Extracted from original DTI Consultation document available at http://www.dti.gov.uk/cii/ecommerce/europeanpolicy/esigncondoc.pdf - white space added by Author for readability, and [footnotes] moved to bottom.

March 2001
Responses by 19 June 2001

Department of Trade and Industry

CONSULTATION ON EC DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES

Department of Trade and Industry Consultation Document on the implementation of the EU Electronic Signatures Directive.

Introduction

1 On 19 January 2000, Directive 1999/93/EC on a Community Framework for Electronic Signatures (commonly known as the Electronic Signatures Directive and referred to hereafter as “the Directive”) was published in the Official Journal of the European Communities (OJ No L13, 19.1.00, p12).

2 The background to the Directive was that from the early 1990s onwards legislation had been passed in several jurisdictions covering the use of on-line authentication techniques based on public key cryptography (digital signatures and the supporting digital certificates). The passing of such laws in Europe, in 1997 in Germany and Italy, opened up the prospect of a patchwork of incompatible laws governing the provision of electronic signature [1] services and the legal recognition of this key e-commerce enabling technology. The Commission proposed action to prevent this happening. The objective of the Directive was “to facilitate the use of electronic signatures and to contribute to their legal recognition” (Article 1 of the Directive). At heart, it is concerned with promoting user trust and confidence in the process of authentication in the information age.
3 In short, the Directive works to promote the proper functioning of the internal market by ensuring that electronic signatures are not denied legal admissibility on various grounds and establishing benchmarks for the signature creation devices and certificates which are used to support such signatures. The Directive creates a framework whereby all parties can be assured that the benchmarks are met and thus that the provision of products or services in the single market is not constrained. It is not intended to affect the law relating to the conclusion and validity of contracts, requirements of form nor law governing the use of contracts.

4 This consultation paper has been produced to seek views on the implementation of both the obligations on Member States and also those areas where Member States have discretion whether to act. The Directive has to be implemented by 19 July 2001. As explained below, the Electronic Communications Act of 2000 implemented some of the key requirements of the Directive and there was extensive consultation on that legislation.

5 The consultation paper follows the format of the Directive in respect to the key requirements. The full text of the Directive is annexed to this paper as Annex A. Defined terms are in italics.

Article 3 Market Access

Prior authorisation

6 Member States cannot make the provision of certification services subject to “prior authorisation” (Article 3, paragraph 1). The Government will not do so.

Voluntary accreditation schemes

7 Member States may introduce or maintain voluntary accreditation [2] schemes aiming at “enhanced levels of certification service provision”. These schemes must have objective, transparent, proportionate and non-discriminatory conditions and cannot limit the number of accreditations for “reasons which fall within the scope of this Directive”.

8 The Government took powers under Part I of the Electronic Communications Act 2000 (the ECA) to establish a statutory voluntary approvals regime.
The tScheme has been established by the Alliance for Electronic Business [3] (a consortium of industry bodies concerned with the promotion of electronic business) in response to and as an alternative to the Government implementing the powers taken under Part 1 of the ECA. The tScheme therefore exists as a non-statutory voluntary approvals regime for trust service providers (which would include the service providers covered by the Directive). Government is working in partnership with the tScheme but it is clearly private sector-led. The Government has no plans therefore at present to introduce a voluntary accreditation scheme and notes that the conduct of the tScheme appears to fulfil the broad objectives for schemes which might be introduced by Member States in accordance with the Directive.

Supervision

9 Member States must ensure “the establishment of an appropriate system that allows for supervision of certification service providers which are established on its territory and issue qualified certificates to the public”. “Qualified certificate” means a certificate which meets the requirements of Annex I and is provided by a service provider who meets the terms of Annex II. In effect, this establishes a benchmark for the content of a certificate – drawing on the widely-used X.509 standard for digital certificates – and the performance of the supplier in terms of competence, viability and integrity.

