors, lawyers, etc which could easily include public key fingerprints. There are also people who include a public key fingerprint on their business card or letterhead. It would clearly be a bad thing if the Directive were to render invalid a signature made using a key whose owner had publicly certified it by such out-of-band means. If this were the case, there might also be technical challenges to whichever out-of-band means were used to distribute the root public keys of authorised CSPs.
Respondents are asked for suggested amendments to the Directive to accommodate non-electronic certificates, whether as a means of bootstrapping the trust infrastructure or generally.
The German digital signature law sets out a number of criteria for CSPs. High technical security standards will impose high entry costs, which in turn will lead to certification services being provided by a small number of large organisations rather than by a large number of small firms. Some people have argued that this is a bad thing; that it would be more natural if CSPs were organisations that people trust, such as the family lawyer or doctor, rather than a distant impersonal body such as the passport office or the phone company.
In many applications, local certification manes sense. For example, Europe's largest employer - Britain's National Health Service - manages personnel at the level of the individual hospital or medical practice rather than having a single central staff function. It would therefore be much more convenient to manage keys and certificates at this level rather than centrally, and this is what existing encryption pilots and projects do. The prospects of 11,000 small certifiers alarmed some interests in government, which suggested one large centralised TTP, but this now appears to have been rejected, both on economic grounds and for reasons of professional control and confidence. Similar issues have already arisen in the context of the control of electronic tachographs, and one may also expect them to arise in other professional and commercial aplications.
The draft Directive gives some relief. Explanatory Memorandum, III-7 states that "The legal recognition of electronic signatures should be based upon objective, transparent, non-discriminatory and proportional criteria and not to be linked to any authorization or accreditation of the service provider involved." The Preamble (10) states "whereas the legal recognition of electronic signatures should be based upon objective criteria and not be linked to authorization of the service provider involved."
Yet article 3(2) states that "Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels of certification service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory." Article 6 (Legal effects) does not contain a reference to non-discrimantory recognition, merely that a signature should "not be denied legal effect...on the grounds that...(it) is not based upon a certificate issued by an accredited certification service provider".
The combined effect of these provisions is confusing. There appears to be no explicit prohibition of discriminatory linkage of (voluntary) accreditation to recognition, corresponding to the that contained in the Memorandum and Preamble. The UK is contemplating legislation which would counsel the courts to presume a lower burden of proof for signatures based on certificates from voluntarily licensed CSPs, than for unlicensed, thus creating market pressure in favour of licensed certificates. The adoption of such measures by some but not all member states is bound to raise barriers to the internal market.
Respondents are invited to comment on whether such a differential standard of proof of validity for licensed and unlicensed CSPs would constitute a breach of the Directive, on grounds of "discrimination"; on whether such a differential standard is desirable; and on how might the Directive be amended to address the issue of discriminatory presumption of validity, linked to accreditation.
The revocation of certificates is of great importance to commerce. Over the years, banks have developed complex worldwide systems for revoking stolen credit cards, with 24-hour emergency numbers, national and worldwide blacklists, and multiple levels of stand-in processing to reduce communication costs. Proposals for the revocation of public key certificates have not evolved to this level, but some systems (such as SET) will piggy-back on the existing credit card infrastructure.
In the single-issuer model of X509, the power to revoke a certificate rests with the issuer, and revocation of the issuer-certificate of a CSP revokes the validity of all certificates at lower levels, if verification is performed hierarchically. The propagation of revocation information is thus critical; and improper revocation of a high-level certificate causes drastic denial of service.
In the web model, revocation may also be under the control of a certifier (e.g. a CSP) or the certificate holder. A certificate may be regarded as selectively valid according to the extant trust chains which can be verified. Revocation propagation must be well defined, but a web of trust is resilient to single points of failure.
