A retrospective analysis of the basic legal and technical assumptions underlying EU Directive 1999/93/EC on electronic signatures and the subsequent technical standards (CWA). See http://ipsec.pl/ for more details.
2. The Directive
• Equivalency to handwritten signature
– Which handwritten signature?
• At $10 CC purchase? At wedding contract?
At car dealer? At notary? At church?
• Sole control of the owner (AdEs 2.2c)
– Reality – Polish article 47
• Utopia that turned into fetish
3. Technical standards
• CWA 14170:2004
„A typical environment for the first case might be the home
or the office, where the individual or the company
has direct control of the SCS (e.g. an SCS
implemented in a mobile phone). In this case, the
security requirements may be met by organisational
methods put in place or managed by the signer, and the
technical means to ensure achievement of the
security requirements may be more relaxed.”
4. Computer in home or office?
• Direct control??
• In the 21st century???
• This could have been valid in the 70’s
– Pre-BBS, pre-FidoNet, pre-Internet
• Reality of „direct control”
– RDP, XDMCP, SSH, PoisonIvy...
– Direct control from Romania over server
in Australia with proxy in USA
5. Results
• The Smartcard
– €150’000 CC certificate, DPA protection,
tamper-proof
Is then inserted into...
• The Signature Creation System
– Pirated Windows, no patches, on admin
account and out-of-date antivirus
6. QCA’s response
• „Attack is possible, but only if using
software non-compliant with
recommendations found in „User
manual” delivered with QCA
products”
8. SEALED 2007
• “Study on the standardisation
aspects of eSignature”
“The view of PKI taken in these documents
is still based on the views from the
1970s and 1980s (an off-line world!)
that have to some extent failed in the
1990s for various reasons”
9. What works out there?
• Username and password (UK)
• Server-based signature (MobiTrust, Trusted Profile, OCES II)
• SMS password (banks)
• Software digital signature (UK, DK, PL – e-Sąd)
• OTP tokens (banks)
• Trusted email – PEC (IT), De-mail (DE), OCES (DK), TSCP (USA)
• Risk-based authentication (e-Deklaracje)
• 3rd party (EchoSign, DocuSign)