10 “Supervision” is not a defined term in the Directive and the preamble does not clarify its meaning to any great extent. The preamble (recital 13) says that private sector supervisory systems are not excluded but that providers are not obliged to apply to be supervised “under any applicable accreditation scheme”.

11 The concept of supervision has featured significantly in discussions between Member States about the implementation of the Directive.
The approaches proposed range from the stringent – with detailed rules supplementing the terms of Annexes I and II – to light touch regimes. There is clearly a strong feeling in some Member States that the value of qualified certificates as a basis for the use of electronic signatures in transactions depends on the certainty that Annexes I and II are applied with rigour. Equally, other Member States are placing greater faith in accreditation arrangements to ensure that the objectives of the Directive are met.

12 The issue is how to take this forward in the UK. There are two questions: what should be the nature of the supervisory regime and whether legal backing should be given to the supervisory function; and who should take on the role of the supervisor.

The nature of a supervisory regime

13 As indicated above, this is an area where the Member State has discretion. The UK supports the objectives of the Directive and would not wish to implement supervision in a way which would undermine confidence in the use of qualified certificates. Nevertheless, the Government’s guiding principle on the use of regulatory powers is to “fit the remedy to the risk”. The problem in this case is that both the nature and the scale of the risk are, at this stage, unquantifiable. The risk would be to the confidence of society generally in these forms of authentication and, in particular, the risk to relying parties if qualified certification did not fulfil the expectations of the Directive. It is by no means certain that a large number of suppliers will issue qualified certificates and it is not clear how many will do this outside of the co-regulatory framework of the tScheme. The risk, and hence the remedy, would be entirely different if the market was serviced by a small number of large, reputable organisations working in a co-regulated environment compared with several hundred small or micro service providers.
It is worth considering the types of supervisory regime which might be appropriate for these extreme scenarios.

14 In a low risk scenario, supervision may be de minimis. This would involve the supervisor observing the market and recording those service providers of which he becomes aware either through observation or the provider volunteering information. The supervisor would give such publicity as he considered appropriate to any activities of certification service providers of which he became aware which did not comply with the Directive.

15 In a high risk scenario, it is possible to envisage a much more active supervisory regime. If there were sufficient grounds to suspect that the terms of Annex II were not being complied with to any significant extent (evidence of non-compliance with Annex I being more easily determined) or qualified certification was brought into disrepute in other ways, then powers might be taken to:
- require notification that qualified certificates were being issued, with penalties for non-reporting (if this were done after the commencement of business, it would not breach the disbarring of prior authorisation);
- require documentation to be maintained supporting claims of compliance with the Annexes, with penalties for the failure to do so.

16 In such a regime, direct auditing of the documentation or the commissioning of independent audits would probably be occasioned by a trigger event such as an observation of malpractice or a complaint by the public. Such a regime would be resource intensive and a fee regime would need to be established and notified at the time such a regime was established.

17 In deciding the way forward, we also need to bear in mind the impact of tScheme. The scheme is voluntary but is committed to accommodating the specific requirements of qualified certificate issuance into its approval profiles.
If tScheme is successful, and the majority or all of the issuers of qualified certificates are tScheme approved, this will lead to confidence in the issuance of qualified certificates in the UK.

Who should be the supervisory body?

18 The classical “regulatory” skillsets are available in many parts of Government. For the more rigorous approach to supervision, the most obvious candidate to undertake this role would be OFTEL (noting the proposal to merge this organisation into a more broadly-based OFCOM). The need to challenge CSPs on elements of the Directive which are based on cryptographic technologies would probably require the import of specialist skills. These are available commercially but it might be more credible if this specialist function were performed by the Communications and Electronic Security Group – the Government’s technical authority on information technology security.

19 A more radical approach would be to ask tScheme to undertake this function. The Directive says that service providers should not be obliged to apply to be supervised under any applicable accreditation scheme. There is a strong argument that those organisations who have consciously chosen not to subscribe to tScheme and its values should not be compelled to become linked to the Scheme, simply because they have chosen to issue qualified certificates.

