nology-neutral and should not focus only on these kinds of signatures. Since a
variety of authentication mechanisms is expected to develop, the scope of this
Directive should be broad enough to cover a spectrum of “electronic signatures,”
which would include digital signatures based on public-key cryptography as well as
other means of authenticating data. 40
The regulatory framework should thus, on the one hand, “create a clear
framework for generating trust in digital signatures, while, on the other
hand, remain sufficiently flexible to react to new technological
developments.” 41 The reconciliation of these two objectives—capitalizing on the
“most recognized form of electronic signature” to rapidly establish a
thriving market and establishing a framework flexible enough to accommodate
a broad range of technological solutions to authentication—proved a
major tension in the successive versions of the directive that circulated
between the various European bodies responsible for its enactment.
The final version, adopted on December 13, 1999, settled on a
two-tiered approach that distinguished between two kinds of electronic
signatures with different legal effects. 42 It first defined electronic signatures
as a generic method for providing authentication (without providing a
definition of that term): “Electronic signatures means data in electronic
form which are attached to or logically associated with other electronic
data and which serve as method of authentication.” 43 To this generic
definition, it added one for “advanced electronic signatures”: “An electronic
signature which meets the following requirements: (a) it is uniquely linked
to the signatory; (b) it is capable of identifying the signatory; (c) it is
created using means that the signatory can maintain under his sole control;
(d) it is linked to the data to which it relates in such a manner that any
subsequent change of the data is detectable.” 44
The definition succinctly captured the three security services of the
cryptographic signature model outlined earlier: requirement (b) provides
for the identification of the signatory, requirements (a) and (c) provide for
non-repudiation, through a presumption of control over the private key,
and requirement (d) provides for data integrity, through the ability of the
verification algorithm to detect modifications of a single bit to the message
after creation of the signature.
Each type of electronic signature was attributed its own conditions
for admissibility and resulting legal effects. On the one hand, generic
electronic signatures provided the baseline case for nondiscrimination: