E-Signatures. Chris Reed. Professor of Electronic Commerce Law




Centre for Commercial Law Studies, Queen Mary University of London
Of counsel, Lawrence Graham

Agenda
- Rethinking the concept of signature
- e-signature technologies
- The problem of identity
- Legal validity of e-signatures
- Cross-border validity
- Regulation of signature service providers

A word of warning!
- Signatures have less legal significance than most (even lawyers) think
- Rarely needed to validate private dealings
- Often required for quasi-public documents (wills, real estate transfers)
- Main role is for communication with government
- Apparent disputes about signature validity are often really about proof of agreement/acceptance of the document

Rethinking the concept of signature
What is a signature?
- Method of evidencing:
  - Identity of signatory
  - Authenticity of [document]
  - Intention to be bound by document
- Technologies include pens, typewriting, rubber stamps

Potential legal approaches
- Law validates only manuscript signatures
- All technologies which achieve specified evidential effects can be valid
- Only specified technologies can create valid signatures

e-signature technologies
These work in one of two ways:
- Adding information to an electronic document
  - Typed name
  - Scanned image of manuscript signature
- Logically associating information with an electronic document
  - Encryption-based
  - Associated information can be:
    - Asymmetric encryption key
    - Biometric data

Adding information
- Signature is a mere add-on to the document, e.g. scanned image of manuscript signature, signature line of an email
- Like signing a Post-It note
- Fails to provide evidence that:
  - Signatory added the signature data
  - Document is unchanged since signature
- Extrinsic evidence could be used to prove these matters, e.g. email headers + records of servers + evidence of the workings of the sender's corporate email system

Logical association
- Every electronic signature uses a method which can prove the link between:
  - Identity information, e.g. secret encryption key, biometric data
  - and the document content
- Logical association means the necessary evidence is all in the document + signature
- Digital signatures are a subset of electronic signatures
  - Use third-party certification of secret keys
  - PKI, or Public Key Infrastructure

Applying a digital signature
- Alice sends a message to Bob
- She signs it with her secret key
- Bob checks the signature with Alice's public key
- If the check matches the message:
  - Alice sent the message
  - Alice agreed to its contents
  - The message has not subsequently been altered

Digital signature technology
Document -> NumberStream 1 -> [Hash function] -> MessageDigest (NumberStream 2)
(MessageDigest ^ Ks) mod N = DigitalSignature
(DigitalSignature ^ Kp) mod N = MessageDigest

Evidential basis of digital signatures
- Public key encryption can be broken, but it is computationally infeasible to do so
- Key is N + Ks and Kp
  - N is the product of two prime numbers
  - Ks and Kp are derived from those numbers
- Assumption: the prime numbers can only be discovered by brute force (i.e. try all possibilities)
  - Threatened by quantum computing
- Time taken to break a key where N = 256 bits @ 1000 attempts per second = longer than expected lifetime of universe
- Currently used key lengths exceed 512 bits
- Each extra bit doubles the time to search for potential keys
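The two equations on this slide and the Alice-to-Bob exchange on the previous one, as an added Python example that is not part of the original deck. It uses textbook RSA with a constructed, deliberately tiny key pair (the primes, the exponents Ks and Kp and the modulus N are all assumed demo values) and SHA-256 standing in for the slide's hash function; real signature systems add a padding scheme such as RSA-PSS on top of this, which is left out here so the slide's equations stay visible.

```python
import hashlib
from math import gcd

# Constructed demo key pair: two small primes chosen for illustration only
# (textbook RSA, far too small for real use). Ks = secret exponent,
# Kp = public exponent, N = product of the two primes, as on the slide.
P, Q = 1000003, 999983
N = P * Q
KP = 65537                       # public exponent Kp
PHI = (P - 1) * (Q - 1)
assert gcd(KP, PHI) == 1         # Kp must be invertible mod phi(N)
KS = pow(KP, -1, PHI)            # secret exponent Ks (Python 3.8+)


def message_digest(document: bytes, n: int) -> int:
    """NumberStream 1 -> [Hash function] -> MessageDigest.
    SHA-256 stands in for the slide's hash function; the digest is reduced
    mod N because textbook RSA can only sign integers smaller than N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, ks: int, n: int) -> int:
    """(MessageDigest ^ Ks) mod N = DigitalSignature (Alice's step)."""
    return pow(message_digest(document, n), ks, n)


def verify(document: bytes, signature: int, kp: int, n: int) -> bool:
    """(DigitalSignature ^ Kp) mod N must equal the digest Bob recomputes
    from the document he actually received (Bob's step). Any alteration
    of the document changes the digest, so the check fails."""
    return pow(signature, kp, n) == message_digest(document, n)


# Constructed sample document and a tampered copy of it.
DOCUMENT = b"I, Alice, agree to pay Bob 100 pounds on 1 June."
TAMPERED = b"I, Alice, agree to pay Bob 900 pounds on 1 June."

if __name__ == "__main__":
    sig = sign(DOCUMENT, KS, N)                        # Alice signs
    print("Bob verifies original:", verify(DOCUMENT, sig, KP, N))  # True
    print("Bob verifies altered: ", verify(TAMPERED, sig, KP, N))  # False
```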

Biometric signatures
Biometric data (e.g. signature metrics, fingerprint) + MessageDigest -> [Encryption function] -> Biometric signature
- Signature checked against known biometric data
- Evidential quality depends on (undisclosed) encryption function

The problem of identity
Is Alice really Alice?
Secret key - Certification Authority - Public key

Certification process
- Signatory provides evidence of identity
  - Ranges from merely giving a valid email address to attendance with identity documents
  - To whom? Note role of RA in current commercial model
- Signatory provides copy of public key
- Signatory provides evidence that he or she possesses the secret/private key
- CA checks that the public key validates the digital signature
- CA issues certificate

Legal validity of e-signatures
Two models
- Valid if it produces the required evidential effects
  - UNCITRAL Model Law
  - US E-Sign
  - EU Directive "electronic signature"
- Valid if:
  - Certified by trusted third party (Certification Authority); and
  - Certification meets minimum standards
  - Examples: EU Directive "advanced electronic signature", Singapore "secure electronic signature"

UNCITRAL
UNCITRAL Model Law on Electronic Signatures 2001
- "Electronic signature" means data in electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory's approval of the information contained in the data message (art. 2(a))
- 6(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used that is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement.
- 6(3) An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in paragraph 1 if:
  (a) The signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
  (b) The signature creation data were, at the time of signing, under the control of the signatory and of no other person;
  (c) Any alteration to the electronic signature, made after the time of signing, is detectable; and
  (d) Where a purpose of the legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.

US E-Sign
Electronic Signatures in Global and National Commerce Act 2000
- 101(a) IN GENERAL- Notwithstanding any statute, regulation, or other rule of law (other than this title and title II), with respect to any transaction in or affecting interstate or foreign commerce--
  (1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
  (2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.
- 106(5) ELECTRONIC SIGNATURE- The term "electronic signature" means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.

EU E-Signatures Directive
- Art 2(1): "electronic signature" means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication
- Not to be denied validity solely on grounds that in electronic form: art. 5

Signature + certification
- EU Directive art. 2(2): "advanced electronic signature" means an electronic signature which meets the following requirements:
  (a) it is uniquely linked to the signatory;
  (b) it is capable of identifying the signatory;
  (c) it is created using means that the signatory can maintain under his sole control; and
  (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
- Certificate must meet Annex I
- CA must meet Annex II
- Certificate creation must meet Annex III
- Singapore Electronic Transactions Act 1998 s. 20 has similar requirements
  - But certificate must be issued by a licensed CA

Cross-border validity
- Validity is a question for applicable national law
- Mutual recognition of certificates from other countries
  - Based on recognition of accreditation schemes, not individual CAs
  - Singapore Act ss. 20(b)(ii), 43
  - EU Directive art. 7

Contents of certificate
E-signatures Directive Annex I: qualified certificates must contain:
  (a) an indication that the certificate is issued as a qualified certificate;
  (b) the identification of the certification-service-provider and the State in which it is established;
  (c) the name of the signatory or a pseudonym, which shall be identified as such;
  (d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
  (e) signature-verification data which correspond to signature-creation data under the control of the signatory;
  (f) an indication of the beginning and end of the period of validity of the certificate;
  (g) the identity code of the certificate;
  (h) the advanced electronic signature of the certification-service-provider issuing it;
  (i) limitations on the scope of use of the certificate, if applicable; and
  (j) limits on the value of transactions for which the certificate can be used, if applicable.

Regulation of signature service providers
- Authorisation/licensing
- Accreditation
  - Quality of company and staff
  - Quality of processes
    - Identification of signatory
    - Security of keys
    - Security of certificate creation
    - Recordkeeping
- CA liability

Liability schemes
- Statutory
  - Usually negligence-based: EU Directive art. 6(1)
  - Utah Act's strict liability overtaken by E-Sign
- Contractual
  - E-Sign, Singapore
  - Role of CPS
- Other? Tort-based?

Conclusions
- Currently, e-signatures are little used
  - Few legal requirements for signatures in commercial and private dealings
- Main uses likely to be:
  - Closed groups (e.g. Origo)
  - B2C dealings affecting rights, e.g. banking, DRM
- Main driver for adoption is dealings with government
  - Estonian ID card
  - Single, government-issued e-signature would be adopted widely for commercial and private dealings