ELECTRONIC SIGNATURE_THE FUTURE IS NOW_ALAIN BENSOUSSAN LAW FIRM_presentation made on January 29...
Electronic Signature 3.0 The future is now
Breakfast Meeting of 29 January 2014
29/01/2014 Copyright Lexing 2014 ® Company Confidential 1
Introduction
Background – Deployment
Stakes – New forms of signature
Challenge – Compliance
Extract from LesEchos.fr – 28 01 2014
Widespread Use of Electronic Signature:
- Mutual banks are increasingly using it in their bank branches
- Objective: streamline the sale of products via multiple channels
OUTLINE
1. State of Play, by Dimitri Mouton, Demaeter
2. Choose the right signature … if possible
3. Deploy without risk … subject to the discretionary assessment of courts
1. State of Play - Dimitri Mouton, Demaeter
1. A dreadful mess…
2. Digital signature 101
3. Trends
1.1 A DREADFUL MESS…
PKI
Electronic signature
Authentication
Private key
Public key
Commitment
IGC
RSA
2048 bits
RGS
Certificate
CA
3+ class
2 stars
Presumption of reliability
Tablet
Secured signature Advanced signature
Qualified certificate
Agreement on evidence
PIN code
Strong authentication
SMS
Identity theft
CRL
Timestamp
OCSP
X.509 V3
Registration authority
CSP
PSCO
RFC 3161
COFRAC
ANSSI
Electronic Signature Policy
PAdES
PDF/A
XAdES
PKCS#7
PKCS#12
French Act of 13 March 2000
French Decree of 30 March 2001
EU Regulation
CMS
Detached signature
java applet
Specific to signatory
Sole control
SSCD
Revocation
SHA256
Delegation
Signature management system
On the fly
OTP
Integrity
Non-repudiation
Guarantee of origin
Traceability
Qualified provider
Probative value
Alice and Bob
AND A VARIETY OF USES …
Public procurements
B-to-B contracts
Registrations
Social security declarations
Electronic commerce
Consumer agreements in branch
Notary deeds
Electronic minutes
Certificate of conformity
Diplomas
Deeds – Legality control
Deliberations
Public accounting (“Hélios”)
Building work notification
Network and pipelines
Online banking
Administrative formalities
Réseau Privé Virtuel des Avocats
Réseau Privé Virtuel de la Justice
Electronic commercial court
Official deeds
Chartered accountancy
Tachograph
Employment contracts
Attendance sheets
Electronic claim form
Invoices
Bank POA
Electronic certified mail
Electronic voting
Types…
Scanned signature
Handwritten signature on tablets
Electronic signature “on the fly”
Electronic signature
With or without accreditation
With or without legal opinion
With or without stars
Components of a digital service
Including electronic signature
1.2 Electronic signature 101
Electronic signature: hands-on definition
An electronic signature is a signature…
… covering an electronic document.
Ink marks paper; cryptography guarantees a link between the signatory and the document.
Certificate: What is it for?
• A certificate is an “ID card” issued
by a “Certification Authority” (CA) or
a “Certificate Service Provider” (CSP)
• It can serve as a tool to:
– authenticate (control access)
– sign (electronic signature, seal, timestamp)
– encrypt (confidentiality)
PKI
• PKI (Public Key Infrastructure), also known in French as “Infrastructure à clef publique” (ICP) or “Infrastructure de Gestion de Clefs” (IGC), is a set of technical and human means implemented to issue certificates
• Certification Authority (CA): in charge of the PKI
– Establishes rules (Certification Policy)
– Is responsible for their compliance
• Registration Authority (RA): registers holders
• Certification Operator (CO): operates machines
• Revocation Authority, Validation Authority: perform additional roles.
Certificate lifecycle
Signature process
• Technical generation:
– Fingerprint (hash) of the document
– Sealing by private key
• Additional elements:
– Signatory certificate and related certification chain
– Time-stamping token
– Proof of certificate validity (CRL or OCSP)
Verification process
• Technical verification:
– Fingerprint of the document
– Fingerprint initially sealed
– Comparison between the two values
Validity of the certificate
The document has been signed by the certificate holder… But who is he?
• Check the technical validity of the certificate.
– If invalid: WARNING!
• Review the certificate holder:
– If I don’t trust this CA: WARNING!
– If I trust this CA:
• Compare the signature date with the certificate validity dates
• Check the Certificate Revocation List
• Everything is OK if the name on the certificate is the same as the signatory name.
But: was the signatory empowered to sign? Is the signed document correct as to its form? As to its substance?
Next step after technical verification: legal verification!
Example: Adobe Reader signature
Signature formats
• AdES = Advanced Electronic Signature
• 3 formats:
– PAdES = PDF format
– CAdES = CMS / PKCS#7 format
– XAdES = XML format
• Choice is to be made according to the constraints of the project
• All three allow the same elements to be included
Various levels of certificates
• The level of security offered by a certificate depends on:
– the registration procedures
– the token holding the private key (physical/software)
– the commitments of the Certification Authority
• The different levels set by the French General Security Reference System (RGS) correspond to legal realities:
– * (one star): remote registration, software token, “simple” electronic signature
– ** (two stars): face-to-face registration, physical token, “secure” electronic signature
– *** (three stars): face-to-face registration, secure physical token, qualified certificate, “presumed reliable” electronic signature
Trust rules
• Trust means you feel secure
• But trust does not mean you don’t need to be careful!
(Figure: weak chain of trust vs. strong chain of trust)
1.3 TRENDS
“Autonomous” electronic signature
• The signatory purchased a certificate from a CA
• He possesses an electronic signature tool on his workstation
• He autonomously signs on his workstation
Electronic signature by applet
• The signatory purchased a certificate from a CA
• The signature tool is included in the service
• The signatory signs on his workstation when using the service
“On the fly” electronic signature (1/4)
• The signatory has no certificate and no e-signature tool
• The server displays the contracts and he gives his agreement
“On the fly” electronic signature (2/4)
• The server checks the identity of the signatory by sending him a challenge by SMS
“On the fly” electronic signature (3/4)
• The server generates a dual signature key
• It generates a certificate in the name of the signatory
• It uses the private key to sign the document
• Then it destroys the private key
“On the fly” electronic signature (4/4)
• Document is signed on the server!
• For the next signature, a new certificate will be generated
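The signature and verification processes from section 1.2, combined with the “on the fly” flow just described, as one added example written for this page (not code from the presentation, Lexing or Demaeter). It uses only Go’s standard library and assumes a self-signed one-shot certificate where a real service would have its own CA issue it; chain, CRL/OCSP and timestamp-token checks are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signOnTheFly: the service generates a key pair, issues a certificate in the
// signatory's name, seals the SHA-256 fingerprint of the document with the
// private key and lets the key go out of scope ("destroyed" on return).
// Assumption: the certificate is self-signed; a real service's CA would issue it.
func signOnTheFly(doc []byte, signatory string, now time.Time) ([]byte, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: signatory},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour), // one-shot certificate: short-lived
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return sig, certDER, err
}

// verify follows the deck's verification process: recompute the fingerprint and
// compare it with the sealed one, check that the certificate was valid at the
// signing date, and check the name on the certificate. Chain, CRL/OCSP and
// timestamp-token checks are omitted to keep the example short.
func verify(doc, sig, certDER []byte, signedAt time.Time, claimed string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("fingerprints differ (document altered or wrong key): %w", err)
	}
	if signedAt.Before(cert.NotBefore) || signedAt.After(cert.NotAfter) {
		return fmt.Errorf("certificate was not valid on %s", signedAt.Format(time.RFC3339))
	}
	if cert.Subject.CommonName != claimed {
		return fmt.Errorf("certificate issued to %q, not to %q", cert.Subject.CommonName, claimed)
	}
	return nil
}
```

Because the private key only lives inside signOnTheFly, the service can later verify the document but can never produce a second signature with the same key, which is the point of the one-shot certificate.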
Virtual smart card (1/3)
• The signatory does not need an electronic signature tool
• His certificate is stored on the server in a secure area (HSM)
• The server displays the contract and he gives his agreement
Virtual smart card (2/3)
• The server checks the identity of the signatory by sending him a challenge by SMS
Virtual smart card (3/3)
• Document is signed on the server!
• For the next signature, the same certificate will be used
Signature on a tablet
• Clients see the contract when in the bank branch or in store
• They affix their handwritten signature on the tablet
• An electronic signature is generated “on the fly” in addition to the handwritten signature
Electronic seal
• Documents are produced via an automated process and sent to the server
• The server has a certificate in the name of the legal entity
• The electronic seal is an “electronic signature” of the legal entity
• It can be affixed automatically
THE Trend …: “rematerialization”
(Figure: a printed invoice from XYZ – First name, Last name, Address, Services €123 – amounting to a proof of domicile, with its key data “First name Last name Address XYZ €123” also carried in a 2D-DOC code)
Exploitation of 2D-DOC code: technical verification and visual verification
2. How to choose the electronic signature?
1. Regulation on digital process
2. Absence of choice
3. Choice
2.1 REGULATION ON DIGITAL PROCESS
Prerequisites: Regulation
(Figure: timeline from “paper, unless …” to electronic law)
• Before 2000: paper required, unless... agreement on evidence
• Law of 13 March 2000 (e-signature/e-evidence): right to create electronic documents – agreement on evidence, ad probationem
• Law of 21 June 2004 (LCEN): ad validitatem
• Order of 8 December 2005 (e-government): obligation to process electronic documents
• Law of 4 August 2008 (modernization of economy): French State required to receive electronic invoices
Yes, it is possible, but … 3 scenarios:
• Prefilled (e.g. pay slip or declaration of interest)
• Imposed (e.g. electronic certified mail)
• Free … for the moment
And even if it is possible …
“Art. 1316-4 of Civil Code is not everything…”
“Whereas the employer complains that the judgment found that the dismissal was unfair, whereas according to the ground of appeal, if a party contests the authenticity of an email, it is up to the judge to determine whether the conditions laid down in articles 1316-1 and 1316-4 of the Civil Code for the validity of an electronic document or signature are met;

Whereas by asserting that the manager of AGL Finances “is the author and the sender" of an email whose authenticity was contested, on the grounds that the employer [did] not prove that the sender’s address mentioned on the email is wrong or that the company mailbox has been hacked" and that “in any event, such a hacking could not be attributed to Ms. X...”, without checking, as it was required to do, whether that email had been established and maintained in conditions that guarantee its integrity and whether it contained an electronic signature resulting from the use of a reliable identification process, the Court of Appeals decision has no legal basis under Articles 287 of the Code of Civil Procedure, 1316-1 and 1316-4 of the Civil Code;

But the provisions invoked by the ground of appeal are not applicable to an email produced to prove a fact, as its existence can be established by any means of evidence, which are assessed at their discretion by the trial judges; accordingly the ground of appeal is unfounded.”
French Cour de Cassation, social chamber, 25 Sept. 2013
First Things First…
• Do you need to prove a right or a fact?
• Free proof or imposed proof
– Imposed = civil matters
– Free … more or less everything else (criminal, administrative, employment matters)
The question is therefore…
1. Do I need it? (investment management)
2. If you can move mountains, you can move molehills… (risk management)
2.2 ABSENCE OF CHOICE…
Example of a “no choice” scenario
To be presumed reliable within the meaning of above-mentioned Article 2 of Decree of 30 March 2001, the electronic signature procedures available to judges, registry officers and persons authorized under Article R. 123-14 of the Code of Judicial Organization must meet the three stars (***) level of the General Security Reference System (RGS). In addition, the signature must be secure and be created by a secure process certified in accordance with the conditions laid down in Article 3 of said Decree. The procedure for filing and registration of the identification and credentials data of these persons is subject to the initiative and responsibility of the Ministry of Justice.
French Order of 18 October 2013 on electronic signature of court decisions issued in civil matters by the Cour de cassation
Another example… with less legalese
• “The documents of administrative authorities may be subject to an electronic signature. The latter is validly applied only by use of a method, compliant with the rules of general security framework referred to in Article 9 point I, which allows identification of the signatory, guarantees the link of the signature with the document to which it is attached and ensures the integrity of said document.”
• “The electronic certificates issued to administrative authorities and their agents in order to ensure their identification in the context of an information system are subject to a validation by the State under conditions laid down by decree.”
Ordinance 2005-1516 of 8-12-2005 on the electronic exchanges between citizens and administrative authorities (Art. 8)
2.3 TIME TO CHOOSE!
A complex reality
• 4 legal concepts (Decree of 30 March 2001):
– Simple
– Secured + Digital
– Presumed reliable
• Geographical approach:
– Advanced (Dir. 1999/93/EC of 13 December 1999) / Secure (Decree of 30 March 2001)
– Digital signature / Electronic signature
• At least 3 technical realities:
– RGS: one star (*)
– RGS: two stars (**)
– RGS: three stars (***)
RGS = General Security Reference System
3 DEGREES OF RELIABILITY = 3 SIGNATURES
Where choice is possible …
Click
Electronic signature
Secured electronic signature
Digital signature
Electronic signature presumed reliable
Basic method
Create evidence
• One signatory / Several signatories
• One document / a series of documents
• One channel/ Multi-channel
• Geographic distance
Administer evidence
• Produce it in urgency (summary procedure)
• Produce it in specific conditions (criminal; supervising entities)
Manage dispute
• Electronic signature presumed reliable – High risk for evidence to be contested
• Amount is high and risk for situation to be deadlocked
• Amount is not the essential element (high risk for low value contracts to be contested)
• Be careful of false hopes - Technical expertise ahead
Legal prerequisites
Contractual commitments
Legal provisions (“LCEN” Act)
Public/Private sector
Choosing a solution means choosing…a provider
Decision
Legal & technical prerequisites
Contractual commitments
Maintenance of standards and certifications
Insurance coverage
3. Legal security
1. Backbone
2. Upstream security
3. Downstream security
3.1 BACKBONE: AGREEMENT ON EVIDENCE
Legal approach
• “Where a statute has not fixed other principles, and failing a valid agreement to the contrary between the parties, the judge shall regulate the conflicts in matters of documentary evidence by determining by every means the most credible instrument, whatever its medium may be.”
French Civil Code, Art. 1316-2
Escalation of “powers”
Law
Agreement
Judge
Concept of “validity”
Substance
Enforceability
Access
B to C
B to B
A to C
A real organization …
Agreement on evidence
Traceability Policy
Time Stamping Policy
Security Policy
Certification Policy
Archives Policy
XXX Policy
Another question...
Clause?
Contract?
Organizing an agreement on evidence
Recitals
Article 1 Definitions
Article 2 Effect – Enforceability
Article 3 Term – Limitation periods
Article 4 Purpose
Article 5 Scope
Article 6 Identification
Article 7 Authentication
Article 8 Integrity
Article 9 Durability
Article 10 Storage
Article 11 Time Stamping
Article 12 Traceability
Article 13 Signature
Article 14 Liability
Article 15 …
Having an agreement on evidence is not enough; evidence, and access to evidence, must also be organized.
(Figure: evidence record, evidence trial, agreement on evidence, vision of the situation, technical justification, legal basis, organization of evidence, access to evidence)
3.2 LEGAL BUILD (UPSTREAM SECURITY)
Feasibility study (Yes or No)
Legal impact study (Go or No Go)
Legal basis (public sector – e-government)
Compliance review (legal opinion)
Electronic document management policy
Platform terms of access (online)
Employee information
Data Protection Authority (CNIL)
Insurance
Risk of “legal bug”
Do not get confused…
Agreement related to evidence
Agreement related to digital process
3.3 LEGAL RUN (DOWNSTREAM SECURITY)
Delegation of electronic signature
Terms of use of e-signature book
IS Policy (adaptation)
Internal Audit (reliable audit trail)
Provider governance
Provider audit
Legal watch
Right of access unit
Crisis management
4. BUT IS IT ENOUGH?
Security aspects of digital process
Electronic Signature
Identity management
Certificates
Confidentiality
Archiving
Traceability
Time Stamping
Security is everybody’s business
• Application developers must take account of security…
• But a global vision is needed!
• Involvement and a responsible attitude from each stakeholder are essential for technical and legal security measures to be fully effective.
Find out more…
Next Breakfast Meeting
Mayors and MPs:
How to protect your e-reputation & name
February 12, 2014
Speakers:
Virginie Bensoussan-Brulé & Claudine Salomon
Contact
Photos & Illustrations Credits:
Networking © Scott Maxwell - Fotolia.com
informatique data room réunion binary stream © Mike Kiev - Fotolia.com
Emblème France © illustrez-vous - Fotolia.com
Road to Success - Up Arrow © iQoncept - Fotolia.com
Businessman entering the labyrinth © Scanrail - Fotolia.com
Drawings taken from “Sécurité de la dématérialisation” © Stéphane Torossian – http://graphiste-free-lance-sato.jimdo.com
Lexing is a registered trademark of Alain Bensoussan Selas
Demaeter is a registered trademark of Demaeter Sarl
Me Eric Barbry
Head of the Digital Law Practice Group
Tel +33 (0)6 13 28 91 28
Me Polyanna Bigle
Head of ISS & Electronic Documents Department
Tel +33 (0)6 42 32 16 09
Mr. Dimitri Mouton – Demaeter
Consultant expert in dematerialisation & security
Tel +33 (0)6 59 10 99 37
[email protected] – www.demaeter.fr