Guidelines for the use of electronic signature

Transcription

1 Republic of Albania National Authority for Electronic Certification Guidelines for the use of electronic signature Guide Nr. 001 September 2011 Version 1.3

2 Guidelines for the use of electronic signature This guide is intended to assist the clarification of the law "On Electronic Signature". Furthermore, it will inform that the use of the electronic signature provides more trust and confidence during electronic communications and gives legal power to electronic documents. The purpose of the Law According to Article 1, the purpose of the Law "On Electronic Signature" is the creation of the necessary legal framework for the recognition and the use of electronic signatures in the Republic of Albania. The object of the law is to define the basic functional, technical and legal requirements, which Certification Service Provider must fulfill; the modalities of registration and reporting at the National Authority for Electronic Certification (NAEC); the procedures for invalidation and revocation of qualified certificates; the status of the Assessment Body, the acknowledgment and the acceptance of electronic signatures and foreign products. This law is in full compliance with the Constitution of Albania and the European Parliament Directive 1999/93/EC on electronic signatures. Chapter I of the Law describes general provisions that indicate the purpose of the law, the particular specifications of this law, together with definitions about electronic signatures. Chapter II defines the core and the primary mission of this law, the legal validity of electronically signed document, as well as exceptions in particular cases. Chapter III defines the status of the National Authority for Electronic Certification, the modalities on accreditation, supervision of the Certification Service Providers. This chapter specifies the Authority's overall role in the registration, supervision, auditing, and cessation of operation of the Certification Service Providers (CSP), as well as validation or revocation of the qualified certificates. Chapter IV describes the terms and conditions of operation of the CSPs. This chapter, which includes Articles 19-23, summarizes the phases of the CSP s accreditation process.

3 Chapter V is a very important part of the law, because it shows the modalities of the issuance of qualified certificates, the requirements that have to be fulfilled for their generation, content, and revocation procedures. Time stamps are also described in this part and the purpose of their usage in electronic documents. Chapter VI defines the legal responsibilities and liabilities of the CSP in cases it causes damage. Chapter VII describes the handling of personal data which are used in the creation of qualified certificates and the obligations for CSPs to hand over these data to the law enforcement agencies. Chapter VIII is divided into three parts. The first part describes some of the requirements of signature creation devices and technical components of the certificate. The second part is another important component of the entire process, which is the Assessment Body, the way it operates, the requirements and criteria to be accredited as such. The third part defines the way of handling the foreign products. Chapter IX and X specifies the fees, administrative measures in cases of violations, penalties applied, etc. Definitions 1. "Electronic signatures" shall mean all data in electronic form, attached to other electronic data or logically linked to the data and used for authentication and the integrity of the signed document. An electronic signature is an electronic verification tool. This term is usually defined as verification of the identity of the holder. Any kind of electronic verification shall be considered as electronic signature, as long as it is associated with other data in electronic form. 2. "Certificates" shall mean electronic certificates assigning signature test codes to a person and confirming his/her identity. They appear as codes or algorithms used to check and verify an electronic signature. 3. "Qualified certificates" are issued by certification service providers in accordance with the Law on electronic signature, which fulfill the requirements set in this Law and other adopted regulations.

4 Obligations relating to qualified certificates are requirements related to its content. A certificate to be considered qualified must contain the information cited in this document. 4. certification-service-provider means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures; 5. "Qualified time stamps" are electronic certificates issued by a Certification Service Provider, to confirm the data sets are presented in a certain time. 6. "Signature-code owners" shall be natural persons who own signature codes; where qualified electronic signatures are concerned, they must have been assigned the appropriate signature test codes in qualified certificates; Certification Services A qualified certificate shall contain the following specifications: a. To show that this certificate is issued as such; b. Device of identification of the certification service provider; c. State in which it is issued; d. The name of the signatory or his/her nickname; e. The signature verification data which correspond with the data creation of the signature that is in possession of the undersigned; f. Start and end of the term of the certificate; g. Code certificate; h. Advanced electronic signature of the representative; i. Limitations on the purpose of certification, if any; j. Definitions of transactions that can be performed on this certificate, if any. Electronic signature features

