
Tuesday, May 14, 2013

Legislator: no null rule (with common sense)

Electronic or digital signatures (mostly in ES) are a source of efficiency not only for businesses and governments but also for whole countries. Not surprisingly, their development is a priority for the European Commission and for many countries around the world.

But in order to use electronic signatures with legal guarantees, so that they can replace the handwritten signature or other mechanisms for authenticating the identity of the parties, expressing their will, or protecting the integrity of the information exchanged, it is necessary to legislate.

And not only is it necessary to legislate; it is also highly recommended to legislate in line with other countries if we want businesses in our country or region to be competitive in a globalized environment, if we want to facilitate foreign trade, and if we want government, businesses and citizens alike to benefit from economies of scale.

Besides a coordinated legislative process, or at least one aligned with other existing legislation, it is also necessary to build on standards, specifications and best practices, whether mandatory or widely accepted, depending on the region.

Some of these rules or standards are:

  • RFC 3647 (IETF PKIX): Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework.
  • ETSI TS 102 042 (ETSI): Technical Specification. Policy requirements for certification authorities issuing public key certificates.
  • CWA14167-1 (CEN): Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements.
  • WebTrust for CA (AICPA/CICA): WebTrust Program for Certification Authorities.
  • ...

Basically, the regulatory process should consider the following points:

  1. Drafting of the law itself, in which a section of straightforward definitions is very important. Any ambiguity on this point will generate distrust among companies and citizens and, consequently, a slow deployment of electronic signatures.
  2. Development of the regulations that implement that law.
  3. Development of a procedure for approving prospective suppliers or certification service providers, specifying the legal requirements: form of corporation, capacity and financial standing, technical and personnel resources, operational and procedural requirements, etc.
  4. Eventual establishment of the body responsible for conducting or supervising the approval processes and the maintenance of approvals.
  5. Implementation of a continuous process of review and updating of the above, especially point 3.

For all this, having the support of staff experienced in the different phases ensures uniformity throughout the process, a clear and explicit definition of each point, and alignment with international best practices.