Guide on the Use of Electronic Signatures - Part 1: Legal and Technical Aspects

Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures [Dir.1999/93/EC] – referred to as the Directive in the remainder of this document – established a legal framework for electronic signatures and certificationservices in order to contribute to their legal recognition. It is laid down in article 5.1 that electronic signatures fulfilling certain quality metrics – so called qualified electronic signatures – satisfy the requirements of handwritten signatures. In article 5.2 a residual provision is given where electronic signatures are not denied legal effectiveness and admissibility as evidence in legal proceedings, even if the quality metrics of qualified electronic signatures are not met. The scope of this document is on the latter –electronic signatures that do not fulfil all the requirements laid down for qualified electronic signatures in article 5.1 of the Directive. The document therefore analyses the differences between cryptographic mechanism of digital signatures, qualified electronic signatures (according to article 5.1 of the Directive), and electronic signatures (according to article 5.2 of the Directive). In addition, a set of use cases of electronic signatures which do not fulfil some of the requirements laid down in article 5.1 are discussed in order to point out its effectiveness in ecommerce environments or in various application fields asking for authentication measures. In addition to the use cases, the evidence that is provided by electronic signatures is discussed. The electronic signatures and certification-services are broken up into its basic elements and the proof provided by each element is discussed from a legal perspective in order to establish the coherence between the technical elements and its legal effect. Part 2 of this CWA contains a Protection Profile (PP) for a Software Signature Creation Device [SCDev-PP] suitable for such general electronic signatures. This Protection Profile follows the provision of the Common Criteria (CC) [ISO 15408]. It is based on the [SSCD PP] that has been developed as a standard for devices that are capable of creating qualified electronic signatures.