An Open Forum was held in Brussels on July 1st to discuss the content of the draft report of an Expert Team produced in the framework of the EESSI (European Electronic Signature Standardization Initiative).
Under a mandate from the European Commission, the Expert Team was requested to prepare the ground for the necessary standardization activities by identifying the standardization needs in support of the emerging legal framework for electronic signatures in the European Union, based on an assessment of existing standards and technical specifications in this area.
This Open Forum was a follow-up to a first consultation meeting on the same subject, held in Brussels last February. At that time, the discussion had identified a number of standards-setting requirements to be used as background material for the present debate. This time, however, the Expert Team's draft report constitutes an official deliverable for EESSI, highlighting concrete areas of standardization and putting forward specific recommendations for the achievement of priority objectives.
The aim of the Forum was to launch the debate on the proposals of the draft report and to submit the first conclusions on standards-setting priorities to public scrutiny.
The core part of the first session was focused on the presentation of the draft report, as deployed per chapter and per standardization key-area by each member of the Expert Team. In the second session, the findings of the Expert Team were discussed in three panel discussions. Two panellists were appointed for each panel to address the first questions to the Expert Team, and the floor followed with relevant remarks and interventions.
The Forum was attended by approximately 170 invited representatives of public authorities, national standards bodies and industry market players involved in products and services for Electronic Signatures.
Mr. Claude Boulle, Chair of EESSI and Chairman of the meeting, welcomed the participants and presented the phased evolution of the EESSI. He further stressed the importance of the four principles upon which this initiative is built: its industry driven nature aiming at reconciling market needs with the legal requirements of the future Directive; its pertinence to respond to actual market demands and practices by putting forward solid and interoperable standards-setting solutions; its international dimension based on both European and overseas activities; finally, its disclosed and transparent character with regard to the on-going and planned work programme.
The keynote speech was given by Mr. Magnus Lemmel, Acting Director General of DG III Industry of the European Commission. After emphasising the « focal role » of EESSI as a self-regulatory activity, he stressed the need to introduce standards by using open, secure and reliable standards-setting mechanisms, in order to ensure market legitimacy according to the legal requirements of the draft Directive on Electronic Signatures. For EESSI to attain its full potential, three conditions had to be fulfilled: effective involvement and active participation of all parties concerned with the Electronic Signatures broad subject area, openness and transparency for all initiatives taken under the auspices of EESSI, encouragement of global, internationally accepted solutions.
The results of the initiative to date demonstrate that the EESSI is prepared to comply with these principles and justify the continuance of the work under a new mandate. A further step forward, the setting up of a strong and credible institutional framework, is also to be envisaged. In this context, the Commission fully supports the launch of the two co-operative mechanisms (the "Electronic Signature Standardization Industry Advisory Group" and the "International Electronic Signature Forum") that are put forward in the draft report.
Mr. Patrick Van Eecke, Researcher at the Catholic University of Leuven (KUL, Belgium) and specialised in the legal aspects of Electronic Signatures, presented the first part of the draft report. His analysis concentrated on the implications of the Draft Directive on Electronic Signatures from the perspective of industry and the standardization community.
Next, Mr. Hans Nilsson from iD2 technologies, leader of the Project Team with broad experience of security and authentication issues, described the overall framework of the proposed electronic signature standardization work.
The technical background of the report was outlined in detail in relation to three subject areas:
As an epilogue, the high priorities on the basis of the proposed work areas were pinpointed with the recommendation to carry them out in an open working environment ensuring international co-ordination and promotion.
The panellists' interventions and the viewpoints expressed by the rest of the attendees were structured around the three main standardization fields identified by the experts.
Mr. Joseph Dumortier, Professor in IT & Telecommunications Law at K.U.L, Belgium, and Mr. Simon Bailey, Business Development Director from Inter Clear Service Limited, UK, posed the first questions to the Expert Team as panellists.
It was explained that Certification Service Providers (CSPs) issuing qualified certificates are considered in the Directive as one single category. The Expert Team has preferred to set as a short-term goal the attainment of a certain quality level covering equally all the components of CSP(s) issuing qualified certificates taken as a whole, rather than to split up this category into different sub-categories. However, a possible break-down could be envisaged in the longer term.
As far as certificate holders are concerned, it was emphasised that the Directive does not restrict the legal effect of Electronic Signatures to natural persons only, but also enables recognition of the signatory powers of legal entities. However, if and to what extent legal persons will also be entitled to sign with legally binding consequences in the near future is a matter for the Member States to decide when implementing the Directive into their national laws.
Concerns were also expressed on the introduction of indirect and direct accreditation models for the provision of certification services. With regard to the direct accreditation model it should be examined, for instance, which entity or body would be capable of taking up this kind of assignment. Whether or not this issue is entrusted to the European and national accreditation bodies, the Expert Team emphasised the need to promote a coherent accreditation model at European level, so as to avoid the risk of ending up with very different conformance assessment schemes in different countries, which would prevent easy cross-recognition around Europe.
