Electronic signature framework

Transcription

1 R E P U B L I C O F S E R B I A Negotation Team for the Accession of Republic of Serbia to the European Union Working Group for Chapter 10 Information society and media Electronic signature framework

2 Contents Legal framework Harmonization with the EU Directive Supervision Certification bodies Projects Challenges and future activities

3 Relevant Acquis Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community Framework for Electronic Signature 31999L0093 Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures 32000D0709 Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council D0511 Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market COM(2012) 238 final of /0146 (COD) 52012PC0238

4 National Legislation Law on Electronic Signature (Official Gazette of RS No. 135/04) Regulation on specific terms and conditions for issuing qualified electronic certificates (Official Gazette of RS No. 26/08) Regulation on technical and technological procedures for creating a qualified electronic signature and criteria to be met by devices for creating a qualified electronic signature (Official Gazette of RS No. 26/08, 13/10) Rulebook on register of certification bodies for qualified electronic certificates issuing in the Republic of Serbia (Official Gazette of of RS No. 26/08) Rulebook on the records of certification authorities (Official Gazette of of RS No. 48/05, 82/05, 116/05) Law on Electronic Document (Official Gazette of RS No. 51/09) Regulation on Time Stamp Issuing (Official Gazette of RS No. 112/2009)

5 esignature framework Law on Electronic Signature (2004) - Regulation on specific terms and conditions for issuing qualified electronic certificates (2008); - Regulation on technical and technological procedures for creating a qualified electronic signature and criteria to be met by devices for creating a qualified electronic signature (2008, 2010); - Rulebook on register of certification bodies for qualified electronic certificates issuing in the Republic of Serbia (2008); - Rulebook on the records of certification authorities (2005) Law is harmonized with EU regulations Two main roles of Law: - To define conditions under which electronic signatures are legally equal to handwritten signatures; - To define which requirements must be met by Certification bodies for the issuance of qualified electronic certificates

6 Technological framework for esignatures Standards ETSI (European Telecommunications Standards Institute) ESI (Electronic Signatures and Infrastructures); Standards CEN/ISSS and documents CWA (CEN Workshop Agreement); Documents IETF RFC (Request for Comments); Documents and recommendations of the company RSA Data Security PKCS (Public Key Cryptographic Standards); Common Criteria (for Information Technology Security Evaluation) in section EAL (Evaluation Assurance Level); American standards FIPS (determined by the standardization body: National Institute of Standards and Technology - Federal Information Processing Standards).

7 Scope Directive 1999/93/EC - Article 1 Law on Electronic Signature: Scope of the Law: The present Law shall govern the use of the electronic signature in legal transactions and other legal deeds and in the conduct of business, as well as the rights, duties and liabilities associated with the electronic certificates, unless otherwise provided by other laws. The provisions of the present Law shall also apply to the communications between authorities, communications between authorities and parties and presentation and drawing up of decisions of the authorities in electronic form in the administrative, court and other proceedings before a government agency, if the law governing such proceedings provides for the use of electronic signature. Article 1

8 Law on Electronic Signature: Definitions - Article 2 Electronic signature Advanced electronic signature Certification service provider Etc. Definitions Directive 1999/93/EC - Article 2 A qualified electronic signature shall meet the following requirements : 1) That it is associated with the signatory exclusively; 2) That it identifies the signatory unambiguously; 3) That it comes into being using the means which the signatory can control independently and which are kept under the signatory s exclusive supervision; 4) That it is directly associated with the data it relates to in a way which unambiguously allows any change made in the original data to be inspected; 5) That it has been formed on the basis of the signatory s qualified electronic signature; 6) That it can be verified on the basis of the signatory s qualified electronic certificate. Article 7

9 Law on Electronic Signature: Market access Directive 1999/93/EC - Article 3 Certification bodies do not have to possess special electronic certificateissuing licences - Article 13 The ministry responsible for the information society (hereinafter: the competent authority) shall set the technical and technological procedures for the formation of qualified electronic signatures and the criteria to be satisfied by the qualified electronic signature forming means - Article 11 The competent authority shall keep the Register of Certification Bodies for the Issuance of Qualified Electronic Certificates in the Republic of Serbia Article 19

10 Market access Directive 1999/93/EC - Article 3 Law on Electronic Signature: If a certification body meets the requirements referred to in Article 18 of the present Law, the competent authority shall render a decision allowing it be entered in the Register - Article 20 The competent authority shall exercise inspective supervision over the enforcement of the present Law and operation of the certification bodies - Article 36 There is no provision in the Law on Electronic Signatures, which prevents the use of electronic signatures in the public sector.

11 Legal effects of electronic signatures Directive 1999/93/EC - Article 5 Law on Electronic Signature: In relation to the data in the electronic form, a qualified electronic signature shall produce the same legal effect and probative force as a manually affixed signature and as a manually affixed signature and stamp, in relation to the data in paper form - Article 10 An electronic signature may produce legal effect and may be used as evidence in legal proceedings, except when under a special law, only a manually affixed signature can produce legal effect and probative force - Article 6

12 Law on Electronic Signature: Liability Directive 1999/93/EC - Article 6 Any certification body which is issuing qualified electronic certificates or guarantees the qualified electronic certificates of some other certification body shall be liable for any damage done to a person who has relied on such certificate in the following cases: 1) If the information included in a qualified electronic certificate was not correct at the time of its issuance; 2) If the certificate does not include all of the elements prescribed for a qualified electronic certificate; 3) If it has not checked at the moment of issuance of the certificate whether the signatory is in possession of the electronic signature forming data which correspond to the electronic signature verification data;