20 Nevertheless, it is possible to envisage a role for tScheme, or other bodies that may come forward, in assisting or leading on the supervision function if it were closer to the de minimis model described above.

Conclusions and what action should Government take?

21 At this stage, given the uncertainty of the market, the Government propose to provide by regulation the de minimis option outlined above. This will be subject to review in two years (and thus will fit well with the timetable for the review of the Directive) and the regime will be reassessed in the light of the development of the use of qualified certificates in the UK.
This review will require a dialogue with the relevant stakeholders and a formal consultation on whether the role of the supervisor should be changed.

22 It is proposed that a supervisory regime be established to take receipt of representations on the performance of CSPs and publicise information about the appropriate issuance of qualified certificates. At this stage, it would seem most appropriate to maintain the supervisory function within the DTI but to ask tScheme to assist in the observation and commentary on market practices. We believe that this would most clearly meet the Government’s guidelines on Better Regulation.

QUESTION 1: Do you agree that the implementation of a supervisory regime should be based on a de minimis approach and subject to review in two years’ time?

Secure Signature Creation Devices

23 The Directive places emphasis on the security of the signature creation device and Annex III sets out in broad terms what properties are required to be considered a “secure signature creation device” (SSCD). This mirrors the benchmarking of the certification process and the two – SSCD and Qualified Certificate – used together meet the quality requirements of the class of Advanced Electronic Signature [4] which should be seen, in certain circumstances, as being equivalent to a hand written signature (see discussion of Article 5.1 below).

24 The Directive deals with how Member States may ensure that SSCDs meet the terms of Annex III. Article 3.4 permits Member States to designate appropriate public or private bodies to determine the conformity of such devices with the terms of Annex III. Such designated bodies have to meet certain criteria laid down by the Commission in consultation with the Member States. This process has been finalised and the criteria – which deal in broad terms with the competence, integrity and independence of such bodies – have been laid down [5].
Article 3.5 goes on to describe a process whereby the Commission can publish the references to Standards for electronic-signature products and that Member States shall presume that there is compliance with the requirements laid down in Annex II point f (the requirement that certification service providers use “trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them”) and Annex III (the requirements for secure signature creation devices). Thus there are effectively two routes for a device to meet the terms of Annex III.

25 The two questions in relation to the implementation of the Directive are whether the Government should appoint a designated body under 3.4 and whether any specific action should be taken to ensure that the Government can give due weight to the need to acknowledge compliance under 3.5.

Designated body

26 The Government seeks the views of all interested parties on whether the UK should appoint a designated body.

27 As background to this decision, the following factors should be taken into account. There is wide scope for how the designated body might perform its task of assessing the compliance of devices with Annex III. It could simply take the terms of the Annex as a template and judge evidence in support of the individual components against that template. Or the designated body could refer to standards. A Standard is under preparation within the joint CEN/ETSI European Electronic Signatures Standardisation Initiative (EESSI) – an attempt by European business to provide standards to support the Directive and promote interoperability amongst authentication products and services. This Standard has proved controversial and at the time of the consultation it was not clear whether the Standard would be agreed or when it might be approved under the process described in Article 3.5.
The draft Standard is effectively based on the Common Criteria approach of drawing up a standard profile for assessment by a third party. If such a standard were agreed and the designated body did not use it or other standards with the same objective, it might leave the UK open to the criticism that the assessment regime for these products was not in keeping with the spirit of the Directive and lacked sufficient rigour.

28 The most obvious designated body might be CESG who could manage the process alongside the existing UK assessment scheme under the Common Criteria for product security evaluations. Another possible approach would be to ask tScheme to extend their remit and to specifically take on the task of the designated body. The scheme could use the Standard or develop its own profiles in the light of the Standard to run assessments by appropriate third party assessment bodies (these might well be the existing Common Criteria/ITSEC approval bodies but might also be the assessment bodies who are being appointed to carry out tScheme profile assessments).