More recent implementations and proposals introduce a number of new mechanisms ranging from designated revokers through reconfirmation services. It is becoming increasingly widely realised that the risks of permitting an arbitrary number of people to rely on a certificate for value are severe; in the language of the credit card industry one should ideally have a zero floor limit for internet transactions. In the absence of this (and even perhaps in its presence), banks will insist on recourse against the merchant. Otherwise there is a risk of attacks, whether for profit or purely disruptive, in which a credit card is simultaneously used at a large number of online merchants.
Respondents are invited to comment on whether the Directive should contain any provisions on revocation.
A closely related set of issues concern liability. The Directive seeks to make member states ensure that certification service providers which issue qualified certificates are liable to persons who rely on the certificate, in limited respects.
The curious situation that arises here is that `open' certificates that the certificate subject may present to as many people as he wishes - such as passports, university degrees, driving licences and professional registration documents - are not instruments which normally give rise to any liability by the certificate issuer. Those instruments which do commonly give rise to liability - such as the electronic analogues of credit cards, share transfer forms, cheques, bills of lading and other negotiable instruments - are typically used in closed systems because of the requirement to provide safeguards against multiple spending. However, this appears to mean that as "authorization" rather than "identity" certificates (and so not "qualified") they will not be accorded any specific legal effect by the directive.
The point has been made that businesses are not generally interested in identity but in ability to pay (the restauranteur is interested in whether you have a credit card, not in whether you have a passport). Governments on the other hand are interested in identity because they operate many systems which can be defrauded by people who can successfully pretend to be more than one individual. Therefore, it is argued, the whole push for licensed CSPs is simply an attempt by governments to get industry to assume some of their costs by constructing a PK infrastructure of a kind that businesses does not really need at all.
The most convincing example which we have found of an identity certificate being of importance in commerce is in applications for consumer credit. However, this transaction can also be seen as the creation of an authorisation certificate (a credit card or store account card), and credit givers appear to be happy with the available risk management and due diligence mechanisms.
One respondent suggested a hybrid approach in which CSPs only certify identity, and according to announced policy, with strictly limited liability; while a separate registry then handles the authorisation aspects of each application. This would fit with the aim of the smartcard industry to market multifunction cards on which a number of different applications can be loaded. On the other hand, many business applications (such as SET) want their users to have keys that are not shared, and there are both marketing and technical security reasons for having different keys (and if need be different smartcards) for different applications.
Respondents are invited to comment on the liability aspects of identity versus authorisation, and on open versus closed certificates; specifically, whether the Directive should establish any issuer liability for the former, and whether (assuming that it is extended to cover the latter) there should arise any liability other than that which arises in the normal course of business.
A related concern is that if governments compel businesses (or healthcare providers) to set up identity or credentialling services for government use, this will erode their customers' trust and damage their operations. Specific concerns range from bank `signature cards' to number and/or smartcard systems for health insurance in a number of member states. For these reasons, and because of the cost of compliance with data protection law, many businesses (especially in the healthcare sector) prefer to operate with de-identified data. Any provision that pseudonyms must be capable of defeat by law enforcement agencies has the potential to greatly complicate their operations.
Respondents are invited to comment on what provisions the Directive should make on pseudonymous identifiers; and more generally on whether they perceive a risk that PK infrastructures may come to associated in the public mind with `Big Brother'. What steps if any should the Directive take to forestall this risk, and to ensure that PKI works with rather than against data protection?
Some people have commented that the Directive needs to take more account of consumer rights. Contracts between a member of the public and large organisations such as banks and software vendors have a tendency to be unfair because of the disparity in bargaining power, and mitigating the worst effects of this is widely accepted as a proper function of government at local, national and community level.
Concern has been expressed that the Directive may have the effect of undermining this function. In many previous cases of dispute, such as those between individuals and banks over `phantom withdrawals' from automatic teller machines, the banks' defence has been to claim that their systems were infallible - that any dispute by a customer of a debit entry on a bank statement that was claimed to be for an ATM withdrawal must be mistaken or mendacious. Such sweeping claims by the banking industry have been undermined in the UK and the Netherlands by the conviction of criminals for ATM fraud, and in Germany by court appointed expert witnesses exploring vulnerabilities in the Eurocheque card system. However many banks wish to return to the status quo ante and each new technical development (such as the introduction of smartcards) tends to be seen as an opportunity to revive claims of technical infallibility.
