1. Electronic Document &
Signatures
Joint International Doctoral degree in
Law, Science and Technology
http://www.last-jd.eu
Michele Martoni
Contract Professor at the University of Bologna
Ph.D. in IT Law | Lawyer
December 10, 2012, Bologna
2. 0. Roadmap
1) Electronic Identification
2) Identity theft and Data Value (Social
Engineering, OSINT, Phishing, Incorrect
sharing of personal data - email, social
network, cloud computing services, etc.)
3) Technical Introduction
4) Document and Signing
5-6) Regulatory Framework (EU and Italian)
3. 1. Electronic Identification
• Is there a way to certify our identity
remotely? Yes!
• Is there a way to certify the integrity of an
electronic document? Yes!
• We have the technologies. We have the norms. But
we need to be aware of how to use them correctly!
• The risk is that we use and share our
information in a way that allows third parties
to “abuse” it.
4. 2. Identity theft & Identity fraud
• Identity theft is a form of stealing
someone's identity in which someone
pretends to be someone else by assuming
that person's identity.
• Identity theft is not always detectable by the
individual victims, according to a report
done for the FTC. Identity fraud is often but
not necessarily the consequence of identity
theft.
(1) http://en.wikipedia.org/wiki/Identity_theft
(2) Federal Trade Commission, 2006, Identity Theft Survey Report
5. 2.1. Social Engineering
• Social engineering, in the context of security, is
understood to mean the art of manipulating people
into performing actions or divulging confidential
information (also personal).
• All social engineering techniques are based on
specific attributes of human decision-making known
as cognitive biases. These biases, sometimes called
bugs in the human hardware, are exploited in
various combinations to create attack techniques.
(1) http://en.wikipedia.org/wiki/Social_engineering_(security)
6. 2.2. Phishing
• Phishing is a technique of fraudulently obtaining
private information.
• Typically, the phisher sends an e-mail that appears
to come from a legitimate business—a bank, or
credit card company—requesting "verification" of
information and warning of some dire
consequence if it is not provided.
• The e-mail usually contains a link to a fraudulent
web page that seems legitimate—with company
logos and content—and has a form requesting
everything from a home address to an ATM card’s
PIN code.
7. 2.3. Personal data sharing
Ex. Facebook’s Statement of Rights and Responsibilities
Art. 2. Sharing Your Content and Information
You own all of the content and information you post on Facebook,
and you can control how it is shared through your privacy and
application settings. In addition:
For content that is covered by intellectual property rights, like photos
and videos (IP content), you specifically give us the following
permission, subject to your privacy and application settings: you
grant us a non-exclusive, transferable, sub-licensable, royalty-free,
worldwide license to use any IP content that you post on or in
connection with Facebook (IP License). This IP License ends when
you delete your IP content or your account unless your content has
been shared with others, and they have not deleted it.
(1) http://www.facebook.com/legal/terms
8. 3. Technical Introduction
• To classify the legal institution of
electronic signatures correctly, we must
start from the essence of this
technology.
• Electronic signatures can be
complex, modern applications of
cryptography.
9. 3. Technical Introduction
• We can distinguish:
– Cryptography
– Cryptanalysis
• The race between cryptography and
cryptanalysis has led to the development of
increasingly sophisticated techniques.
• We can distinguish:
– Steganography
– Cryptography
10. 3.1. Steganography
• physical concealment of the message
• the message is physically “invisible”
• high risk of harm if the message is
intercepted
11. 3.2. Cryptography
• semantic concealment of the content of
the message
• the message is “visible” but not
“understandable”
• key management becomes a priority
12. 3.3. Symmetric cryptography
• Symmetric cryptography, also
known as private-key or secret-key
encryption, is the cryptographic
technique that uses a single key
both for encryption and for
decryption.
16. 3.4.1. Asymmetric cryptography
• Asymmetric encryption (public-key
cryptography) instead uses a pair of
keys, a public key and a private key.
The principle of this technique is that
what is encrypted with one key can
only be decrypted with the other key
of the pair.
17. 3.4.2. Cryptographic keys
• One key (Kpriv) to encrypt
• Another key (Kpub) to decrypt
• Two different but interconnected keys
• Private key (Kpriv) known only by
its holder
• Public key (Kpub) known by
everyone
18. 3.4.3. Cyphertext
[Diagram: Alice → Bob. Alice encrypts the message with Bob's public key
(KPUB Bob). Alice holds KPUB Alice and KPRIV Alice; Bob holds KPUB Bob
and KPRIV Bob.]
• Secrecy of content yes
• Authentication no
19. 3.4.4. Signed text
[Diagram: Alice → Bob. Alice signs the message “Dear Bob, I love you …
Alice” with her private key (KPRIV Alice). Alice holds KPUB Alice and
KPRIV Alice; Bob holds KPUB Bob and KPRIV Bob.]
• Secrecy of content no
• Authentication yes
20. 3.4.5. Signed Cyphertext
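[Diagram: Alice → Bob. The message “Dear Bob, I love you … Alice” is
processed with Alice's private key (KPRIV Alice) and with Bob's public
key (KPUB Bob). Alice holds KPUB Alice and KPRIV Alice; Bob holds
KPUB Bob and KPRIV Bob.]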
• Secrecy of content yes
• Authentication yes
21. 3.4.6. Hash Function
• The problem with public-key
encryption is the time required by its
mathematical operations.
• A hash function is an algorithm that turns
a variable-sized amount of text into a
fixed-sized output (hash value or
digest).
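The three exchanges of slides 3.4.3 to 3.4.5 and the hash function of 3.4.6, as an added example that is not part of the original slides: textbook RSA without padding, written with the Python standard library only. The key pairs are constructed from known Mersenne primes and are not secure, and all function names are assumptions made for this illustration.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Return (public, private) toy RSA keys, each an (exponent, modulus) pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

# Constructed demo keys built from well-known Mersenne primes: trivially
# factorable, so they illustrate the mechanics only and protect nothing.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)

def apply_key(key, value):
    """Transform a number with one key; only the other key of the pair undoes it."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under this key's modulus")
    return pow(value, exponent, n)

def digest(message):
    """Hash function: input of any size in, fixed 256-bit number out."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def encrypt(message, recipient_pub):
    """Cyphertext: uses only public data, so it says nothing about who sent it."""
    return apply_key(recipient_pub, int.from_bytes(message, "big"))

def decrypt(ciphertext, recipient_priv):
    """Only the holder of the matching private key recovers the bytes."""
    value = apply_key(recipient_priv, ciphertext)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def sign(message, signer_priv):
    """Signed text: the slow private-key step runs on the short digest only."""
    return apply_key(signer_priv, digest(message))

def verify(message, signature, signer_pub):
    """Recover the digest with the public key and compare it with a fresh hash."""
    _, n = signer_pub
    return 0 <= signature < n and apply_key(signer_pub, signature) == digest(message)

def seal(message, sender_priv, recipient_pub):
    """Signed cyphertext: sign with the sender's key, then encrypt for the recipient."""
    signature = sign(message, sender_priv)
    # Encrypting the signature works here because Alice's modulus is smaller than Bob's.
    return encrypt(message, recipient_pub), apply_key(recipient_pub, signature)

def open_sealed(sealed, recipient_priv, sender_pub):
    """Return (message, authentic) for a pair produced by seal()."""
    ciphertext, protected_signature = sealed
    message = decrypt(ciphertext, recipient_priv)
    signature = apply_key(recipient_priv, protected_signature)
    return message, verify(message, signature, sender_pub)

if __name__ == "__main__":
    text = b"Dear Bob, I love you ... Alice"  # message shown on the slides
    print("decrypted by Bob:", decrypt(encrypt(text, BOB_PUB), BOB_PRIV))
    sig = sign(text, ALICE_PRIV)
    print("signature verifies:", verify(text, sig, ALICE_PUB))
    altered = text.replace(b"love", b"hate")
    print("altered text verifies:", verify(altered, sig, ALICE_PUB))
    sealed = seal(text, ALICE_PRIV, BOB_PUB)
    print("signed cyphertext opens as:", open_sealed(sealed, BOB_PRIV, ALICE_PUB))
```
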
22. 4. Document and Signing
• Original concept of document
• Original concept of signing
(1) Martoni M., in Cyber Law, Suppl. 17 (December 2008), Italy, p. 138,
Kluwer Law International
24. 5. EU Regulatory Framework
• Directive 1999/93/EC of the European
Parliament and of the Council of 13
December 1999 on a Community
framework for electronic signatures
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML
25. 5.1. Directive Scope
• to facilitate the use of electronic
signatures
• to contribute to their legal recognition
• to ensure the proper functioning of the
internal market
• It does not cover aspects related to
the conclusion and validity of
contracts or other legal obligations
26. 5.2. Definitions|Electronic Signatures
• data in electronic form which are
attached to or logically associated
with other electronic data and which
serve as a method of authentication
27. 5.2. Definitions|Advanced E.S.
• an electronic signature which meets the
following requirements:
– (a) it is uniquely linked to the signatory;
– (b) it is capable of identifying the signatory;
– (c) it is created using means that the signatory
can maintain under his sole control; and
– (d) it is linked to the data to which it relates in
such a manner that any subsequent change of
the data is detectable
28. 5.2. Definitions|Signatory
• a person who holds a signature-
creation device and acts either on his
own behalf or on behalf of the natural
or legal person or entity he represents
29. 5.2. Definitions|Sign.-creation data
• unique data, such as codes or private
cryptographic keys, which are used by
the signatory to create an electronic
signature
31. 5.2. Definitions|Secure ... device
• a signature-creation device which
meets the requirements laid down in
Annex III
32. 5.2. Definitions|Secure ... device
Annex III
1. Secure signature-creation devices must, by appropriate
technical and procedural means, ensure at the least that:
(a) the signature-creation-data used for signature generation
can practically occur only once, and that their secrecy is
reasonably assured;
(b) the signature-creation-data used for signature generation
cannot, with reasonable assurance, be derived and the
signature is protected against forgery using currently available
technology;
(c) the signature-creation-data used for signature generation
can be reliably protected by the legitimate signatory against
the use of others.
2. Secure signature-creation devices must not alter the data to
be signed or prevent such data from being presented to the
signatory prior to the signature process.
33. 5.2. Definitions|Certificate
• an electronic attestation which links
signature-verification data to a person
and confirms the identity of that
person
34. 5.2. Definitions|Qualified Certificate
• a certificate which meets the
requirements laid down in Annex I and
is provided by a certification-service-
provider who fulfils the requirements
laid down in Annex II
35. 5.2. Definitions|Annex I
Qualified certificates must contain:
(a) an indication that the certificate is issued as a
qualified certificate;
(b) the identification of the certification-service-
provider and the State in which it is established;
(c) the name of the signatory or a pseudonym, which
shall be identified as such;
(d) provision for a specific attribute of the signatory to
be included if relevant, depending on the purpose
for which the certificate is intended;
36. 5.2. Definitions|Annex I
(e) signature-verification data which correspond to
signature-creation data under the control of the
signatory;
(f) an indication of the beginning and end of the
period of validity of the certificate;
(g) the identity code of the certificate;
(h) the advanced electronic signature of the
certification-service-provider issuing it;
(i) limitations on the scope of use of the certificate, if
applicable; and
(j) limits on the value of transactions for which the
certificate can be used, if applicable.
37. 5.2. Definitions|Annex II
Certification-service-providers must:
(a) demonstrate the reliability necessary
for providing certification services;
(b) ensure the operation of a prompt
and secure directory and a secure
and immediate revocation service;
(c) ensure that the date and time when
a certificate is issued or revoked can
be determined precisely;
38. 5.2. Definitions|Annex II
(d) verify, by appropriate means in accordance with
national law, the identity and, if applicable, any
specific attributes of the person to which a qualified
certificate is issued;
(e) employ personnel who possess the expert
knowledge, experience, and qualifications
necessary for the services provided, in particular
competence at managerial level, expertise in
electronic signature technology and familiarity with
proper security procedures; they must also apply
administrative and management procedures which
are adequate and correspond to recognised
standards;
39. 5.2. Definitions|Annex II
(f) use trustworthy systems and products which
are protected against modification and
ensure the technical and cryptographic
security of the process supported by them;
(g) take measures against forgery of
certificates, and, in cases where the
certification-service-provider generates
signature-creation data, guarantee
confidentiality during the process of
generating such data;
40. 5.2. Definitions|Annex II
(h) maintain sufficient financial resources to operate in conformity with
the requirements laid down in the Directive, in particular to bear the
risk of liability for damages, for example, by obtaining appropriate
insurance;
(i) record all relevant information concerning a qualified certificate for
an appropriate period of time, in particular for the purpose of
providing evidence of certification for the purposes of legal
proceedings. Such recording may be done electronically;
(j) not store or copy signature-creation data of the person to whom the
certification-service-provider provided key management services;
(k) before entering into a contractual relationship with a person seeking
a certificate to support his electronic signature inform that person by
a durable means of communication of the precise terms and
conditions regarding the use of the certificate, including any
limitations on its use, the existence of a voluntary accreditation
scheme and procedures for complaints and dispute settlement. Such
information, which may be transmitted electronically, must be in
writing and in readily understandable language. Relevant parts of this
information must also be made available on request to third-parties
relying on the certificate;
41. 5.2. Definitions|Annex II
(l) use trustworthy systems to store certificates
in a verifiable form so that:
- only authorised persons can make entries
and changes,
- information can be checked for authenticity,
- certificates are publicly available for retrieval
in only those cases for which the certificate-
holder's consent has been obtained, and
- any technical changes compromising these
security requirements are apparent to the
operator.
42. 5.2. Definitions|Annex IV
Recommendations for secure signature verification
During the signature-verification process it should be
ensured with reasonable certainty that:
(a) the data used for verifying the signature
correspond to the data displayed to the verifier;
(b) the signature is reliably verified and the result of
that verification is correctly displayed;
43. 5.2. Definitions|Annex IV
(c) the verifier can, as necessary, reliably
establish the contents of the signed data;
(d) the authenticity and validity of the
certificate required at the time of signature
verification are reliably verified;
(e) the result of verification and the signatory's
identity are correctly displayed;
(f) the use of a pseudonym is clearly
indicated; and
(g) any security-relevant changes can be
detected.
45. 5.3. Market Access
1. Member States shall not make the
provision of certification services
subject to prior authorisation.
46. 5.3. Market Access
2. Without prejudice to the provisions of paragraph 1,
Member States may introduce or maintain voluntary
accreditation schemes aiming at enhanced levels
of certification-service provision. All conditions
related to such schemes must be objective,
transparent, proportionate and non-discriminatory.
Member States may not limit the number of
accredited certification-service-providers for
reasons which fall within the scope of this Directive.
3. Each Member State shall ensure the establishment
of an appropriate system that allows for supervision
of certification-service-providers which are
established on its territory and issue qualified
certificates to the public.
47. 5.3. Market Access
[...]
7. Member States may make the use of
electronic signatures in the public sector
subject to possible additional requirements.
Such requirements shall be objective,
transparent, proportionate and non-
discriminatory and shall relate only to the
specific characteristics of the application
concerned. Such requirements may not
constitute an obstacle to cross-border
services for citizens.
48. 5.4. Legal Effects
1. Member States shall ensure that advanced
electronic signatures which are based on a
qualified certificate and which are created
by a secure-signature-creation device:
(a) satisfy the legal requirements of a
signature in relation to data in electronic
form in the same manner as a handwritten
signature satisfies those requirements in
relation to paper-based data; and
(b) are admissible as evidence in legal
proceedings.
49. 5.4. Legal Effects
2. Member States shall ensure that an electronic
signature is not denied legal effectiveness and
admissibility as evidence in legal proceedings
solely on the grounds that it is:
- in electronic form, or
- not based upon a qualified certificate, or
- not based upon a qualified certificate issued by an
accredited certification-service-provider, or
- not created by a secure signature-creation device.
50. 5.5. Liability
1. As a minimum, Member States shall ensure that by issuing a certificate
as a qualified certificate to the public or by guaranteeing such a
certificate to the public a certification-service-provider is liable for
damage caused to any entity or legal or natural person who
reasonably relies on that certificate:
(a) as regards the accuracy at the time of issuance of all information
contained in the qualified certificate and as regards the fact that the
certificate contains all the details prescribed for a qualified
certificate;
(b) for assurance that at the time of the issuance of the certificate, the
signatory identified in the qualified certificate held the signature-
creation data corresponding to the signature-verification data given
or identified in the certificate;
(c) for assurance that the signature-creation data and the signature-
verification data can be used in a complementary manner in cases
where the certification-service-provider generates them both;
(d) unless the certification-service-provider proves that he has not acted
negligently.
51. 5.5. Liability
2. As a minimum Member States shall ensure that a certification-service-
provider who has issued a certificate as a qualified certificate to the
public is liable for damage caused to any entity or legal or natural
person who reasonably relies on the certificate for failure to register
revocation of the certificate unless the certification-service-provider
proves that he has not acted negligently.
3. Member States shall ensure that a certification-service-provider may
indicate in a qualified certificate limitations on the use of that
certificate, provided that the limitations are recognisable to third
parties. The certification-service-provider shall not be liable for
damage arising from use of a qualified certificate which exceeds the
limitations placed on it.
4. Member States shall ensure that a certification-service-provider may
indicate in the qualified certificate a limit on the value of transactions
for which the certificate can be used, provided that the limit is
recognisable to third parties.
The certification-service-provider shall not be liable for damage resulting
from this maximum limit being exceeded.
52. 5.6. International Aspects
1. Member States shall ensure that
certificates which are issued as
qualified certificates to the public by a
certification-service-provider
established in a third country are
recognised as legally equivalent to
certificates issued by a certification-
service-provider established within the
Community if certain conditions are
met.
53. 6. Italian Regulatory Framework
• D.Lgs. 82/2005, Codice
dell’Amministrazione Digitale (CAD)
http://www.digitpa.gov.it/cad
• D.P.C.M. 30/03/2009, Regole tecniche
in materia di generazione, apposizione
e verifica delle firme digitali e
validazione temporale dei documenti
informatici
http://www.digitpa.gov.it/sites/default/files/normativa/DPCM_30-mar-09_0.pdf
56. 6.3. Definitions|Copy and Duplicate
1. electronic copy of an analogue
document: the electronic document
whose content is identical to that of the
analogue document from which it is drawn
• for example, transcription with a word
processor of paper (handwritten)
notes or oral notes
57. 6.3. Definitions|Copy and Duplicate
2. electronic image copy of an analogue
document: the electronic document
whose content and form are identical to
those of the analogue document from
which it is drawn
• for example, a scan of a paper
document
58. 6.3. Definitions|Copy and Duplicate
3. electronic copy of an electronic
document: the electronic document
whose content is identical to that of the
document from which it is drawn, on a
computer, with a different sequence of
binary values
• for example, a file converted to a
different format (from .doc to .pdf)
59. 6.3. Definitions|Copy and Duplicate
4. duplicate: the electronic document
obtained by storing, on the same
device or on different devices, the
same sequence of binary values of
the original document
• for example “cut & paste”
60. 6.4. Definitions|Electronic Signature
• l'insieme dei dati in forma elettronica, allegati
oppure connessi tramite associazione logica ad altri
dati elettronici, utilizzati come metodo di
identificazione informatica
• the set of data in electronic form
attached to or logically associated
with other electronic data, used as a
method of electronic identification
(authentication)
61. 6.5. Definitions|Advanced E.S.
• insieme di dati in forma elettronica allegati oppure connessi a un
documento informatico che consentono l’identificazione del
firmatario del documento e garantiscono la connessione univoca al
firmatario, creati con mezzi sui quali il firmatario può conservare un
controllo esclusivo, collegati ai dati ai quali detta firma si riferisce in
modo da consentire di rilevare se i dati stessi siano stati
successivamente modificati
• set of data in electronic form attached to or
associated with an electronic document that
enable identification of the signatory of the
document and provide the unique connection to
the signatory, created using means over which the
signatory can maintain exclusive control, and linked
to the data to which the signature refers in such a
way that it is possible to detect whether the data
have been subsequently modified
62. 6.6. Definitions|Qualified E.S.
• un particolare tipo di firma elettronica avanzata
che sia basata su un certificato qualificato e
realizzata mediante un dispositivo sicuro per la
creazione della firma
• a particular type of advanced
electronic signature that is based on a
qualified certificate and created by
means of a secure signature-creation
device
63. 6.6.1. Certification Authority
• Digital signature technology ensures that the
signing process used the private key that corresponds
to the public key used for verification.
• Certification of the key has a different function:
to connect the public key to an identified person.
• Certification, in the case of the digital signature,
is the result of the IT procedure, applied to
the public key and detectable by validation
systems, that ensures the correspondence between
the public key and the holder to whom it belongs, and
identifies the period of validity of that key and the
expiry date of the certificate.
64. 6.6.1. Certification Authority
• Simple C.A.
• Qualified C.A.
• Accredited C.A.
– Different qualities
– Different procedures to become C.A.
– Different level of the certification services
65. 6.6.2. Electronic Certificate
• Electronic Certificates
– electronic certificates are now defined as
electronic attestations that connect the identity
of the holder to the data used to verify electronic
signatures
• Qualified Certificates
– qualified certificates are electronic certificates
that comply with the requirements envisaged in
Annex I of the Directive and are issued by
certification-service-providers that meet the
requirements provided in Annex II of the Directive
67. 6.7. Definitions|Digital Signature
• un particolare tipo di firma elettronica avanzata basata su un certificato
qualificato e su un sistema di chiavi crittografiche, una pubblica e una
privata, correlate tra loro, che consente al titolare tramite la chiave privata e
al destinatario tramite la chiave pubblica, rispettivamente, di rendere
manifesta e di verificare la provenienza e l'integrità di un documento
informatico o di un insieme di documenti informatici
• a particular type of advanced electronic signature
based on a qualified certificate and a system of
cryptographic keys, one public and one private,
related to each other, which allows the holder using
the private key and the recipient using the public
key, respectively, to make manifest and verify the
origin and integrity of an electronic document or a
set of electronic documents
70. 6.8. Legal Effects
• Art. 20.1 bis CAD
– L'idoneità del documento informatico a
soddisfare il requisito della forma scritta e il suo
valore probatorio sono liberamente valutabili in
giudizio, tenuto conto delle sue caratteristiche
oggettive di qualità, sicurezza, integrità ed
immodificabilità, fermo restando quanto disposto
dall’articolo 21.
– The suitability of the electronic document to
satisfy the requirement of written form and its
probative value can be freely evaluated in
judgment, in view of its objective characteristics
of quality, safety, integrity and immutability,
subject to the provisions of Article 21.
71. 6.8. Legal Effects
• Art. 21.1 CAD
– Il documento informatico, cui è apposta una
firma elettronica, sul piano probatorio è
liberamente valutabile in giudizio, tenuto conto
delle sue caratteristiche oggettive di qualità ,
sicurezza, integrità e immodificabilità.
– The electronic document to which an electronic
signature is affixed can, in terms of evidence, be
freely evaluated in judgment, in view of its objective
characteristics of quality, safety, integrity and
immutability.
72. 6.8. Legal Effects
• Art. 21.2 CAD
– Il documento informatico sottoscritto con firma elettronica
avanzata, qualificata o digitale, formato nel rispetto delle
regole tecniche di cui all'articolo 20, comma 3, che
garantiscano l'identificabilità dell'autore, l'integrità e
l'immodificabilità del documento, ha l'efficacia prevista
dall'articolo 2702 del codice civile. L'utilizzo del dispositivo
di firma si presume riconducibile al titolare, salvo che questi
dia prova contraria.
– The electronic document signed with an advanced,
qualified or digital electronic signature, formed in
compliance with the technical rules [...] that ensure the
identifiability of the author and the integrity and
immutability of the document, has the effectiveness
provided for by Article 2702 of the Italian Civil Code.
The use of the signature device is presumed to be
attributable to the holder, unless he proves otherwise.
73. 6.8. Legal Effects
• Art. 21.2 bis CAD
– Salvo quanto previsto dall’articolo 25, le scritture
private di cui all’articolo 1350, primo comma,
numeri da 1 a 12, del codice civile, se fatte con
documento informatico, sono sottoscritte, a
pena di nullità, con firma elettronica qualificata
o con firma digitale.
– Except as provided in Article 25, the private
documents referred to in Article 1350, first
paragraph, numbers 1 to 12, of the Civil
Code, if made as electronic documents, are
signed, under penalty of nullity, with a qualified
electronic signature or with a digital signature.
74. 6.9. Time Stamping
• The result of the IT procedure by which a date
and a time enforceable against third parties are
attributed to one or more electronic documents
• The timestamp has another important function. It
makes it possible to extend the value of the
certificate of digital signature beyond the normal
period of validity. This is on condition that the
signature is associated with a timestamp, enforceable
against third parties, at an earlier time than the
suspension, expiration or revocation of the certificate.
75. Thank you
Michele Martoni
Contract Professor at the University of Bologna
Ph.D. in IT Law
Lawyer
michele.martoni@unibo.it | www.unibo.it
www.michelemartoni.it