WORLD BANK
ITIDA
FINAL REPORT
TABLE OF CONTENTS
I. Executive Summary
II. Summary of Findings & Recommendations
III. Introduction & Background
IV. Overview of existing e-signature and PKI enabling environment in Egypt
A Legal Framework
B Institutional Arrangements
C Expected uses of e-signatures in Egypt
V. Benchmarking
A Enabling Environment issues
B PKI Implementation Issues
VI. Recommendations for strengthening Egypt’s e-signature and PKI enabling environment
A As Root CA, ITIDA should develop certificate standards policies applicable to Egypt, and can use its existing relationships with its MoU partners in this regard.
B Measures to limit the liability of ITIDA as Root CA
C Clarify which electronic transactions will be subject to PKI
D Training for lawyers and judges on e-signatures issues
E Introducing alternative dispute resolution processes for e-signature matters
F International Considerations
VII. Glossary
VIII. Annexes
IX. Bibliography
ANNEX 1
ANNEX 2
ANNEX 3
A United States
B State of Washington Pricing (2003)
WB /ITIDA RTA
e-Signatures / PKI
CONFIDENTIAL
Final Report
I. Executive Summary
Where countries have limited use of PKI, it is usually linked implicitly to a “weak/strong” signature application environment. “Strong” signatures (using PKI for example), are appropriate for some on-line transaction activities, requiring a high degree of verification, while “weak” signatures may be appropriate for others. The legal regime in Egypt contemplates such a differentiation, and the Government could consider which applications would be best suited for use of “strong” signatures using PKI.
Realizing the benefits of PKI will depend in part on the trust of users in the overall system. In part this trust will be based on the enabling environment, including the practices and policies of the Root CA.
II. Summary of Findings & Recommendations
III. Introduction & Background
1 Both the UNCITRAL model laws on e-Commerce and on Digital Signatures contemplate the use of, although they are not based on the exclusive use of, PKI mechanisms. PKI is well-suited for “e-commerce” transactions among and between parties not known or with no prior relation to each other.
2 ACN.9/630/Add.3 - Possible future work on electronic commerce Comprehensive reference document on elements required to establish a favorable legal framework for electronic commerce: sample chapter on international use of electronic authentication and signature methods, UNCITRAL, available at: http://daccessdds.un.org/doc/UNDOC/GEN/V07/822/59/PDF/V0782259.pdf?OpenElement (UNCITRAL Future Work).
symmetric encryption (pre-arranged shared cryptology where the same “key” is used to encrypt a data message at the point of origin and decrypt it at the receiving end, the secrecy of which must be maintained by both parties);
passwords (this is a symmetric process and a common application is ATM technology);
tokens (these are like passwords, insofar as the “password” is embedded in the “token” – these can be either physical tokens (cards) or electronic tokens);
digital biometrics (such as retinal or other scanning requires agreed protocols and standards of hardware and software);
secure closed systems (dedicated computer-to-computer links or private networks); and
blended systems (for example, using one of the above digital technologies combined with an orthogonal confirmation, such as a telephone confirmation).
This report focuses on the PKI experiences of other countries that use PKI.
IV. Overview of existing e-signature and PKI enabling environment in Egypt
This chapter reviews (i) the existing legal enabling framework for the use of e-signatures/PKI in Egypt, (ii) the key institutional arrangements (functions and organization) of ITIDA within this enabling framework, and (iii) the main purposes for which e-signatures will be used in Egypt.
A. Legal Framework
The legal framework that establishes the basis for legal recognition of electronic signatures in Egypt consists of two primary instruments – Law # 15 of 2004 Regulating E-Signature and Establishing ITIDA (Law) and MCIT Decree # 109 of 2005 Issuing Executive Regulations of Law # 15 of 2004 (Decree).3
The main legal instrument implementing the Law is the Decree. The Decree sets forth provisions regarding the establishment of so-called public and private key infrastructure (PKI) for purposes of authenticating the users of e-signatures and the content of electronic documents, including the role that ITIDA will play as the root certifying authority (Root CA) and in regulating certificate service providers (CSPs). In that sense the Decree is not entirely technology neutral. While under the Law there is no stated preference for the kind of legally recognizable e-signature, a PKI preference is emerging under the Decree, though it is understood that use of PKI-based e-signatures will be mandatory. In principle this might mean that other forms of electronic signature that otherwise meet the requirements under the Law might not presumptively be granted legal functional equivalence to a wet ink signature on paper, requiring the party or parties to meet the burden of proof that the electronic signature was valid.
