IDABC Recognition eSignatures

Also provided by M. Caño and relating to electronic signatures ...


Published by: Nicky Santoro on Jan 25, 2010
Copyright: Attribution Non-commercial


5.3.1.2.1 Problem description

For similar applications, Member States don’t necessarily require the same type of electronic
signature. It is perfectly possible that a similar application in one Member State is only based on user-
id/password protection while another Member State requires qualified electronic signatures for the
same type of transaction. One question is whether Member States should remain entirely free to
determine independently from each other the security level of signatures in their e-government
applications. Is it acceptable that public procurement transactions can be signed with user-
id/password based electronic signatures in one country while other countries require qualified
certificates and SSCDs in this context?

5.3.1.2.2 Assessment

It is probably not possible – but perhaps also not necessary – to harmonise the security level of
electronic signatures for each type of application. Does this mean, however, that every company and
individual in every Member State will eventually need to have a complete set of electronic signature
facilities (at least including a qualified electronic signature facility)?

Preliminary Study on Mutual Recognition of
eSignatures for eGovernment applications

November 2007

5.3.1.2.3 Recommendations

Similar to the issue noted above, the principle of subsidiarity and the public sector clause jointly imply
that Member States have the right to determine in principle which security level they require for each
specific application type (again, keeping in mind the limitations to this freedom in the public sector
clause, and also keeping in mind other and more far reaching harmonisation initiatives for specific
application types, such as the signature requirements for electronic invoicing). This right of the
Member States to autonomously determine the importance and security risks for each application and
the resulting signature requirements does not need to present any specific problem.

However, a larger concern is the current impossibility of ‘mapping’ non-national signature solutions
into a given security category. I.e., when presented with a non-national signature solution, a Member
State will typically have no way of determining how the signature was issued in the state of origin, and
therefore what kind of security/reliability it provides. The issue then becomes a matter of trust in
non-national registration authority (RA) policies.

Apart from the recommendation above (reminding Member States of their obligations to notify the
Commission of restrictions in their e-Signature applications, which would result in a substantial
overview of accepted CSPs abroad), it is therefore important to inform application owners of the
signature solutions offered in other countries, and to take note of their obligation in principle to ensure
compatibility with equivalent signature solutions (RECO2). The final and long term goal would be to
enable application owners to define the signature needs of their applications in terms of a
security/reliability level, such as the appropriate legal classification under the eSignatures Directive,
rather than by assessing individual CSPs on a case by case basis. In short, application owners should
be able to shift from the current situation of ad hoc decisions for each application to a system where
they require a certain security/reliability level, rather than a specific certificate or CSP. (RECO3)

5.3.1.2.4 Conclusions

RECO2

Application owners should take note of signature solutions being used in
other countries as identified by this study, and be made aware of their
obligation in principle not to exclude foreign signature solutions
whenever possible, unless specific considerations meeting the criteria
of the public sector clause would permit this.

Target group: eGovernment application owner

RECO3

Application owners should be advised to shift from the current situation
of ad hoc decisions for each application, to a system where they require
their users to employ a certain security/reliability level, such as the
appropriate legal classification under the eSignatures Directive, rather
than a specific certificate or CSP.

Target group: eGovernment application owner
