
The Initiative plans to hold two consultation meetings. This page provides the report of the first one, which was reserved to invited experts and observers from European national governments and national standards bodies, from a variety of international and European organizations with an interest in the broad subject area, and from the international standardization organizations. The second one was an open meeting held on 1 July 1999.
The 1st consultation meeting was held on 24th February to discuss requirements for European electronic signature standardisation to feed in to the European Electronic Signature Standardization Initiative (EESSI).
At this workshop introductory presentations were given on EESSI and the current status of the Directive on Electronic Signatures. This was followed by panel sessions, each consisting of brief presentations followed by general discussion, from the viewpoint of:
The workshop was attended by approximately 60 invited representatives from government, user organisations and IT industry.
The meeting was opened by the Chairman of the ICT Standards Board, who described the background to EESSI, indicating the importance of supporting the internal market as well as positioning Europe within the international market, particularly for electronic commerce. A presentation was given by an MEP on the progress of the Electronic Signature Directive through the European Parliament. This indicated that there was agreement on the basic issues, although some questions were still being discussed, including the concern that the Directive be technology neutral. A presentation from the "High Level Steering Group" (HLSG) chairman emphasised the need for "certainty" in the provision of electronic signatures. Finally, the chairman of the EESSI steering group outlined the objectives and time-scale of the EESSI. He emphasised the importance of an interoperable infrastructure and of cross-border services, which require the support of standardisation.
This panel included presentations on consumer concerns, the industry view, a government use of electronic signatures, a national smart card based identity system and academic work. It emphasised the urgent need to have at least one standardized solution that can meet mass market requirements. Currently, public key technology provides the best common solution, and there are detailed issues that need to be addressed to meet current requirements using this technology. Trust is also an important factor. Two forms of service were identified, authentication and authorization, which have differing requirements. It was considered that present law based on written signatures could not be directly applied to electronic signatures. There was also some discussion on whether the scope of the Directive was wider than an electronic equivalent to hand-written signatures.
Mr. Gordon Langmann of the ANEC Secretariat (European Association for Co-ordination of Consumer Representation in Standardisation) gave a presentation on the needs of the consumer in an electronic environment. He stressed the need for secure authentication tools from a consumer protection perspective: the consumer should be certain about the identity of the merchant and about the integrity of the information. At the same time the consumer should be able to make use of high-level secure authentication tools himself. The level of technical security required or recommended by the European draft directive is a minimum level which should certainly be met by signature products. "Electronic" signatures should even be limited to "digital" signatures, because they are currently the only secure authentication tools. The delivery of certification services should even be limited to licensed certification service providers, to ensure a priori control of the technical and organisational requirements these organisations have to meet.
(For more information, see Mr. Langmann's presentation.)
Mr Nick Mansfield, chairman of the ICX organisation, presented three statements to the expert team:
He emphasised the need to distinguish between authentication services and authorisation services. People are still confusing these two services. The EESSI should focus on authentication services.
He stressed the importance of mass market software for enhancing secure authentication. If electronic signatures cannot be used by mass market software, there will be no general acceptance of these electronic signature technologies.
Standardisation is a main element in stimulating the market to produce signature products and services, and to use secure authentication methods for electronic information interchange.
Mr Alain Le Gall explained how the French government is implementing an infrastructure for secure information interchange between the administration and citizens for administrative procedures, such as VAT declarations, based on standardised products and procedures. Mr Le Gall's contribution shows that the government can play a very important role in stimulating the use of secure authentication tools.
Mr Le Gall sees three issues which have to be taken into consideration by the EESSI team: the need to put multiple signatures on the same electronic document, time-stamping features in order to solve non-repudiation issues, and the procedures and means to access CRLs.
(For more information, see Mr Le Gall's presentation.)
Mr Anders L Johansson, senior archivist of the national tax board.
The Swedish National Tax Board will be using a single platform for communications, called SHS, to be used with different applications, such as Magi, Puma and Duff-EX. It will be an in-house solution where the private keys will be delivered free of charge to the users. RSA keys, combined with MD5 hashing, will be used for the digital signature algorithm.
