
The French legal framework for electronic signatures is now complete. A ministerial order which establishes the regime for the qualification of electronic certification providers and accreditation for evaluation organizations was issued on May 31 2002.

For an electronic signature to have the same legal force as a handwritten signature, it must use a reliable identification process which guarantees the link between the signature and the document to which it applies. A presumption of reliability will apply when the electronic signature is secure - that is, when it meets the following criteria:

  • It is uniquely linked to the signatory;

  • It was created using means within the sole control of the signatory; and

  • It is linked to the document to which it relates so that any subsequent changes to the document would be detectable.

In order to ensure the fulfilment of these criteria, a decree of March 30 2001 (Decree 2001-272) provides that the electronic signature must be created using a secure creation device and be backed by a qualified electronic certificate. These apparently simple requirements have evolved, as a result of the regulatory process, into a complex regime involving a host of parties and organizations at various stages. The ministerial order of May 31 2002 establishes who is qualified to act as a certification service provider, the only type of entity allowed to issue qualified electronic certificates.

Secure Creation Device

In order to be deemed secure, the creation device (hardware and/or software) must:

  • ensure, using appropriate technical means and processes, that (i) the electronic signature data cannot be duplicated, (ii) the confidentiality of the data is preserved, and (iii) the data is sufficiently protected by the signatory from any third-party utilization;

  • protect the electronic signature against falsification; and

  • not alter the content of the document to be signed nor hinder the signatory's full knowledge of the document prior to signing it.

The creation device must be certified as complying with all of these requirements, after evaluation by an accredited evaluation centre and approval by the Central Directorate for Information Systems Security (DCSSI), a government agency attached to the Prime Minister's Office and in charge of encryption and other IT security matters. Evaluation centres are accredited by the DCSSI or, subject to certain conditions, by equivalent organizations in other member states of the European Union.

Qualified Electronic Certificate

An electronic signature created with a secure creation device must also be backed by a qualified electronic certificate. This certificate, an electronic document attesting to the link between the signature verification data and the signatory, must be issued by a certification service provider (CSP).

Certification Service Providers

In compliance with Article 3 of the Electronic Signature Directive (1999/93/EC), the decree does not require CSPs to obtain authorization prior to providing certification services. They must simply comply with the terms of Article 6 of the decree, which mainly relate (i) to the reliability of a CSP's staff members, procedures and services, and (ii) to its obligations of client confidentiality and information provision.

However, if a CSP has been accredited by an accreditation centre, then it benefits from a legal presumption of compliance with the requirements of Article 6 of the decree. This strong incentive is likely to ensure that most certification service providers will seek accreditation.

In order to be accredited, a CSP must apply to an accreditation centre, which has itself been approved by COFRAC (the French accreditation committee) or an equivalent organization of another member state of the European Union, and pay the accreditation centre's fees, which are not established by the regulations. The accreditation centre must verify that the CSP's service standards meet the requirements of Article 6 of the decree, as well as the norms and practices of the certification service provision industry.

The accreditation centre must issue a detailed report and decide whether to grant a certificate of accreditation. The report must be made available to the DCSSI upon request, while the accreditation certificate is made available to anyone upon request. CSPs will probably have to renew their accreditation yearly.

Further, the authentication service provided by a CSP falls within the scope of the French encryption regulations. As a result, the CSP is also required to file a prior declaration with the DCSSI.

Comment

This complex procedure would appear to be both costly and burdensome for CSPs, which may limit the number of CSPs and accreditation organizations. Another open issue is liability. At present, no French law expressly addresses the liability of CSPs. Given the sensitive nature of a CSP's role and the potential liabilities it faces, the existing regulatory regime should be supplemented with provisions on the scope of that liability, based on those in the directive.

In this respect, the rules set forth by the directive can be seen as protective of the CSPs' interests, since they state that providers will not incur liability in the absence of negligence and may include certain liability limitations in their agreements (subject to compliance with Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts).

However, the directive also provides that the CSP bears the burden of proof on the question of negligence: it is liable unless it proves that it did not act negligently. These provisions were largely reproduced in the draft Law on the Information Society presented to the French parliament by the Jospin government, which is currently under review by the Raffarin government.


For further information on this topic please contact Bradley L Joslove at Franklin by telephone (+33 1 45 02 79 00) or by fax (+33 1 45 02 79 01) or by email ([email protected]).