8. Electronic Signatures

The anonymity and openness of the Internet pose several questions for business:

· How can you be sure that the person you are communicating with is who he claims to be?
· How can you make sure that the communication cannot be changed at some point between transmission and receipt? (With text-based e-mail it is technically quite simple to alter the content of a message.)
· How can you make sure that an outsider (for example a competitor) is unable to read your communications?
· How can you be sure that a secure electronic document sent from person A to person B, and then from person B to you, is the same document A sent in the first place?

It is clear that for international electronic trade to flourish, a reliable form of electronic signature is critical. Electronic signatures, and the management processes to which they are subject, can provide the means for this to happen and create trust and confidence between business partners.

One of the most widespread ways to provide secure communication is to give each party a pair of mathematically linked keys, which together allow two or more parties to exchange information securely:

· the private key, which must be safeguarded by its holder and never disclosed;
· the public key, which can be freely distributed.

This is called public key technology. Besides signing, it can be used to provide confidentiality between two parties: the sender encrypts a message with the recipient's public key so that only the intended recipient, holding the matching private key, can decrypt it. Private keys are usually held on some form of storage device. Today a smart card (similar to a credit card, but with a micro-chip providing limited memory and processing capability) is very common, although there are numerous alternatives. Smart cards generally require a PIN code, or sometimes a pass-phrase, to activate them. Hence, just as with a credit card, debit card or house key, it is important to ensure that neither the card nor its code falls into the wrong hands: whoever controls the private key can produce signatures in its holder's name.

When an individual wants to sign an electronic document, he uses his private key to perform a mathematical operation on the document (typically a text-based document, but it could be any form of electronic file: an image, an audio sample, or other content). In practice the signing software first computes a fixed-length digest (hash) of the document and then signs that digest with the private key; a recipient recomputes the digest and checks the signature against the signer's public key, so any change to the document after signing, however small, makes the check fail. Signing does not by itself hide the content; confidentiality, where needed, is obtained by encrypting the document for the recipient as described above. Beyond securing the transmission itself, electronic signatures can be used to:

· confirm the identity of the other party (authentication);
· determine the authority or signing capacity of the other party (authority);
· ensure that the contents of a document have not been changed in any way (integrity);
· verify that the document has come from the claimed party (authenticity);
· sign a document in a legally binding fashion (legal commitment);
· ensure that the original signing party cannot later deny having signed (non-repudiation), provided the private key has remained under that party's sole control.

Of course, anyone could generate a pair of keys in the name of someone else, possibly an imaginary person. How would anyone else know? The solution is to put in place a process that requires the key holder to satisfy a number of conditions to prove his identity. These checks are performed by, or on behalf of, a trusted third party who, given satisfactory evidence, is prepared to certify that the details of the key holder are as claimed. This certification authority then signs a record binding the public key to the verified identity details; that signed record is known as a public key certificate. Anyone who wishes to can check the certificate against the certification authority's own signature, and the authority should maintain a directory of the certificates it has issued and a list of certificates it has revoked (for example because a smart card was lost or a key compromised). A relying party who checks both the certificate and the revocation list can therefore be confident of the current legitimacy of the signer's public key, although only as of the list's most recent update and only within the validity period stated in the certificate.

An EC Framework Directive on electronic signatures (Directive 1999/93/EC) came into force on 19 January 2000; the deadline for implementation by Member States was 19 July 2001. In essence, it says that electronic signatures cannot be denied legal effect solely because they are in electronic form. The directive also allows certification service providers to offer their services without prior authorisation by national bodies. Member States may themselves decide how they ensure supervision of compliance with the provisions of the directive. The directive does not preclude the establishment of private-sector-based supervision systems, nor does it oblige certification service providers to apply to be supervised under any applicable accreditation scheme. However, Member States are obliged to notify the Commission of any approved provision of certification services. This directive is an important contribution to enabling secure electronic commerce within the European Union. Electronic signatures will be used increasingly in the public sector within national and EU administrations, and in communications between those administrations and with citizens and businesses, for example in public procurement, taxation, social security, health and justice systems.
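The mechanics described in this section (a key pair per party, a signature computed over a digest of the document, a certification authority vouching for the public key, and a revocation list consulted by the relying party) are shown below in a worked example added by the editor. It is not part of the original report and does not describe any particular national scheme; it uses only Go's standard library (Ed25519 keys and X.509 certificates). The two certification authorities, the signer "Alice Example", the purchase order text and the revocation list (a set of revoked serial numbers standing in for a published CRL) are all constructed for the example, and the identity checks a real certification authority performs before issuing a certificate are left out.

```go
package main

// Added example, not part of the original report: a signer, a certification
// authority and a relying party built only from Go's standard library.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key holder (CA or end user): its certificate and private key.
type Identity struct {
	Cert *x509.Certificate
	Priv ed25519.PrivateKey
}

// Certify generates a key pair for holder and returns a certificate that binds the
// name to the public key, signed by issuer (nil means a self-signed CA root).
func Certify(issuer *Identity, serial int64, holder string) *Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: holder},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, priv // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		parent, signer = issuer.Cert, issuer.Priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return &Identity{Cert: cert, Priv: priv}
}

// Sign hashes the content and signs the digest with the holder's private key.
func (id *Identity) Sign(content []byte) []byte {
	digest := sha256.Sum256(content)
	return ed25519.Sign(id.Priv, digest[:])
}

// Verify is the relying party's check: the signer's certificate must chain to a
// trusted root and not be revoked, and sig must match the content as received.
func Verify(content, sig []byte, cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate %v has been revoked", cert.SerialNumber)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	digest := sha256.Sum256(content)
	if !ok || !ed25519.Verify(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match the document")
	}
	return cert.Subject.CommonName, nil
}

// RunScenarios returns the verification outcome for four cases a relying party
// must tell apart. All names and the purchase order text are constructed samples.
func RunScenarios() map[string]error {
	ca := Certify(nil, 1, "Example Trusted CA")
	alice := Certify(ca, 1001, "Alice Example")
	// Anyone can run a CA and certify any name, even Alice's; only the relying
	// party's choice of trusted roots defeats this impostor certificate.
	impostor := Certify(Certify(nil, 1, "Example Rogue CA"), 1002, "Alice Example")
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	contract := []byte("Purchase order 4711: 200 units at EUR 12.50")
	altered := []byte("Purchase order 4711: 200 units at EUR 1.50") // changed in transit
	sig := alice.Sign(contract)
	results := map[string]error{}
	_, results["genuine"] = Verify(contract, sig, alice.Cert, roots, nil)
	_, results["tampered"] = Verify(altered, sig, alice.Cert, roots, nil)
	_, results["untrusted_issuer"] = Verify(contract, impostor.Sign(contract), impostor.Cert, roots, nil)
	revoked := map[string]bool{alice.Cert.SerialNumber.String(): true} // the CA's revocation list
	_, results["revoked"] = Verify(contract, sig, alice.Cert, roots, revoked)
	return results
}

func main() {
	fmt.Println(RunScenarios())
}
```

Run with `go run`: the genuine document verifies (nil error) and the three failure cases, altered content, a certificate from an issuer the relying party does not trust, and a revoked certificate, are each rejected with a distinct reason. The order of the checks matters: the signature is only meaningful once the certificate carrying the public key has itself been verified against a trusted root, otherwise the impostor's self-made certificate would pass, and the revocation check is only as good as the list the relying party actually consults.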