- Legal recognition: the Directive stipulates that an electronic signature cannot be legally discriminated against solely on the grounds that it is in electronic form. If a certificate and the service provider as well as the signature product used meet a set of specific requirements, there will be an automatic assumption that any resulting electronic signatures are as legally valid as a hand-written signature. Moreover, they can be used as evidence in legal proceedings.
- Free circulation: all products and services related to electronic signatures can circulate freely and are only subject to the legislation and control by the country of origin. Member States cannot make the provision of services related to electronic signatures subject to mandatory licensing.
- Liability: the legislation establishes minimum liability rules for service providers who would, in particular, be liable for the validity of a certificate's content. This approach ensures the free movement of certificates and certification services within the Internal Market, builds consumer trust and stimulates operators to develop secure systems and signatures without restrictive and inflexible regulation.
- A technology-neutral framework: given the pace of technological innovation the legislation provides for legal recognition of electronic signatures irrespective of the technology used (e.g. digital signatures using asymmetric cryptography or biometrics.)
- Scope: the legislation covers the supply of certificates to the public aimed at identifying the sender of an electronic message. In accordance with the principles of party autonomy and contractual freedom it does, however, permit the operation of schemes governed by private law agreements such as corporate Intranets or banking systems, where a relation of trust already exists and there is no obvious need for regulation.
- International dimension: so as to promote a global market in electronic commerce the legislation includes mechanisms for co-operation with third countries on the basis of mutual recognition of certificates and on bilateral and multilateral agreements.
Another important requirement for public key cryptography to be practically useful is the secure distribution of public keys. If you are dealing with a small group of people, you could exchange public keys directly, say using a disk. This is rarely possible in real life where you may need to deal with a large number of complete strangers and need to be sure of their true identities. This is where digital certificates come in. A digital certificate is an assurance provided by a third party (called a Certification Authority), e.g. GlobalSign, Verisign, etc., that a public key indeed belongs to the purported owner. A digital certificate contains a public key, the name of the person (or organisation) that the key belongs to, and the whole thing is authenticated with a digital signature.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.