Study on Mutual Recognition of esignatures: update of Country Profiles Icelandic country profile

Transcription

1 Study on Mutual Recognition of esignatures: update of Country Profiles Icelandic country profile

2 This report / paper was prepared for the IDABC programme by: Coordinated by: Hans Graux (time.lex), Brigitte Jossin (Siemens), Guy Lambert (Siemens), Eric Meyvis (Siemens) Contract No. 1, Framework contract ENTR/05/58-SECURITY, Specific contract N 13 Disclaimer The views expressed in this document are purely those of the writer and may not, in any circumstances, be interpreted as stating an official position of the European Commission. The European Commission does not guarantee the accuracy of the information included in this study, nor does it accept any responsibility for any use thereof. Reference herein to any specific products, specifications, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favouring by the European Commission. All care has been taken by the author to ensure that s/he has obtained, where necessary, permission to use any parts of manuscripts including illustrations, maps, and graphs, on which intellectual property rights already exist from the titular holder(s) of such rights or from her/his or their legal representative. This paper can be downloaded from the IDABC website: European Communities, 2009 Reproduction is authorised, except for commercial purposes, provided the source is acknowledged. Page 2 of 18

3 Table of Contents 1 GENERAL INTRODUCTION EGOVERNMENT STRUCTURE AND ROLE OF ESIGNATURES MAIN ESIGNATURE SOLUTIONS 6 2 LEGAL AND TECHNICAL FRAMEWORK FOR ESIGNATURES ESIGNATURES REGULATORY FRAMEWORK LAWS AND REGULATIONS ESIGNATURES TECHNICAL/INFRASTRUCTURAL FRAMEWORK 8 3 EGOVERNMENT APPLICATIONS USING ELECTRONIC SIGNATURES 15 Page 3 of 18

4 1 General introduction 1.1 egovernment structure and role of esignatures Electronic signatures are not commonly used in the egovernment context in Iceland. Only one egovernment service uses electronic signatures, as will be indicated below. Some fundamental foundations for an effective environment are in place but others are still missing. The fundamental foundations are the legal environment, distribution of certificates, policies and standards. The legal environment can be regarded as sufficient. The Government passed a bill on electronic signatures in the spring of 2001 based on the Directive 1999/93/EC on electronic signatures. The right of using electronic signatures is then supported in different laws such as the Public Administration Act. Soft PKI X.509 certificates have been used in egovernment since 2003 for authentication and for electronic signatures, but a mass distribution to citizens is still missing. Today the government is implementing a central eidm system in Iceland that is based on X.509 Client certificates and ETSI standards. The main objective of this project is to get mass distribution of electronic certificates to citizens and companies for authentication and electronic signature. One of the main building blocks for this is the creation of an open and standardized PKI environment in Iceland. Based on this structure eids will be distributed to all citizens in the country. Citizens will be able to use the eids in relations to both central and local government as well as any other business in Iceland. The Icelandic Government co-operates with the Icelandic Financial Services Association in building, implementing and maintaining this infrastructure. The Ministry of Finance has created a root certificate (self-signed), named Iceland Root (Íslandsrót 1 ), which issues intermediate certificates to Identity providers (subordinate certificates authorities) in Iceland. The first intermediate certificate (Fullgilt audkenni 2 ) was issued to the company Auðkenni hf. 3 (company owned by the banks) in June 2008 and they have started to distribute certificates on bank cards to citizens and companies. Auðkenni hf. has also started to distribute certificates on smartcards that are not bank cards. These certificates are issued under the same intermediate certificate as the certificates on bank cards and fulfil the same requirements. This will be available to all that either cannot get bank cards or for some other reason want special cards e.g. employee cards for companies. The National registry has also been planning the issuing of citizen cards with certificates though nothing has been decided yet. A technical standard committee on PKI infrastructure in Iceland was established in 2006 under the national standard body, Icelandic Standards. This committee has the objective to identify specific standards or formats for electronic signatures in Iceland Page 4 of 18