3 Both available at: http://www.itida.gov.eg/E-Signature_Regulations.asp
B. Institutional Arrangements
Under the Law and the Decree, ITIDA acts as the root certifying authority (Root CA) for issuing digital certificates in Egypt. ITIDA will ultimately determine the validity of every digital certificate in Egypt, and will certify “foreign”-issued certificates as well. ITIDA will license other entities to issue digital certificates as Certificate Service Providers (CSP), who in turn will issue digital certificates to end users in the private sector. On the public side, ITIDA will license a Government Certificate Authority (Gov CA) to issue digital certificates for official use. Figure 1 shows the organization of the Root CA structure. A “trust center” will be built around the Root CA that will operate around the clock, the physical attributes of which will ensure the highest degree of security for the operational integrity of ITIDA’s activities as Root CA.
Figure 1
Source: ITIDA4
ITIDA has entered into Memoranda of Understanding (MoUs) with Germany and
Korea.
4 http://www.itida.gov.eg/E-Signature.asp
Figure 2
Source: ITIDA5
5 Ibid.
V. Benchmarking
The main lessons learned concerning each category and the relevance of these lessons to the situation in Egypt follow, and are supported with country examples. This benchmarking focuses on key issues of rolling out PKI-based e-signatures in Egypt.
2. Institutional Arrangements
The two systems described above (tScheme in the U.K. and Gatekeeper in Australia) do not differ fundamentally in their approaches and actually impose similar criteria for those seeking to become authentication service providers.
11 Available online at: http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN010239.pdf See section 18(b) for Root Certifying Authority role and section 20 for role as National Repository of Digital Signature Certificates.
Manage digital certificates;
In the United States, the policy framework governing the public key infrastructure (PKI) component of the Federal Enterprise Architecture is available at: http://www.cio.gov/ficc/documents/CommonPolicy.pdf. This policy framework incorporates six specific certificate policies: (i) a policy for users with software cryptographic modules, (ii) a policy for users with hardware cryptographic modules, (iii) a policy for devices, (iv) a high assurance user policy, (v) a user authentication policy, and (vi) a card authentication policy.
16 The authentication framework can be found at http://www.agimo.gov.au/infrastructure/authentication/agaf_b .
Businesses can be found at: http://www.agimo.gov.au/__data/assets/file/53619/General_Business_Certificate_Policy_Specification.rtf
17 Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, OJ L 13, 19.1.2000, p. 12.
18 See Report from the Commission to the European Parliament and the Council, Report on the Operation of Directive 1999/93/EC on a Community Framework for Electronic Signatures, March 2006, available at: http://ec.europa.eu/information_society/eeurope/i2010/docs/single_info_space/com_electronic_signatures_report_en.pdf
certificate must adhere is universally recognized. The “quality” of the certificate is linked to the “security” of the certificate and the practices of the CA.
19 UNCITRAL Future Work, at para. 13(c), p. 9.
20 Section 13(1) of the Electronic Communications and Transactions Act, 2002.
21 Section I §1(2) of Federal Electronic Signature Law of Austria; Section §1(2) of German Electronic Signatures Law and Section 5 of Electronic Transactions Act of Singapore; Section
22 Section 26 of Thailand’s Electronic Transactions Act (2001)
23 Part 1 of Chapter III of Electronic Communications and Transactions Act; see also D. Campbell, E Commerce and the Law of Electronic Signatures, p. 567
5. Interoperability
25 See Bridge/Gateway Certification Authority Page at: http://europa.eu.int/idabc/en/document/2318
The following summary table provides some international examples of interoperability.26
Cross
Recognition)
26 This table is found at: http://www.galexia.com/public/research/articles/research_articles-art32.html#Heading96
2
and certain has n pairs, technical
limiting factor is direct trust
certification certification barriers, but bridge
workload
paths back to paths may be challenging
trusted root long administrative
co-ordination
1. Applications
Five years ago, web-based applications were the most popular PKI applications in the market followed by server certificate authentication. Organizations preferred key pair solutions (server certificates) compared to hardware type solutions (tokens) mainly due to their ease of implementation. Now, with two-factor authentication becoming more “mainstream”, the use of a physical item (e.g. tokens, smart cards, grid card) may increase.
