Electronic Signature in Lithuania

1
Electronic Signature in Lithuania
Gytis Nemanis Information Society Development
Committee under the Government of the Republic of
Lithuania
2
Electronic Signature Law (1)

• Came into force on 11 July, 2000 and is based on
  the Directive 1999/93/EC of the European
  Parliament and of the Council of 13 December 1999
  on a Community framework for electronic
  signatures
• Changes of Electronic signature law were made on
  6 June, 2002

3
Electronic Signature Law (2)

• The law regulates the creation, verification, and
  validity of electronic signature, signature
  users rights and obligations, establish the
  certification services and requirements of their
  providers and the rights and functions of the
  institution of electronic signature supervision
• Technological neutrality principle is held and
  several general principles of PKI are defined
• Amendment of Electronic signature law the main
  changes focus on the force of signature when
  agreed between parties and possibility to sign in
  behalf of the legal person

4
Electronic Signature Law (3)

• Secure-electronic signature created by a
  secure-signature creation-device and based on a
  qualified-certificate which is valid , shall have
  the same legal force that a hand-written
  signature in written documents has and shall be
  admissible as evidence in court
• If parties agree - electronic signature will have
  the same force that a hand-written signature in
  written documents has and shall be admissible as
  evidence in court (amendment of Electronic
  signature law on July 6, 2002)

5
The Informational Society Development Committee
under the Government of the Republic of Lithuania

• The Informational Society Development Committee
  was established on the 1 July, 2001
• By the Resolution Nr. 568 the Government of the
  Republic of Lithuania on April 27, 2002 has
  transferred function of Electronic signature
  supervision institution to the Informational
  Society Development Committee

6
Directive 1999/93/EC
The law on electronic signatures June 11, 2000
(amended on June 6, 2002)
ETSI, (EESSI ) standards

Legislative functions
Supervision body (Information Society
Development Committee) April 23, 2002
Registration of service providers
Voluntary accreditation
Supervision
7
Levels of standardization and regulation

• E.g. Germany, Italy EU Directive National
  implementation
• Level 1
• Level 2
• Level 3
• Level 4
• Source European Electronic Signature
  Standardization Initiative (EESSI) Final report
  of the EESSI expert team 20 July, 1999

Signature Law
Directive
National legislation
Ordinance
Annexes
National decree (high-lev reqs)
Supervision
Technical Rules
International functional and quality standards
Conformity assessment
Standards
International interoperability standards
8
Lithuanian standards regulating electronic
signature infrastructure

• LST ETSI TS 101 456 Policy requirements for
  certification authorities issuing qualified
  certificates
• LST ETSI TS 101 733 Electronic signature
  formats
• LST ETSI TS 101 861 Time stamping profile
• LST ETSI TS 101 862 Qualified certificate
  profile
• LST ETSI TS 102 023 Policy requirements for
  time-stamping authorities
• LST ISO IEC 17799 Information technology
  Code of practice for information security
  management
• LST CWA 14168 Secure signature-creation
  devices EAL4
• LST CWA 14170 Security requirements for
  signature creation applications
• LST CWA 14171 Procedures for electronic
  signature verification

9
Lithuanian standards regulating electronic
signature infrastructure (follow-up)

• LST CWA 14167-1 Security requirements for
  trustworthy systems managing certificates for
  electronic signatures Part 1 System security
  requirements
• LST CWA 14167- 2 - Security requirements for
  trustworthy systems managing certificates for
  electronic signatures Part 2 Cryptographic
  module for CSP signing operations Protection
  profile (MCSO-PP)
• LST CWA 14167-3 - Security requirements for
  trustworthy systems managing certificates for
  electronic signatures Part 3 Cryptographic
  module for CSP key generation services
• LST ISO 90012001 Quality managements systems.
  Requirements
• LST ISO/IEC 15408 Information technology
  Security techniques Evaluation criteria for IT
  security
• Part 1 Introduction and general model
• Part 2 Security functional requirements
• Part 3 Security assurance requirements