5 It is not common that electronic signatures are used by public administrations to issue signed documents to citizens or businesses. Currently there is only one egovernment application using electronic signatures. Electronic signatures are being used by professional accountants in signing tax reports to the Internal Revenue Directorate on behalf of their clients, and all electronic copies issued by the Internal Revenue Directorate are signed with an electronic certificate. Suitable electronic signature solutions for applications are not chosen based on any general risk management or risk assessment requirements or policies. The Icelandic policy and strategy on egovernment is determined by the Prime Minister s Office, which is also responsible for releasing policies on egovernment. The general organisational approach to egovernment in Iceland is centralised policy and strategy but decentralised implementation. The main government policy that focuses on egovernment was adopted in 2008 under the title Iceland the e-nation - Icelandic Government Policy on the Information Society In the policy are some goals that relate to eids and signatures. It states that The e-nation shall adopt online payment, eids and e-procurement, in addition to working on other key tasks. There are also some activities stated in the policy like Introducing eids in communications with public bodies and Services concerning eids and e-payments. The Ministry of Finance is responsible for matters that relate to distribution and usages of eid s in government. Implementation is undertaken by the Government offices (ministries) according to their role and subject. An earlier policy, Resources to Serve Everyone - Policy of the Government of Iceland on the Information Society includes some goals related to electronic certificates. They are at the responsibility of the Ministry of Finance. Since these goals haven t been achieved yet they are still regarded as valid and used within government. The three goals are: 1. The policy will be to aim for the general and widespread use of electronic certification so that any communicating partner may be positively identified; electronic signatures and coding shall be introduced insofar as is deemed appropriate. 2. An open but standardised market is Iceland's goal, through the use of electronic certificates and certifying services. The state's requirements shall be published with regard to the content, form and handling of electronic certificates for transactions with national institutions. Those requirements might become the model for a general Public Key Infrastructure (PKI) for industry and municipalities. A simple system, economic in operation, should be the object, so that cost may be distributed in proportion to user benefits. 3. European and international standards shall be adhered to, aiming for integration with the Public Key Infrastructure of neighbouring countries when the time seems right. The governmental policy on Information Society is coordinated by a steering group called the Information Society Taskforce, operating under the auspices of the Office of the Prime Minister. This Page 5 of 18

6 includes assisting public institutions in their efforts towards achieving the main objectives. Related to the policy the Department for the Information Society located at the Prime Minister s Office has a special fund every year to finance IT projects. A special project management team, The egovernment Taskforce focuses on egovernment issues in the policy. Several other committees are operating as well. 1.2 Main esignature solutions As noted above, electronic signatures are presently only used in a single application in Iceland, namely by professional accountants in signing Income Tax Declarations on behalf of their clients. However, they use a commercial application to do this. The Internal Revenue Directorate requires all accountants to sign these reports and their system communicates with this commercial application. There is no requirement to use qualified signatures and no special standards are being used in relation to the signatures. Electronic signatures are used by professional accountants in signing tax reports on behalf of their clients. The application relies on the eid on bank cards and soft signature certificates issued by private CSPs. In the near future, eids on bank cards will become the main eid token in Iceland. eids on bank cards are already being distributed to citizens and it is expected that a big percentage of citizens will be using them already in This will be further discussed below. 2 Legal and technical framework for esignatures 2.1 esignatures regulatory framework Laws and regulations Act No 28/2001 on electronic signatures The European Directive 1999/93/EC of 13 December 1999 on a Community framework for electronic signatures was transposed into Icelandic legislation in the spring of 2001, as Act No. 28/ Article 4 of the Act stipulates that fully qualified electronic signatures shall have the same force as handwritten signatures. Furthermore, it is stipulated that other electronic signatures can be legally binding. Icelandic legislation faithfully follows the definitions of the European Directive. The Ministry of Business Affairs is responsible for the act on electronic signatures. The Consumer Agency 7 (former name was State Accreditation Agency) is responsible for monitoring that the operation of certification-service-providers issuing qualified certificates conform to the provisions of the Act and regulations based on the Act. In the Act are articles that are on the Certification Service Providers Page 6 of 18