5 An electronic signature is considered "data in electronic form, which are logically related to other data in electronic form and serve as a method of authentication." These data can be codes, photo, seals, etc. Also, it should be clear that the electronic signature is attributable to data authentication and does not apply to actions such as use of a PIN code to access a bank account. In this case there is no need of using electronic signature. In the meantime to enter the same code for the confirmation of a financial transaction is an example of data verification and therefore it is considered an electronic signature. Advanced electronic signatures shall be the electronic signature which fulfills four requirements: a) Are exclusively assigned to the specific owner of the signature code; b) Enable the identification of the owner of the signature code; c) Are produced with secure means which the owner of the signature code can keep under his sole and exclusive control, and d) Are linked to the data in such a manner that enables any subsequent alteration of the data to be easily detected; Whereas "Qualified electronic signatures" are advanced electronic signatures, which are based on a qualified certificate that is valid at the time of the creation of the signature, and have been produced with a secure signature-creation device, that are issued by a Certification Service Provider legally accredited as such. For facilitation purpose, it is called just electronic signature. Also, it should not be forgotten that the signatory is not the person who creates signature, but the person who owns the signature-creation device. A common example of signature devices is a smart card, flash drive, USB crypto token etc. Legal effects of electronic signatures and exceptions Any electronic document, which contains electronic data that forms an electronic signature, has the same legal effect and proving force as a written document. The electronic signature cannot be used in some specific areas, such as legal actions in the field of family law and inheritance, legal actions which require legalization from a public institution, a notary act or other acts that require an authorization by the court of law.

6 The law does not extend to matters relating to the validity and dissolution of contracts or other legal obligations under the requirements established by other laws. An electronic signature is considered invalid when it does not meet security requirements specified by law. Authority, registration and supervision The National Authority for Electronic Certification is the competent authority with the task of enforcing the Law "On electronic signature" and other regulations and guidelines for its implementation. In exercising its functions, NAEC issues guidelines, which regulates and specifies the technical and legal procedures for proper functioning of the process. NAEC registers the names of the Certification Service Providers and Assessment Bodies after terms and conditions are met. Certification Service Providers CSPs can be any natural or legal persons who fulfill the requirements and criteria specified by law. One of the main requirements of CSP is the trust; it is materialized in the legal and professional status of staff, security management, financial and regularity of the process of issuing qualified certificates. Another requirement is the technical security. It mainly relies on the characteristics of the devices which CSPs use while producing qualified certificates, technical security, creation and storage of codes, public and private keys as well as standards on which all activities of CSPs conform. Accreditation Any natural or legal person, who fulfills the legal and technical requirements for issuing qualified certificates or qualified time stamps, must submit the necessary documentation to the Authority, which processes their requests and after evaluating the technical and legal requirements, registers these entities recognizing them as Certification Service Providers. The operation of a certification service does not require prior approval under current law, but notification and accreditation at the Authority is obligatory for all entities that want to exercise this activity. Anyone commencing to operate as a CSP shall notify it to the competent authority before or at the time it starts the operation.

7 Voluntary use of electronic signatures The use of electronic signature is voluntary, and mandatory cases are few and defined by law. Assessment Body Another important component of the electronic certification is the Assessment Body. This body is represented by natural or legal persons; after passing the accreditation process, control of professional certificates, documents, which guarantee and prove that this body will act in accordance with the law and ensures a professional and fair process, it will be accredited by the Authority. Assessment Bodies analyze the security measures and operating procedures adopted by the CSPs, and confirm that these are in accordance with law and other regulations. Assessment Bodies before the beginning of the verification process, starts with the documentation submitted to the Authority, by the CSP, as well as audit the specifications and standards according to the "certificate policy", "certificate practice statement" etc. Under its responsibility Assessment Bodies gives to the Authority the confirmations that CSP has fulfilled the requirements laid down by Law. Foreign products Based on Article 54 of Law no. 9880, dated , "On electronic signature", electronic signatures and foreign products for electronic signatures are recognized and applied in conformity with agreements concluded by the Republic of Albania and foreign countries for their acceptance and exchange of data. These products must fulfill at least the technical reliability and security provided in the law and other regulations adopted pursuant to it. Albanian law is based on Directive 1999/93/EC, which defines the entire legal framework supporting the legislation of EU member states on electronic signature. The Directive aims to intervene with the idea that international developments in electronic commerce require agreements that go beyond EU borders, having no restrictions; agreements with multilateral criteria and common interest can be useful. Under Article 7 of this Directive, Member States have to ensure that certificates issued in third countries (outside EU) have the