10
Legal Acts Regulating Electronic Signature in
Lithuania

• Electronic signature law
• Acts confirmed by the Government (prepared by the
  Committee)
• requirements for certification-service-providers
  issuing qualified-certificates
• requirements of signature equipment
• procedure of registration of certification-service
  -providers issuing qualified-certificates
• procedure of electronic signature supervision

11
Legal Acts Regulating Electronic Signature in
Lithuania (Follow-up)

• Acts confirmed by the Committee
• requirements of the procedure of signature
  verification
• requirements and procedure of voluntary
  accreditation for certification-service-providers
• procedure of time-stamping services
• procedure of registration persons who get
  qualified-certificates and consultation for them

12
Requirements for Certification Service Providers
Issuing Qualified Certificates

• Based on the Annex II of the Directive 1999/93/EC
• Functions of service providers
• Registration
• Creation of qualified certificates
• Administration of certificate's data and its
  revocation
• Requirements for internal administration
• Approved and publicly promulgated regulations of
  certification proceedings
• Registration
• High education and qualified specialists
• Civil liability assurance

13
Requirements for Certification Service Providers
Issuing Qualified Certificates

• Requirements on service providing
• Purvey information about certificates any time
• Record date and time of certificate's creation,
  suspension and revocation
• Reserve information set by certificate's rules
• Liability of service providers
• Because of restriction of requirements,
  registration can be suspended or revoked
• Damage shall be compensated according to the
  procedure established by laws
• Reference to LST ETSI TS 101 456 standard

14
Requirements of Signature Equipment

• Sets requirements for devices used by service
  providers
• Measures and components for certification service
  only
• Sheltered from unauthorized changes
• Secure technical and crypto graphical safety of
  executable functions
• Control every action that can influence work of
  certificates operating system
• Trustworthy system which is assured to EAL4 or
  higher
• Manufacturers declaration or conformity
  certificate of accredited authority
• Reference to Lithuania standards LST CWA 14167-1
  and LST CWA 14167-2

15
Requirements of Signature Equipment

• Sets requirements for signature creation devices
• Secure signature creation device, ensured by
  password and/or biometrical data
• Trustworthy cryptographical and data formative
  algorithms
• Manufacturers declaration or conformity
  certificate of accredited authority
• Trustworthy system which is assured to EAL4 or
  higher
• Reference to Lithuania standards LST CWA 14168
  and LST CWA 14170
• Reference to Directive 1999/93/EC Annex 3
• Sets requirements for signature verification
  devices
• Trustworthy verify electronic signature
• Any security-relevant changes can be detected
• Reference to Lithuania standards LST CWA 14171
• Reference to Directive 1999/93/EC Annex 4

16
The Procedure of Registration of Certification
Service Providers Issuing Qualified Certificates

• Objective of service providers registration
  collect information about service providers to
  ensure supervision of electronic signature
• Sets procedure of application submission
• Data and documents of service provider
• Terms of application examination
• Ability to correct or renew data and documents
• Registration is promulgated by the order of the
  Committee Director
• Notice in writing about possible suspension of
  registration
• Suspension of registration, in case, notified
  defects are not removed
• Revocation of registration, in case, notified
  defects are not removed in additional terms

17
Procedure of Electronic Signature Supervision

• Defines relations between the Committee and
  certification service providers
• Objective of supervision qualified
  certification service providers issuing qualified
  certificates or which purvey facilities related
  to qualified certificates
• Objectives of supervision
• Take part in implementation of national policy in
  electronic signature sphere
• Coordinate activities of qualified service
  providers
• Supervise how service providers observe
  determined requirements
• Pursue compatibility of electronic devices in
  national and international scale
• Measures of supervision
• Preparation of legal acts
• Registration and accreditation of service
  providers
• Succession of certificates data when service
  provider stops activities
• Reports to parliament and government
• Sets objectives and

18
Thank You
Gytis Nemanis Information Society Development
Committee under the Government of the Republic of
Lithuania
Gedimino pr. 11 LT-2039 Vilnius Lithuania Ph.
(370 2) 663972 Fax. (370 2) 663980 e-mail
info_at_ivpk.ltWEB www.ivpk.lt