13 Law on Electronic Signature: Liability Directive 1999/93/EC - Article 6 4) If it fails to make sure that the electronic signature forming and verification data can be used complementarily, in the cases in which such data are generated by the certification body; 5) If it fails to revoke a certificate in compliance with the provisions of Article 30 of the present Law; No certification body shall be liable for the damage referred to in paragraph 1 of this Article, if it proves that it has acted in accordance with law and its general and internal rules of operation - Article 34

14 Liability Directive 1999/93/EC - Article 6 Law on Electronic Signature: For the purposes of the present Law, a qualified electronic certificate shall mean an electronic certificate issued by a certification body engaged in the issuance of qualified electronic certificates, which shall contain the following: 8) Limitations on the use of certificate, if any Article 17 No certification body shall be liable for any damage resulting from the use of a certificate beyond the scope of limitations, if such limitations are clearly stated in the certificate Article 34

15 International aspects Directive 1999/93/EC - Article 7 Law on Electronic Signature: The electronic certificates issued by any foreign certification body shall enjoy the same treatment as domestic electronic certificates. The qualified electronic certificates issued by foreign certification bodies shall enjoy the same treatment as the domestic ones in the following cases: 1) If the foreign verification body concerned has obtained the competent authority s permit pursuant to Articles 18 and 20 of the present Law, or 2) If they originate from a country with which a bilateral agreement has been concluded on the mutual recognition of qualified electronic certificates Article 35

16 Law on Electronic Signature: Data protection Directive 1999/93/EC - Article 8 The duties of any certification body engaged in the issuing of qualified electronic certificates shall be as follows: 9) Acting in compliance with the provisions of laws and regulations governing the safeguarding of personal data. Article 28 A qualified electronic certificate may be issued to any person on its own request, on the basis of its identity which has been established beyond any doubt and other data relating to the applicant. Article 24 The use of pseudonyms is not regulated by the Law on Electronic Signature.

17 Directive 1999/93/EC ANNEX I Requirements for qualified certificates ANNEX II Requirements for certificationservice-providers issuing qualified certificates ANNEX III Requirements for secure signature-creation device ANNEX IV Recommendations for secure signature verification Law on electronic signature Article 17 and (A Article and Article of Regulation on specific terms and conditions for issuing qualified electronic certificates) Article 18 Article 8 Article 9

18 Commission Decision 2003/511/EC Decision 2003/511/EC Law on electronic signature 1. Regulation on specific terms and conditions for issuing qualified electronic certificates; Decision 2003/511/EC 2. Regulation on technical and technological procedures for creating a qualified electronic signature and criteria to be met by devices for creating a qualified electronic signature A.1.1 (1) Article 58 A.1.2 (2) Article A.2 (1) Article (1) Article (2) Article (2) Article (2) Article

19 Supervision Law on Electronic Signature: Article The competent authority shall exercise inspective supervision over the enforcement of the present Law and operation of the certification bodies. The authorities duly designated by the laws and regulations governing the safeguarding of personal data shall supervise the operation of certification bodies in the collection, use and safeguarding of the personal data of users. Supervision-Ministry of Trade, Tourism and Telecommunications. FESA Membership

20 Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market Electronic time stamp Section 5 Law on Electronic Document: - Time Stamp Generation System - Article 14 and Article 15 - Request for Time Stamp Generation - Article 16 - Time Stamp Data Structure Content - Article 17 - Time Contained in the Time Stamp - Article 18 - Time Stamp Safekeeping - Article 19 Regulation on Time Stamp Issuing

21 Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market Electronic documents Section 6 Law on Electronic Document: - Electronic Document Legal Effect Article 4 - Electronic Document Creation - Article 5 - Electronic Document Presentation Forms - Article 6 - Electronic Document Copy - Article 7

22 Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market Qualified electronic delivery service Section 7 Law on Electronic Document: Electronic documents' delivery Section 3: - Certificate on Electronic Document Receipt Article 8 - Electronic Document Duplication Article 9 - Electronic Documents' Delivery among Government Bodies and Users Article 10 - Electronic Documents' Delivery among Government Bodies Article 11

23 Certification Bodies in Republic of Serbia 1. Republic of Serbia Post CePP Setifikaciono telo pošte 2. Chamber of Commerce and Industry of Serbia PKS CA 3. Halcom BG CA 4. E Smart Systems ESS QCA 5. Ministry of Interior MUP CA

24 Certification Bodies in Republic of Serbia Time Stamp Service Providers 1. Republic of Serbia Post CePP Setifikaciono telo pošte 2. Directorate for egovernment

25 Ministry of Interior Certification Body An identification card issued by the certification body MUP after personalization have added on the chip a certificate for authentication. Certificate for the digital signature will be generated and entered into the chip of ID cards only on the request of citizens. The total number of issued certificates for authentication on the identity cards from the beginning of publication

26 Ministry of Interior Certification Body The total number of issued QES on the ID card on the request of the citizens

27 Number of issued QES per year CA 1 CA 2 CA 3 CA 4 CA 5 QES/year up to Total number of issued QES

28 QES in electronic services E-Portal services E-Submission of payroll tax applications

29 Challenges and Future Activities Establishing of a national trusted list Adoption of a new national law in accordance with the Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

30 Thank you for your attention QUESTIONS Brussels, 11 July 2014