ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation made on January 29...

Electronic Signature 3.0 The future is now

Breakfast Meeting of 29 January 2014

29/01/2014 Copyright Lexing 2014 ® Company Confidential 1

Introduction

Background – Deployment

Stakes – New forms of signature

Challenge – Compliance

29/01/2014 2 Copyright Lexing 2014 ® Company Confidential

Extract from LesEchos.fr – 28 01 2014


Widespread Use of Electronic Signature:

- Mutual banks are increasingly using it in their bank branches

- Objective: streamline the sale of

products via multiple channels

OUTLINE

1. State of Play,

by Dimitri Mouton, Demaeter

2. Choose the right signature …

if possible

3. Deploy without risk …

subject to the discretionary

assessment of courts


1. State of Play - Dimitri Mouton, Demaeter

1. A dreadful mess…

2. Digital signature 101

3. Trends


1.1 A DREADFUL MESS…


PKI

Electronic signature

Authentication

Private key

Public key

Commitment

IGC

RSA

2048 bits

RGS

Certificate

CA

3+ class

2 stars

Presumption of reliability

Tablet

Secured signature Advanced signature

Qualified certificate

Agreement on evidence

PIN code

Strong authentication

SMS

Identity theft

CRL

Timestamp

OCSP

X.509 V3

Registration authority

CSP

PSCO

RFC 3161

COFRAC

ANSSI

Electronic Signature Policy

PAdES

PDF/A

XAdES

PKCS#7

PKCS#12

French Act of 13 March 2000

French Decree of 30 March 2001

EU Regulation

CMS

Detached signature

java applet

Specific to signatory

Sole control

SSCD

Revocation

SHA256

Delegation

Signature management system

On the fly

OTP

Integrity

Non-repudiation

Guarantee of origin

Traceability

Qualified provider

Probative value

Alice and Bob


AND A VARIETY OF USES …


Public procurements

B-to-B contracts

Registrations

Social security declarations

Electronic commerce

Consumer agreements in branch Notary deeds

Electronic minutes

Certificate of conformity

Diplomas Deeds – Legality control

Deliberations

Public accounting (“Hélios”)

Building work notification

Network and pipelines

Online banking

Administrative formalities

Réseau Privé Virtuel des Avocats

Réseau Privé Virtuel de la Justice

Electronic commercial court

Official deeds

Chartered accountancy Tachograph

Employment contracts

Attendance sheets

Electronic claim form

Invoices

Bank POA

Electronic certified mail

Electronic voting


Types…

Scanned signature

Handwritten signature on tablets

Electronic signature “on the fly”


With or without

accreditation

With or without legal opinion

With or without stars


Components of a digital service

Including electronic signature


1.2 Electronic signature 101


Electronic signature: hands-on definition

An electronic signature is a signature…

… covering an electronic document.

Ink marks paper Cryptography guarantees a link between the signatory and the document


Certificate: What is it for?

• A certificate is an “ID card” issued

by a “Certification Authority” (CA) or

a “Certificate Service Provider” (CSP)

• It can serve as a tool to:

– authenticate (control access)

– sign (electronic signature, seal, timestamp)

– encrypt (confidentiality)


PKI

• PKI (Public Key Infrastructure), also known in French as “Infrastructure à clef publique” (ICP) or “Infrastructure de Gestion de Clefs” (IGC) is a:

Set of technical and human means

implemented to issue certificates

• Certification Authority (CA): in charge of the PKI – Establishes rules (Certification Policy)

– Is responsible for their compliance

• Registration Authority (RA): registers holders

• Certification Operator (CO): operates machines

• Revocation Authority, Validation Authority: perform additional roles.


Certificate lifecycle


• Technical generation:

– Fingerprint (hash) of the document

– Sealing by private key

• Additional elements:

– Signatory certificate and related certification chain

– Time-stamping token

– Proof of certificate validity (CRL or OCSP)

Signature process


Verification process

• Technical generation:

– Fingerprint of the document

– Fingerprint initially sealed

– Comparison between the two values


Validity of the certificate The document has been signed by the certificate holder…

But who is he?