There is a concern about being able to read file formats a long time afterwards. The use of the XML format is being considered.
Prof. Jos Dumortier gave an overview of the status of legal initiatives on electronic signatures in the Member States. He put forward the idea that the German digital signature law should not be seen as a law, but as a legal standard. The aim of this German digital signature law is in fact to standardise the use of digital signatures by natural persons. He also emphasised the difference between electronic signatures and digital signatures: electronic signatures are "all kinds of (electronic) substitutes for hand-written signatures", whereas a digital signature is one technical solution, with many other applications besides electronic signatures.
A very important message to the EESSI team was that, from a legal point of view, there is only a need to standardise digital signatures used for electronic signature purposes, i.e. as an alternative to hand-written signatures.
(For more information, see Professor Dumortier's presentation.)
Focus was put on the need to promote interoperability between users of different countries and on the legal consequences of using e-forms and smart cards instead of paper and pencil to distribute and sign documents. Presentations were given on the German, Italian, British and Finnish legislative initiatives. The importance of global interoperability was highlighted. Particularly important requirements included support for certificate formats, certificate verification and cross-certification. Time-stamping was also mentioned several times. The need for "trust" in the services supporting electronic signatures was also considered vital for their adoption in the future marketplace. It was suggested that the market initially needed to be driven towards a solution through regulation and standardisation. It was also pointed out that certificates need to take privacy issues into account.
Hubertus Soquat - Min. Economics and technology (D)
He placed special emphasis on interoperability and on the mechanisms governments have to launch to enable it.
(For more information, see Mr. Soquat's presentation 1 & presentation 2.)
Pierluigi Ridolfi - AIPA
The main topics of his presentation were validity period, interoperability, qualified Certificate Service Providers (CSP), standardization, the format of e-signatures and the format of digital certificates.
(For more information, see Mr Ridolfi's presentation.)
Gordon Manning - DTI (UK)
The main aspects of the UK situation were: promotion of electronic procurement (25% of it will be electronic by 2002; 500 MUSD of contracts by 2002, 12 MUSD by 98); the Electronic Bill will be used in April, with Assent by the end of year 2000.
(For more information, see Mr Manning's presentation.)
Aari Sapukki
Focus was put on the Finnish environment, legal framework, interoperability, success access factors, pilots and private aspects.
Concluding message: no market without confidence; no trust without interoperability; no interoperability without standardisation; no standardisation without mutual understanding.
(See also the presentation by Mr Matti Pulkinnen of the Finnish Ministry of Finance.)
This session involved presentations from a German notarial organisation, Sweden Post, a banking organisation, a provider of certification services and a European IT organisation (EEMA). The acceptability of standards and the legal uncertainty over the use of cryptography were identified as key issues. A number of other areas were identified where detailed technical and qualitative standardization was required. It was considered that the market place still needs to reach the "critical mass" for the widespread adoption of electronic signatures. The availability of standards that can be commonly adopted will help towards achieving this critical mass. However, the main obstacle relates to trusted business relations rather than to technical issues.
Ms Sigrun Erber-Faller gave a presentation on the activities of the German notaries. She described notarial functions and their electronic delivery. She spoke of electronic land registration and vehemently bemoaned the German banks' inability to supply appropriate data electronically. She also mentioned the German central data file for the electronic storage of wills (even death is now digital!).
(For more information, see Ms Erber-Faller's presentation.)
Mr Lennart Malmström presented the activities of PostNet, a division of Sweden Post Ltd. Smart cards are starting to be used as electronic ID cards (eIDs). They are issued either by the Post Office or by banks. The Post Office is providing PostNet APIs as an enabler for applications. PostNet is a public service guaranteed by the Swedish Post which includes the software, but also the certification service and the delivery of smart cards. In addition, PostNet provides certificates for servers.
A PIN presentation is required for every signature. Standards for the content of an ID certificate as well as for certificate policy statements have been identified.
(For more information, see Mr Malmström's presentation.)
