Are electronic signature assumptions realistic

A retrospective analysis of the basic legal and technical assumptions underlying EU Directive 1999/93/EC on electronic signatures and the technical standards (CWA) that followed it. See http://ipsec.pl/ for more details.

  1. Are electronic signature assumptions realistic?
     Paweł Krawczyk, IPSec.pl
  2. The Directive
     • Equivalence to a handwritten signature
       – Which handwritten signature?
         • The one at a $10 credit-card purchase? At a wedding contract? At a car dealer? At a notary? At church?
     • Sole control of the owner (AdES, Article 2.2c)
       – Reality
       – Polish Article 47
     • A utopia that turned into a fetish
  3. Technical standards
     • CWA 14170:2004: "A typical environment for the first case might be the home or the office, where the individual or the company has direct control of the SCS (e.g. an SCS implemented in a mobile phone). In this case, the security requirements may be met by organisational methods put in place or managed by the signer, and the technical means to ensure achievement of the security requirements may be more relaxed."
  4. Computer in home or office?
     • Direct control??
     • In the 21st century???
     • This could have been valid in the 70's
       – Pre-BBS, pre-FidoNet, pre-Internet
     • The reality of "direct control"
       – RDP, XDMCP, SSH, PoisonIvy...
       – "Direct control" from Romania over a server in Australia through a proxy in the USA
  5. Results
     • The smartcard: €150,000 Common Criteria (CC) certificate, DPA protection, tamper-proof
       ...is then inserted into...
     • The Signature Creation System: pirated Windows, no patches, running on an admin account, with out-of-date antivirus
  6. QCA's response
     • "Attack is possible, but only if using software non-compliant with recommendations found in the 'User manual' delivered with QCA products"
  7. All about antivirus
  8. SEALED 2007
     • "Study on the standardisation aspects of eSignature"
     • "The view of PKI taken in these documents is still based on the views from the 1970s and 1980s (an off-line world!) that have to some extent failed in the 1990s for various reasons"
  9. What works out there?
     • Username and password (UK)
     • Server-based signature (MobiTrust, Trusted Profile, OCES II)
     • SMS password (banks)
     • Software digital signature (UK, DK, PL – e-Sąd)
     • OTP tokens (banks)
     • Trusted email – PEC (IT), De-mail (DE), OCES (DK), TSCP (USA)
     • Risk-based authentication (e-Deklaracje)
     • 3rd party (EchoSign, DocuSign)
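The failure mode behind slides 4 to 6, as an added, constructed example (not code from the talk or from IPSec.pl): a tamper-proof card only ever sees a digest and a PIN, so it has no way of knowing which document the host displayed to the signer. The `SmartCard` and `CompromisedHost` classes, the PIN, and the sample documents are all hypothetical; textbook RSA without padding stands in for the card's real signature scheme purely so the script runs on the Python standard library (3.8+), and is not suitable for real use.

```python
"""Constructed demo: a tamper-proof signing card inside a compromised host (SCS).

Added illustration, not code from the slides. Textbook RSA (no padding) is a
stand-in so this runs on the standard library; real cards use padded RSA or
ECDSA, but the trust boundary shown here is identical: the card signs the
digest it is handed, and the host decides which digest that is.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, exact bit length
        if is_probable_prime(cand):
            return cand


class SmartCard:
    """Hypothetical card: the private key never leaves it, a PIN gates signing,
    but it only sees a 32-byte digest and cannot tell which document it hashes."""

    def __init__(self, pin: str, bits: int = 512):
        e = 65537
        while True:
            p, q = random_prime(bits), random_prime(bits)
            phi = (p - 1) * (q - 1)
            if p != q and phi % e:              # e must be invertible mod phi
                break
        self._d = pow(e, -1, phi)
        self._pin = pin
        self.public_key = (p * q, e)
        self.sign_count = 0                     # every signature the card ever made

    def sign_digest(self, digest: bytes, pin: str) -> int:
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        if len(digest) != 32:
            raise ValueError("expected a SHA-256 digest")
        self.sign_count += 1
        return pow(int.from_bytes(digest, "big"), self._d, self.public_key[0])


def verify(public_key: tuple, document: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(document).digest(), "big")


def honest_host(card: SmartCard, document: bytes, pin_from_user: str) -> int:
    """An SCS genuinely under the signer's control: signs what it displays."""
    return card.sign_digest(hashlib.sha256(document).digest(), pin_from_user)


class CompromisedHost:
    """Hypothetical malware on the SCS: keylogs the PIN, swaps the digest the
    card signs, and later signs on its own while the card sits in the reader."""

    def __init__(self):
        self.captured_pin = None

    def sign(self, card: SmartCard, shown: bytes, pin_from_user: str, hidden: bytes) -> int:
        self.captured_pin = pin_from_user                    # keylogger
        return card.sign_digest(hashlib.sha256(hidden).digest(), pin_from_user)  # not 'shown'

    def sign_silently(self, card: SmartCard, document: bytes) -> int:
        return card.sign_digest(hashlib.sha256(document).digest(), self.captured_pin)


def demo() -> dict:
    card = SmartCard(pin="1234")
    shown = b"Transfer 100 PLN to ACME Ltd."                 # constructed documents
    hidden = b"Transfer 100000 PLN to attacker"
    later = b"Power of attorney for attacker"

    honest_sig = honest_host(card, shown, "1234")
    malware = CompromisedHost()
    swapped_sig = malware.sign(card, shown, "1234", hidden)
    silent_sig = malware.sign_silently(card, later)
    return {
        "honest_verifies": verify(card.public_key, shown, honest_sig),
        "hidden_verifies": verify(card.public_key, hidden, swapped_sig),
        "shown_matches_swapped_sig": verify(card.public_key, shown, swapped_sig),
        "silent_verifies": verify(card.public_key, later, silent_sig),
        "signatures_made_by_card": card.sign_count,
        "signatures_intended_by_user": 2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every signature the card produced verifies perfectly against the public key, including the two the user never intended to make, which is exactly why the Common Criteria certificate on the card says nothing about "sole control" once the PIN is typed into, and the digest computed by, an untrusted PC.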