The applications that can use digital certificates vary but can be broadly placed in a series of categories
27 Section 24 of Austria’s Federal Electronic Signature Law; and Section 23 of Germany’s Law on Framework Conditions for Electronic Signatures
Digital signatures may serve as the electronic equivalent of “wet” or “paper-based” signatures. In a large number of jurisdictions, the equivalency of such signatures has been confirmed in law. For example, in Austria, the use of a secure electronic signature meets the legal requirements for a hand-written signature under the Federal Electronic Signature Law.28 The German law provides that use of a qualified e-signature meets the legal requirement for a hand-written signature.29 A requirement in law that a document or information must be in writing is met, in South Africa, if the document or information is “in the form of a data message”.30 A similar provision is contained in the Mauritius e signature law.31
(a) Finland
28 Section 2 §4(1)
29 See D. Campbell E Commerce and the Law of Electronic Signatures, p. 240
30 Section 12 of Electronic Communications and Transactions Act (2002)
31 Sections 5 and 6 of the Electronic Transactions Act (2000) of Mauritius.
32 See News report at: http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=30340
33 E-Government in Finland 2007. Available at: http://ec.europa.eu/idabc/servlets/Doc?id=28744
Online change of address34
(b) Canada
The first provider of epass-enabled service was the Canada Revenue Agency (“CRA”). As of March 2007, fifty-nine of sixty-five programs on-line across twenty-two Canadian federal government departments are epass-enabled. These include:
34 See: http://www.vaestorekisterikeskus.fi/vrk/home.nsf/maindocuments/a092a36e225eadfec2256c93003bae20?opendocument
35 See http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=44510
36 See https://www.cosic.esat.kuleuven.be/modinis-idm/twiki/bin/view.cgi/Main/FinnishProfile
Over 2.4 million epasses were issued as of February 2007.
37 See “Secure Channel and e-business Standards”. Presentation by Bob Sunday, Office of Chief Information Officer, Government of Canada, available at: www.isacc.ca/isacc/_doc/Book21-2007/ISACC-07-37304.ppt
38 While this OMB report is somewhat dated, an extensive literature search provided this as the only document discussing US e-government initiatives that use PKI.
39 See Highlights document available at: http://www.pubklaw.com/ecomm/d04157high.pdf. The full report is available at: http://www.gao.gov/new.items/d04157.pdf
40 See “Electronic Identity Being Consciously Promoted in Europe and Around the World” available at: http://e.finland.fi/netcomm/news/showarticle.asp?intNWSAID=43382
somehow known to each other (e.g. the issuer is the institution with whom the certificate holder is or will become a client). From a privacy perspective, this is not a bad thing but it means that digital certificates are often used for only one application. In Canada, the federal government’s epass service is based on the CA not knowing the identity of the certificate holder.
(e) Asia
“Internet Banking
All banks deployed licensed certificate authentication system. If a customer has to transfer his money online, the customer must sign digital signature using his licensed certificate. Some banks enhance the level of control by blocking to see the transaction of an account if they haven’t a certificate.
E-Government
The government services web sites for civil petition, many types of certificate issuance, notification of internal work process, etc. With licensed certificate, people submit their digital signatures when it is needed and access related information, get certificates by printing, and request civil petition.
E-Commerce
When they use credit card on the Internet shopping mall site, they have to submit digital signature if the total price of the product exceed 300,000 Korean Won. It is now applied to major two credit card companies, but supposed to apply to every credit card company from October 2005. It is expected to block illegal usage of credit cards.”
Korea : E-Commerce : Digital Content Authentication
(f) Africa
2. Distribution of Certificates
42 See http://www.certification.tn/index.php?id=149
43 See http://www.certification.tn/index.php?id=139
44 See http://www.certification.tn/index.php?id=140
45 See http://www.certification.tn/index.php?id=128
46 See section 28 of South Africa’s Electronic Communications and Transactions Act, 2002.
certificate.
