Legal Issues on PKI & qualified electronic certificates

THIBAULT VERBIEST
  • Attorney-at-law at the Brussels and Paris Bar
  • Professor at the Universities of Liège and Paris I Sorbonne
  • Chairman of the Internet Rights Observatory

WWW.ULYS.NET
thibault.verbiest@ulys.net

Introduction & awareness case

"E-commerce is seeing rapid growth both for companies as well as for consumers. But without security and trust, financial and commercial transactions via the Internet will not see decisive growth" (EU Commission statement)

Hi my name is G. W. Bush and please transfer $1.000 to

Trust & Security online?

  • Technical trust
      • Know your customer
      • Guarantee the integrity of the message
      • Guarantee the confidential character
  • PKI based solutions
  • Legal trust
      • Admissibility of technical measures
      • Electronic 'contract' or instruction is valid and effective.
  • Adequate regulatory framework

Regulatory Framework

  • Electronic signatures
      • European Union: Directive 99/93 on electronic signatures
      • Belgium: Act of 20 October 2000 & Act of 9 July 2001; Royal Ordinance of 6 December 2002 (CSP)
  • Electronic commerce
      • European Union: Directive 2000/31 on electronic commerce
      • Belgium: Acts of 11 March 2003 on electronic commerce

Regulatory Framework - Europe

  • Directive 1999/93 on electronic signatures (13.12.99)
      • Entry into force: 19 January 2000.
      • Implementation by Member States: 19 July 2001.
  • Main principles
      • Enhance internal market principles:
          • mutual recognition & cross-border provision
          • Third countries?
      • Everybody is free to run a CSP (CA)
          • no prior authorisation / voluntary accreditation?
      • Electronic signatures may not be denied legal effect (cf. notion of electronic signature)
      • Technology-neutral legislation

Regulatory Framework - Belgium

  • Act of 20 October 2000:
      • admissibility and legal recognition
      • Modifications of Belgian Civil Code (art. 1322) and Civil Procedure Code
  • Act of 9 July 2001 on certain aspects of electronic signatures & certification services
  • Royal Ordinance of 6 December 2002 on the accreditation of Certification Service Providers (CSP)

BE.SIGN (be.sign@mineco.fgov.be)

Regulatory Framework - Act 9 July 2001

  • Principle of non-discrimination (art. 4 § 5)
      An electronic signature cannot be denied legal effectiveness solely on the grounds that it is an electronic one
  • Principle of assimilation (art. 4 § 4)
      hand-written signature = electronic signature IF
      • advanced electronic signature based on a qualified certificate and which is created by a secure-signature-creation device
      • Key notions: advanced electronic signature & qualified certificate

Regulatory Framework - Act 9 July 2001: Notions

  • Electronic signature: method of authentication
  • Advanced electronic signature: electronic signature that is
      • uniquely linked to the signatory;
      • capable of identifying the signatory; [Identification]
      • created using means that the signatory can maintain under his sole control; and [Confidentiality]
      • linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. [Integrity]

Regulatory Framework - Act 9 July 2001

"Qualified certificate": a certificate which meets the requirements laid down in Annex I and is provided by a CSP who fulfils the requirements laid down in Annex II.

Regulatory Framework - Act 9 July 2001: Annex I: requirements qualified certificate

  • an indication of qualified certificate;
  • the identification of the CSP and Member State;
  • the name of the signatory or a pseudonym;
  • provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
  • an indication of the term;
  • the identity code of the certificate;
  • the advanced electronic signature of the CSP issuing it;
  • limitations on i) the scope of use or ii) limits on the value of transactions.

Regulatory Framework - Act 9 July 2001: Annex II: requirements CSP - qualified certificate

  • Must be reliable and ensure the proper functioning of a directory and revocation service;
  • Verify the identity and any specific attributes of the person to which a qualified certificate is issued;
  • Use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;
  • Take measures against forgery of certificates;
  • Maintain sufficient financial resources;
  • Precise terms and conditions regarding the use of the certificate.

Regulatory Framework - Act 9 July 2001: Liability of CSP (art. 14)

A CSP of qualified certificates is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate:
  • for the accuracy of all information;
  • for the assurance that the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate;
  • for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification-service-provider generates them both;
  • in relation to a failure to register revocation of the certificate;
AND the CSP does not prove that he has not acted negligently.

Supervision & Accreditation

  • Ministry of Economic Affairs
  • Procedure described in the Royal Ordinance of 6 December 2002 on the accreditation of Certification Service Providers (CSP)
      • Audit: cf. the requirements
      • BE.SIGN accreditation is valid for three years

Final remarks

Q & A

Thibault.verbiest@ulys.bet
www.ulys.net
www.droit.be
www.internet-observatory.be