Qualified mobile electronic signatures: Possible, but worth a try?
Four years have passed since the EU directive on electronic signatures was enacted by the European Union. By 2002, all EU member countries had to implement local legislation for electronic signatures. Development of products and applications in these countries has so far mainly focused on signing with desktop PCs on the basis of smart cards issued by certification authorities. Several parties have worked on mobile signing infrastructures, but as of today no integrated implementation of qualified mobile signatures has appeared on the market. This raises the question whether qualified mobile signatures can be implemented at all, and whether they can be implemented economically. This paper analyses the possible conformance of mobile technology with the EU directive on electronic signatures and discusses the economic implications for market scenarios.

1. The EU directive on Electronic Signatures

In directive 1999/93/EC of the European Parliament [EU_esig1999], legal requirements for a common introduction of electronic signatures in Europe were enacted. Within the following 18 months, the EU countries had to adopt the directive to create a harmonized legal system. The directive sets a framework of requirements for the security of the technology used for electronic signatures. Based on certificates issued by certification authorities, which certify public keys for a person registered by a registration authority, electronic signatures can be created with a so-called "secure signature creation device" (SSCD), which carries the private keys of a person. In Germany and Austria, the local implementation of the EU directive requires the SSCD to be evaluated against ITSEC E4 or CC EAL 4+ levels [FuFr2000]. For directory services, stringent 24/7 availability and durability are required. Revocation lists and other feasible technology must be available to all accepting parties of signed documents.
The EU suggests the implementation of a public evaluation infrastructure under the control of a government authority. Germany has already implemented a system of evaluation service companies, evaluation consulting companies and the Regulatory Authority for Telecommunications [RegTP] as the responsible government authority. The deployment of products has so far focused on smartcards evaluated against the requirements for lawful electronic signatures. Based on these, personal-computer-based signature applications have entered the market. These applications require smart card readers attached to the workstation, thereby preventing user mobility. Mobility of lawful electronic signatures is possible within the legal framework of the German signature legislation, as shown in [RFR2003]. This article will analyze the situation from the European perspective.

1 Chair of Mobile Commerce and Multilateral Security, Goethe-University, Frankfurt am Main, Germany
2 Member of "Enabling Technologies for Electronic Commerce" at the Darmstadt University of Technology and collaborator in constitutional design of technology (provet) at the University of Kassel.

2. Approaches for mobile signing infrastructures

Two possible signing approaches in the mobile environment will be analyzed concerning their potential for conformance with the EU directive on electronic signatures: signatures created in centralized signing server environments located at service providers such as mobile network carriers, and electronic signatures created inside the signer's mobile device using a secure signature creation device. Furthermore, solutions using single or multiple smartcards are reviewed, and the conclusion is drawn that SIM-like security modules equipped with signature keys can be part of a law-conforming signing infrastructure.

Server based electronic signatures

Server based electronic signatures are signatures that are created by a service provider for a specific user.
With server based signatures it is essential to distinguish between signatures that have a corresponding certificate issued under the name of the customer and signatures with certificates issued under the name of the service provider or an employee of this provider. In the first case it is necessary that the customer transfers his private key to the service provider. However, according to Art. 2(2)(c), the signature has to be created by means that the signatory can maintain under his sole control in order to achieve the status of an advanced signature. By giving away his private key, this premise cannot be fulfilled. In the case of signatures whose certificates are issued under the name of the service provider, one cannot assume these to be legal signatures of the customer. They are signatures of the signature service provider and only enable an identification of the provider. Those signatures can achieve the status of advanced signatures with qualified certificates as long as they fulfil the requirements of Annex I and are provided by a certification service provider who fulfils the requirements of Annex II. The signature service provider therefore acts as a replacement for the customer. However, based on the signature of the provider it cannot be verified that the customer really authorized the signature: neither the integrity nor the fact that he authorized it himself can be proven. There are possible technical solutions to accomplish the integrity and accountability of his authorization, but they would require a security environment on mobile devices that would enable the device to create qualified signatures by itself.

Mobile device based electronic signatures

Signatures can be created inside the mobile device using a secure signature creation device, which has to fulfil the requirements of Annex III.
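As an added illustration (not code from the paper or any product it discusses), the following Go model contrasts the two approaches above: a hypothetical on-device SSCD whose key is generated on the handset and released only by a dedicated signature PIN, and a server-based provider signing with its own key, whose signature verifies only against the provider's public key and so says nothing about the customer. All type and function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewKey generates a P-256 key in place: inside the handset for the SSCD, at the provider for server-based signing.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SSCD is a hypothetical model of a secure signature creation device in the handset: the key is generated on
// the device and never leaves the struct, and signing is gated by a signature PIN separate from the phone/SIM PIN.
type SSCD struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
	Public  ecdsa.PublicKey // what a qualified certificate would bind to the customer's name
}

func NewSSCD(signaturePIN string) (*SSCD, error) {
	priv, err := NewKey()
	if err != nil {
		return nil, err
	}
	return &SSCD{priv: priv, pinHash: sha256.Sum256([]byte(signaturePIN)), Public: priv.PublicKey}, nil
}

// Sign releases a signature only when the signature PIN is presented; an unlocked phone alone is not enough.
func (d *SSCD) Sign(doc []byte, pin string) ([]byte, error) {
	if sha256.Sum256([]byte(pin)) != d.pinHash {
		return nil, errors.New("signature PIN rejected")
	}
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// ProviderSign models server-based signing with the provider's own key; nothing in the result ties it to a customer.
func ProviderSign(providerKey *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, providerKey, h[:])
}

// Verify says only whether sig over doc was produced by the key behind pub.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```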
Using a multiple smart card solution, the signature smart card, certified by a certification provider, is inserted into the mobile device, which already contains the usual SIM card. The signature process therefore takes place on the mobile device, and the user is able to use basically any signature card available on the market. To ensure that the requirement of Art. 2(2)(c) can be met, it is necessary to have some sort of reliable access control to the signature functions. The usual PIN used to control access to the telephone functions is not sufficient, since users can keep their phones and SIMs unlocked for convenience. It would also be possible to use a single smart card that contains the SIM telephone functions as well as the secure signature creation device. This can be achieved either by leaving some free space on the SIM card, on which the components of the signature creation device can be installed later on, or by shipping SIM cards with preinstalled signature functionality that has to be initialized. In the first case, problems will arise regarding who gets to certify the public key of the user: the mobile service provider, as issuer of the SIM card, also wants to certify the signing functionality of the issued smartcard, while the customer might want to use a different signature service provider. Within the scope of this article we are going to investigate the spectrum of possible shipment models for mobile signatures.

3. Mobility and Electronic Signing

When using signatures in mobile environments, one has to look at what is specific about these situations. Mobile signatures are made with mobile devices, and therefore constraints have to be addressed that are not present in traditional signing infrastructures.