7 (CSPs). Chapter VI includes articles with requirements for Certification-Service-Providers Issuing Qualified Certificates. Chapter VII is on Supervision of Certification-Service-Providers Issuing Qualified Certificates. The ministry and the Consumer Agency are currently preparing regulations that are based on this Act. Supporting legislation comes through the Public Administration Act as amended in 2003 and the Electronic Commerce Act, The Public Administration Act, No. 37/1993 (egovernment legislation) On 10 March 2003 an amendment (No. 51/2003) 8 was approved to the Public Administration Act, No. 37/1993 9, adding a special chapter on the electronic handling of matters by public administration. Through this modification, general obstacles to the development of electronic administration were removed. While formulating the amendment, the committee in question was guided by the concept of equivalent value, and also emphasised the need to maintain technical impartiality. The alteration involved mere permission for the electronic handling of governmental administration cases, but not an obligation. Article 38 in the act handles Electronic Signatures, it states: When established law, custom or general administrative provisions require material from a party or government authority to be signed, the authority may determine that electronic signatures can serve in place of handwritten signatures, insofar as electronic signatures assure, in a similar degree to handwritten signatures, the personal confirmation of the one from whom the material originates. A qualified electronic signature, according to the Act on electronic signatures, shall always be considered to fulfil the legal requirements on signatures. When established law, custom or general administrative provisions require material or certain aspects of it to be certified, this requirement shall be considered to be fulfilled through certification by an electronic signature that conforms with the first paragraph above and confirms the aspects for which certification is demanded. When established law, custom or general administrative provisions do not require material from a party or government authority to be signed, the authority may determine that it is permissible to use means other than electronic signatures in order to confirm electronic material. Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/ The Act on the Protection of Privacy as regards the Processing of Personal Data, No. 77/2000, as amended, was passed in 2000 and came into effect on 1 January The act implements the EC Data Protection Directive and deals with how the protective principle relates to data quality and presented criteria for the legitimacy of data processing. The act applies to any automated processing of personal data and to manual processing of such data if it is, or is intended to become, a part of a file. It has been amended by Act No. 90/2001, Act No. 30/2002, Act No. 81/2002 and Act no. 46/2003. Act on Electronic Commerce and other Electronic Services, No 30/ Page 7 of 18

8 In the Act on Electronic Commerce and other Electronic Services, No 30/2002 it states that electronic contracts are equivalent to written contracts. In the act it is stated that it does not apply to contracts governed by family law or by the law of succession, contracts requiring stamps and contracts that create or transfer rights in real estate, except for rental rights. Furthermore, the provisions do not apply to public registration or notarial acts. In all contracts that can legally be electronic, electronic signatures can be used. National registry and official identity documents The Act on national registry, no. 54/ specifies the rules for public registration and assigns this task to The National Registry. The act on national ID card, no. 25/ specifies the framework for issuance and use of national ID cards in Iceland. The act on passports, no. 136/ specifies the rules for issuance of Icelandic passports. National ID cards and ordinary passports are issued by the National Registry. The act on road traffic no. 50/ assigns the task of issuing driving licences to the National Commissioner of the Icelandic Police Other esignatures regulatory framework issues Qualified signature certificates on bank cards are only issued after personal appearance, identification and authentication of the signatory. There are no national signature policies for egovernment applications and no rules regarding long term validity of signatures. This is something that has been discussed within government and is included in one of the actions of the current egovernment policy. There are no rules or laws regarding any cross border interoperability initiatives (such as e.g. the recognition of foreign signature solutions, the establishment of validation services, etc. There are no rules creating a legal hierarchy between multiple signature types used within Icelandic government (either nationally or cross-border), based on the technical/organisational characteristics of signature solution that are being used. 2.2 esignatures technical/infrastructural framework Electronic signatures are not commonly used in the egovernment context in Iceland. Only one egovernment service uses Electronic signatures. Some fundamental foundations for an effective environment are in place but there is still some missing. eids on bank cards will become the main eid token in Iceland in the near future. eids on bank cards are already being distributed to citizens and it is expected that a big percentage of citizens will be using them already in Because of this the focus will be on this infrastructure in this chapter Page 8 of 18

9 - PKI environment Iceland - The environment is structured in three main layers. Firstly there s the international environment, then the main related Icelandic laws, and then the national PKI environment. The PKI-Iceland environment shows three main requirement sets; Certification Service Provider (that includes the Certification Authority), Subject (the one certified) and the verifier (the one that relies on the certificate). In addition, we show the requirement sets for the relations between the entities; certificate profile, the CRL protocols, the format and syntax for signed and encrypted objects, smartcards and the time stamping. In the picture it is attempted to provide an overview of the relevant standards and recommendations in each requirement set. It is realized that there are other standards and recommendations that are references, but the standards and recommendations indicated should be the ones that are directly relevant. It is also indicated what requirement definitions and related documents are needed (shown as pages). Three of them have the scope of the entire PKI (PDS; requirements for PKI and definition of security levels), but others are specific for the requirement sets. The Certificate profile can be found at the general webpage about eids in Iceland 16. eid on bank cards 16 Page 9 of 18