8 same legal value as those issued in EU countries, but ensuring that each of these conditions are met: 1. A Certification Service Provider meets certain requirements in the directive and is accredited by a voluntary scheme of accreditation of an EU member country. 2. Certificates are guaranteed by a CSP located in an EU country, which meets the requirements of the directive. 3. Certificates or CSPs are recognized by a bilateral agreement or multilateral agreements between the EU and a third country and an international organization. Decision no. 525, dated complies with two requirements, namely governmental agreements, and insurance from a local CSP. For the recognition of foreign certificates and products, the regulation "On the electronic signature states that the products and qualified certificates issued by a certification service provider operating in a foreign country with which the Republic of Albania signed an agreement, known only as the service provider, shall submit all documentation required by Law to the local authorities for the recognition of qualified certificates. Liability CSPs shall notify the Authority before or at the time of commencing operation of issuing qualified certificates. They must submit to the Authority all documentation, which include security policies for devices and personnel, legal and technical criteria to be followed and all other documentation required by Law. In cases of the cessation of activity, CSPs must immediately notify the Authority and submit all documentation at his disposal. Also, it should revoke all valid certificates, or ensure that valid certificates are taken over by a different service provider. CSPs are obliged to inform the owner of the signature codes for the termination of its activities and transferring of certificates to the control of a different service provider.

9 Issuance of qualified certificates An important part of the process of issuing qualified certificates is to identify and obtain personal data from the applicant. Every incorrectly collected data, invalidate the certificate. The data included in the certificate are defined by Law, but by request, certification service provider can use additional data. If requested by the applicant the Certification Service Provider may use a pseudonym instead of the real name in the qualified certificate. The CSP is responsible for protecting the personal data used in a certificate and should take appropriate measures for personnel selection and protection of codes, security of equipment used for the creation of qualified certificates. Data Protection The law obliges the CSP to supervise the data and to ensure privacy, increasing confidence in the use of electronic signatures. This guide emphasizes the principle that personal data must be processed in accordance with European Directive (Directive 95/46/EC dated 10/24/1995) of data protection. The Certification Service Provider is obliged to collect personal data only through the subject or with his consent, through a third party authorized by him. Also, the Certification Service Provider shall require only the necessary information needed to issue the certificate and must use them only for this reason. To preserve the signature codes and produce qualified electronic signatures, certification service provider shall make arrangements to ensure that data for qualified certificates cannot be falsified or forged without detection. The Law on electronic signature allows the Authority to require from Certification Service Providers the personal data of the certificate holder in the following cases: a) When it is necessary for the prosecution of criminal acts or violations of law and when such a request comes from the law enforcement agencies; b) To avoid risk to national security or public order;

10 c) To the requirements of the law from the taxation authorities, customs other investigative agencies; d) Following a court decision; In relation to measures of data protection and archiving, the Certification Service Provider shall periodically report to the Authority. Information obligation The certification service provider has the legal obligation to inform the applicant that a qualified electronic signature has the same effect in legal transactions as a handwritten signature unless otherwise specified by law. Also, the use of electronic signature is voluntary and the CSP shall remind the applicant that data with a qualified electronic signature may have to be signed again if the security level of the current signature is reduced by the passing of time. Costs and fees Registration fees are calculated on the basis of working days of employees of the Authority, taking into account the real costs of time and materials spent on assessing the documentation for the required inspections or audits. These fees are in accordance with Decision No. 503, at , "On the approval of tariffs for services provided by the National Electronic Certification Authority". Administrative measures Article 56 of Law, describes in details when NAEC takes administrative measures against CSP. Violations are not criminal offenses, but administrative offenses and are punished with a fine of 1 or 2 million (ALL). When the Authority deems reasonable that violations are of such scale that can damage the integrity and reliability of the CSP, it temporarily suspends all or a part of its operations. Appealing against administrative measures can be performed within 10 days to the Minister that covers this line and his decision can be further appealed within 30 days in the court of law.