Electronic signature

An electronic signature is data associated with electronic information that identifies the signatory (signature creator) and allows the integrity of the signed electronic information to be checked. Usually the electronic information is an electronic document. Technically, the electronic signature thus serves the same purpose as a handwritten signature on a paper document.

For certain areas, national legislators impose additional requirements on electronic signatures. In Germany, only qualified electronic signatures pursuant to § 2 No. 3 of the Signature Act (SigG) meet the requirements of the electronic form under § 126a BGB, which can replace the statutory written form. Likewise, only electronic documents provided with a qualified electronic signature have the same evidential value as (paper) documents within the meaning of the Code of Civil Procedure (§ 371a paragraph 1 ZPO). Under the Austrian Signature Act, an electronic signature is even regarded as equivalent to a handwritten signature.

In cases where a qualified electronic signature is not required by law, documents provided with "only" an advanced electronic signature pursuant to § 2 No. 2 SigG are also used in court as evidence by inspection (Augenschein).


Distinction from the digital signature

The terms "digital signature" and "electronic signature" are often used interchangeably, but this is incorrect. "Digital signature" denotes a class of cryptographic (i.e. mathematical) methods, whereas "electronic signature" is a purely legal term. The term "electronic signature" was first used by the European Commission in a revised draft of EU Directive 1999/93/EC so as not to tie the regulations to a particular technology; an earlier draft still used the term "digital signature". The Directive, and the national signature laws of the Member States based on it, deliberately define the concept broadly: "electronic signature" means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. Besides digital signatures, this definition also covers other methods that are not based on cryptographic techniques, in particular not on digital certificates.

Legal framework

EC Directive

The starting point for current signature legislation in the European Union is EU Directive 1999/93/EC ("Directive on Electronic Signatures"). It defines requirements for electronic signature regulations, which the Member States and the other states of the European Economic Area have implemented in national law.

The Signature Directive defines the electronic signature in a technology-neutral way as data "which are attached to or logically associated with other electronic data and which serve as a method of authentication" of those data. The name of the author or sender appended to an electronic document or message already meets this definition. Advanced electronic signatures, on the other hand, have a higher evidential value, since they make it possible to verify the authenticity and integrity of the signed data. Currently only electronic signatures based on digital signatures meet these requirements. Finally, the Directive covers advanced electronic signatures that are based on a qualified certificate and were created with a secure signature-creation device (SSCD). The Directive defines no term of its own for this type of signature, but addresses it specifically on essential points; the term "qualified electronic signature" has since become established for it almost everywhere in Europe.

The Directive also sets out requirements for the issuance of certificates and other certification services. Under Article 2 No. 9, a certificate "means an electronic attestation which links signature-verification data to a person and confirms the identity of that person". Under Article 2 No. 11, certification services also include "other services related to electronic signatures", e.g. directory services for certificates, identification and registration services for the issuance of certificates, or time-stamping services. The Signature Directive places special requirements on a qualified certificate. On the one hand, it must specify the issuer, the key holder and the scope of the certificate and carry the advanced electronic signature of the issuer; on the other hand, the issuer must meet extensive and far-reaching requirements regarding the security and traceability of certificate issuance.

The main provisions of the Directive on Electronic Signatures were that

Legal framework Germany

The electronic signature is regulated by several laws:

  • Signature Act (SigG)
  • Signature Ordinance (SigV)
  • Civil Code (BGB), especially §§ 125 et seq. on the forms of legal transactions
  • Administrative Procedure Act (VwVfG, of the federation and most states), here especially § 3a for electronic communication and § 37 for the electronic administrative act
  • Countless other laws, which were amended in 2001 by the Act adapting form requirements (Formvorschriftenanpassungsgesetz)
  • In addition, the rules of the European Union apply
  • First Act Amending the Signature Act (1. SigÄndG)

Forms of electronic signature

The Signature Act essentially adopts the definitions of the European Directive and, like it, distinguishes between the following forms of electronic signatures:

The various forms of electronic signature correspond to different requirements on the signatures. Qualified signatures impose the highest requirements on the creation of signature keys, on signature-creation devices, and on signature-verification keys and certificates. In addition, the application components used in signature generation must also meet certain requirements.

Requirements for simple electronic signatures

No special requirements apply to simple (i.e. not advanced) electronic signatures. For example, indicating the author or sender without a digital signature already counts as a "simple" signature. In civil proceedings, documents or files with simple electronic signatures are subject to the court's free evaluation of evidence. In each case it therefore depends on whether the court considers the signature scheme used to be trustworthy as evidence, which will, where appropriate, be determined by experts. Simple electronic signatures may be used under § 127 BGB for agreements in free form.

Requirements for advanced electronic signatures

For the advanced electronic signature, § 2 No. 2 SigG essentially adopts the definition of the Directive: an advanced signature must have been created with a unique (basically secret) signature key that was available to the signature creator at the time of signature creation, using means that are under his sole control. In addition, the signature creator must be identifiable if required. This is done either via verification keys assigned to the signature creator or possibly via biometric signature characteristics captured during signature creation.

The term "signature key" does not necessarily refer only to cryptographic keys, and a certificate is not mandatory for the identifiability of the signature creator, so that advanced electronic signatures can also be created, for example, with PGP and a signature key stored on disk (soft PSE).

In litigation, advanced electronic signatures are treated in the same way as "simple" electronic signatures, as objects of evidence by inspection, i.e. the party relying on the signature must prove that the digital signature and the identification feature are genuine. Advanced electronic signatures can be used under § 127 BGB for agreements in free form.

Requirements for qualified electronic signatures

Only documents with a qualified electronic signature pursuant to § 2 No. 3 SigG can be used as the electronic form to replace a written form on paper required by law, see § 126a BGB. In accordance with the European Directive, a qualified electronic signature is an advanced electronic signature that is based on a qualified certificate valid at the time of its creation and was created with a secure signature-creation device (SSCD). The signature key may be stored and applied solely in the SSCD, and the conformity of the SSCD with the requirements of the Signature Act must be checked and confirmed by a recognized body. In contrast, for qualified electronic signatures a test and confirmation of the signature application component, which includes the signature software, drivers and smart card reader, is not mandatory; at least a manufacturer's declaration is required, however, in which the respective manufacturer confirms the conformity of the component with the Signature Act and Signature Ordinance pursuant to § 17 SigG. Such a manufacturer's declaration is later published by the Federal Network Agency in the Federal Gazette, but its submission to the Agency is already sufficient.

In addition, qualified electronic signatures are distinguished by which provider issued the certificate and generated the signature keys: providers without accreditation and providers accredited by the Federal Network Agency. Under the Signature Act, every provider of certificates for qualified electronic signatures must meet certain requirements with respect to the data center it operates. The provider can obtain a certificate that its data center meets the highest security requirements. First, there is testing by a recognized certification body (the Federal Office for Information Security (BSI) or a private certification body). If this body determines that the provider, or the provider's data center (in this context also referred to as a trust center), meets the security requirements, the Federal Network Agency certifies its security. The operator of the data center may now call itself accredited and receives qualified certificates for its certification services from the certification authority of the Federal Network Agency, which in Germany is the trusted root (root CA) of the public key infrastructure (PKI) for qualified certificates.

Use in practice

The Civil Code allows the written form prescribed by law, i.e. not voluntarily chosen (within 5% of all signed agreements or declarations), to be replaced by the electronic form unless otherwise provided by law (§ 126 BGB). The electronic form is observed when the signatory adds his name to the electronic document and provides it with a qualified electronic signature (§ 126a BGB).

For agreements in free form that are not required by law to be in writing but are voluntarily put in writing and signed for evidential reasons, the contracting parties may agree on a different signature form for electronic documents, choosing either a "simple" or an advanced electronic signature (§ 127 BGB).

The cryptographic algorithms approved for qualified electronic signatures are approved and published by the Federal Network Agency. Products approved for qualified electronic signatures are listed there as well.

Certification services do not require a licence but must be notified. The notification must show that and how the legal requirements (financial security, reliability, expertise) are met.

Legal framework Switzerland

The electronic signature is regulated by the Federal Act on Certification Services in the Field of Electronic Signatures (ZertES) and the Ordinance on Certification Services in the Field of Electronic Signatures (VZertES). The Code of Obligations (OR) provides, in Article 14 paragraph 2 and Article 59a, for the equivalence of ZertES-compliant electronic signatures and handwritten signatures in the area of statutory form requirements, and for the liability of the holder of the signing key for careful handling of the key. ZertES, VZertES and the corresponding OR amendment came into force on 1 January 2005.

A significant difference from the EU Signature Directive is that the legal effects of the OR provisions mentioned presuppose recognition (EU terminology: accreditation) of the respective certification service by a certification body. A legally compliant electronic signature in Switzerland therefore requires a recognized certification service, whereas in the EU only a legally compliant signature is required and accreditation remains voluntary. Recognition or accreditation confirms that the certification service meets the requirements of the Act.

The Swiss Accreditation Service (SAS) publishes a list of recognized certification services. Currently Swisscom (Switzerland), QuoVadis Trustlink Switzerland, SwissSign AG of Swiss Post and the Federal Office of Information Technology and Telecommunications (BIT) are recognized providers of certification services (as of September 2013).

Legal framework Austria

Austria was the first country to implement Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures.

The basis for the recognition of electronic signatures in Austrian law is the Signature Act. Until 2008 it distinguished between the (simple) electronic signature and the secure electronic signature, which essentially corresponded to the qualified electronic signature in Germany. On 1 January 2008 an amendment to the Signature Act came into force. In addition to the simple signature, Austria now has the advanced and the qualified electronic signature. The simple electronic signature is defined in § 2 No. 1 öSigG and does not differ from the German system. The advanced electronic signature is found in § 2 No. 3 öSigG and must meet additional requirements beyond those of the simple electronic signature: it must be assigned solely to the signatory, enable identification of the signatory, be created using means that are under the sole control of the signatory, and be linked to the data to which it refers in such a way that any subsequent change of the data can be detected. The newly added § 2 No. 3a öSigG now introduces the qualified electronic signature and aligns the term previously used, "secure electronic signature", with the technical term used in the Signature Directive. In content it still corresponds to the secure signature.

The Federal Act on provisions facilitating electronic communication with public bodies (E-Government Act) allows the use of a citizen card with a secure electronic signature for participation in electronic administrative procedures. As an interim solution, under § 25 an administrative signature could alternatively be used until 31 December 2007; its specific requirements are laid down in the Administrative Signature Ordinance. This temporary solution was not extended, so that since 1 January 2008 the secure or qualified electronic signature has been mandatory in e-government.

Technical implementation

Due to the broad and technology-neutral definition, electronic signatures can be implemented by completely different technical procedures. Thus the sender details in an e-mail already constitute an electronic signature, as does a contract concluded via the Internet, provided that appropriate procedures, such as a password prompt, duly attest the contract to a particular person.

Advanced or even qualified electronic signatures, which must allow reliable identification of the signatory and must reveal any subsequent change to the data, can only be realized with digital signatures in conjunction with digital certificates from a public key infrastructure (PKI). These methods use a key pair: one key is used for signature generation (signing key) and the other for verification (signature verification key). For qualified signatures, the use of asymmetric key pairs is mandatory under the German Signature Act.

For advanced signatures, identifying the signatory is not bound to a certificate. Besides certificates, other identifying characteristics can therefore be used, such as handwritten signatures captured during the signature generation process.

Use in practice

Forms in which an electronic signature created with a digital signature can be stored:

  • Separate files
  • A container file that contains both the payload file and the signature
  • The signature embedded in the payload file, as for example in PDF or XML

Long-term security of digital signatures

With new or improved methods of cryptanalysis and more powerful computers, the efficiency of attacks on a digital signature method such as RSA increases over time. The security of a digital signature, and therefore its meaningfulness, is thus limited in time.

For this reason, certificates issued today are usually valid for no more than three years, which means that the assigned signature key may no longer be used after the certificate expires (some signing software refuses to apply a signature with an invalid certificate). However, the age of electronic data cannot in practice be determined. Documents could therefore easily be backdated by years or even decades without this being detectable. Backdating can be done, for example, by changing the system time of the computer used. If, after years, a forger were able to calculate the signature key from the public certificate, he could thus provide a backdated document with a forged qualified electronic signature.

In Germany, the provider must keep the certificates verifiable for five years after the end of the validity period (accredited providers for 30 years) by operating a public certificate directory (§ 4 SigV). After that, verification of the certificate may become impossible.

Even if a certificate has long been invalid or the associated signature key is no longer used, documents that were signed within the validity period remain entirely valid.

The problem is proving the suitability of electronic signatures after the certificate has expired. In the literature, the view is held that the prima facie evidence (an easing of the burden of proof) of the authenticity of an electronic signature with accreditation cannot extend to the fact that the signature was created before the certificate expired, since proof of the signing time (Signierzeitpunkt) is easily possible for the party relying on the signature and therefore needs no easing of the burden of proof. After the certificate expires, a party relying on a signature must therefore fully prove that the signature was applied before that date. This can be done by re-signing (Nachsignierung) or by a time stamp.
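The two preceding paragraphs describe why a signer's own claimed signing time cannot anchor a signature inside the certificate's validity period, and why a time stamp can. The following Go program is an added illustration, not code from the original article or from any signature product: it models a certificate as a public key with a validity window, uses Ed25519 in place of the RSA-based schemes the text mentions, and uses a constructed, simplified time-stamp token format rather than a real RFC 3161 token. The certificate lifetimes, the TSA key and the sample document are all constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Cert stands in for a signature certificate: a public key plus its validity window.
type Cert struct {
	Pub                 ed25519.PublicKey
	NotBefore, NotAfter time.Time
}

// Signature carries the signer's claimed signing time, read from the signer's own
// system clock and therefore unverifiable: it can be set back at will.
type Signature struct {
	Sig         []byte
	ClaimedTime time.Time
}

// TimestampToken: a time-stamping authority (TSA) signs the hash of the signature
// together with the time at which it saw it (simplified token format, constructed).
type TimestampToken struct {
	AttestedTime time.Time
	SigHash      [32]byte
	TSASig       []byte
}

func (c Cert) validAt(t time.Time) bool { return !t.Before(c.NotBefore) && !t.After(c.NotAfter) }
func tsaPayload(sigHash [32]byte, t time.Time) []byte {
	return append([]byte(t.UTC().Format(time.RFC3339)+"|"), sigHash[:]...)
}
func Sign(priv ed25519.PrivateKey, doc []byte, claimed time.Time) Signature {
	return Signature{Sig: ed25519.Sign(priv, doc), ClaimedTime: claimed}
}
func IssueTimestamp(tsaPriv ed25519.PrivateKey, s Signature, now time.Time) TimestampToken {
	h := sha256.Sum256(s.Sig)
	return TimestampToken{AttestedTime: now, SigHash: h, TSASig: ed25519.Sign(tsaPriv, tsaPayload(h, now))}
}

// VerifyAt checks the signature and that the certificate was valid at refTime.
// Feeding it the signer's ClaimedTime is the weak check the text warns about.
func VerifyAt(c Cert, doc []byte, s Signature, refTime time.Time) bool {
	return c.validAt(refTime) && ed25519.Verify(c.Pub, doc, s.Sig)
}

// VerifyTimestamped takes the reference time from the TSA token instead, after
// checking that the token covers this very signature and was issued by a valid TSA key.
func VerifyTimestamped(c, tsa Cert, doc []byte, s Signature, tok TimestampToken) bool {
	h := sha256.Sum256(s.Sig)
	if h != tok.SigHash || !tsa.validAt(tok.AttestedTime) ||
		!ed25519.Verify(tsa.Pub, tsaPayload(h, tok.AttestedTime), tok.TSASig) {
		return false
	}
	return VerifyAt(c, doc, s, tok.AttestedTime)
}

// Scenario: does a signature made in 2025 (after expiry) but claiming 2011 pass the
// claimed-time check / the time-stamp check, and does an honest, time-stamped 2011
// signature still verify long after the certificate expired?
func Scenario() (backdatedPassesClaimed, backdatedPassesStamped, honestStillValid bool) {
	doc := []byte("constructed sample contract text")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	y := func(year int) time.Time { return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC) }
	signer := Cert{Pub: pub, NotBefore: y(2010), NotAfter: y(2013)} // three-year validity
	tsa := Cert{Pub: tsaPub, NotBefore: y(2010), NotAfter: y(2040)}  // long-lived TSA key
	honest := Sign(priv, doc, y(2011))
	honestStillValid = VerifyTimestamped(signer, tsa, doc, honest, IssueTimestamp(tsaPriv, honest, y(2011)))
	// The same key is used again in 2025 with the claimed time set back to 2011;
	// only the TSA-attested time reveals that the certificate had already expired.
	late := Sign(priv, doc, y(2011))
	backdatedPassesClaimed = VerifyAt(signer, doc, late, late.ClaimedTime)
	backdatedPassesStamped = VerifyTimestamped(signer, tsa, doc, late, IssueTimestamp(tsaPriv, late, y(2025)))
	return
}

func main() { fmt.Println(Scenario()) }
```

The output `true false true` shows the claimed-time check accepting the backdated signature while the time-stamp check rejects it, and the honestly time-stamped signature remaining verifiable years after the certificate expired.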

In the case of archived signed documents, a signature over the archive itself, or over any part of it, can secure the documents contained in it.

For electronic invoices and other business documents, the generally accepted accounting principles require that invoices be kept auditable for 10 years. If this is ensured by a suitable electronic archive, re-signing of the individual documents is not necessary, since a tamper-proof archive guarantees the immutability of the documents held in it.

Criticism

Security

Forgery of a signature can only be reliably excluded if suitable software is used to create and verify the signature. The difficulty is that it is hard to determine whether this condition is actually met. From the signature alone it cannot be seen whether it was actually created with secure technical components. Therefore the German Signature Act in § 17 also defines requirements for products for qualified electronic signatures.

In general, software is needed to verify the signature. Software on a PC can virtually always also contain so-called malware. A truly reliable test of whether the software actually meets the specifications and has not been manipulated is very expensive. Usually security mechanisms of the operating system and/or signatures on the software are used here.

Problems in practice

Often the consideration of security is reduced to purely mathematical and technical aspects. Almost all pilot projects show that the human factor is weighted too low. A truly affordable and pragmatic way of handling lost or forgotten secret numbers of signature cards is not yet in sight. In the Flensburg test region, the 10,000-participant field test of the electronic health card was stopped in March 2008: "Of 25 physicians in 17 practices who voluntarily took part in the test phase, 30 percent locked their health professional card because they simply could no longer remember the 6-digit signing PIN. 10 percent of them locked their new medical card irreversibly."

Since 2002 the hopes of signature card providers have rested on the ELENA procedure (formerly JobCard). According to the federal government, it is intended to promote the use of digital signatures, and it would meet the wish of signature card providers that the state should finally create mandatory use cases. In this context the media have again engaged more with the digital signature and the challenges of its implementation. A report by Deutschlandradio on 28 June 2008 pointed to possible alternatives for forgotten secret numbers or lost signature cards. The currently proposed approach would either weaken security and data protection or require a highly complex and hardly affordable procedure. Either a master key giving the employees of the central storage location access to all income certificates would have to be considered, or a multi-stage re-encryption procedure.

In recent years, signature cards and the digital signatures that come with them have gained competition in the field of electronic signatures. Offers for the trustworthy digitization of handwritten signatures are becoming increasingly frequent and sophisticated. Electronic signing on the computer is no longer achieved only with a chip card and PIN. It has its fields of application wherever the so-called "gewillkürte Schriftform" (voluntarily chosen written form) is used today; lawyers understand this to mean the mutual commitment to a paper document with a handwritten signature as evidence. Meanwhile, banks have even gone over to capturing handwritten signatures digitally on a signature pad during processes such as opening a bank account, and embedding these biometric data as identification features, and thus as a certificate replacement, in electronic applications (e.g. PDF forms) linked to the digital signature. In Austria, business enterprises can use a number of open-source modules of the platform Digital:Austria for secure online processes, e.g. for the use of electronic signatures in e-invoices for input tax deduction. Furthermore, the Austrian Federal Chancellery offers a testing service for electronically signed documents.

Limited European harmonization

Despite the equal legal relevance currently specified by the Signature Directive, an electronic signature does not have the same legal relevance in all countries. Although a qualified signature is defined in all countries as legally equivalent to a handwritten signature, the legal relevance of a handwritten signature varies considerably between the states. A user therefore cannot assess the legal relevance of a qualified electronic signature from another Member State as long as he does not know the local rules for handwritten signatures.

An extreme example is the UK, where a handwritten signature has no status beyond that of an indication; it is merely a piece of evidence whose probative value is decided case by case. For this reason the British government saw no need to include provisions on the equivalence of qualified electronic signatures to handwritten signatures in national law. Not even the concepts of the secure signature-creation device and the qualified electronic signature were included in British legislation.

Differences also appear in the question of whether qualified certificates and advanced electronic signatures can be assigned only to individuals or also to organizations. As the EC Directive is not clear on this point, the question is dealt with differently in the various Member States. This raises the question of whether, for example, a qualified certificate issued in Belgium for a company, and the signatures based on it, are recognized in Germany.

Another problem is that the individual countries themselves, in many areas (in Germany, for example, in social legislation), only accept qualified signatures whose certificates were issued by an accredited certification service provider. Since the requirements and procedures for accreditation vary widely at national level, this requirement makes market access difficult for foreign certification service providers.

New German identity card enables qualified electronic signatures

The new German identity card has been issued since 1 November 2010 in credit card format with a chip, and includes the capability, activatable for a fee, to serve as a signature-creation device for qualified electronic signatures. The federal government thereby hopes for wider distribution of the electronic signature. However, whether citizens will take on the costs so that the state can save money remains to be seen.

Examples of legally required qualified electronic signature

Electronic waste verification procedure

Under the German waste verification ordinance (Nachweisverordnung), it has been mandatory since 1 April 2010 that the waste disposer signs each transport of hazardous waste with a qualified electronic signature (electronic waste verification procedure, eANV). From 1 February 2011 at the latest, this regulation also applies to waste producers and waste transporters.