Certificates stored on a computer hard drive are the least expensive means of storing a certificate but also the least secure. Essentially, a browser generates the private and public keys. The certificates and private keys are then stored in PIN-protected, encrypted files on hard drives. The browser performs functions such as encryption/decryption and digitally signing electronic documents using those certificates and private keys.
USB tokens that plug directly into a Universal Serial Bus (USB);
47 The figures provided here are drawn from data available at the public websites in these countries.
48 For an interesting discussion on the subject of “calculating” PKI ROI, see, e.g., “Guidelines on how to determine Return on Investment in PKI”, available at: http://www.oasis-pki.org/whitepaper/roi.pdf published by the OASIS PKI Group (OASIS Paper).
the pricing of certificates is often not readily available.49 Usually, in terms of cost, the fixed and variable cost of producing certificate no. 1 is the total cost of establishing the Certification Authority issuing the certificate. The marginal cost of producing certificate no. 2 is zero (this leaves aside any licensing fees associated with certificate production).
Figure 3 (diagram labels: End user, Registration, RA, CA, Certificates, Key Media, Application)
Adapted from OASIS PKI White Paper
49 An illustration of pricing, the cost of obtaining identity and encryption certificates under the ACES program in the United States from one service provider, and examples of pricing for certificates issued by the Washington State Certification Authority are provided in Annex 3.
Four types of cost can be identified and need to be estimated to determine the Total Cost of Ownership for a PKI system:
End user related - All costs associated with supporting end users, including help desk, education, and the marketing efforts frequently undertaken to promote the benefits of PKI. Note that some costs are borne directly by the user; for example, the user may need to spend time and money presenting in person to a Registration Authority (RA).
Box 150
50 See, OASIS Paper,
will influence cost/pricing of certificates. As an example, the issuance of certificates through the epass program in Canada is done electronically; the verification of identity is done online through the use of shared secrets between the institution and the client seeking to register a digital certificate with that institution. This is a lower cost exercise than if the client had to present him/herself to an individual and provide tangible proof of identity.
51 See, Eric Guizzo, “Britain’s Identity Crisis: Proposed biometric ID cards won’t prevent fraud or terrorism”, IEEE Spectrum, January 2006.
VI. Recommendations for strengthening Egypt’s e-signature and PKI enabling environment
which kinds of electronic transaction activities ITIDA expects will be subject to PKI, ITIDA can also better understand the cost and benefit structure of implementation of PKI in Egypt. In this regard it is understood that a key element of this will be the awareness raising campaign, which is the subject of the next phase of the World Bank RTA with ITIDA. This campaign should also foster trust and confidence and enhance greater use of the systems made available under the PKI regime.
F. International Considerations
The United Nations General Assembly recently approved the opening for signature of the UNCITRAL Convention on Electronic Contracting (Convention).52 The Convention applies to cross border e-commerce activity, and therefore falls outside the focus of this report, insofar as the scope for the report deals with use of e-signatures within Egypt. However, the Convention raises at least one interesting issue with respect to the Law in Egypt. The Convention contains a “party autonomy” provision that permits the parties to a transaction (or a series of transactions) to determine their own protocols – as between the parties – that will apply in terms of authentication. The Law only provides that foreign certificates (i.e., PKI-based e-signatures) can be recognized in Egypt. However, as noted in 4.A, above, the Law does not have a party autonomy provision. Therefore, in terms of cross-border authentication, foreign parties not relying on PKI-based authentication cannot be assured that their electronic contract will be automatically granted legal validity. It does not necessarily mean that the contract would be voided, but the burden of proof would shift to the party claiming validity of the e-signature. Finally, if Egypt were to ratify this Convention, it may need to do so on the basis of an exception to the Convention’s party autonomy provisions.
52 United Nations Convention on the Use of Electronic Communications in International Contracts, adopted by the General Assembly on 23 November 2005, available at: http://www.uncitral.org/uncitral/en/uncitral_texts/electronic_commerce/2005Convention.html
VII. Glossary
Bridge CA
Certificate
CRL
domain.
