German Government Position Paper on the International Recognition of Digital Signatures, August 28, 1998

Translation and commentary by Christopher Kuner

Comments: This paper, which has been agreed upon among different Ministries, represents the German government’s position on the international recognition of digital and electronic signatures, and will likely be used as the basis for international negotiations (for example, on the EU Draft Directive, at UNCITRAL, and in bilateral negotiations). Despite the title "Draft", the paper is believed to be identical with the final version that was to be made public at the beginning of September.

The Draft represents a step backwards for international recognition of digital signatures, for the following reasons:

  • The draft restates the German government’s insistence that a uniform security standard is necessary for all uses of digital signatures, despite the fact that different uses have different security requirements.
  • It assumes that security can only be assured by detailed, government-approved security procedures for CAs and digital signature products.
  • The draft puts too much emphasis on the "dangers" posed by digital signatures (as noted in a footnote, the government has simultaneously prepared a paper on the "dangers" posed by insecure digital signatures).
  • The government’s conception for mutual recognition is unrealistic and assumes that other States will all have central root CAs (as under the German Digital Signature Law) and centralized registration facilities, which is unlikely in most cases.
  • The paper discounts the importance of so-called "electronic" signatures (not based on asymmetric cryptography), despite the fact that German companies are among the market leaders in the segment (e.g., biometrics).

It is not clear from the paper whether the government’s scheme for international recognition would only cover cases in which digital signatures are to be used to satisfy written form requirements, or recognition of all "foreign" digital signatures. The former would make more sense, since there is no per se hindrance under German law for a "foreign" digital signature being accepted in court; however, the paper may be part of a plan to force the market to accept the procedure under the German Digital Signature Standard as a de facto standard, also outside Germany.

TRANSLATION

International Legal Recognition of Digital Signatures

Draft of August 28, 1998

1 Need for Regulation

(1) Need for unification and regulation exists internationally in particular regarding electronic commerce. This includes in particular electronic commerce in goods and services, including transactions between merchants and consumers, and among consumers.

(2) A national and international need for regulation of digital signatures exists solely concerning their trustworthiness. In particular, a legal framework is necessary for the construction and erection of a (compatible) security infrastructure with a uniform organisational and technical security standard. The trustworthiness which is thereby attained offers the possibility of internationally

1. creating practical trust in commerce as well as in communication between companies, private persons, and administrative agencies,
2. legally allowing a "digital form" with digital signature as the equivalent to "written form" with hand-written signature, and
3. legally recognising digital documents with a digital signature under the above security standard so that they can be used in court.

The coupling of legal consequences to digital signatures under the standard must be left to special legal provisions. It is the task of the member states and of international organisations to allow a "digital form" with digital signature in addition to "written form" in those legal provisions over which they have jurisdiction.

(3) A weak security standard makes it easier to forge signatures and falsify signed data, with the danger that new technologies will in general be discredited.

(4) The requirement for a lasting wide use of digital signatures is justified trust, which results directly from this security standard and not from liability rules for unforeseeable consequential damages resulting from insecure digital signatures. An unlimited assumption of liability is impossible, since the scope of potential damage cannot be estimated (with one private signature key, for example, ten or ten million digital signatures can automatically be generated for different purposes).

2 Proof of High Security Standard

(1) A demonstrable high security standard for digital signatures is a guarantee of trust in legally-binding transactions. Only such a standard may create legal certainty which promotes commerce. Legally-binding transactions require a demonstrably high security standard.

(2) Other procedures for digital or "electronic" signatures can still be permitted, and can be agreed upon between the parties as they wish. There is no need for international regulation in this regard.

3 Guaranteeing the Security Standard

(1) In order to guarantee a demonstrably high security standard for digital signatures, the following is required:

1. Precise security requirements for
   a) offerers of certification services and
   b) technical components for digital signatures,
2. examination and confirmation of the fulfilment of the security requirements
   a) according to recognized criteria and
   b) by independent expert instances, and
3. effective control of
   a) offerers of certification services and
   b) examination and confirmation instances.

(2) The security requirements must

1. on the one hand allow room for different innovative solutions, and
2. on the other hand be sufficiently precise in order to avoid large discrepancies in the quality of the security of digital signatures.

4 Mutual Recognition based on the Principle of the "Place of Origin"

(1) The so-called "principle of the place of origin" applies for the mutual recognition of digital signatures. If the fulfilment of the common security standard is confirmed in a member state, then all further member states recognize this.

(2) The recognition includes

1. digital signatures and certificates,
2. offerers of certification services, and
3. the examination and confirmation of the security of
   a) offerers of certification services and
   b) technical components for digital signatures.

(3) The guarantee of the (contractually) agreed security standard requires close cooperation of the national regulatory authorities. For example, mutual examinations or international inspections by mixed expert groups from the member states could be agreed upon.

5 Central Registration Authorities

For the (practical) examination of internationally-recognized digital signatures, it is necessary that states maintain central registration instances to which all policy-conform certificates may be traced back and thereby be identified as such.

6 Electronic and Digital Signatures

(1) No practical uses, nor any theoretically possible ones, are known for "electronic signatures". A need for regulation thus exists only for digital signatures, which have been practically tested for many years in closed advisory groups. The asymmetric cryptographic process upon which they are based makes it possible to reliably determine both the integrity and the author of data.

(2) The opening for other technical solutions which is sought for "electronic signatures" must practically lead to a dead end and also – because of lack of concreteness – only to (avoidable) uncertainty.

© Christopher Kuner 2014