• Check the technical validity of the certificate.

– If invalid WARNING!

• Review the certificate holder:

– If I don’t trust this CA WARNING!

– If I trust this CA:

• Compare the signature date with the certificate validity date

• Check the Certificate Revocation List

• Everything is OK if: the name on the certificate is the same as the signatory name.

But

Was the signatory empowered to sign?

Is the document signed correct regarding its form? its substance?

Next step after technical verification: legal verification!


Example: Adobe Reader signature


Signature formats

• AdES = Advanced Electronic Signature

• 3 formats:

– PAdES = PDF format

– CAdES = CMS / PKCS#7 format

– XAdES = XML format

• Choice is to be made according to the constraints of the project

• All allow to include the same elements


Various levels of certificates

• The level of security offered by a certificate depends on:

– the registration procedures

– the token holding the private key (physical/software)

– the commitments of the Certification Authority

• The different levels set by the French General Security Reference

System (RGS) correspond to legal realities:

* Remote Registration

Software token

“Simple” electronic signature

** Face-to face registration

Physical token

“Secure” electronic signature

*** Face-to face registration

Secure physical token

Qualified certificate

“Presumed reliable” electronic signature


Trust rules

• Trust means you feel secure

• But trust does not mean you don’t need to be careful!

Weak Chain of Trust Strong Chain of Trust


1.3 TRENDS


“Autonomous” electronic signature

• The signatory

purchased a certificate

from a CA

• He possesses an

electronic signature tool

on his workstation

• He autonomously signs

on his workstation


Electronic signature by applet

• The signatory

purchased a certificate

from a CA

• The signature tool is

included in the service

• The signatory signs

on his workstation

when using the service


Server

“On the fly” electronic signature (1/4)

• The signatory has

no certificate and

no e-signature tool

• The server displays

the contracts and

he gives his agreement


Server

• The server

checks the identity

of the signatory

by sending him a

challenge by SMS



Server


• The server generates a dual signature key

• It generates a certificate in the name of the signatory

• It uses the private key to sign the document

• Then it destroys the private key


Server


• Document is signed

on the server!

• For the next signature,

a new certificate

will be generated


Server

Virtual smart card (1/3)

• The signatory does not need an electronic signature tool

• His certificate is stored on the server in a secure area (HSM)

• The server displays the contract and he gives his agreement


Server

• The server

checks the identity

of the signatory

by sending him a

challenge by SMS



Server


• Document is signed

on the server!

• For the next signature,

the same certificate

will be used


Server

Signature on a tablet

• Clients see the contract when in the bank branch or in store

• They affix their handwritten signature on the tablet

• An electronic signature is generated “on the fly” in addition to the handwritten signature


Server

Electronic seal

• Documents are produced via an automated process and sent to the server

• The server has a certificate in the name of the legal entity

• The electronic seal is an “electronic signature” of the legal entity

• It can be affixed automatically


Server

THE Trend …: “rematerialization”

First name Last Name

Address

Invoice

From XYZ

amounting to a proof of domicile

Services……………… €123

“First name Last name Address XYZ €123”


First name Last Name

Address

Invoice

From XYZ

amounting to a proof of domicile

Services……………… €123

Exploitation of 2D-DOC code

“First name Last name Address XYZ €123”

Technical verification Visual verification


2. How to choose the electronic signature?

1. Regulation on Digital

process

1. Absence of choice

2. Choice


2.1 REGULATION ON DIGITAL PROCESS


Prerequisites: Regulation

Le papier sauf … Electronic law

Paper required

unless...

agreement on

evidence

Obligation to

process electronic

documents

Right to

create electronic

documents

Law of 13 March 2000

(e-signature/e-evidence)

Before 2000 Law of 21 June 2004

(LCEN)

Law of 4 August 2008

(modernization of economy)

Agreement on

evidence

ad

probationem

French State

required to receive

electronic invoices

ad

validitatem

Order of 8 December 2005

(e-government)


Yes, it is possible, but … 3 scenarios

Prefilled e.g.: pay slip or declaration of interest

Imposed e.g.: electronic certified mail

Free … for the moment

41 29/01/2014 Copyright Lexing 2014 ® Company Confidential

And even if it is possible …

“Art. 1316-4 of Civil Code is not everything…”

