Electronic Signature - Carleton University










Electronic Signature

Research Paper

Class: 51.429B E-Commerce
Professor: R. L. Campbell
Author: Emilia Caprndova
Place: Carleton University
Student no.: 31 22 81
Date: February 28, 2002

1. Introduction

The Internet rules the world.

This idea is probably a bit strong and only a matter of opinion, but it provides a lot of issues to think about. In just a matter of time our society will be absolutely dependent on electronic devices, electronic communication and mail, electronic commerce and also the electronic signature.

This paper is dedicated to some issues about the electronic signature, starting with questioning its importance and then coming through definitions and systems of how it works. Although it contains some technical information, this is explained in a user-friendly way.

The electronic signature is also viewed through model laws and publications of various organizations: United Nations Conference on International Trade Law [1], European Union [2], American Bar Association [3] and also the legislation of countries such as Canada (federal and Ontario legislation), Germany, the Czech Republic and the Slovak Republic.


2. Why Do We Need Electronic Signature?

The question here is: why do we actually develop a new system of signing? What is the advantage of using an electronic signature?

The idea of the electronic signature emerged hand in hand with the arrival of a new computerized world. Although a couple of years had to pass until computers became a necessary part of human life, the situation today shows that we can hardly work without them.

Computers and the Internet make life easier. They save money, time, labour, paperwork and space. They help to prevent errors and make work more efficient. Data need to be entered into the computer only once, and sending them to somebody else can take as little as a few seconds. Documents can be kept in an electronic form and don’t have to be put on paper.

With the more widespread use of computers, and especially of the opportunities offered by the Internet, more and more communication and trade are done through these new devices. It is an easier way to do business and to enter into contracts. The law, of course, has had to adapt and respond to such a challenge.


One of the serious problems brought by the new era is how to deal with the need for a contract that has to be in writing and signed. The Slovak [4] and Czech Civil Code [5] state in subsection 40 (1) that if a legal act is not carried out in the way prescribed by a statute or by the agreement of the parties, it is void. The written form has to be used only when there is an express need for it, as in other legal systems. The civil code and other statutes then ask for a written form, e.g. for a guarantee, contracts on immovable property or a testament.

In Anglo-American legal systems, Statutes of Frauds [6] mention situations when contracts have to be in writing and signed, e.g. contracts on real property, contracts that cannot be carried out within a year, or guarantees. Subsection 2-201 (1) of the Uniform Commercial Code [7] requires a contract for the sale of goods for $500 or more to be in writing and signed in order to be enforced in court. On the other hand, according to section 4, part I of the new Ontario Sale of Goods Act [8] or article 11 of the Vienna Sales Convention [9], a contract for the sale of goods doesn’t have this requirement.


However, nowadays society very often uses the written form even though it is not compulsory, and calls for a contract formed by computer means and sent over the Internet to have the same value as a written and signed one. Today we cannot rely only on trading partners and people we know; very often we deal with unknown parties. Therefore, we prefer to use the written form, which can more easily confirm and enforce our contracts, communication or anything we find important.

If a written document is to have full legal power, it has to be signed.

Subsection 40 (3) of the Slovak Civil Code states that a legal act (e.g. a document) is valid when it is signed by the person carrying out this act. This signature can be replaced by mechanical devices on occasions when that is usual. The importance of this subsection is that it shows the connection between the written form of a legal act and the necessity of a signature.

According to subsection 40 (4) of the Slovak Civil Code, the written form is maintained if the legal act is executed by teleprint, telegraphic or electronic means that make it possible to capture the legal act and to determine the person who executed it. This subsection is helpful when a legal act should be signed with an electronic signature.

The Czech Civil Code has the same provisions as the Slovak one, except that the Czech Act on Electronic Signature [10] added a new sentence to subsection 40 (3): if a legal act is carried out by electronic means, it may be signed electronically pursuant to the Electronic Signature Act. In other words, legislation adapts to the possibility of using a non-traditional way of signing.

Let’s take into account all the advantages of a contract in writing on the one hand, and on the other hand the advantages of less paperwork and easy, almost instantaneous and cheap communication through the Internet and with the use of computers. The simple result would then be to enable a contract formed by using computers and the Internet to have the same status and validity as if it were written on paper and signed.

One possible solution to this problem could be the use of an electronic signature that should fulfill all the roles of a traditional handwritten signature.


3. What Is Electronic Signature?

The first thing we should mention is that an electronic signature is not the same as a digital signature. A digital signature (more details are provided in chapter 4) is only one of the possible technologies of an electronic signature. However, present statutes are mostly enacted according to the digital signature technology.

Among the first electronic signature acts to be passed were the Utah Digital Signature Act (1995) in North America and, in Europe, the German Act on Digital Signature (1997). Other countries gradually adopted electronic signature acts. International organizations issued their recommendations, model laws and guidelines. In Ontario there are two important acts that should be mentioned. On the federal level it is the Personal Information Protection and Electronic Document Act [11] and on the provincial level the Electronic Commerce Act [12].


Let’s now discuss the legal definitions of the electronic signature.

An electronic signature, according to subsection 31 (1) of the Personal Information Protection and Electronic Document Act in Canada, is: “a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document.” [12a] According to the majority of definitions, an electronic signature can also be a typed name at the end of an e-mail or even a scanned handwritten signature.

However, how would we know that the e-mail was really signed by the person whose name we read, or whose scanned handwritten signature was attached to an electronic document? When looking at the definitions of the electronic signature (sometimes referred to as general), we find that the kinds of signatures mentioned above as examples are not very reliable or secure. There are problems with identifying the person who sent the document.

We have to be aware that there are other types of electronic signatures. Article 2 (2) of the EU directive provides us with another important definition of a special type of electronic signature called an advanced electronic signature. This type of electronic signature must meet four other requirements in addition to the basic definition:

1. link to the signatory [14],
2. identification of the signatory,
3. creation by means that the signatory can maintain under his or her control,
4. any change after signing an electronic document has to be obvious.


Subsections 31 (1) and 48 (1) of the Personal Information Protection and Electronic Document Act in Canada contain a similar definition for a secure electronic signature.

This higher type of electronic signature helps the receiver of an electronic document to identify who he or she is dealing with. The Internet is a very impersonal medium of communication. It is, therefore, very important to know who the other communicating party is, especially if we don’t know him or her, because the Internet erases physical distances and boundaries and supports trading with persons physically located in different states. It would be very difficult to verify whether the party is not just a fake person. On the other hand, if we know the trading partner, it facilitates the verification of the identity of the person we are dealing with.

The receiver can be sure that there was no change in the message during the transmission. The technology on which the advanced electronic signature is built should be reliable enough to inform the receiver about even the smallest change of the electronic document.

The sender of the message cannot deny sending the electronic document, because the means by which the advanced electronic signature is created are (or should be) in his sole possession, without access for anybody else. However, the issue of securing these means against disclosure to any other person can be raised.

Scholars also mention other types of electronic signatures, such as: an electronic signature using a qualified certificate, a qualified electronic signature, an enhanced electronic signature and a qualified electronic signature with long-term validity [15].


4. Digital Signature Technology

Digital signature is the most common technology used to create an electronic signature. It is based on cryptography and mathematical functions, using asymmetric keys: a private (secret) key and a public key.

Firstly, we should explain how a document can be encrypted and then point out how the digital signature technology developed from this method. There are a lot of possible ways to encrypt a message. Basically, for our purposes, we can differentiate between two types of encryption: either using a symmetric key or using an asymmetric key. For easier explanation of the processes, we will use names: Alice for the sender, Bob for the receiver and Eve for a third party who wants to interfere with the communication. [16]

With the symmetric key method, the same key is used for encryption and also for the decryption of a message. However, this brings the issue that both parties (Alice and Bob) must know the key, and also the issue of delivering the key from Alice to Bob. Of course, it is highly desirable that Eve will not have access to that key. A problematic situation may arise when the message should be sent to more people and the key therefore has to be disclosed to all of them (or different keys will be used). This may cause the key for message encryption to no longer remain secret (or the need for many keys makes sending the message inconvenient).

These problems seem to be removed by using asymmetric cryptography. Both parties that want to exchange messages have a pair of keys: a private key and a public key. A message is first encrypted with Bob’s public key (known to Alice or anybody else). Then it is sent to Bob. This encrypted message can only be read by Bob, the person holding the matching key of the pair (the private key). Only this private key can decrypt the message. If Eve obtains a copy of this message, she cannot read it without decrypting it with Bob’s private key. Therefore, the private key needs to be kept highly confidential and known only to Bob.

A similar way is used to sign electronic documents. The usage of keys is, however, in a reversed order. Figure 1 shows the process of digital signature creation, figure 2 explains the verification process and an example of a digital signature is shown in figure 3.



Figure 1: Digital Signature Creation

Message -> hash function -> message digest (HASH 1) -> encrypt with private key -> digital signature -> attaching -> message digitally signed

In order to sign an electronic document (figure 1), Alice creates a message digest (a shortened message) by the use of an algorithm termed a “hash function”. This message digest (for our purpose we can call it HASH 1) is then encrypted with Alice’s private key and a digital signature is constituted. This digital signature is attached to the electronic document and the document is sent to Bob.



Figure 2: Digital Signature Verification

Message digitally signed -> separating:
  message -> hash function -> message digest (HASH 2)
  digital signature -> decryption with public key -> message digest (HASH 1)
HASH 1 = HASH 2 ?


When Bob receives the electronic document signed with a digital signature (figure 2), he can verify whether it was really sent by Alice and whether or not Eve has changed it during the transmission. Again, a message digest is created from the electronic document (we can call it HASH 2). The digital signature is separated from the electronic document and then decrypted with the public key of Alice (which is known to Bob or anybody else) in order to obtain HASH 1. Then HASH 1 (obtained from the digital signature decryption) is compared to HASH 2 (created by the hash function from the received document).

If the message digests (HASH 1 and HASH 2) are equal, it is confirmed that the electronic document was sent by Alice and that it was not changed. If not, there is a signal that something is wrong: either Eve sent the message and signed it as if she were Alice, or Eve has changed the message during the transmission.


Figure 3: Example of a Digital Signature

<Signed SigID=1>

Contract of Purchase

I, Laura Johnson, promise to buy the copy of Leonardo da Vinci
painting, called Mona Lisa, from Peter Stevenson and pay him
$100 (one hundred Canadian dollars) on May 12, 2002 at his
residence house in Ottawa.

Laura Johnson,

</Signed>34A52454AB3764578CC18946A29870F40S13S54L67
Z198B240DCD462302I37784GS9802DE002342B212990BADG5
33360249C1D3207G74C162245D39</Signature>

Unlike a traditional handwritten signature, the digital signature is always different. Even a minimal change in the message results in a different message digest created by the hash function. The signature is always based on a message. Therefore, it is not possible to sign a message before it is written (compared to e.g. a blank cheque).

When a message is digitally signed, it does not mean that it is encrypted. Eve, if she is able to receive a copy of this message, can read it. In order to protect the message against Eve, Alice should encrypt the message with Bob’s public key before she signs it. Then only Bob (we suppose that only he knows his private key) is able to decrypt the message and read it.

Although everything explained here may seem difficult, the signing process and the process of encryption and decryption are done by a software program. The only thing that Alice and Bob have to do is to click on an icon labelled “sign digitally,” “verify,” “encrypt” or “decrypt”.

5. Other Technologies

There are possibilities other than the digital signature technology which have the same aim: to replace a traditional handwritten signature and adapt to a changing society and its needs. We have already mentioned a typed name at the end of an e-mail, or a scanned traditional handwritten signature that is attached to an electronic document. This handwritten signature can also be created using biometric technology, similarly to fingerprints, retinal scans or the sound of a voice. We should also mention technologies such as a PIN and other secret codes.

Biometric-based technologies are less known than the digital signature, but there are a number of companies that are working on using them. However, they are still more or less on an experimental level. All these technologies are based on some biological characteristic. Their developers claim that, unlike a PIN or password, biometric authentication systems cannot be stolen or lost, shared or forgotten and therefore increase data security [17].


6. Certificates and Certification Authorities

Let’s come back to the technology of digital signatures. Suppose again that Alice wants to send an electronic document to Bob. She wants to assure Bob that it is really she who is sending the message. As described earlier, she signs the electronic document with the digital signature using her private key. In order for Bob to be able to verify whether this document was really sent by Alice and was not changed during the transmission, he needs to know Alice’s public key.

However, how can Bob be sure that a person who signed the electronic document as Alice, and who is sending him the public key to verify the signature, is really Alice? Eve could have signed it with her private key and sent the message together with her public key, claiming that she was Alice. To avoid this situation, Alice may give her public key to Bob personally, but this way is quite inconvenient and not acceptable. Most times, Bob will receive the public key through the Internet. Therefore, there is a need for some kind of verification of who a certain public key belongs to. There is a need for some authority to confirm that this particular public key belongs to Alice.

One possible solution to this problem for Alice may be to obtain a certificate issued by a certification authority (a trusted third party) that shows that this public key is hers. This is how the majority of electronic signature acts solve this issue. The acts mention different kinds of certificates and certification authorities.


Article 2 of the EU directive recognizes a certificate and a qualified certificate. A certificate is described as “an electronic attestation which links signature verification data to a person and confirms the identity of that person.” [18]

A qualified certificate calls for special requirements. The EU directive defines it in article 2 (10) as “a certificate which meets the requirements laid down in Annex I and is provided by a certification-service-provider who fulfills the requirements laid down in Annex II besides those needed under the definition of the certificate. It is issued by a certification authority that also needs to fulfill some laid down requirements.” [19]

If Alice has a certificate, she will send the certificate to Bob with the message and her public key. Bob can almost be sure that there is no problem. However, Bob also wants to be aware of the consequences if Alice’s certificate is invalid. Therefore, he needs to check whether the certificate was valid at the time when the electronic document was signed. The date of validity is stated on the certificate. Bob also has to find out whether Alice’s certificate has been revoked. He can verify this in the Certification Revocation List of the particular certification-service-provider (the certification authority that has issued the certificate).


A certification-service-provider (a certification authority), according to article 2 (11) of the EU directive, means “an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures”. It acts as a trusted third party and, by signing the applicant’s public key certificate with its private key, it confirms the identity of the owner of the certificate. The Czech Act on Electronic Signature also mentions an accredited certification-service-provider.
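The signing and verification steps of section 4 (figures 1 and 2) and Bob's certificate checks from this section, as an added Python example that is not part of the original paper. It uses textbook RSA without padding on fixed, publicly known Mersenne primes, so the keys are insecure demo keys; the function names, certificate fields, sample contract text, serial numbers, dates and the choice of SHA-256 are assumptions constructed for the illustration.

```python
"""Toy hash-then-sign walk-through: textbook RSA on fixed demo primes, stdlib only."""
import hashlib
from dataclasses import dataclass, replace
from datetime import date

E = 65537  # public exponent shared by every demo key


def mersenne(k):
    return 2**k - 1


def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) for the primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(message):
    """Message digest as an integer (SHA-256 is this example's choice of hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, private):
    """Figure 1: transform the digest (HASH 1) with the signer's private key."""
    n, d = private
    return pow(digest(message), d, n)


def verify(message, signature, public):
    """Figure 2: recover HASH 1 with the public key, recompute HASH 2, compare."""
    n, e = public
    return pow(signature, e, n) == digest(message)


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    public_key: tuple
    valid_from: date
    valid_to: date
    ca_signature: int = 0

    def signed_fields(self):
        """Bytes covered by the certification authority's signature."""
        return repr((self.serial, self.subject, self.public_key,
                     self.valid_from, self.valid_to)).encode()


def issue(issuer_private, serial, subject, public_key, valid_from, valid_to):
    """Bind a name to a public key by signing the certificate fields."""
    cert = Certificate(serial, subject, public_key, valid_from, valid_to)
    return replace(cert, ca_signature=sign(cert.signed_fields(), issuer_private))


def bob_checks(message, signature, cert, signed_on, ca_public, crl):
    """Bob's checks from section 6; signed_on is taken on trust in this sketch."""
    if not verify(cert.signed_fields(), cert.ca_signature, ca_public):
        return False, "certificate not signed by the trusted CA"
    if not cert.valid_from <= signed_on <= cert.valid_to:
        return False, "certificate not valid on the signing date"
    if cert.serial in crl:
        return False, "certificate is on the revocation list"
    if not verify(message, signature, cert.public_key):
        return False, "HASH 1 differs from HASH 2"
    return True, "ok"


# Constructed demo keys from published Mersenne primes: insecure by design.
ALICE_PUB, ALICE_PRIV = make_keypair(mersenne(521), mersenne(607))
CA_PUB, CA_PRIV = make_keypair(mersenne(1279), mersenne(2203))
EVE_PUB, EVE_PRIV = make_keypair(mersenne(2281), mersenne(3217))
CONTRACT = b"Alice agrees to pay Bob $100 on May 12, 2002."  # constructed sample


def run_scenarios():
    """Run Bob's checks over one genuine document and four failure cases."""
    start, end, day = date(2002, 1, 1), date(2002, 12, 31), date(2002, 2, 28)
    alice_cert = issue(CA_PRIV, 1001, "Alice", ALICE_PUB, start, end)
    sig = sign(CONTRACT, ALICE_PRIV)
    altered = CONTRACT.replace(b"$100", b"$900")
    # Eve's certificate names "Alice" but is signed by Eve herself, not the CA.
    eve_cert = issue(EVE_PRIV, 6666, "Alice", EVE_PUB, start, end)
    eve_sig = sign(altered, EVE_PRIV)
    return {
        "genuine": bob_checks(CONTRACT, sig, alice_cert, day, CA_PUB, set()),
        "altered in transit": bob_checks(altered, sig, alice_cert, day, CA_PUB, set()),
        "Eve poses as Alice": bob_checks(altered, eve_sig, eve_cert, day, CA_PUB, set()),
        "signed after expiry": bob_checks(CONTRACT, sig, alice_cert,
                                          date(2003, 1, 15), CA_PUB, set()),
        "revoked": bob_checks(CONTRACT, sig, alice_cert, day, CA_PUB, {1001}),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:20} accepted={accepted}  {reason}")
```

Real signature schemes add padding (for example RSA-PSS) and use secret, randomly generated primes; the "encrypt the digest" step of the figures is shown here in its bare textbook form.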


7. Conclusion or Present Challenges

What are the challenges and problems of the electronic signature? If we want to be up to date on the current technological trends, we face new expenses. The user of a digital signature will have to buy software to create a pair of keys and to actually make message digests and digital signatures. If the user wants to be credible to others, he or she also needs to get a certificate (maybe more types).

There are also a number of criticisms of the most common method for electronic signature, the public key technology. It is claimed that the technology is not a hundred percent reliable.

How reliable is the digital signature technology? Is it possible to find out the private key from the public key? People may lack the trust to use this technology, because once we realize that somebody can derive our private key from the disclosed public key, the whole digital signature system and also electronic commerce and communication through the Internet will be challenged. Therefore, we have to be sure that when we begin to use digital signatures, we will have no doubt that they work. Is it possible to be absolutely sure that a fraud will not happen? On the other hand, people were also reluctant to use bankcards when they were first issued. There was a fear of possible misuse, as there is now with buying goods and services through the Internet, when the credit card number needs to be disclosed.

However, there has been a successful attack on the digital signature recently. [20] Czech cryptologists found some very serious weaknesses in the OpenPGP (PGP = pretty good privacy) format that is used in applications for the encryption and decryption of electronic messages. The result of this attack is a possibility to find out the private key from the public key. The issue of the security of the digital signature technology remains, therefore, open.



Another challenge comes with a question: how can Alice protect her private key against Eve or anybody else? We know that nowadays the world of the Internet is also the world of hackers. What if Eve obtains Alice’s private key and starts to sign electronic documents under Alice’s name? Is the disclosure on the Certification Revocation List of a certificate losing its validity sufficient? What if Alice does not find out that Eve has a copy of her private key? Can we trust this new way of signing, which introduces something artificial into our life? A document signed electronically is somehow depersonalized. The digital signature is not based on much of our personal involvement. Anybody can sign a message and send it from our computer while we are not vigilant enough, while we leave our computer for a couple of minutes without locking it with a password. And are our computers protected enough against potential external attacks? When we log on to the Internet through a cable modem or in any other way, do we all use firewalls and detectors to find out that somebody is trying to access our computer without authorization?

Another problem is with the certification authorities and their trustworthiness. The signing of the certificate by the certification authority with its private key states who a certain public key belongs to. In question are the internal processes of administration, the security of the data of the certification authority, the quality of its certification policy, its certification performance directive and also the question of who can become this trusted third party.


Countries have realized that traditional trade and communication will sooner or later be substituted by electronic means. An electronic signature gives the opportunity to solve the issue of the need for a document to be in writing and signed. It should identify the signatory, authenticate him or her or confirm the content of electronic documents. There are a number of technologies that can be used for the creation of an electronic signature. The most common is the digital signature technology, known also as public key cryptography. Most of the statutes on electronic signatures operate with this technology. As we can also see, the theory is easier than the practice. Although there are a number of model laws and almost every state has its act on electronic signature, the new technology is not used yet. There are a number of challenges and unsolved issues. Is the digital signature technology reliable? What about consumer protection against the unauthorized obtaining of someone’s private key? How should certification authorities administer certificates and still maintain high standards of security and reliability?

And here we come to the statement at the beginning of this paper and we can ask: does the Internet really rule the world?


8. Notes

[1] The United Nations Commission on International Trade Law, further called UNCITRAL, is a legal body within the United Nations. Throughout its existence, it has adopted a number of model laws. For our purposes these are the UNCITRAL model law on electronic signatures, 2001 and the UNCITRAL model law on electronic commerce, 1996 and additional article 5 bis, 1998.

[2] Under the law of the European Union, we understand the law of the European Community, because the European Union itself is not a legal entity. It has adopted Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures, further called the EU directive.

[3] American Bar Association issued: Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Secure Electronic Commerce, further labelled as the American Bar Association guidelines.

[4] Act 40/1964 Civil Code, as amended, valid in the Slovak Republic, further mentioned as the Slovak Civil Code. This act was issued in the times of the existence of Czechoslovakia; therefore, the Civil Codes in the Slovak and Czech Republics have the same basis and are very similar. However, there have been some different amendments since 1993, when Czechoslovakia split up into the Czech Republic and the Slovak Republic.

[5] Act 40/1964 Civil Code, as amended, valid in the Czech Republic, further called the Czech Civil Code.

[6] An example of them is the Ontario legislation: Statute of Frauds, R.S.O. 1990, c. S-19.

[7] The Uniform Commercial Code is, as a federal code of law, valid in every state of the United States except Louisiana.

[8] Sales of Goods Act, R.S.O. 1990, c. S-1, amended by: 1993, s. 27, Sched.; 1994, s. 27, s. 54

[9] United Nations Convention on Contracts for the International Sale of Goods, 1980 (Vienna Sales Convention)

[10] Act 422/2000 on Electronic Signature and on the Amendment to Some Other Related Acts (Czech Republic), further labeled as Czech Act on Electronic Signature.


[11] Personal Information Protection and Electronic Document Act, 2000, c. 5

[12] Electronic Commerce Act, S.O. 2000, c. 17

[12a] Here are some other definitions of the electronic signature taken from different sources.

Article 1 (1) of the Ontario Electronic Commerce Act contains the same definition for the electronic signature as the federal legislation provides.

According to article 2 (1) of the EU directive it means: “data in electronic form which are attached or logically associated with other electronic data and which serve as a method of authentication.” This definition, compared to the Canadian one, goes a bit further and talks about the purpose of this signature, to verify the sender, similarly to the UNCITRAL one.

The UNCITRAL Model Law on Electronic Signature in Article 2 (a) provides the following definition: “Electronic signature means data in electronic form in, affixed to or logically associated with, a data message, which may be used to identify the signatory in relation to the data message and to indicate the signatory’s approval of the information contained in the data message”.

In Germany the Act on Digital Signature from 1997 in subsection 2 (a) explains a digital signature as follows: “For the purposes of this Act digital signature shall mean a seal affixed to digital data which is generated by a private signature key and establishes the owner of the signature key and the integrity of the data with the help of an associated public key provided with a signature key certificate of a certification authority or the authority according to § 3 of this Act.” As we can see, the act is called the Act on Digital Signature and not on Electronic Signature, and the definition is also one of the digital signature. There are also acts of many other countries using the notion digital rather than electronic. Germany’s definition is quite different from the previous definitions. It is detailed and contains more conditions for a general electronic signature. However, it does not recognize any other types of electronic (digital) signatures. The difference of this act from the EU and the UNCITRAL model laws is understandable, because it was created in 1997, far before the model laws were laid down.

The new act in Germany on Electronic Signature from 2001 almost identically follows the EU directive (also the term digital was changed into electronic). Subsection 2 (a) of Part 2 defines the electronic signature as: “data in electronic form which are attached with other electronic data and which serve as a method of authentication.”

The Act on Electronic Signature and on the Amendment to Some Other Related Acts of the parliament of the Czech Republic took the definition of the electronic signature from the EU directive: “electronic signature shall refer to data in electronic form which are attached to a data message or which are logically associated therewith and which enables the identity of the signatory in relation to the data message to be verified.” The difference in the words used is only a matter of double translation of the definition. This was taken from the server of the Office for Personal Data Protection (in the Czech Republic): http://www.uoou.cz/eng/227_2000.php3

The government Bill on Electronic Signature in the Slovak Republic, in its subsection 2 (b), follows the previous definitions offered by the EU directive and the UNCITRAL model law. The electronic signature is “a network of electronic data created by signatory, attached to another network of electronic data or associated with it, which enables to identify the signatory in his relation to the signed chain/network of electronic data.”

A similar view to that of the first German act is shown by the second Bill on Electronic Signature in the Slovak Republic. It is the bill presented by a member of parliament. Subsection 3 (1) describes the electronic signature as: “an information attached to or logically associated with an electronic document, which has to fulfill the following criteria:

a) it is not possible to create it effectively without the knowledge of the private key and the electronic document,
b) on the basis of this information and the public key belonging to the private key used by its creation, it is possible to verify, that the electronic document, to which it is attached, or otherwise logically associated with, is identical with the electronic document used for its creation.”

Unlike the old German act from 1997, this act then also defines an advanced electronic signature. An important condition of this advanced electronic signature is the issuing of a qualified certificate.


14
Article 2(2) of the EU directive defines signatory as “a person who holds signature
-
creation device and acts either on his own behalf or on be
half of the natural or legal
person or entity he represents”.


15
http://cryptoworld.certifikuj.cz

(Article by: Vondruska, P: Types of electronic
signatures, located on the server of the Cryptoworld Journal
)


16
These names are often used in explanations of the digital signature technology.


17

http://www.cybersign.com (Website of corporation providing an electronic signature
technology based on the biometric signature verification). “The biometric (handwritten
signature) technology uses electronic signature data which is input with a pen that senses
timing changes in electromagnetic waves and input force as the handwritten signature is
written. The signature is inked on a commercially available input device, allowing to use
electronic signatures to authorize electronic documents.”


18
Similar definitions of the certificate are provided by the UNCITRAL model law, the new
German and Czech legislations on Electronic Signatures and also the Slovak
governmental Bill on the Electronic Signature. The Slovak Bill on the Electronic
Signature by the Member of Parliament does not define a certificate directly.


19

According to Annex I of the EU directive, qualified certificates must especially
contain: the identification of the certification-service-provider and the State in which it is
established, the name of the signatory, signature-verification data (public key of the
applicant), validity of the certificate, the identity code of the certificate, the advanced
electronic signature of the certification-service-provider issuing it, limitations on the
scope of use of the certificate, if applicable and limits on the value of transactions for
which the certificate can be used, if applicable.

Certification-service-providers issuing qualified certificates must fulfill requirements set
up in Annex II of the EU directive. These requirements include especially: reliability
in providing certification services, security, precise determination of the date and time
of revocation, and verification of the identity of the applicant.




20

http://www.securityfocus.com/cgi-bin/library.pl?cat=2 (Article by Klima, V., Rosa, T.:
Attack on Private Signature Keys of the OpenPGP format, PGP TM Programs and Other
Applications Compatible with OpenPGP, located on the website of the Security Focus
company)


9. Bibliography

Acts: Model laws

Directive 1999/93/EC of the European Parliament and of the Council on a Community
framework for electronic signatures

UNCITRAL model law on electronic commerce, 1996 and additional article 5 bis, 1998

UNCITRAL model law on electronic signatures, 2001



Acts: Electronic Signature

Act 422/2000 on Electronic Signature and on the Amendment to Some Other Related
Acts (Czech republic)

Act on Digital Signature, 1997 (Germany)

Act on Electronic Signature, 2001 (Germany)

Bill on Electronic Signature (by government, Slovak republic)

Bill on Electronic Signature (by member of parliament, Slovak republic)

Electronic Commerce Act, S.O. 2000, c. 17

Personal Information Protection and Electronic Document Act, 2000, c. 5


Acts: Other

Act 40/1964 Civil Code, as amended (Czech republic)

Act 40/1964 Civil Code, as amended (Slovak republic)

Sales of Goods Act, R.S.O. 1990, c. S-1, amended by: 1993, s. 27, Sched.; 1994, s. 27,
s. 54

Statute of Frauds, R.S.O. 1990, c. S-19

Uniform Commercial Code

United Nations Convention on Contracts for the International Sale of Goods, 1980


Books

Bauer, F.L.: Decrypted Secrets: Methods and Maxims of Cryptology, Springer-Verlag,
Berlin Heidelberg, 1997

Pfitzmann, B.: Digital Signature Schemes: General Framework and Fail-Stop Signatures,
Springer-Verlag, Berlin Heidelberg, 1996


Journals

Dodd, J.C., Hernandez, J.A.: Contracting in Cyberspace, Computer Law Review &
Technology Journal, Summer 2000

http://cryptoworld.certifikuj.cz (Article by: Vondruska, P: Types of electronic signatures,
located on the server of the Cryptoworld Journal)

http://www.law.unsw.edu.au/unswlj/ecommerce/mccullagh.html (Article by: McCullagh,
A., Little, P., Caelli, W.: Understand the Past to Develop the Future, the University of
South New Wales Law Journal)

http://www.tilj.com/content/ecomarticle07100001.htm (Article by: Kelley, J.: Electronic
Signature Act (ESIGA), The Internet Law Journal, July 2000)

http://www.urich.edu/~jolt/v6i2/note2.html (Article by: Lupton, W.E, The Digital
Signature: Your Identity by the Numbers, The Richmond Journal of Law and
Technology, Volume VI, Issue 2, Fall 1999)


Internet

http://canada2.justice.gc.ca/en/cons/jeh/adamache.html (Article by: Adamache, M.:
Digital Signature Legal Issues, located on the server of the Canadian Department of
Justice)

http://lois.justice.gc.ca/en/ (Consolidated Statutes and Regulations located on the server
of the Canadian Department of Justice)

http://profs.lp.findlaw.com/signatures/ (Article by: Smedinghoff, T.J., Bro, R.H.:
Electronic Signature Legislation located on the Findlaw server)

http://www.abanet.org/scitech/ec/isc/dsgfree.html (Digital Signature Guidelines: Legal
Infrastructure for Certification Authorities and Secure Electronic Commerce located on
the server of the American Bar Association)

http://www.cybersign.com (Website of corporation providing an electronic signature
technology based on the biometric signature verification)

http://www.e-laws.gov.on.ca/ (Consolidated Statutes and Regulations of Ontario located
on the server maintained by the Government of Ontario)

http://www.e-podpis.sk/ (Electronic signature information located on a Slovak website)

http://www.etsi.org/sec/el-sign.htm (Information on electronic signature located on the
server of the European Telecommunication Standards Institute)

http://www.gcnstateandlocal.com/vol19_no19/news/2408-1.html (Article by: Daukantas,
P.: What apps are out there to help you?, located on the server of the Government
Computer News)

http://www.i.cz/onas/tisk4.html (Press Article by: Votruba, M.: Cryptologists of the
Czech company ICZ found out a serious security weakness of an international
importance, located on the website of the ICZ company in Czech republic)

http://www.informatika.sk/e-podpis/ (Electronic signature issues and support of the bill
on Electronic Signature of a member of parliament located on the website of the Slovak
Information Society)

http://www.mbc.com/ecommerce/ecom_overview.asp (Legal overview about e-commerce
and electronic signature located on the server of the McBride Baker & Coles company)

http://www.mbc.com/ecommerce/ItecPubs.asp (Article by: Zanger, L.M.: Electronic
contracts: Some of the Basics, located on the server of the McBride Baker & Coles
company)

http://www.mbc.com/ecommerce/ItecPubs.asp (Article by: Zanger, L.M: The Federal
E-Sign Law: The Electronic Signatures in Global and National Commerce Act, located on
the server of the McBride Baker & Coles company)

http://www.securityfocus.com/cgi-bin/library.pl?cat=2 (Article by Klima, V., Rosa, T.:
Attack on Private Signature Keys of the OpenPGP format, PGP TM Programs and Other
Applications Compatible with OpenPGP, located on the website of the Security Focus
company)


http://www.ssrn.com/update/lsn/cyberspace/lessons/contr05.html (Article by: Lessig, L.,
Post, D. and Volokh E.: The Requirement of a signed contract, located on the server of
the Social Science Research Network)

http://www.uncitral.org (the server of the United Nations Commission on International
Trade Law)

http://www.uoou.cz/ (Information on electronic signature - a Czech website located on
the server of the Office for Personal Data Protection)