
Lexing®, the first international network of lawyers dedicated to technology law, was created at the initiative of Alain Bensoussan, founder and managing partner of Alain Bensoussan-Avocats, a law firm headquartered in Paris (France) and specialized in IT and new technologies.

Lexing® allows multinationals to benefit from the assistance of seasoned lawyers worldwide with established competence in the field of new technologies in their respective countries. Techniques and businesses are the same in all countries; the only differentiating factor is the law applicable to them.

Based on this observation, Alain Bensoussan has decided to set up a global network built on the same concept he successfully applied to his Parisian law firm to bring together lawyers who each combine unique expertise in technology and industry with a thorough knowledge of law. Leveraging the network, Lexing members are adept at providing clients with a global, tailor-made solution consistent with the legal rules of all countries. Besides their local language, most network members also speak English and French.

With Lexing, Alain Bensoussan-Avocats and the network members serve international clients and clients with international needs. The Lexing network offers the international clients of each member the same high-quality services they are used to having locally. The Lexing network currently has 22 member law firms. Legal news on the members' respective countries is published on this blog and on the Lexing pages on Twitter, Facebook, LinkedIn and Google+.

Practice Areas: Expertise & Innovation
Founded in 1978, the Alain Bensoussan-Avocats law firm has acquired over 35 years of unique expertise in technology law. It comprises a team of tech-savvy lawyers and counsel who take a hands-on approach to law, leveraging solid skills in technology and industry and a thorough knowledge of the related law, maintained through continuous monitoring of changes in technology and law. The firm offers a complete range of counseling, arbitration and litigation services covering the full spectrum of the technology field: electronic banking and trading; intellectual property; industrial property; mergers & acquisitions; tax law for digital companies; IT law; Internet law; privacy and data protection; electronic procurement; computer crime; digital press, media and communications; electronic marketing; electronic health; telecommunications; digital employment law; information systems security; risk & compliance; dematerialization; electronic archives and records; robot law; nanotechnology law...

Published in: Business, Technology


  1. Electronic Signature 3.0: The future is now. Breakfast Meeting of 29 January 2014. 29/01/2014 Copyright Lexing 2014 ® Company Confidential
  2. Introduction. Background: deployment. Stakes: new forms of signature. Challenge: compliance.
  3. Extract dated 28 January 2014: widespread use of electronic signature; mutual banks are increasingly using it in their bank branches; objective: streamline the sale of products via multiple channels.
  4. Outline. 1. State of play, by Dimitri Mouton (Demaeter). 2. Choose the right signature... if possible. 3. Deploy without risk... subject to the discretionary assessment of the courts.
  5. 1. State of play (Dimitri Mouton, Demaeter). 1.1 A dreadful mess... 1.2 Digital signature 101. 1.3 Trends.
  6. 1.1 A dreadful mess...
  7. The vocabulary in play: PKI, electronic signature, authentication, private key, public key, commitment, IGC, RSA 2048 bits, RGS, certificate, CA 3+, class 2 stars, presumption of reliability, tablet, secured signature, advanced signature, qualified certificate, agreement on evidence, PIN code, strong authentication, SMS, identity theft, CRL, timestamp, OCSP, X.509 v3, registration authority, CSP, PSCO, RFC 3161, COFRAC, ANSSI, electronic signature policy, PAdES, PDF/A, XAdES, PKCS#7, PKCS#12, French Act of 13 March 2000, French Decree of 30 March 2001, EU Regulation, CMS, detached signature, Java applet, specific to the signatory, sole control, SSCD, revocation, SHA-256, delegation, signature management system, "on the fly", OTP, integrity, non-repudiation, guarantee of origin, traceability, qualified provider, probative value, Alice and Bob.
  8. And a variety of uses...
  9. Public procurement, B-to-B contracts, registrations, social security declarations, electronic commerce, consumer agreements signed in branch, notarial deeds, electronic minutes, certificates of conformity, diplomas, deeds (legality control), deliberations, public accounting ("Hélios"), building work notifications, networks and pipelines, online banking, administrative formalities, Réseau Privé Virtuel des Avocats, Réseau Privé Virtuel de la Justice, electronic commercial court, official deeds, chartered accountancy, tachograph, employment contracts, attendance sheets, electronic claim forms, invoices, bank powers of attorney, electronic certified mail, electronic voting.
  10. Types... Scanned signature; handwritten signature on a tablet; electronic signature "on the fly"; electronic signature, with or without accreditation, with or without a legal opinion, with or without stars.
  11. Components of a digital service, including electronic signature (figure not reproduced in the transcript).
  12. 1.2 Electronic signature 101
  13. Electronic signature: hands-on definition. An electronic signature is a signature... covering an electronic document. Ink marks paper; cryptography binds the signatory, through the private key that only he controls, to the exact content of the document.
  14. Certificate: what is it for? • A certificate is an "ID card" issued by a Certification Authority (CA), also called a Certificate Service Provider (CSP). • It can serve as a tool to: authenticate (control access); sign (electronic signature, seal, timestamp); encrypt (confidentiality).
  15. PKI • A PKI (Public Key Infrastructure), known in French as "Infrastructure à clef publique" (ICP) or "Infrastructure de Gestion de Clefs" (IGC), is the set of technical and human means implemented to issue certificates. • Certification Authority (CA): in charge of the PKI; establishes the rules (Certification Policy) and is responsible for compliance with them. • Registration Authority (RA): registers certificate holders. • Certification Operator (CO): operates the machines. • Revocation Authority, Validation Authority: additional roles.
  16. Certificate lifecycle (figure not reproduced in the transcript).
  17. Signature process • Technical generation: fingerprint (hash) of the document; sealing of the fingerprint with the signatory's private key. • Additional elements packaged with the signature: the signatory's certificate and its certification chain; a time-stamping token; proof that the certificate was valid at signing time (CRL or OCSP response).
  18. Verification process • Technical verification: recompute the fingerprint of the document; recover, with the public key found in the signatory's certificate, the fingerprint that was originally sealed; compare the two values. Any change to the document, however small, changes its fingerprint and the comparison fails.
  19. Validity of the certificate. The document has been signed by the certificate holder... but who is he? • Check the technical validity of the certificate: if invalid → WARNING! • Review the certificate issuer: if I do not trust this CA → WARNING! If I trust this CA: compare the signing date with the certificate's validity period; check the Certificate Revocation List (or an OCSP response). • Everything is OK if the name on the certificate is the signatory's name. But was the signatory empowered to sign? Is the signed document correct as to its form? As to its substance? → The step after technical verification is legal verification!
  20. Example: Adobe Reader signature (screenshot not reproduced in the transcript).
  21. Signature formats • AdES = Advanced Electronic Signature. • Three formats: PAdES (PDF), CAdES (CMS / PKCS#7), XAdES (XML). • The choice depends on the constraints of the project. • All three can embed the same elements (signatory certificate and chain, timestamp token, revocation data).
  22. Various levels of certificates • The level of security offered by a certificate depends on: the registration procedures; the token holding the private key (hardware or software); the commitments of the Certification Authority. • The levels set by the French General Security Reference System (RGS) correspond to legal realities:
      * (one star): remote registration; software token; "simple" electronic signature.
      ** (two stars): face-to-face registration; physical token; "secure" electronic signature.
      *** (three stars): face-to-face registration; secure physical token and qualified certificate; electronic signature "presumed reliable".
  23. Trust rules • Trust means you feel secure. • But trust does not mean you need not be careful! Weak chain of trust versus strong chain of trust (figure not reproduced in the transcript).
  24. 1.3 Trends
  25. "Autonomous" electronic signature • The signatory purchased a certificate from a CA. • He possesses an electronic signature tool on his workstation. • He signs autonomously on his workstation.
  26. Electronic signature by applet • The signatory purchased a certificate from a CA. • The signature tool is included in the online service (an applet delivered by the server). • The signatory signs on his workstation, with his own key, while using the service.
  27. "On the fly" electronic signature (1/4) • The signatory has neither a certificate nor an e-signature tool. • The server displays the contract and he gives his agreement.
  28. "On the fly" electronic signature (2/4) • The server checks the identity of the signatory by sending him a challenge (one-time code) by SMS.
  29. "On the fly" electronic signature (3/4) • The server generates a signature key pair. • It obtains a certificate in the name of the signatory for that key. • It uses the private key to sign the document. • Then it destroys the private key.
  30. "On the fly" electronic signature (4/4) • The document is signed on the server! • For the next signature, a new key pair and a new certificate will be generated.
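The signing bundle of slide 17, the verification steps of slides 18 and 19, and the server-side "on the fly" scheme of slides 27 to 30, as one added worked example in Go. This is example code written for this page, not code from Lexing, Demaeter or the original deck; it uses only the Go standard library. The CA name, the signatory name "Alice", the ten-minute lifetime of the ephemeral certificate and the sample contract text are constructed assumptions, and the signing time is passed as a plain value where a real bundle proves it with an RFC 3161 timestamp token. The last call in main shows why that token is on slide 17's list: without an attested signing time, the short-lived "on the fly" certificate can no longer be validated a day later.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a 2048-bit RSA key pair and a certificate for it signed by parentKey (nil = self-signed).
func newCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed Certification Authority valid for ten years (constructed stand-in, placeholder name).
func NewCA(now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Signing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return newCert(tmpl, tmpl, nil)
}

// SignOnTheFly is the server-side scheme of slides 29 and 30: fresh key pair, short-lived certificate in the
// signatory's name, one seal over the SHA-256 fingerprint of the document (slide 17), private key dropped.
func SignOnTheFly(ca *x509.Certificate, caKey *rsa.PrivateKey, signatory string, doc []byte, now time.Time) ([]byte, []*x509.Certificate, error) {
	leaf, key, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // assumption: unique enough for this example
		Subject:      pkix.Name{CommonName: signatory},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(10 * time.Minute), // assumption: the certificate only has to cover the signing act
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(doc) // fingerprint of the document
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], nil) // sealed with the ephemeral private key
	return sig, []*x509.Certificate{leaf, ca}, err                             // key goes out of scope here, never stored
}

// Verify runs slides 18 and 19: recompute the fingerprint, check the seal with the leaf's (RSA-only here) public
// key, then check that the chain reaches a trusted CA and was valid at instant `at`. No CRL/OCSP in this example.
func Verify(sig []byte, chain []*x509.Certificate, doc []byte, roots *x509.CertPool, at time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("WARNING: no signatory certificate")
	}
	leaf, inter := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(leaf.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("WARNING: seal does not match the document: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("WARNING: certificate of %q not trusted or not valid at %s: %w", leaf.Subject.CommonName, at.Format(time.RFC3339), err)
	}
	return nil
}

func main() {
	now := time.Date(2014, 1, 29, 9, 0, 0, 0, time.UTC)
	ca, caKey, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample: I, Alice, accept the offer of 29 January 2014.")
	sig, chain, err := SignOnTheFly(ca, caKey, "Alice", doc, now)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("genuine:", Verify(sig, chain, doc, roots, now), "| tampered:", Verify(sig, chain, doc[1:], roots, now), "| a day later, no timestamp token:", Verify(sig, chain, doc, roots, now.Add(24*time.Hour)))
}
```

Run it with go run: the first check returns nil and the other two return a WARNING error, in the spirit of slide 19. Revocation checking (the CRL/OCSP proof of slide 17) is left out; in a real deployment the revocation evidence gathered at signing time is embedded in the PAdES, CAdES or XAdES container for the same reason the timestamp token is, so that the signature can still be re-verified years later.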
  31. Virtual smart card (1/3) • The signatory does not need an electronic signature tool. • His private key and certificate are held on the server, the key inside a secure area (HSM). • The server displays the contract and he gives his agreement.
  32. Virtual smart card (2/3) • The server checks the identity of the signatory by sending him a challenge by SMS.
  33. Virtual smart card (3/3) • The document is signed on the server! • For the next signature, the same certificate will be used.
  34. Signature on a tablet • Clients see the contract in the bank branch or in the store. • They affix their handwritten signature on the tablet. • An electronic signature is generated "on the fly" in addition to the handwritten signature.
  35. Electronic seal • Documents are produced by an automated process and sent to the server. • The server holds a certificate in the name of the legal entity. • The electronic seal is the "electronic signature" of the legal entity. • It can be affixed automatically.
  36. THE trend...: "rematerialization". Mock-up of a printed invoice (first name, last name, address, invoice from XYZ for services, €123) presented as a proof of domicile; the data that matters ("First name Last name Address XYZ €123") is extracted from the document.
  37. Exploitation of the 2D-DOC code: the same mock-up, with the key data carried in a 2D-DOC code so that a technical verification (reading the code) complements the visual verification of the printed document.
  38. 2. How to choose the electronic signature? 2.1 Regulation on digital process. 2.2 Absence of choice. 2.3 Choice.
  39. 2.1 Regulation on digital process
  40. Prerequisites: regulation. Electronic law timeline, from "paper required unless..." to a right, then an obligation, to use electronic documents: before 2000, paper required unless an agreement on evidence provides otherwise; Law of 13 March 2000 (e-signature / e-evidence, ad probationem); Law of 21 June 2004 (LCEN, ad validitatem); Ordinance of 8 December 2005 (e-government): obligation to process electronic documents; Law of 4 August 2008 (modernization of the economy): the French State is required to receive electronic invoices.
  41. Yes, it is possible, but... three scenarios: prefilled (e.g. pay slip or declaration of interest); imposed (e.g. electronic certified mail); free... for the moment.
  42. And even if it is possible... "Art. 1316-4 of the Civil Code is not everything..." "Whereas the employer complains that the judgment found that the dismissal was unfair, whereas according to the ground of appeal, if a party contests the authenticity of an email, it is for the judge to determine whether the conditions laid down in Articles 1316-1 and 1316-4 of the Civil Code for the validity of an electronic document or signature are met; whereas by asserting that the manager of AGL Finances "is the author and the sender" of an email whose authenticity was contested, on the grounds that the employer [did] not prove that the sender's address mentioned on the email is wrong or that the company mailbox has been hacked, and that "in any event, such a hacking could not be attributed to Ms. X...", without checking, as it was required to do, whether that email had been established and maintained in conditions that guarantee its integrity and whether it contained an electronic signature resulting from the use of a reliable identification process, the Court of Appeal's decision has no legal basis under Article 287 of the Code of Civil Procedure and Articles 1316-1 and 1316-4 of the Civil Code; But the provisions invoked by the ground of appeal are not applicable to an email produced to prove a fact, as its existence can be established by any means of evidence, which are assessed at their discretion by the trial judges; accordingly the ground of appeal is unfounded." French Cour de cassation, social chamber, 25 September 2013.
  43. First things first • Do you need to prove a right or a fact? • Free proof or imposed proof: imposed = civil matters; free... more or less everything else: criminal, administrative, employment matters.
  44. The question is therefore... 1. Do I need it? (investment management) 2. If you can move mountains, you can move molehills... (risk management)
  45. 2.2 Absence of choice...
  46. Example of a "no choice" scenario. "To be presumed reliable within the meaning of the above-mentioned Article 2 of the Decree of 30 March 2001, the electronic signature procedures available to judges, registry officers and persons authorized under Article R. 123-14 of the Code of Judicial Organization must meet the three-star (***) level of the General Security Reference System (RGS). In addition, the signature must be secure and be created by a secure process certified in accordance with the conditions laid down in Article 3 of said Decree. The procedure for filing and registering the identification and credential data of these persons is initiated by, and the responsibility of, the Ministry of Justice." French Order of 18 October 2013 on the electronic signature of court decisions issued in civil matters by the Cour de cassation.
  47. Another example... with less legalese. • "The documents of administrative authorities may be subject to an electronic signature. The latter is validly applied only by use of a method, compliant with the rules of the general security framework referred to in Article 9 point I, which allows identification of the signatory, guarantees the link between the signature and the document to which it is attached and ensures the integrity of said document." • "The electronic certificates issued to administrative authorities and their agents in order to ensure their identification in the context of an information system are subject to validation by the State under conditions laid down by decree." Ordinance 2005-1516 of 8 December 2005 on electronic exchanges between citizens and administrative authorities (Art. 8).
  48. 2.3 Time to choose!
  49. A complex reality • Four legal concepts (Decree of 30 March 2001): simple; secured; digital; presumed reliable. • Geographical approach: "advanced" (Directive 1999/93/EC of 13 December 1999) versus "secure" (Decree of 30 March 2001); digital signature versus electronic signature. • At least three technical realities: RGS one star (*), two stars (**), three stars (***). RGS = General Security Reference System. Three degrees of reliability = three signatures.
  50. Where choice is possible... Click; electronic signature; secured electronic signature; digital signature; electronic signature presumed reliable.
  51. Basic method • Create evidence: one signatory / several signatories; one document / a series of documents; one channel / multi-channel; geographic distance. • Administer evidence: produce it urgently (summary procedure); produce it under specific conditions (criminal proceedings; supervisory bodies). • Manage disputes: electronic signature presumed reliable where the risk of the evidence being contested is high; the amount is high and the situation risks deadlock; the amount is not the essential element (high risk of low-value contracts being contested); beware of false hopes (a technical expert's assessment lies ahead).
  52. Legal prerequisites: legal provisions (the "LCEN" Act); contractual commitments; public / private sector.
  53. Choosing a solution means choosing... a provider. Decision criteria: legal and technical prerequisites; contractual commitments; maintenance of standards and certifications; insurance coverage.
  54. 3. Legal security. 3.1 Backbone. 3.2 Upstream security. 3.3 Downstream security.
  55. 3.1 Backbone: agreement on evidence
  56. Legal approach • "Where a statute has not fixed other principles, and failing a valid agreement to the contrary between the parties, the judge shall settle conflicts in matters of documentary evidence by determining by every means the most credible instrument, whatever its medium may be." French Civil Code, Art. 1316-2.
  57. Escalation of "powers": law, agreement, judge.
  58. Concept of "validity": substance, enforceability, access; B to C, B to B, A to C.
  59. A real organization... The agreement on evidence is supported by a traceability policy, a time-stamping policy, a security policy, a certification policy, an archiving policy and any other relevant ("XXX") policy.
  60. Another question... Clause? Contract?
  61. Organizing an agreement on evidence. Recitals. Article 1 Definitions. Article 2 Effect, enforceability. Article 3 Term, limitation periods. Article 4 Purpose. Article 5 Scope. Article 6 Identification. Article 7 Authentication. Article 8 Integrity. Article 9 Durability. Article 10 Storage. Article 11 Time stamping. Article 12 Traceability. Article 13 Signature. Article 14 Liability. Article 15...
  62. Having an agreement on evidence is not enough; evidence, and access to evidence, must be organized. Evidence record; evidence trial; agreement on evidence (legal basis); vision of the situation; technical justification: basis, organization of evidence, access to evidence.
  63. 3.2 Legal build (upstream security)
  64. Feasibility study (yes or no); legal impact study (go or no go); legal basis (public sector, e-government); compliance review (legal opinion); electronic document management policy; platform terms of access (online); employee information; Data Protection Authority (CNIL); insurance.
  65. Risk of a "legal bug": do not confuse the agreement related to evidence with the agreement related to the digital process.
  66. 3.3 Legal run (downstream security)
  67. Delegation of electronic signature; terms of use of the e-signature book; IS policy (adaptation); internal audit (reliable audit trail); provider governance; provider audit; legal watch; right-of-access unit; crisis management.
  68. 4. But is it enough?
  69. Security aspects of the digital process: electronic signature, identity management, certificates, confidentiality, archiving, traceability, time stamping.
  70. Security is everybody's business • Application developers must take security into account... • But a global vision is needed! • Involvement and a responsible attitude from every stakeholder are essential for technical and legal security measures to be fully effective.
  71. Find out more...
  72. Next Breakfast Meeting: Mayors and MPs: how to protect your e-reputation and name. February 12, 2014. Speakers: Virginie Bensoussan-Brulé & Claudine Salomon.
  74. Contact. Photos & illustrations credits: Networking © Scott; informatique data room réunion binary stream © Mike; Emblème France ©; Road to Success - Up Arrow ©; Businessman entering the labyrinth ©; drawings taken from "Sécurité de la dématérialisation" © Stéphane Torossian. Lexing is a registered trademark of Alain Bensoussan Selas. Demaeter is a registered trademark of Demaeter Sarl. Me Eric Barbry, Head of the Digital Law Practice Group, tel +33 (0)6 13 28 91 28. Me Polyanna Bigle, Head of the ISS & Electronic Documents Department, tel +33 (0)6 42 32 16 09. Mr. Dimitri Mouton (Demaeter), consultant, expert in dematerialisation & security, tel +33 (0)6 59 10 99 37.