...

  • Relying parties (the parties that trust a document carrying a digital signature) are given an electronic signature that is in general equivalent to a wet signature, with a few exceptions, e.g. transactions that need a notary anyway.
  • There are no, or only very limited, approaches to multilevel security. Some eID projects assume a single level (like the Austrian citizen card), or the signature law provides only a limited selection, such as advanced and electronic signatures.
  • To establish trust in the certificate authority there is a requirement for "sufficient financial provisions", e.g. in Austria a minimum nominal stock capital of 700,000 € and 300,000 € in liability coverage according to [Signaturverordnung 2008].
  • The duties of the CA are basically to keep the root key secret, vet the identity of the subject and provide a revocation service.
  • The duty of the signatory is to keep its private key secret, and sign only using certified equipment as listed by the CA.
  • The details of the burden of proof will be clarified by court decisions 10-15 years after the system is established. As one can predict now, this will not be any time soon.
  • The system can be applied in different sectors, like B2B, B2C, C2G etc.

                  Estonia: The Vanity Project of national eID

Estonia had money and political will as promising starting conditions: it is a small country with 1.4 million citizens. In preparation for joining the EU in 2004, there was an urgent need to put EU infrastructure subsidies to good use, and the option to create many administrative structures from scratch after the departure from the USSR. The mandatory national ID card was issued as a smart card to facilitate both physical and electronic authentication. Internet, mobile and telebanking adoption was the highest in Europe. Even e-voting was established, while in countries like Germany and the Netherlands activists confronted lawmakers and lobbyists with security deficiencies and fundamental legal concerns.

...

Yet Estonia's citizens and businesses did not take up digital signatures to any significant degree. Although more than 80% of the population holds PKI credentials, the adoption rate has been much slower than expected.

                  Lessons (that could be) learned

  • Free does not equal successful. Users do not want too much friction in their processes, and security is hard to sell. Promoting a uniform approach to authentication using digital signatures failed.
  • Projects promoted by the government are inclined to prioritize Business-to-Government and Citizen-to-Government over B2B. However, the number of transactions with the government per year is insignificant for businesses and citizens in most cases.
  • General attempts to solve duty, risk and liability management are very difficult.
    • Mapping an established “token” such as the wet signature to an electronic signature without considering the differences violates the requirements of users and specific business processes.
    • Putting a large technical and legal burden on a user might not withstand challenge at court.
    • Relying parties might carry a substantial risk, too. Implementations might not identify invalid signatures or invalid certificates. Even if a broken signature is detected, it is hard to predict how liability can be enforced at court.