Thursday, July 25, 2013

ISACA, Barcelona, electronic signature and an audit guide, part 2

As I commented a week ago, on June 4 ISACA's Barcelona chapter (ES) held the session "Electronic Signature", in which I was fortunate to take part as a speaker.

In this post I continue with the market trends that were on display there.

The implementation model moves between two extremes:

  1. The classic one, based on certificates on a cryptographic smart card plus a card reader, or on a cryptographic token.
  2. The cloud service model, with the keys stored who knows where, possibly in a hardware security module (HSM).

Between the two extremes there are, of course, intermediate solutions. The first model provides more legal guarantees and is more secure (I have my keys with me, in my wallet), but it is more complex (hardware is needed) and, as the number of users grows, more expensive (the variable cost matters).

The second model, on the other hand, is much more convenient and easier to deploy, but it offers less security, and its legal value as evidence is generally lower (see the details in I'm siiiiiiiigning in the cloud...).

electronic or digital signature, depending on the region

From my point of view, the question is not WHETHER Europe will admit centralized electronic signature (in an HSM, for example), but WHEN. If Europe wants to be competitive, it may have to stop protecting its major manufacturers of cryptographic cards and let the market become more dynamic.

As for regions, Catalonia has followed the CATCert model, more flexible and dynamic, with software certificates, different profiles and a key escrow service. At the Spanish level, a pure type 1 model was chosen, i.e. the eID on a smart card plus a reader that you get wherever you can (or, at times, free at police stations), along with PIN and middleware hell.

At the European level there are different implementations and interpretations of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, with HSM-based, classical and proprietary solutions (again, more details in I'm siiiiiiiigning in the cloud...).

Latin America has followed an approach closer to European legislation than to the American one, which, together with cultural ties, has made it easier for Spanish companies to export their services, products and expertise overseas.

In the USA, as I commented in An electronic signature bridge between continents, solutions seem to pivot around two options: capture of a handwritten signature in a face-to-face process, for the private sector, or PKI-based electronic signature for federal agencies. I do not want to bore you by repeating what I already said in that entry.

The future

From my point of view, the future of electronic signature goes two ways. The first, already mentioned, is "centralized" signature, with the clarification that access to the key, or activation of the key for signing, will be done from the mobile phone.

The second is lowering the level of signature required for transactions with the public administration. We have to move, and not only in Spain, towards a situation where the vast majority of procedures can be performed with an advanced electronic signature (FA), a qualified electronic signature (FR) is required only for the few formalities with a really heavy legal load, and an electronic signature that we could call "ordinary" (FO) suffices for very low-impact queries (here are the definitions of FR, FA and FO).

from qualified electronic signature to advanced electronic signature

On the other hand, we must not fall into the trap of doing a "risk analysis" for everything, and start defining levels, sub-levels and meta-levels, with as many signature and authentication mechanisms to match.

And finally, I will talk about the "Guide for auditing systems where electronic signature has been deployed" in a third and final entry, hoping it gets published. So...

... to be continued ...