29 Another important factor in the Government’s decision will be the cost. There are very few manufacturers of these products in Europe (although manufacturers from outside the EU can apply to any designated body). The Government would need to be assured that any costs it bore in setting up such a designated body would be justified by a level of approvals which would meet the ongoing costs of maintaining such a body. It is this sort of consideration which is leading many Member States to be cautious about the possibility of establishing a designated body. The Government would therefore particularly welcome the views of the manufacturers of such products to establish whether the creation of a designated body is feasible.

30 A designated body does not need to be appointed and, in any case, not before the deadline for implementation, and appointing one does not require the Government to take new powers.
If it were decided to appoint a designated body this could be done by an administrative act.

QUESTION 2: Do you believe that the UK should have a designated body and if so who should it be and how should they assess compliance with Annex III of the Directive?

The presumption of compliance

31 We do not believe that we need to make legislative changes to implement 3.5. The UK is bound to accept that compliance with appropriate standards created under Article 3.5 will have the effect of assuring compliance with Annex II point f or Annex III. For Annex II, we believe that this will compel the UK to accept that those service providers subject to supervision under the Directive (see above) will be deemed to have met the terms of Annex II point f if they meet the relevant standard (and again one is in preparation by EESSI). For standards relating to Annex III, we believe that, when presented with an advanced electronic signature, the UK will need to accept as confirmation of the validity of the signature creation device, either a current approval from an EU designated body or confirmation that the terms of the relevant standard have been met. There are at present no plans to introduce independent assessment regimes for either standard referred to in Article 3.5 (although it is possible that the existing product evaluation scheme could be extended to provide such assessment). Advice will need to be prepared for those parts of the public sector who are likely to accept digital signatures in the course of their business on what the recognition of such standards will mean in practice.

QUESTION 3: What do you believe will be the impact of Article 3.5 and is there any further action the Government could take?

Signature Verification Devices

32 Article 3.6 requires Member States to work together with the Commission to promote the use of Signature Verification Devices according to the recommendations in Annex IV.
The Commission have not made proposals on how such promotion might be undertaken. Accordingly, we make no proposals in respect of this requirement.

Public Sector requirements

33 Article 3.7 allows Member States to make the use of electronic signatures subject to possible additional requirements – relating only to the specific characteristics of the application used. Several Departments are looking at the use of PKI technologies for internal purposes and in relation to the more sensitive transactions with citizens and businesses. The Office of the eEnvoy has set out its views on how authentication techniques might be used in relation to on-line Government Services (www.e-envoy.gov.uk/frameworks/authentication/contents.htm). These principles will inform the way that authentication is used at the “Gateway” portal for one-stop citizen and business access to Government services. The Office of the eEnvoy, in conjunction with the Communications and Electronic Security Group, is also developing guidance on the use of public key infrastructure within Government.

34 The Government will need to ensure that any “additional requirements” meet the terms of Article 3.7, and advice will be prepared on how such requirements should be imposed and how they might be notified to the Commission under the terms of Article 11.1(a). In particular, this guidance will need to make clear that such requirements may “not constitute an obstacle to cross-border services for citizens”. In this context it is important that Departments understand the meaning and value of qualified certificates and advanced electronic signatures originating from other Member States.

QUESTION 4: Do you agree with our analysis of the meaning of Article 3.7 and the proposed course of action to ensure compliance with it?
Article 4 Internal Market Principles

35 This article requires that each Member State should not restrict the provision of certification services originating from other Member States and should allow electronic signature products which meet the terms of the Directive to circulate freely. None of the proposals in this paper appear to create any internal market problems. No further action is planned in relation to this requirement.

Article 5 Legal Effect of Electronic Signatures

36 The key elements of Article 5 – the legal admissibility of electronic signatures – have been met by Section 7 of the Electronic Communications Act. This covers both Article 5.1(b) and 5.2, which deal with electronic signatures in legal proceedings.