53 See: http://en.wikipedia.org/wiki/X.509
VIII. Annexes
IX. Bibliography
General References
Baker & Mckenzie: http://www.bakernet.com/ecommerce/germany-t.htm
For E signature in South Korea:
For E signature legislation in Mexico (in Spanish), see:
For E signature/commerce legislation in Mauritius, see:
http://www.lowtax.net/lowtax/html/jmuecom.html
On list on countries with e signature legislation, see:
http://rechten.uvt.nl/simone/ds-new.htm
www.gov.mu/portal/goc/ncb/file/eta.pdf
ANNEX 1
AUSTRIA
54 Geoges Fischer article, p.166
CANADA
Legal Basis: The Personal Information Protection and Electronic Documents Act is the Federal law; there are various provincial laws on e-signatures, but these statutes do not apply to elections legislation, wills and trusts, powers of attorney, documents relating to interest in land matters and negotiable instruments
Institutional Arrangements:
Security:
Party Autonomy: The legislation does not require use without a person’s consent; parties can opt out.
Interoperability (cross border recognition): There seems to be no provision in the federal law relating to recognition of foreign certificates and electronic signatures. The legislation does contain, however, provisions on place of sending and receipt of electronic communications
Interoperability (cross certification):
E Government:
GERMANY
MAURITIUS
SINGAPORE
SOUTH AFRICA
Interoperability (cross certification):
E Government: E Government services are recognized: any public body that accepts the filing of documents or requires that documents be created or issues any permit/license or approval or provides for a manner of payment may do so through data messages or electronic means
SOUTH KOREA
Legal Basis: Has two laws: The Basic Law on Electronic Commerce and the Electronic Signature Act (1999)
Institutional Arrangements: The Act mandates the Government (Ministry of Information) to designate an authorized certification authority to ensure the security and reliability of electronic commerce and to promote sound transactions. The Act designates KISA (Korean Information Security Agency) as the body responsible for supervising e signature certification services.
Security: The Act distinguishes between accredited electronic signatures (based on an accredited certificate and meeting specified security requirements) and other e signatures.
Party Autonomy:
Interoperability (cross border recognition): The Act provides that the Ministry of information shall promote activities aimed at achieving smooth interoperability of e signatures, domestically and internationally.
Interoperability (cross certification): The Act provides that the government may enter into agreements with other foreign governments for mutual recognition of e signatures. Such agreement shall grant “the same legal status or effect” to a foreign CA or e signatures or certificate issued by a foreign CA as the Korean certificate or e signature.
E Government: An “E Government Act” was enacted to promote efficiency in public services
THAILAND
Interoperability (cross certification): Promoted: Certificate of e signature is effective regardless of geographic location of where certificate is issued or the e signature is created or used; and regardless of geographic location of place of business of issuer of certificate or signatory.
E Government: The Act applies to transactions (applications, payments, permissions, registrations etc) of the affairs of the State or State agency; Additional Requirement: Royal Decree may require the CSP to the public to notify or apply for registration or prior to commencement of business with public sector
UNITED KINGDOM
Bank Services
o Bradesco http://www.bradesco.com.br/br/pessoa-fisica/prods
o Bradesco http://www.bradesco.com.br/pj/conteudo/pergunt
o Unibanco http://www.unibanco.com.br/epd/sgr/cer/index/.asp
Notarial Services
o http://www.notariado.org.br/soft.asp
o http://www.anoregpr.org.br/certificacaodigital.htm
Agrobusiness
o http://www.agrolivre.gov.br/modules/tinycontent/index.php?id=3
ANNEX 3
A. United States
Description | Commercial Clin # | Commercial Price | Government Clin # | Government Price
Individual and Business Representative Certificates (Level 3)1
Per Certificate
Digital Signature Certificates 0051a 0002
over 25,000 $30.00 $29.00
over 25,000 $25.00 $24.00
35F-164J
Technology Updates N/A 0005 refer to GS-35F-164J
Ad Hoc Data Collection, Analysis, and Dissemination N/A 0006 refer to GS-35F-164J
Component and Code Signing certificates (Level 3)1
Per Certificate
Application Digital Signature Certificates 0052a $500.00 0008a $490.00
1,001 to 10,000 $13,200.00 $12,000.00