Mr Steve Thomas presented the activities of APACS (Association for Payment Clearing Services, in the UK). APACS members are the banks, and thus they can be classified as a "closed community". Traditionally in this community the relying party and the certification authority roles are both played by the bank, whereas in the commercial world they are independent. Several requirements for standards have been identified: a standard harmonising the X.509 v3 certificate content; harmonised protocols supporting certificate management; harmonised security requirements for the establishment of CAs; a harmonised legal framework on electronic signatures; a clear and widely accepted standard on signatures.
(For more information, see Mr Thomas's presentation.)
Mr. Christian Buysschaert (Technical Manager of GlobalSign) presented the activities of GlobalSign. Certificates are produced for users, but also for servers and enterprises. In addition, "Object Publishing certificates", allowing the authentication of digital objects such as software, are also provided.
An interesting point relates to the liability of the certification authority. A certification authority is NOT liable for the use of the certificate by whatever application, but only for the verification of the identity at the time of registration, the reliability of the information placed in the certificate and the prompt revocation of the certificate.
Currently reliability relates to the "classes", whose conditions are all vendor dependent. Globally accepted quality/security standards are needed for: protocols/formats (SSL/TLS, S/MIME, etc.); industry standards (RFC, PKIX, PKCS, etc.); cryptographic hardware; client applications; server applications; Registration/Certification Authorities.
(For more information, see Mr. Buysschaert's presentation.)
Mr Chris Taper (ICL, UK) presented the activities of the EEMA. Although it was indicated that a signature should be as easy as the click of a mouse, this might contradict the principle that a signature should not happen by mistake. The important points are the following: it is important to be sure of what is being signed; a critical mass of applications needs to be achieved.
(For more information, see Mr Taper's presentation.)
Presentations were given on current standardisation activities and the presenters' views on further requirements. This included the activities of the American Bar Association, ETSI, the IETF and the World Wide Web Consortium. A number of ongoing activities in Europe and around the world of relevance to EESSI were identified, including both general guidelines and detailed interoperability standards, much of which is still in progress.
Mr. Robert Temple (British Telecom) gave a presentation on the activities of the American Bar Association.
The following activities were identified as relevant to EESSI: digital signature guidelines published in 1999; PKI Accreditation Guidelines; Model PKI Audit Programme; Certificate Service Agreements; global warning and notices. There were close links between these activities and PKIX part 4 (certificate policies and practices), which is likely to influence future work.
Mr. Mike Kenning (British Telecom, chair of the ETSI security TTP sub-group) presented the activities of the ETSI Security TTP (trusted third party) sub-group, which is currently working on technical standards for electronic signatures to support business transactions. This group carried out investigations into requirements for electronic signatures before the Directive had been drafted. Mr. Kenning indicated that non-repudiation policies were an important requirement identified by the group which was not currently being addressed. The ETSI group will shortly be producing draft standards for electronic signatures, which could provide a useful input to EESSI.
(For more information, see Mr Kenning's presentation.)
Mr. Denis Pinkas (BULL, member of the EESSI project team) presented the relevant activities of the IETF as well as of ISO/IEC JTC1 SC27, RSA's PKCS specifications and the Open Group.
Subsequent discussions identified: the need to push suppliers to adopt standards, since standards often give no market advantage; the need to make further selections to achieve interoperability.
(For more information, see Mr Pinkas's presentation.)
Mr. Stephan Santesson (Accurata) presented one activity of the IETF of particular relevance to EESSI: qualified certificates. This specifies the use of X.509 public key certificates for electronic signatures equivalent to written signatures. He also mentioned an activity of the IETF on the security of EDI (EDIINT).
(For more information, see Mr Santesson's presentation.)
Mr. Josef Diel (W3C) described the work of the World Wide Web Consortium. Of particular relevance is the workshop planned for 15/16 April on signed XML.
The meeting highlighted the concern for urgent action on standardisation, both to provide technical interoperability and to provide qualitative standards for assurance of the "trust" in supporting services. This needs to be able to operate in the international market place. Whilst it was recognised that there was a major concern that the Directive be technology neutral, it was considered that there was a most urgent need to work towards a single common solution. It was the general view that public key cryptography was the current market choice. Concerns were expressed about the lack of a common legal framework, and about the need to clarify the relationship between legal and technical aspects.