37 It is the Government’s view that the first part of Article 5.1 will need to be implemented in UK law. This states that:

“Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure signature creation device a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data;”

38 We propose to provide under regulations made under section 2(2) of the European Communities Act that where a person in relation to data in electronic form uses an advanced electronic signature which is based on a qualified certificate and is created by a secure signature creation device, any legal requirement for a signature in respect of such data is satisfied. This would not alter the substantive English, Northern Irish or Scots law on when writing is required for a transaction. Its practical impact should be limited given that requirements as to form usually specify both writing and signature.
Implementation in Scotland and Northern Ireland would be a devolved matter to be dealt with by Scottish and Northern Irish Ministers, the Scottish Parliament and the Northern Irish Assembly.

QUESTION 5: Do you agree with the proposed regulation to implement Article 5.1(a)?

Article 6 Liability

39 Article 6 requires Member States to impose a minimum level of liability on certification service providers who provide qualified certificates to the public. Article 6(1) requires that where:
- a certification service provider either:
  - issues a certificate as a qualified certificate to the public; or
  - guarantees a qualified certificate to the public;
- and a person reasonably relies on that certificate for any of the following matters:
  - the accuracy of all information contained in the qualified certificate at the time of issue;
  - the inclusion in the qualified certificate of all the details referred to in Annex I of the Directive;
  - the holding by the signatory identified in the qualified certificate at the time of its issue of the signature identification data corresponding to the signature verification data given or identified in the certificate; or
  - the ability of the signature verification data to be used in a complementary manner in cases where the certification service provider generates them both;
- and as a result that person suffers loss,
then the certification service provider must be liable in damages in respect of the loss “unless the provider proves that he had not acted negligently”.

40 We believe that this will require that the claimant will need to establish that the service provider issued or guaranteed a qualified certificate to the public, that the claimant reasonably relied on it and that such reliance was for any of the specified purposes and that damage was caused by such reliance. The final words of Article 6(1) make it clear that the onus is on the service provider to prove that he had not acted negligently.
We have looked at the obligations imposed by Article 6.1 against the existing requirements of the English, Northern Irish and Scots law of tort and delict and contract. We have concluded that existing law does not provide a comprehensive solution to the requirements of the Directive and therefore provision will need to be made which would ensure that in the circumstances set out in Article 6.1 a certification service provider is liable unless he proves that he has not acted negligently and that this liability is not dependent on the existence of a duty of care.

41 Article 6.2 requires that where:
- a certification service provider issues certificates as qualified certificates to the public;
- a person reasonably relies on that certificate; and
- that person suffers loss as a result of any failure by the certification service provider to register the revocation of the certificate,
then that certification service provider must be liable in damages in respect of the loss unless the certification service provider proves that he has not acted negligently. Again provision will need to be made to ensure that in the circumstances set out in Article 6.2, a certification service provider is liable unless he proves that he had not acted negligently and that this liability is not dependent on the existence of a duty of care.

42 Provision will also need to be made to implement the requirements of Article 6.3 – that certification service providers can indicate limitations in the qualified certificate on its use and shall not be liable for loss as a result of the use of the certificate which exceeds that limitation.
Likewise, provision will need to be made to implement the requirements of Article 6.4 – that certification service providers may indicate a limit on the value of transactions for which the certificate can be used and shall not be liable for any loss to the extent that loss results from the use of the certificate in relation to a transaction the value of which exceeds that limit.

QUESTION 6: Do you have any comments on the proposal to implement Article 6 and that this should be achieved by regulations under the European Communities Act?

Article 7 International Aspects

43 The Directive requires that Member States treat qualified certificates originating from non-EU service providers as legally equivalent to EU certificates if they meet one of three criteria. These are that they are accredited by an accreditation scheme in a Member State, their certificate is guaranteed by a service provider from a Member State or the service provider is in a country which is subject to a bilateral or multilateral agreement. No further action is proposed to meet this requirement.