10 Today the government is implementing a central eidm system in Iceland that is based on X.509 Client certificates and ETSI standards. The main objective of this project is to get mass distribution of electronic certificates to citizens and companies for authentication and electronic signature. One of the main building blocks for this is the creation of an open and standards compliant PKI environment in Iceland. Based on this structure eids are being distributed to all citizens in the country. Citizens are able to use their eids in relations to both central and local government as well as any other businesses in Iceland that accept them in communication. The Icelandic Government co-operates with the Icelandic Financial Services Association in building, implementing and maintaining this infrastructure. The Ministry of Finance has created a root certificate (self-signed), named Iceland Root (Íslandsrót 17 ), which issues intermediate certificates to Identity providers (subordinate certificates authorities) in Iceland. Islandsrot PKI architecture is a single CA Model/Hierarchy. Islandsrot is currently not linked to other PKI infrastructures through any existing Bridge-CA network or similar modal. Islandsrot issued an intermediate certificate (Fullgilt audkenni 18 ) to the company Auðkenni hf. 19 (company owned by the banks) in June 2008 and they have started to distribute certificates on bank cards to citizens and companies. Auðkenni has also started to distribute certificates on smartcards that are not bank cards. These certificates are issued under the same intermediate certificate as the certificates on bank cards and fulfill the same requirements. This will be available to all that either cannot get bank cards or for some other reason want special cards e.g. employee cards for companies. The Icelandic National registry has also been planning for issuance of citizen cards with certificates, but nothing definitive has been decided on this yet. Facts on eids on bank cards: The eid consists of two standard x509 client certificates, one for Authentication (standard SSL/TLS), and one for Non-Repudiation-Signatures (Qualified signature certificate). The certificates (and the corresponding private keys) are stored on smart-cards (ISO-7816 PKCS#15). Certification policies 20 fulfill the technical specification ETSI TS End certificates profile is based on ETSI: Qualified Certificate profile, ETSI TS End certificates for Non-Repudiation-Signatures are claimed to be qualified signatures on secure signature creation device that should fulfill the law on electronic signatures based on the EC Directive on electronic signature. Certificates for authentication fulfill the same requirements as the certificate for Non-Repudiation- Signatures but it is not claimed in the certificate that it fulfills the law since that is not required for Certificates for authentication. Citizens are provided with CSP-middleware 21 (MS-CSP, PKCS#11, AppleCSP). Support for CEN TS and ISO is planned. The issuer of the certificate is Auðkenni hf Page 10 of 18

11 The certificates are compliant with RFC 3739 and ETSI TS The description of the fields of the signature certificate for citizens and employees is contained in the table below: x.509 Fields Profile for an e-id citizen Qualified Signature Certificate Version Serial Number V3 Allocated automatically by the Root CA Subject Distinguished Name Country (C) Organizational Unit (OU) Organizational Unit (OU) Organizational Unit (OU) Serial Number (SN) Common Name (CN) IS einkaskilriki Undirritun [Sequential number from ARM] [Personal ID num. National registry] [name from National registry] Validity Signature Algorithm Key Length [value from ARM] (Three months longer than the validity of the payment card) SHA-1 hash with RSA 2048 bit x.509 Extensions Key Usage Digital Signature Non-Repudiation Key Encipherment Data Encipherment Key Agreement Certificate Signing CRL Signing Basic Constraints Subject Type Authority Key ID Subject Key ID Certificate Policy extension Critical Selected Critical End Entity 160 bit SHA bit SHA-1 Leave blank if not required Policy Identifier OID Page 11 of 18