10,001 to 25,000 $26,400.00 $24,000.00
25,001 to 50,000 $52,800.00 $48,000.00
over 50,000 $105,600.00 $96,000.00
Per Transaction
Validation Volume 5,000,000 to 10,000,000 $0.65 $0.579669
Per Day
class size of 10)
LRA Training and Certification of trusted individuals in your organization to streamline registration process 0055a $2,500.00 0011a $2,300.00
Recovery Process associated with an (optional) tailored organizational private key archival and recovery system for encryption private keys 0055b $2,500.00 0011b $2,300.00
PKI Sponsor training and certification of trusted individuals in an organization to request, renew and use component certificates 0055c $2,500.00 0011c $2,300.00
Code Signing Attribute Authority (CSAA) training and certification of trusted individuals granted signature authority for an organization to authorize applications or individuals for a code-signing certificate 0055d $2,500.00 0011d $2,300.00
Key Recovery Official Training and certification of trusted individuals in accordance with the requirements of the U.S. Government Key Recovery Policy (KRP) 0055e $2,500.00 0011e $2,300.00
On-site Registration Authority Daily Rate, per day 0055f $2,500.00 0011f $2,300.00
Technology Support
Per Hour
Schedule
Senior Level Hourly Labor Rate 0056b $205.00 refer to GSA Schedule
Per Year
Gold Technical Support for all supplies and services5 0056c 20% of total cost 0012a 20% of total cost
Platinum Technical Support for all supplies and services6 0056d 30% of total cost 0012b 30% of total cost
Smartcard (Token, USB Reader, and Software) 0057a $102.50 0013a $100.50
B. State of Washington Pricing (2003)
Initial Certificate Pricing: For High and Intermediate Assurance Level Certificates, prices below include the cost of hardware and software cryptographic modules as required by the Washington State Certificate Policy. Standard Assurance Level Certificates use an Internet Browser or Roaming software client to manage and protect Private Keys and Certificates and therefore do not require the purchase of special hardware or software for Private Key protection.
$10.00
Standard Assurance Level Certificates
Browser-Based Certificates
Price includes the Annual Subscription Fee*, and issuance of a single signing Certificate (which may also be used for authentication and access control). Browser-based Standard Assurance Level Certificates are stored in a workstation’s browser and require the use of a Microsoft Internet Explorer (IE) Version 5.xx or higher or Netscape Version 4.7 or higher browser that supports 128-bit encryption (browser is not included in the price). Key recovery services are not offered for browser-based Standard Assurance Level Certificates.
Roaming Certificates
Price includes the Annual Subscription Fee*, and issuance of a single signing Certificate (which may also be used for authentication and access control). Uses an unlimited-use downloadable “roaming” client to allow an individual to access their Private Key and digital Certificate from any compatible workstation connected to the Internet. Uses a familiar user name and password interface and provides the user the ability to reset their password up to five times per year. Requires Windows 98 or higher and Internet Explorer 5.xx and higher or Netscape 4.7. Key recovery services are not offered for Standard Assurance Level Roaming Certificates.
$10.00
Standard Assurance Level Certificates
Browser-Based Certificates
Price includes the Annual Subscription Fee*, and issuance of a single signing Certificate (which may also be used for authentication and access control). Browser-based Standard Assurance Level Certificates are stored in a workstation’s browser and require the use of a Microsoft Internet Explorer (IE) Version 5.xx or higher or Netscape Version 4.7 or higher browser that supports 128-bit encryption (browser is not included in the price). Key recovery services are not offered for browser-based Standard Assurance Level Certificates.
$10.00
Roaming Certificates
Price includes the Annual Subscription Fee*, and issuance of a single signing Certificate (which may also be used for authentication and access control). Uses an unlimited-use downloadable “roaming” client to allow an individual to access their Private Key and digital Certificate from any compatible workstation connected to the Internet. Uses a familiar user name and password interface and provides the user the ability to reset their password up to five times per year. Requires Windows 98 or higher and Internet Explorer 5.xx and higher or Netscape 4.7. Key recovery services are not offered for Standard Assurance Level Roaming Certificates.