Social Icons

twitterfacebookgoogle pluslinkedinrss feedemail

Pages

Wednesday, February 12, 2014

Last chance for #eIDAS REGULATION. That is, electronic signature

Since the middle of 2012 began to circulate a first draft of what should be a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market.

This Regulation would replace and expand the current DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 December 1999 on a Community framework for electronic signatures.


Last January, I had the opportunity to attend the 3th Trust Service Provider Summit in Berlin.

Key speakers were Mr. Gérard Galler, policy officer at the European Commission, who explained the current status of that Regulation and the next steps and Stefan Altmeppen, representative of the Federal Ministry of Economics and Technology (Bundesministerium für Wirtschaft und Technologie), who explained Germany's position regarding the current proposal.

I do not intend to discuss here nor the content of the papers neither the current wording of the Proposal  and its implications, but it stage and the next steps. 

To be brief and concise, this regulation defines six electronic services to be ruled, namely:
  1. Electronic Signature
  2. Electronic Seal
  3. Electronic Time Stamp
  4. Electronic Documents
  5. Electronic Delivery Services
  6. Website Authentication

But not all member states believe that the whole six services have to be regulated. The common denominator are the first three service. All MS do agree to regulate them. Not so with the last three ones and this is what is currently being discussed at European level.

What things can change? 

It is argued, for example, that "Electronic document" is not a service, it is a definition and as much a format or set of formats to be accepted by European public administrations (remember the purpose of the Regulation, centered on "electronic transactions in the internal market."). I agree with this point, it is not a service, but the Regulation can close a standard definition (for Europe, and then there we go to conquer the Americas) and later, by implementing acts (implementing acts),  and it also can finish defining the acceptance-required formats.

For electronic delivery , it is not justified enough the issues presented , but I smell that threatens national monopolies or pseudo-monopolies such as "Posts and Telegraphs" or "Deutsche Post". Germany is especially critical with the current wording . Obviously I can not disagree more . This service should be standardized throughout Europe and further opening to competition of the private sector. Only in this way we will achieved efficiency.

Finally, the website authentication service, that is, just SSL certificates or a kind of EV SSL substitute called "qualified certificate for website authentication". As an ordinary citizen,  I do not care if it is regulated or not, if we are confident that the market regulates itself , but as a European and as a worker in the sector of electronic signatures, I am quite concerned that it is not regulated .

As a European because Europe is maybe the most committed continent to the electronic signature based on asymmetric cryptography, where we are powerful and, so, we should defend it (asymmetric cryptography based electronic signature) and promote it ... if we really think that this adds value to society.

As a worker in the sector, because industry self-regulation is actually a Microsoft, Mozilla and especially Google oligopoly (this three companies have an 85% market share and Chrome already has a 44%), that, taking advantage of their dominant position, they dictate standards that Certification Service Providers must hasten to comply. For instance, the CA / Browser Forum, published in less than a year five versions of its "Baseline Requirements", which, in short, are the requirements to be met by a Certification Services Provider issuing SSL certificates so that they are admitted in browsers by default. Can you imagine the work of these CSPs during that year, trying to adapt their certificates, services and processes every new change?

If finally the Regulation does not rule the requirements of SSL certificates, we will lose a great opportunity to balance negotiation power in improving Internet security.

What do I miss? 

The biggest thing I miss is the fact that the Advanced Electronic Signature based in Qualified Certificate is not explicitly regulated.

From my point of view, it is a type of signature that offers several advantages over the concepts of advanced electronic signature itself (AdES) and qualified electronic signature (QES), namely:

  • Regarding the first one, being the AdESQC based on a qualified certificate offers more guarantees linking and identifying the signatory (no need to remember the content and procedural requirements for a certificate to be considered as qualified.) This gives peace of mind to relying parties .
  • Regarding the QES , AdESQC does not have the drawbacks of secure signature-creation devices (SSCD). WE need to recall that the lack of usability has always been associated to the slow take-off of qualified electronic signatures , and we could say that 90 % of this lack of usability is because of the SSCD (Smartcard, reader , software, compatible operating systems and browsers , PIN , PUK and card locks , etc ...)
  • Finally, it seems that the trend , regarding both, electronic signature policies published by (Spanish) Public Administrations and the success of qualified electronic certificates issued on software (not a SSCD), is that the relationship between citizens and Public Administration is based on Advanced Electronic Signature based on Qualified Certificate (AdESQC).
Therefore, I think that giving a specific weight to AdESQC is beneficial to the countries, its Certification Service Providers (CSP) and increases the efficiency of Public Administration.


And when can this change? 

In this case, as important as what is when. Consider that between 22 and 25 May the European Parliament elections are held. This means that a month before the Parliament should be dissolved. 

Regulation is expected to be voted between 15 and 26 April, which means that a final version of it has to be ready in late February or at the latest, the first week of March. 

This has two implications:
  1. The current version of the Regulation may seem like an egg to a chestnut to the final one, so it's best to wait for the first half of March to look for a more closed to the final version wording. 
  2. That might be that, after all efforts, we are not in time, the voting goes to the next legislature and we lose the opportunity to approve the Regulation in the short term. 
That said, let we be attentive to the news on the Regulation in the coming weeks.

--
Do you think this is an interesting post? Just help me sharing it by clicking one of the buttons below.