Europe takes lead on e-sigs
- By Diane Frank
- Oct 16, 2000
Just because agencies and corporations in the United States can legally
apply electronic signatures to online transactions does not mean they have
the technical ability to prevent fraudulent use of those signatures.
European countries, which face the same situation, have taken the lead
in developing a common standard for electronic signatures, and the European
Union is finalizing technical standards from which the U.S. government might
The standard defines two levels of security or "assurance" that organizations
might apply to electronic signatures, depending on the sensitivity of the
transaction. Under the 1999 directive, the European Union laid out two levels
* Basic electronic signatures that can be used for the minimum level
of transactions where the participants simply want to ensure that the people
at the other end can verify their identities.
* Qualified certificates, in which the electronic signature is only
one part of the authentication and authorization information stored on the
Defining such levels of assurance is key to electronic commerce, European
Ideally, an electronic signature should be voided if someone intercepts
and tampers with an electronic transaction. But without electronic signature
standards, an organization receiving an electronically signed transaction
cannot be 100 percent confident that the other party has taken adequate
measures to protect that transaction.
Without a reasonable minimum level of assurance, electronic transactions
will not gain the necessary trust and confidence for widespread use, and
electronic signatures will be abandoned before they have a chance to be
proven, said Frank Jorissen, deputy vice president of international operations
at Utimaco Safeware Group in Belgium and a member of the European Electronic
Signature Standardization Initiative Steering Group.
The European Commission created the European Electronic Signature Standardization
Initiative (EESSI) following the EU's December 1999 directive detailing
the need for a legal validity of electronic signatures based on technical
But neither U.S. law nor the EU directive considers the technical standards
that would support the legal validity.
The EESSI Steering Group has contacted other organizations that have
begun to wrestle with this problem, such as the Internet Engineering Task
Force (IETF), the World Wide Web Consortium (W3C) and the American Bar
Association. But these organizations' efforts are, "at this stage, not necessarily
sufficient," according to statements from the steering group.
The problem with differentiating among the many security levels now
available through electronic signatures is the same one that agencies and
businesses in the United States are facing.
Those who use services that require electronic signatures must trade
off between having strong security that will be complex, take up bandwidth
and take users longer to connect and making an application user-friendly
and less secure, Jorissen said, speaking last month at the Information Security
Solutions Europe conference in Barcelona, Spain.
"What we have now is security, but it is not secured," he said.
The EESSI's technical group, under the European Telecommunication Standards
Institute, has developed a draft of the technical requirements for qualified
certificates, the comment period for which closed last week.
The draft is still based on international common certificate standards
such as X.509, which is used by security providers such as RSA Security
Inc., Entrust Technologies and Baltimore Technologies, and emulates what
the IETF and W3C have done to determine how the extra authorization information
should be attached to the certificate.
Using open standards like this is important, said Stefan Santesson,
chief technology officer at AddTrust in Sweden and a member of both the
EESSI technical task force and the IETF. It will allow the EU-qualified
certificate to be much like the "quality stamp" on a physical identification,
like a passport, that can be accepted by businesses and agencies anywhere
around the world to mean a certain level of security assurance, he said.