A number of questions addressed the importance of elaborating guidance material and pragmatic rules to establish a certain level of security for CSPs. The introduction of minimum operational standards for PKI implementation, in relation to the revocation process, or of minimum liability requirements that it would be appropriate for PKIs to have, illustrate issues that remain to be examined in a second stage of the current exercise.
In particular, concerning the adequacy or inadequacy of BS 7799 to ensure the expected level of security management of the CSP, it was stressed that the Expert Team considered this standard could be used as a generic one that provides an appropriate security level when more detailed constraints are not to be imposed on a CSP. Nevertheless, the precise definition of the level of security requirements for CSP(s) and, consequently, the review of BS 7799 alone or in combination with other standards or guidelines constituted one of the priorities to be discussed in the next phase.
Last but not least, several lessons could be drawn from the German experience. Apart from a more detailed legal framework in the area of Electronic Signatures, this provides a good example of concrete self-regulatory initiatives (for instance a project on interoperability guidance in the field of digital signatures). The latter are recognised as implementation tools of the Directive in Germany, but they could also be viewed as a first quality national input to initiatives taken at the European level, mainly by the "Electronic Signatures Committee" defined in the Directive.
Mr. Mark Stirland, Principal Consultant from the Barclays Bank, UK and Mr. Arnaud Fausse, E-commerce and Information Security Product Manager from Schlumberger Smart Cards Products, initiated the dialogue for this panel.
The issue of automatic signature generation was raised, with criticisms that the draft report does not provide for technical support in relation to the recognition of "corporate" signatures. It was explained that the legal effect of electronic signatures created by machines is not clearly resolved by the Directive, especially in the framework of qualified electronic signatures. But even in this area, it is up to the Member States to decide how far they are willing, in the internal legislation implementing the Directive, to recognise the legal effects of signatures created by machines.
It was also asked if and how far standards that are already operational, namely the U.S. standards FIPS 140-0 and PKCS, could equally be recognised in all their versions at the European level. This question is implicitly connected with the development of international standards, an issue to be explored in a second phase of this initiative.
Other concerns emphasised the need to ensure a high level of security for Electronic Signature creation devices, with recommendations to introduce the smart cards already in use for banking operations and to implement the signature-creation application on them. The Expert Team mentioned that the Directive addresses only the signature creation device without its operating environment, but recognised that the latter will also need to be addressed. As mentioned in the report, when smart cards are used Annex III can be easily fulfilled, but this does not mean that other technologies cannot be used.
Concerning the declaration process in relation to an enhanced security level guaranteed by the system, it was reaffirmed that this issue would be subject to further considerations but, in the first place, it was up to the industry sector to take steps to resolve it in practice.
A number of interesting issues were raised by the two panellists, Mr. Wolfgang Schneider from GMD (Association for Mathematics and Data Processing), Germany, and Mr. Vesa Vatka, Special Analyst from the Population Register Centre of Finland.
In terms of interoperability, there is already a wide range of drafts, recommendations and even "standards" produced in bodies such as the IETF. However, the present standards (PKIX, PKCS etc.) do not cover all needs (for instance the issue of long-term, layered signatures identified in the report). In the same context, and apart from the question of available software, the platforms on which all of this standards-setting work should take place raised concerns about their adequacy to provide results corresponding to European needs.
On the other hand, little was said in the report on the standardization requirements for smart cards and other hardware tokens; additionally, the role the APIs should play in relation to other interoperable standards was only partly addressed. At the current stage, the Expert Team supports the idea that the right combination of already existing standards, for instance PKCS-11 (the API standard for cryptographic modules) with PKCS-15 (the standard for storage of various keys and certificates on hardware tokens), could adequately fulfil interoperability requirements in the area of smart cards. As indicated in the report, this needs to be cross-checked.
As far as the Card Accepting Devices (CADs) are concerned, it was clarified that the issue actually calls for a two-fold approach: the pure interoperability item with regard to smart card readers, which is for industry to handle, perhaps based on certain guidance for the adoption of the right standards, and the security requirements for smart card readers as such. It is reckoned that a set of minimum security requirements has to be drawn up; this is a work item for the next phase to deal with.
Mention was also made of current work in DIN (the German Standards Body) to provide an interoperable standard for smart cards in Germany. However, the need to promote some solutions for cross-recognition of interoperable standards at European level was pinpointed.
Finally, the suggestion to envisage standardization work in the field of archiving (meaning, in a broad sense, notary services) was rejected, at least in the framework of the current standards-setting priorities. Archiving is for the time being handled by companies or organisations as a local matter, and is provided as an in-house service, according to each company's own way of storing information. It is however obvious that if, in the longer term, archiving services are exclusively entrusted to an independent third party, there would be a possibility to envisage standardization of the archiving process.
Ms. Isabelle Valet-Harper, Vice-Chair of the ICT Standards Board, gave the closing speech. She focused on the role of the ICT Standards Board, especially in initiating the Electronic Signature Standardization Initiative. She also presented the follow-up of this action on the basis of the up-to-date approved work and time schedule agreed by the ICTSB members. The next steps will be further discussed and approved by the ICTSB members on the basis of the Expert Team's recommendations and the results of the present discussion.