“Whereas the employer complains that the judgment found that the dismissal was unfair, whereas

according to the ground of appeal, if a party contests the authenticity of an email, it is up to the judge

to determine whether the conditions laid down in articles 1316-1 and 1316-4 of the Civil Code for the

validity of an electronic document or signature are met;

Whereas by asserting that the manager of AGL Finances “is the author and the sender" of an email

whose authenticity was contested, on the grounds that the employer [did] not prove that the sender’s

address mentioned on the email is wrong or that the company mailbox has been hacked" and that “in

any event, such a hacking could not be attributed to Ms. X...”, without checking, as it was required to

do, whether that email had been established and maintained in conditions that guarantee its integrity

and whether it contained an electronic signature resulting from the use of a reliable identification

process, the Court of Appeals decision has no legal basis under Articles 287 of the Code of Civil

Procedure , 1316-1 and 1316-4 of the Civil Code;

But the provisions invoked by the ground of appeal are not applicable to an email produced to prove a

fact, as its existence can be established by any means of evidence, which are assessed at their

discretion by the trial judges; accordingly the ground of appeal is unfounded.”

French Cour de Cassation, social chamber, 25 Sept. 2013


First Thing First…

• Do you need to prove a right or a fact?

• Free proof or imposed proof

– Imposed = civil matters

– Free … more or less everything else

• criminal, administrative, employment matters


The question is therefore…

1. Do I need it? (investment management)

2. If you can move mountains, you can move molehills… (risk management)


2.2 ABSENCE OF CHOICE…


Example of a “no choice” scenario

To be presumed reliable within the meaning of above-mentioned

Article 2 of Decree of 30 March 2001, the electronic signature

procedures available to judges, registry officers and persons

authorized under Article R. 123-14 of the Code of Judicial

Organization must meet the three stars (***) level of the

General Security Reference System (RGS). In addition, the

signature must be secure and be created by a secure process

certified in accordance with the conditions laid down in Article 3

of said Decree. The procedure for filing and registration of the

identification and credentials data of these persons is subject to

the initiative and responsibility of the Ministry of Justice.

French Order of 18 October 2013 on electronic signature of court decisions issued in civil matters by

the Cour de cassation


Another example… with less legalese

• “The documents of administrative authorities may be subject to an electronic

signature. The latter is validly applied only by use of a method, compliant with

the rules of general security framework referred to in Article 9 point I, which

allows identification of the signatory, guarantees the link of the signature with

the document to which it is attached and ensures the integrity of said

document.”

• “The electronic certificates issued to administrative authorities and their agents

in order to ensure their identification in the context of an information system are

subject to a validation by the State under conditions laid down by decree.”

Ordinance 2005-1516 du 8-12-2005 on the electronic exchanges between citizens and administrative

authorities (Art. 8)


2.3 TIME TO CHOOSE!


A complex reality

• 4 legal concepts (Decree of 30 March 2001)

– Simple

– Secured + Digital

– Presumed reliable

• Geographical approach:

– Advanced (Dir. 1999/93/EC of 13 December 1999) Secure (Decree of 30 March 2001)

– Digital signature / Electronic signature

• At least 3 technical realities:

– RGS: one star (*)

– RGS: two stars (**)

– RGS: three stars (***)

RGS = General Security Reference System

3 DEGREES OF RELIABILITY

=

3 SIGNATURES


Where choice is possible …

Click


Secured electronic signature

Digital signature

Electronic signature presumed reliable


Basic method

Create evidence

• One signatory / Several signatories

• One document / a series of documents

• One channel/ Multi-channel

• Geographic distance

Administer evidence

• Produce it in urgency (summary procedure)

• Produce it in specific conditions (criminal; supervising entities)

Manage dispute

• Electronic signature presumed reliable – High risk for evidence to be contested

• Amount is high and risk for situation to be deadlocked

• Amount is not the essential element (high risk for low value contracts to be contested)