12 Policy User Notice CPS URL CRL Distribution Point Directory location Publicly Available Location This certificate is intended for signing. This certificate is issued as a qualified certificate in accordance with act 28/2001 and Directive 99/93/EC. Non Critical Not used. Authority Information Access Non Critical [1]Access Method=On-line Certificate Status Protocol ( ) Alternative Name: URL=ocsp.audkenni.is [2]Authority Info Access Access Method=Certification Authority Issuer ( ) Alternative Name: URL= Qualified Certificate Statements ( ) ETSI and SSCD Profile for an e-id Employee Qualified Signature Certificate x.509 Fields Version Serial Number V3 Allocated automatically by the Root CA Subject Distinguished Name Country (C) Organization Organizational Unit (OU) Organizational Unit (OU) Organizational Unit (OU) Serial Number (SN) Common Name (CN) IS [From the ARM] starfsskilriki Undirritun [Sequential number from ARM] [Personal ID num. National registry]:[company Firm registry ID num.] [name from National registry] Validity Signature Algorithm Key Length [value from ARM] (Three months longer than the validity of the payment card) SHA-1 hash with RSA 2048 bit Page 12 of 18

13 x.509 Extensions Key Usage Digital Signature Non-Repudiation Key Encipherment Data Encipherment Key Agreement Certificate Signing CRL Signing Basic Constraints Subject Type Authority Key ID Subject Key ID Certificate Policy extension Critical Selected Critical End Entity 160 bit SHA bit SHA-1 Leave blank if not required Policy Identifier OID Policy User Notice CPS URL CRL Distribution Point Directory location Publicly Available Location This certificate is intended for signing This certificate is issued as a qualified certificate in accordance with act 28/2001 and Directive 99/93/EC. Non Critical Not used. Authority Information Access Non Critical [1]Access Method=On-line Certificate Status Protocol ( ) Alternative Name: URL=ocsp.audkenni.is [2]Authority Info Access Access Method=Certification Authority Issuer ( ) Alternative Name: URL= Qualified Certificate Statements ( ) ETSI and SSCD Any service provider who wants to take advantage of the existing infrastructure and allow/require citizens to use their Client Certificates for authentication/signatures to their services can do so. For Page 13 of 18

14 authentication, all that is needed is for the service provider to set up his own standard SSL web server certificate (e.g. from Verisign or any other issuing certificate authority) and configure the web server to allow/require client certificate authentication. No specific interaction is required between the citizen and the service provider although it is possible that, depending on various different configurations, that the service provider chooses to interact with the citizen. The Serial_Number field in the Certificate subject denotes the Personal Identification Number of the Certificate holder (the citizen) which is a unique number, created for all citizens by the National Central Registry. The Certificate also contains the name of the citizen. This information should be enough for most service providers. If needed, service providers will also be granted certificate-lookup-access for public certificates of their customers. Identity Provider runs validation service for the client certificates. Validation is done through standard 23 CRL/OCSP 24 lookup. Validation is open so that any service provider (domestic/international) can use the validation service. LDAP directory standard is used to publish certificates. Certificate on a bankcard for qualified signatures There are no limitations/legal obligations in Iceland on the use of hash algorithms (SHA-1, SHA-256, ) A technical standard committee 25 on PKI infrastructure in Iceland was established in 2006 under the national standard body, Icelandic Standards. This committee has the objective to identify specific standards or formats for electronic signatures in Iceland. It is currently working on the following papers: 1. Certificate Profile (in review; version 1.4 issued in January 2007) 2. Certificate Status Protocol 3. Profile for Signed Object 4. Definition of Security Levels 5. Requirements for CAs (based on agreement between the state and all Icelandic banks published in May 2008) 6. Technical Integration 7. Requirements for PKI 8. Time Stamping The only Validation Service Providers that are being used in egovernment applications is Auðkenni hf. But they issue the certificates on bank cards. 23 For Islandsrot it is but for eids on bank cards. It is Page 14 of 18

