Electronic and Digital Signatures: A Global Status Report - Executive Introduction 

 

Table of Contents

Acknowledgements
Executive Summary
I.           

INTRODUCTION
Private and Public Sector Confidence
Research Survey Objectives

II. UNCITRAL MODEL LAW AND EU DIRECTIVE
Electronic and Digital Signatures Definition
UNCITRAL Model Law
European Union Electronic Signatures Directive
Major Differences Between the UNICTRAL Model Law and the EU
          Electronic Signatures Directive
Conclusion
III.

STATUS OF ELECTRONIC SIGNATURES LEGISLATION
Status of the Electronic Signatures Legislation Enactment
Survey Results
          Legal Requirements for Electronic Signatures and Handwritten Signatures
          Definition or Liability Limitation for the Sender, Receiver or Certification
               Service Provider
          Geographic or Procedural Limitations That Could Prevent Cross-border
               Recognition of Electronic Signatures
          Provisions for Preserving Relevant Electronic Records
          Provisions for Nonrepudiation
          Electronic Signatures Records Archived by Law Enforcement
               Authorities/Agencies
          Provisions for Shared Secret for Signature of a Corporation or Other
               Artificial Legal Entity
Summary

IV.

GUIDELINES FOR IMPLEMENTING DIGITAL SIGNATURES
Legal Significance of Electronic and/or Digital Signatures
          How Does Digital Signature Technology Work?
          What Are the Legal Requirements for Business Partner's Jurisdiction
               as well as the Home Business Jurisdiction?
          Can Digital Certificates and Digital Signatures be Relied Upon-the Trust
               Issue?
          Is There a Need For a Contractual Agreement With Respect to the Use
               of Electronic or Digital
               Signatures?
          What Should be the Implementation Guidelines for Electronic or Digital Signatures?
Sample Steps for Implementing Electronic Signature Law
Conclusion

APPENDIX I.  

STATUS OF ELECTRONIC/DIGITAL SIGNATURE INITIATIVES IMPLEMENTATION AS OF OCTOBER 2001

APPENDIX II.  

STATUS OF US LAWS ON DIGITAL AND ELECTRONIC SIGNATURES

APPENDIX III.  

LIST OF CERTIFICATION AUTHORITY/TRUSTED THIRD-PARTY PRODUCTS AND SERVICES

APPENDIX IV.   URL INDEX

 

Executive Summary

Digital signatures, if properly implemented and utilized, could minimize risks of imposters, electronic forgeries and message repudiation. Digital signatures provide reliable authentication of documents in computerized digital form. Further, digital signatures provide a high degree of information security for information traversing public networks, such as the Internet, where anyone can spoof the data.

If digital signatures are used to replace written signatures for signing legal contracts and documents, they must contain the same specific properties that make a written signature a reliable form of authentication. They must be easy to produce, easy to recognize and difficult to forge. Also, the electronic or digital signature technology and implementation approach for document signing must be understood clearly.

This research noted that the requirements for country electronic signature laws might vary widely. The UNCITRAL Model Law and the EU Directive attempt to reduce legal barriers to using electronic technology to sign contracts. Some country laws only require electronic signatures while other laws only recognize digital signatures. The responsibilities of the sender, receiver and certification authorities are not addressed in all laws.

If a digital signature is used as the legal equivalent of a handwritten signature, especially in cross-border electronic commerce, careful legal review and advice about the national laws, with special focus on multiple jurisdictions, is strongly recommended. In addition to the national law, the state or province laws must be reviewed. If the country in which the trading partner resides does not have a digital signatures law, contractual agreement should address the legal perspective for the use of digital signatures.

While some laws provide that electronic signatures are admissible as evidence in any legal proceedings in relation to questions of communication authenticity or data integrity, others do not address whether electronic signatures are admissible as evidence in a court of law. Digital signatures in EU member states must meet a long list of requirements before being considered as equivalent to a handwritten signature.

Some laws do not have specific regulations addressing certification authorities and allow voluntary schemes for certification authorities. Laws in various European countries require that certification authorities are liable for the damage caused to any entity that relies on a qualified certificate. The only way to escape liability is if negligent action cannot be proven. The EU Directive provides that certification authorities may limit their liability and stipulate a financial cap for transactions affected or limit the use of their certificates. Foreign certification authorities within the EU member states are recognized within EU member states. However, some EU members do not recognize foreign certificates issued outside the EU member states for cross-border transactions.

The legal requirements for the business partner's jurisdiction, as well as the local jurisdiction, must be clear in the law or a separate contractual agreement. Due diligence ensuring a trusted environment for the use of digital signatures for document signing is required. If digital signatures and certification authorities are subject to conflicting legal and technical requirements in different jurisdictions, it may be difficult or close to impossible to use digital signatures in cross-border transactions.

There are costs associated with the implementation of a digital signature system, such as: establishing and utilizing certificate authorities, maintaining a repository of signer certificate related information, software and hardware support of digital signature administration, the verification process and the trusted environment, the hardware securing a subscriber's private key and the purchasing of certificates for issuance.

The many benefits of electronic signatures, specifically digital signatures for e-commerce, may far outweigh the costs. However, the real value of electronic signatures will be defined fully and understood generally only after applicable laws are tested and upheld in courts and organizations are convinced they can trust electronic signatures.

© 2002 Information Systems Audit and Control Foundation reproduction for any purpose is not permitted without ISACF prior written permission. No other right or permission is granted with respect to this work.

Print copies are available through the ISACA bookstore

Information Systems Audit and Control Foundation
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008, USA
Phone +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]