<<< Brute forcing symmetric keysMy presentation at Cryptonite >>>

The European Commission is performing a review of Directive 1999/93/EC on electronic signatures. The text of the latest proposal can be found here.

While this is still a proposal, it is in an advanced state (first reading) of the law making process of the EU. Chances are very high that this will be in effect, at most minor, cosmetic changes are expected.

My key observations:

  • This is not a directive anymore, but a regulation. An EU regulation is immediately enforceable, while directives need to be transposed into national law. - I like this change, this could make some order in the chaotic jungle of national e-signature regulations in member states.

  • The Regulation is planned to become effective on the 1st of July 2016, and also repeals the current Directive 1999/93/EC.

  • The new text would introduce the concept of an identification scheme, which describes how each member state identifies their citizens.

  • It introduces new 'trust services' which could be provided by trust service providers. (The current Directive contains only one trust service, the certification service, i.e. the service for issuing certificates for electronic signatures.) The new trust services are as follows:

    • Validation service. This means there would be dedicated service providers for validating electronic signatures. - I understand the reasons for this but I still do not like the concept of having dedicated service providers for this, I think it makes it all too complicated. An end user should be able to validate a signature on her machine.

    • Time stamping. In order to properly verify an electronic signature, you need a point of time when the signature already existed. Preferably this is close to the time the signature was created. This is why time stamping goes hand in hand with e-signatures in some member states, while other member states do not have this concept at all. - I like the idea of regulating time stamping on an EU level.

    • Electronic seals. Electronic signatures were supposed to be signatures of natural persons only. However, there is a business need for 'signing' documents by a legal person (e.g. by a company or by a governmental organization), some member states already included this in their legislation, while some others did not. The Regulation plans to provide a solution for this, and it calls the signature of a legal persons a 'seal'. - I like this, solution, it fulfills a real business need.

    • Preservation service. The preservation service provider stores documents with electronic signatures in a special way so that their signatures can be validated on the long-term, even when previously secure cryptographic algorithms become obsolete. - I think this is rather an area of application and should not be in this regulation.

    • Electronic registered delivery service. This service is for proving that a certain electronic document has been delivered to a certain party. - Again, I think this is another area of application and should not be in this regulation.

    • Website authentication, essentially the issuance of SSL certificates. - This is the part of PKI that works in practice. Actually, it works without EU-wide legislation. I am not sure why this legislation is needed here.

    Each service can be provided on a 'qualified' level; 'qualified' service providers are supervised more closely, and thus provide a stronger legal effect. (The rule of thumb is that a service provided by a 'qualified' service provider is presumed to be provided 'well', and the opposite needs to be proven.)

  • There is a strong emphasis on the security of service providers, and on EU-wide cooperation for registering service providers and sharing information on them (via so-called trust lists). There is also a strong emphasis on breach notification.

  • Some almost technical rules appear in the proposed regulation. For instance, it is stated that a signature is verified with respect to the time a signature is created. Today only the German law contains such a statement.

To sum it up, the proposed regulation makes no radical change to the rules of the Directive. It enhances the current framework with a lot more trust services and integrates some lessons learned.

The Commission started the review of the Directive because of lack of progress in the field of electronic signatures since 1999. The current regulation is not considered good enough, and the Commission is trying to solve this by regulating a much broader field - along the similar principles the current regulation is created.

I reckon there are reasons for the lack of growth regarding electronic signatures. (With the main reason being the lack of areas where signatures could be used.) I do not see the proposal addressing these reasons and I do not see the proposal trying to come up with a paradigm for regulation which is different from the one that has already failed in the past.

Edited to add (2014-05-03): While this is just a proposal, chances are high that this will become effective, at most minor, cosmetic changes are expected.


The corresponding entry in Hungarian...


This is my personal website, opinions expressed here are strictly my own, and do not reflect the opinion of my employer. My English blog is experimental and only a small portion of my Hungarian blog is available in English. Contents of my blog may be freely used according to Creative Commons license CC BY.