Previously, the Commission has tended to side with the consumer, and a recent report recommended that the sworn statement of a consumer that a transaction had not been made should be awarded equal weight to a claim by a bank's experts that it must have been. However, the current draft Directive appears to go in the other direction; provided a signature is supported by a qualifying certificate, there will be a strong presumption of validity. This is disturbing given firstly, the banks' record on consumer disputes; secondly, the fact that most electronic commerce implementations to date have a history of serious security bugs; and thirdly, that the certifiers proposed for the financial industry in a number of countries are far from being neutral between banks and customers but are rather consortia owned by the banking industry.
Respondents are invited to comment what sort of protection should be extended to consumers, and what mechanisms should be available to adjudicate between a signature backed by a qualified certificate on the one hand, and the sworn statement of a credible witness on the other.
This leads to the issue of evidence. In criminal trials especially (though also in civil matters), the defendant's right to examine and test all the evidence against him is strongly upheld in most member states. In the absence of such a right, claims of system infallibility place an intolerable burden of proof on the defendant. This causes difficulties for the prosecution when defendants demand the right to have their expert witness examine systems whose owners are not prepared to cooperate. Differing transparency traditions in different member states have the potential to inhibit trade, as evidence generated in one state may be relatively fragile in another.
One possible benefit of digital signatures is that, carefully implemented, they could greatly reduce the amount of the system that could have contributed to the creation of an item of evidence, and thus the transparency requirements and the scope for evidentiary challenge. However, some people are of the opinion that these benefits will not be fully realised without some official guidance.
Respondents are invited to comment on whether the Directive should make any specific transparency recommendations in order to facilitiate the cross-border utilisation of evidence.
One respondent expressed concern about whether, under the proposed Directive, natural persons would be able to sign on behalf of organisations. Another respondent raised the problem of how we determine the extent to which someone who presents me a business card from a given company can bind that company. The current business infrastructure does not generally attempt to solve this problem (although banks print books of the authorised signatures and powers of their officers and circulate these books to correspondent banks). If the future electronic trust infrastructure tries to impose a general solution for this problem, then it might give rise to substantial costs and complexity.
There are many possible scenarios, such as when an individual officer has full signing powers, where some quorum or authorised set of officers can sign, where an authorisation is restricted (as when an engineer can sign 1m ECU for lab equipment but may not sign at all for stationery), where a time-limited delegation has been arranged, where someone acts as an agent, and where an organisation is bound by a letter from its attorneys.
Furthermore, if individual as opposed to corporate keys can bind the company, then considerations of revocation and control generally would suggest that each company have its own CSP infrastructure. This would conflict with the desire of some member states to have few, large CSPs rather than many small ones.
Respondents are invited to comment on whether the Directive should cover such situations explicitly, and if so how.
One respondent has suggested that the purpose of the directive could be achieved more simply by a general nondiscrimination provision, to the effect perhaps that parties have the same freedom of contract with respect to accepting electronically signed data as they currently have with respect to accepting manually signed data.
A related but more technical issue is formal versus material validity of signatures. Many member states have specific formal requirements for a written signature to be used in certain transactions (in the UK, for example, real estate transactions and guarantees must be in writing). These form the main legal obstacle to the use of digital signatures, as they cannot be circumvented by a contract (say) between a bank and its customer. However, the directive does not appear to go as far as to demand that member states accord electronic signatures full formal validity in all circumstances, but rather imposes the weaker requirement of material validity. It thus appears to do less than it should. A suitably phrased non-discrimination provision could solve this problem.
Respondents are invited to comment on whether the Directive should be phrased in such terms.