Article 8 – Data protection

44 Article 8.1 requires Member States to ensure that certification service providers and national bodies responsible for accreditation or supervision comply with the requirements of Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive has been implemented by the Data Protection Act 1998.

45 Article 8.2 goes further however and requires Member States to ensure that a certification service provider which issues certificates to the public may collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the certificate. Article 8.2 further requires that data may not be collected or processed for any other purpose without the explicit consent of the data subject.
46 Provision will need to be made to ensure that these stricter requirements concerning data protection apply in relation to certification service providers referred to in Article 8.2.

QUESTION 7: Do you agree with the proposal to implement Article 8.2 and thereby place specific data protection requirements on certification service providers?

Articles 9-15

47 These articles concern the management of the implementation of the Directive.

Conclusions

48 It is difficult to envisage what impact the Directive will have on the use of authentication in the EU and in the UK in particular. In particular it is difficult to see where and how the concept of the advanced electronic signature will impact on UK electronic transactions. It is possible that the concept of the qualified certificate will gain currency and will assist in the growth of electronic authentication and provide clear co-ordinates for arrangements on the mutual acceptability of certification with other jurisdictions. Some of these uncertainties may be resolved by Governments adopting these benchmarks for G2B or G2C services. The benchmarking of the provision of certification clearly chimes with developments in the UK, especially the idea of approving service providers embodied in Part 1 of the ECA and being given substance by the work of tScheme.

49 Against this background the above proposals are designed to meet the requirements of the Directive with the lightest possible touch.

QUESTION 8: Do you have any views on the likely impact of the Directive in the UK and how it may assist in promoting trusted and secure electronic transactions?

Consultation

50 We invite comments as soon as possible and by no later than 19 June 2001. It will not be possible to take into account responses received after this date.
51 Comments should be sent to Geoff Smith at DTI either by e-mail (preferably as a Word document or text format) to elecsigsconsultation@dti.gov.uk or in writing to:

Information Security Policy Group
Communications and Information Industries Directorate
Department of Trade and Industry
Bay 226
151 Buckingham Palace Road
London SW1W 9SS

clearly stating who you are and, where relevant, who you represent. You are free to comment on any aspect of the implementation of the Directive but it would be helpful if you could address the questions referred to in the body of the text above and summarised at Annex B.

52 Should you wish any part, or all, of your comments to be treated in confidence you should make this clear in the response. In the absence of such instructions, responses will be assumed to be open, and may be placed in the Libraries of the Houses of Parliament, published by Ministers (including publication on the DTI website) or shared with others. In the event that there are a large number of responses and a range of views on the proposals outlined above, it would also be our intention to publish a summary of the responses to this consultation exercise.

DTI Communications and Information Industries Directorate
March 2001
URN 01/750

[Annexes omitted - repetition]

[Footnotes]

[1] The use of the term “electronic signatures” enables the law to reflect a broader set of approaches to electronic authentication and not simply to focus on digital signatures based on cryptography.

[2] The Directive uses the term “accreditation” to describe the process described as “certification” in the UK – that is the third party assessment of suppliers. The tScheme is more closely aligned to the process of certification in that it controls the use of an approval mark. Agreement to grant approval is based on independent assessment of the tScheme profiles by bodies that are accredited by the UK Accreditation Service.

[3] For more information on tScheme go to WWW.tscheme.org.
[4] The use of the term Advanced Electronic Signature in the Directive is worth comment. As a defined term it exists as four broad performance characteristics. In this form, the concept only clearly features as a requirement on the way in which a certification service provider signs a qualified certificate. The only other specific reference to Advanced Electronic Signatures is in Article 5.1 which requires the additional criteria of meeting Annexes I, II and III. This has led some jurisdictions to coin new expressions - such as “qualified signature” - for this special class of Advanced Electronic Signatures.

[5] Commission Decision (EC) 2000/709 (OJ L289, 16.11.00, p42)

End of document