• Be careful of false hopes - Technical expertise ahead


Legal prerequisites

Contractual commitments

Legal provisions

( “LCEN” Act)

Public/Private

sector


Choosing a solution means choosing…a provider

Choosing a solution means choosing…a provider

Decision

Legal & technical

prerequisites

Contractual commitments

Maintenance of standards

and certifications

Insurance coverage


3. Legal security

1. Backbone

2. Upstream security

3. Downstream security


3.1 BACKBONE:

AGREEMENT ON EVIDENCE


Legal approach

• “Where a statute has not fixed other principles,

and failing a valid agreement to the contrary

between the parties, the judge shall regulate the

conflicts in matters of documentary evidence by

determining by every means the most credible

instrument, whatever its medium may be.”

French Civil Code, Art. 1316-2


Escalation of “powers”

Law

Agreement

Judge


Concept of “validity”

Substance

Enforceability

Access

B to C

B to B

A to C


A real organization …


Traceability Policy

Time Stamping Policy

Security Policy

Certification Policy

Archives Policy

XXX Policy


Another question...

Clause?

Contract?


Organizing an agreement on evidence

Recitals

Article 1 Definitions

Article 2 Effect – Enforceability

Article 3 Term – Limitation periods

Article 4 Purpose

Article 5 Scope

Article 6 Identification

Article 7 Authentication

Article 8 Integrity

Article 9 Durability

Article 10 Storage

Article 11 Time Stamping

Article 12 Traceability

Article 13 Signature

Article 14 Liability

Article 15 …


Having an agreement on evidence is not enough;

Need to organize evidence and access to evidence

Evidence record

Evidence trial


Vision of

the situation

Technical

justification

Legal basis Basis

Organization

of evidence

Access to

evidence


3.2 LEGAL BUILD

(UPSTREAM SECURITY)


Feasibility study

(Yes or No)

Legal impact study

(Go or No Go)

Legal basis

(public sector – e-government)

Compliance review (legal opinion)

Electronic document

management policy

Platform terms of access

(on line)

Employee information

Data Protection Authority (CNIL)

Insurance


Risk of “legal bug”

Do not get confused…

Agreement related to evidence

Agreement related to

digital process


3.3 LEGAL RUN

(DOWNSTREAM SECURITY)


Delegation of electronic signature

Terms of use of e-signature

book

IS Policy (adaptation)

Internal Audit (reliable audit trail)

Provider governance

Provider audit

Legal watch

Right of access unit

Crisis management


4. BUT IS IT ENOUGH?


Security aspects of digital process

Electronic Signature

Identity management

Certificates

Confidentiality

Archiving

Traceability

Time Stamping


Security is everybody’s business

• Application developers must take account of security…

• But a global vision is needed!

• Involvement and responsible attitude from each stakeholders is essential for

technical and legal security measures to be fully efficient.


Find out more…


Next Breakfast Meeting

Mayors and MPs:

How to protect your e-reputation & name

February 12, 2014

Speakers:

Virginie Bensoussan-Brulé & Claudine Salomon


Contact

Photos & Illustrations Credits Networking©Scott Maxwell-Fotolia.com informatique data room réunion

binary stream©Mike Kiev-Fotolia.com

Emblème France©illustrez-vous-Fotolia.com

Road to Success - Up Arrow©iQoncept-Fotolia.com

Businessman entering the labyrinth©Scanrail-Fotolia.com

Dessins tirés de Sécurité de la dématérialisation © Stéphane Torossian – http://graphiste-free-lance-sato.jimdo.com

Lexing is a registered trademark of Alain Bensoussan Selas

Demaeter is a registered trademark of Demaeter Sarl

Me Eric Barbry

Head of the Digital Law Practice Group

Tel +33 (0)6 13 28 91 28

[email protected]

Me Polyanna Bigle

Head of ISS & Electronic Documents Department

Tel +33 (0)6 42 32 16 09

[email protected]

Mr. Dimitri Mouton – Demaeter

Consultant expert in dematerialisation & security

Tel +33 (0)6 59 10 99 37

[email protected] – www.demaeter.fr


ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation made on January 29...

Business

Transcript of ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation made on January 29...