15 3 egovernment applications using electronic signatures It is not common that electronic signatures are used by public administrations to issue signed documents to citizens or businesses. Currently there is only one egovernment application using electronic signatures. Thus, descriptions cannot be provided for the sectors of public procurement, ehealth and ejustice. Electronic signatures are being used by professional accountants in signing Income Tax Declaration on behalf of their clients, but they use a commercial application to do this. The Internal Revenue Directorate requires all accountants to sign these reports and their system communicates with this commercial application. There is not a requirement to use qualified signatures and no special standards are being used in relation to the signatures. Electronic signatures are used by professional accountants in signing tax reports on behalf of their clients. Application/Service Classification CL1 Application/Service Name Income Tax Declaration from accountants CL2 Application/Service Type A2B CL3 Concerned sector Taxation CL4 Intended clients Accountants that sign Income Tax Declaration on behalf of their clients CL5 Abstract Description The application allows accountants to sign Income Tax Declarations and send them electronically to the tax authorities. The tax administration then validates the signature and files the report. The application is a desktop application that is installed at the computers of users. CL6 Application/Service responsible contact information esignature use in the application Organisational aspects OR1 Which institutions, providers, etc. are involved in the signature scheme, and how do they relate? OR2 Which validation service provider / validation authority is involved for the signature validation? The application supports the eid on bank cards and soft signature certificates issued under the old eidm schema. Organisational details for all of these have been provided in the general description above. No separate validation service is required; validation of the signatures will be possible through the general esignature validation methods for the eid card and commercial CAs as described above (OCSP lookups are supported for all). Page 15 of 18

16 OR3 How is the long term validity of the signatures (including longterm archiving of certificates and signatures) ensured, if applicable? Not applicable: after receipt and validation of the declaration, the report is signed and filed within the system of the tax administration. The application user can at any time get an official copy (in the form of a PDF document electronically signed by the tax administration), which then becomes the official copy of the declaration. Thus, long term validity of the original declaration is less relevant for this application esignature use in the application legal aspects LG1 LG2 LG3 LG4 LG5 LG6 Does the system require an advanced signature / advanced signature based on a qualified certificate / qualified signature? Does the choice of signature type result from a risk assessment process? What is the legal basis (law, decree, ) for this application? Does the legal basis impose additional legal requirements on the electronic signature beyond the aforementioned qualification? How does the application determine if the user is authorised to use the application (if applicable)? What information is signed by the user and what is the objective of the signature? Advanced signatures are sufficient No, the determining factor was the use of available signature solutions. The Act on Income Tax No The application is a commercial application that is run on the desktop at the company s computer. So authorised access to the application itself is in the hands of the company. But for the application to be able to communicate with the web service of the tax authorities the company has to sign a contract with the tax authorities and each user has to be approved by them. The tax authorities then require an electronic certificate and with that they check if it is an authorised user that s communication with them. The signature serves to confirm the accuracy of the information contained in the declaration. The user signs an xml file that includes all the information in the report. esignature use in the application technical aspects Page 16 of 18

17 esignature use in the application technical aspects T1 What kind of token or credentials are used (smart cards, software certificates, paper tokens, mobile tokens, ) to create the signature? The application supports the eid on bank cards were the user are able to create qualified signatures. Soft signature certificates issued under the old eidm schema are currently also accepted this year. T2 T3 T4 T5 T6 T7 T8 T9 What are the hard- and software requirements on the client side for the use of the esignature? How are the signature/certificate presented to the application? Is there specific information in the certificate that plays a notable role in the functioning of the application? Which standards have been implemented in the esignatures application? How is the signature verified and how is the verification data processed and stored? What types of validation protocols are used for the electronic certificate validation? (OCSP, CRLs, SCVP ) How is the signature type technically enforced by the application? Does the application require the use of time-stamping services? Users need have the tax form application installed on there computer. When the eid on bankcard is used: availability of the card and smart card reader. With regard to software, middleware described in the general sections above should be installed. If soft certificate is used then that needs to be installed on the computer. Support to usages is a part of the desktop application. Through the interface provided in the application: the user chooses to use either the eid bankcard or soft certificate after completing the declaration, and will then be prompted to enter the appropriate PIN number. No, the declaration is claims-based; while the certificate is necessary to ensure non-repudiation, the information contained in it is not strictly essential. The application does not follow any special standards on esignatures. Validation is done through standard OCSP lookup. Certificate validation and signature validation OCSP lookup is used. The application only supports the eid on bank cards and soft signature certificates issued under the old eidm schema. No. Interoperability aspects I1 Is the system accessible to nonnationals, and if so, how? Yes, provided that they have a certificate. Page 17 of 18

18 I2 Does the application support non-national signatures (i.e. signatures created using certificates from non-national CSPs)? No. Miscellaneous M1 M2 Are there any statistics on the actual use of electronic signatures for this application (if not: please provide an estimation)? Can you provide any budget/cost information related to the implementation of electronic signatures in this application? About 30% of tax reports for individuals and about 81% for companies are electronically signed. Unknown. Page 18 of 18