Dear Nikolaos Papas
I find it a bit hard to answer your question because we did not have the problems you described. Also, I can only describe the process on the Estonian side. The Ministry of Justice decided that we accept all digital signatures (certificates) in the Company Registration Portal if they are equal to the Estonian digital signature:
1. Tied to the personal document (ID-card) and to the person
2. Separate authentication certificate and qualified digital signature certificate on the card.
3. Certificate contains unique nationally issued personal identification number or alike.
The digital signature has been in use in Estonia since 2003. Most Estonians (over 90%) have an ID-card that contains digital certificates for authentication and digital signing. The ID-card is a personal identification document and also an electronic identification device for identifying a person on the Internet (http://www.pass.ee/index.php/pass/eng/id_card). Inside the certificate there is, among other information, a Personal Identification Number. This unique number is given to a person when he/she is born and it is unchangeable. With this unique number and qualified certificates a person is always authenticated and related to other data (if available) in the e-Commercial register. All the information in Estonian Government registers (for example the Commercial register) is linked to a person (board member) record, and a person record contains a Personal Identification Code, thus linking it to the ID-card and to the natural person on the Internet.
From a technical and logical point of view the Estonian, Portuguese, Belgian and Finnish ID-card PKI systems are similar: a nationwide ID-card that contains certificates with a unique personal identification code. This is why we chose those countries to be partners in this “proof of concept” cross-border DS project.
During the development phase some differences occurred: the Finnish ID-card does not contain the identification code inside the cert. Another unique number that corresponds to the identification number is used instead. Therefore, a web service from the Finnish Population register had to be used to get the identification code into the Company Registration Portal when a person accesses it with a Finnish ID-card. Information from the Estonian population register is also used, when needed. To get access to the Finnish population register a contract was needed, no changes in the law.
The Estonian digital signature law regulates that all digital signatures are equal to a handwritten signature and acceptable if they are qualified and time stamped (not exact words). Lawyers also explained that EU laws are in favour of cross-border digital signature recognition. During the project we noticed that there were more technical problems than legal obstacles. In fact, only a few Estonian laws (regulations) were updated to correspond to EU directives.
To retain legal certainty in the company registration process over the Internet, a qualified digital signature that is equal to the Estonian qualified digital signature (as stated by the digital signature law) is needed. Before the system can accept foreign digital certificates the Estonian Ministry of Economic Affairs and Communications has to validate the foreign certificates and acquirement processes. This is a one-time process.
From a technical point of view, in the signing process the web application (CReP) contacts the Estonian CA (Certification Authority) OCSP (Online Certificate Status Protocol) service, which in turn contacts the foreign CA to receive the signature validation confirmation. With these OCSP services a digital signature is given. All OCSP services are open access for everyone. At the moment there are no special agreements between CAs. In the future there is probably going to be some kind of agreement, but more in the sense of an SLA (Service Level Agreement).
We had the chance to choose the partners for the Proof of Concept project. The qualification criteria were: qualified certificates attached to a smart card (national ID-card) and a unique personal identification number inside the certificate. We have not yet solved the problem of unqualified digital certificates. Company registration and bank deposit account opening on the Internet require legal certainty, and that is achievable with a qualified digital signature (certificate)!
For us there were more technical obstacles than law-related obstacles because EU directives regulate most of the problems you mentioned. Every service owner has to decide what kind (level) of certificates (digital signatures) is acceptable in the service.
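The acceptance criteria described above, expressed as a policy check in Go. This is an added example, not code from the Company Registration Portal or from AS Sertifitseerimiskeskus; it assumes that the personal identification code is carried in the certificate subject's serialNumber attribute and that the signing certificate is told apart from the authentication certificate by the nonRepudiation (contentCommitment) key-usage bit, and the certificates are constructed in-process for the demonstration. The OCSP status query the text describes is not part of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// checkSigningCert: chain to a Ministry-validated CA, signing (not authentication) cert, personal code in subject.
func checkSigningCert(cert *x509.Certificate, validatedCAs *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: validatedCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	switch {
	case err != nil:
		return errors.New("issuer is not a validated CA: " + err.Error())
	case cert.KeyUsage&x509.KeyUsageContentCommitment == 0:
		return errors.New("not a non-repudiation (digital signing) certificate")
	case cert.Subject.SerialNumber == "": // assumption: the personal code lives in subject serialNumber
		return errors.New("no personal identification code in the certificate subject")
	}
	return nil
}

// mint builds a constructed test certificate; parent == nil yields a self-signed CA.
func mint(serial int64, subj pkix.Name, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subj, KeyUsage: usage, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo: signing cert (accepted), authentication cert from the same card (rejected), CA not validated (rejected).
func Demo() (signingErr, authErr, unvalidatedCAErr error) {
	ca, caKey := mint(1, pkix.Name{CommonName: "Constructed validated CA"}, x509.KeyUsageCertSign, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	person := pkix.Name{CommonName: "TEST,PERSON", SerialNumber: "00000000000"} // constructed personal code
	signing, _ := mint(2, person, x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment, ca, caKey)
	auth, _ := mint(3, person, x509.KeyUsageDigitalSignature, ca, caKey)
	return checkSigningCert(signing, pool), checkSigningCert(auth, pool), checkSigningCert(signing, x509.NewCertPool())
}
```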
Questions from readers
I just read your entry in the ePractice portal on the Cross-border digital signature case with high interest.
In the description you say that there are different types of digital signatures in the Member States (which makes it complicated for cross-border activities). You close this description with Lesson 1 - It is possible to accept digital signatures from other EU member states! All the problems were technical!
For my understanding: Lesson 1 is only correct in cases when qualified signatures are used, i.e. when they are available in a country?
The countries in your project all require qualified signatures to sign the application for a company registration and provide the organisational and technical infrastructure to issue and deal with qualified signatures. France or the Czech Republic for example could not take part in your project as they do not provide the organisational and technical infrastructure for qualified signatures and/or have additional legal requirements; is that correct?
I’m asking you because I’m currently concerned with the issue of recognition of electronic signatures in the topic of cross-border public procurement. The countries involved are the Czech Republic, France, Spain and Sweden. From my point of view, first of all the different legal requirements make it impossible to allow for eSignature recognition. And in the second step, the technical issues need to be solved.
Looking forward to your answer.
X
Dear Mr X
Thank you for your letter. It is always good to get feedback.
I will try to answer your questions. However, I am a business analyst and not a PKI technical specialist, therefore the answers may be a bit shallow. In case you need more detailed technical information, I may need to discuss these topics with my colleagues.
Different kinds of digital signatures.
In Estonia documents are signed with special software called Digidoc (http://www.sk.ee/pages.php/020305010101). The outcome of the signing process is a *.ddoc file, similar to a zip container. With the Digidoc software any file(s) or document(s) can be signed and encrypted. Today it is possible to use this special format, but in the future it will be possible to sign PDF or ODT documents without the Digidoc software (under development). The point is that when someone sends a digitally signed application to another country the receiver does not know how to read it, as it requires special software. Among Estonian users this is not a problem because everyone knows where and how to get this free software. So in Estonia only the Estonian way of digital signing is accepted. If anyone sends us a digitally signed document that is signed with different software, we do not understand it and we do not accept it (not yet anyway). In the case of a foreign digital signature the reader does not know whether the digital signature is equal to the Estonian digital signature or not. To solve this problem the system lets applicants sign documents inside our Internet portal (https://ettevotjaportaal.rik.ee/). This way the system can control the signing process with a trusted digital signature creation application, and this way the output format is also controlled (.ddoc). The output can be archived in the Commercial register digital archive for (relatively) long-term archiving. The signing process also includes time stamping (in the OCSP response).
From a technical point of view, in the signing process the web application contacts the Estonian CA (certification authority) OCSP service, which in turn contacts the foreign CA to receive the signature validation confirmation.
Therefore, to allow foreign users to establish new legal entities in the Estonian Company registration portal it was necessary to check that the foreign ID-card has government support (is associated with the person/identification document) and that the certificates (one for authentication and a second for digital signing) on the smart card are qualified. This way we can produce qualified digital signatures (equal to the Estonian digital signature defined in the digital signature law).
Estonian ID-card certificates and digital signature are qualified.
To retain legal certainty in the company registration process over the Internet, a qualified digital signature that is equal to the Estonian qualified digital signature (as stated by the digital signature law) is needed. Before the system can accept foreign digital certificates the Estonian Ministry of Economic Affairs and Communications has to validate the foreign certificates and acquirement processes. This is a one-time process.
So the answer to your question: yes, for company registration the system only accepts qualified digital signatures. For authentication other types of certificates or passwords can be used. For example, in the authentication process the internet access passwords of the major Estonian banks (code cards or code calculators) are also accepted. It is a question of trust.
The question of will.
When the project was started we discovered that lawyers thought that the obstacle to recognizing a foreign digital signature lies on the technical side, and IT specialists thought that the obstacle lies on the legal side. So we came to the kick-off meeting and realised that there are obstacles on both sides. However, we managed to overcome all the problems.
The Estonian digital signature law regulates that all digital signatures are equal to a handwritten signature and acceptable if they are qualified and time stamped (not exact words). Lawyers also explained that EU laws are in favour of cross-border digital signature recognition. During the project we noticed that there were more technical problems than legal obstacles. In fact, only a few laws (regulations) were updated to correspond to EU directives. On the technical side we had to change the technical solution 3 times (start over) and we cooperated with the Estonian CA (Certification Authority, www.sk.ee) to make this project technically possible.
The solution is not totally ready. The project was meant to be a proof of concept with a low budget. We managed to prove that it is possible to make this solution work. Eventually we saw a better technical solution, one that requires more resources. When we receive the funding we will continue to improve the solution, but for now it works as expected.
To conclude my story, the cross-border digital signature recognition project works in the Estonian Company Registration Portal and the technical solution is also adoptable by other internet portals. For us this was not impossible, because we had the will of our minister of justice Mr Rein Lang and a well-motivated technical team. If there is a will there is a way! In addition to our Estonian partner AS Sertifitseerimiskeskus (www.sk.ee), we also had good partners from Portugal (www.itij.mj.pt), Belgium (www.certipost.be), Finland (www.fineid.fi) and Lithuania (www.omnitel.lt, MobileID).
However, your problem is a bit more complex. We had the chance to choose the partners for our project. The qualification criteria were qualified certificates attached to a smart card (national ID-card) and a unique personal identification number inside the certificate. We have not yet solved the problem of unqualified digital certificates. Company registration and bank deposit account opening on the Internet require legal certainty, and that is achievable with a qualified digital signature (certificate)!
Yours sincerely,
Ingmar Vali
key issue
I think this is a key issue for e-gov. I'm waiting for something similar for the interoperability of our systems, and not only in Europe.
Best wishes for the project!
Legal/Administrative Issues?
Whilst the subject matter itself is very interesting, I find it hard to believe that "the only problems encountered were technical". From experience, cross-border activities in the identity management domain throw up a multitude of legal, administrative and political issues that are a mountain to climb, in comparison with the fairly irrelevant technical issues associated with such transactions (technology allows you to do anything you want; it is outside restrictions (legal, policy, etc.) that do not allow you to do anything you want).
You have failed to provide any information on these issues, and how these have shaped the architecture of your solution. In particular, I would like to see how you approached the problem of government agencies in certain countries refusing to provide identity details, which makes verification of identity from these countries quite difficult.
Also, what consensus was reached with regard to the type of Certification Authorities that are approved by the individual governments? The fact that each country has its own digital signature standards goes back to the very problem that the governments essentially didn't trust each other's CAs. I am very interested to see how you tackled these non-technical issues.