



WORLD BANK

REIMBURSABLE TECHNICAL ASSISTANCE

ITIDA

e-Signature and PKI Frameworks:

International Benchmarks

Final Report


TABLE OF CONTENTS

I. Executive Summary

II. Summary of Findings & Recommendations

III. Introduction & Background

IV. Overview of existing e-signature and PKI enabling environment in Egypt

A Legal Framework

B Institutional Arrangements

C Expected uses of e-signatures in Egypt

V. Benchmarking

A Enabling Environment issues

B PKI Implementation Issues

VI. Recommendations for strengthening Egypt’s e-signature and PKI enabling environment

A As Root CA, ITIDA should develop certificate standards policies applicable to Egypt, and can use its existing relationships with its MoU partners in this regard.

B Measures to limit the liability of ITIDA as Root CA

C Clarify which electronic transactions will be subject to PKI

D Training for lawyers and judges on e-signatures issues

E Introducing alternative dispute resolution processes for e-signature matters

F International Considerations

VII. Glossary

VIII. Annexes

IX. Bibliography

ANNEX 1

Annex 2

ANNEX 3

A United States

B State of Washington Pricing (2003)

I. Executive Summary

This report provides background information and experiences from other countries relative to their adoption and implementation of Public Key Infrastructure (PKI) electronic authentication systems, with particular attention to the underlying enabling environment and factors affecting use and uptake.

PKI is one technique used to ensure the security of electronic transactions and to authenticate users. PKI uses public key cryptography and X.509 certificates and provides a high level of security for electronic transactions.

Every country approaches the use of e-signatures differently. Even in EU Member States operating under a common set of community-wide Directives, each Member State has a different approach to use of e-signatures for official purposes, including PKI. Because the implementation of PKI is so situation-specific, meaningful apples-to-apples “benchmark” comparisons are difficult.

These different approaches mean that there are different implementation costs, as well as benefits, derived from the use of PKI, depending, for example, on the modality for issuing certificates (Root CA vs. outsourced CAs), the scope of use of PKI, and the systems used to deliver the digital certificates (e.g., smart cards vs. simple electronic file transfer). Because some countries use PKI for limited purposes, comparing their “costs” with those of countries that chose to use PKI for more or broader purposes, or that use a different modality to deliver certificates, is difficult without accounting for the full range of variables. Also, the “cost” of PKI should take into account the benefits to be achieved through the use of PKI systems.

In general, the single biggest cost is incurred in the establishment of the certification process. In the case of Root CAs (as is intended in Egypt) there is additional incremental cost for each certificate issued, but in other jurisdictions, this cost has been negligible.

Where countries have limited use of PKI, it is usually linked implicitly to a “weak/strong” signature application environment. “Strong” signatures (using PKI for example), are appropriate for some on-line transaction activities, requiring a high degree of verification, while “weak” signatures may be appropriate for others. The legal regime in Egypt contemplates such a differentiation, and the Government could consider which applications would be best suited for use of “strong” signatures using PKI.

Realizing the benefits of PKI will depend in part on the trust of users in the overall system. In part this trust will be based on the enabling environment, including the practices and policies of the Root CA.

A summary of findings and recommendations can be found in Section II. These recommendations are aimed at enhancing trust in the system, which should therefore encourage use. Clarifying the scope of application of PKI will be one factor affecting costs (and benefits).

II. Summary of Findings & Recommendations

III. Introduction & Background

This report is being delivered pursuant to the agreement (Agreement) between the Ministry of Communications and Information Technology of the Arab Republic of Egypt (MCIT) and the World Bank (Bank) for the provision by the Bank of technical assistance (RTA) to MCIT and certain of its affiliates. One of those affiliates is the Information Technology Industry Development Authority (ITIDA).

The purpose of this report is to (i) analyze international benchmarks regarding the enabling environment for e-signatures and PKI frameworks, validating Egypt’s existing and emerging e-signature/PKI initiatives, and (ii) make recommendations regarding strengthening the existing e-signature/PKI enabling environment in Egypt.

As discussed further in this report, the method chosen in Egypt for authenticating users of electronic signatures is based on public key infrastructure (PKI), although other methods are contemplated in Egypt’s legal enabling framework. PKI uses asymmetric cryptography (as distinguished from symmetric systems): the “secret” (private) key is known only to the party holding it, and the matching “public key”, which can be held by third parties, forms a “pair” with it. A signature created with the private key can be checked with the public key, which establishes the origin and integrity of the data message. The system involves a trusted third party, the certification authority, which certifies that the public key belongs to the signer, so that a relying party can confirm that the signature attached to the data message has not been forged and that the message has not been altered[1].

PKI is generally recognized as a preferred authentication method when high levels of certainty regarding the identity of the user are required.[2]

Other types of electronic authentication and their salient features are summarized below:

• symmetric encryption (pre-arranged shared cryptography, where the same “key” is used to encrypt a data message at the point of origin and to decrypt it at the receiving end; the secrecy of the key must be maintained by both parties);

• passwords (this is a symmetric process and a common application is ATM technology);

• tokens (these are like passwords, insofar as the “password” is embedded in the “token” – these can be either physical tokens (cards) or electronic tokens);

• digital biometrics (such as retinal or other scans; these require agreed protocols and standards for hardware and software);

• secure closed systems (dedicated computer-to-computer links or private networks); and

• blended systems (for example, using one of the above digital technologies combined with an orthogonal confirmation, such as a telephone confirmation).

This report focuses on the PKI experiences of other countries that use PKI.

Methodological Note: This report is based primarily on desk research and on interviews conducted with ITIDA over two missions in September 2006 and March 2007. Further, telephone and email consultations were made with PKI administrators in Brazil and Canada.

IV. Overview of existing e-signature and PKI enabling environment in Egypt

This chapter reviews (i) the existing legal enabling framework for the use of e-signatures/PKI in Egypt, (ii) the key institutional arrangements (functions and organization) of ITIDA within this enabling framework, and (iii) the main purposes for which e-signatures will be used in Egypt.

Legal Framework

The legal framework that establishes the basis for legal recognition of electronic signatures in Egypt consists of two primary instruments – Law # 15 of 2004 Regulating E-Signature and Establishing ITIDA (Law) and MCIT Decree # 109 of 2005 Issuing Executive Regulations of Law # 15 of 2004 (Decree).[3]

The Law establishes the legal functional equivalence of electronic signatures and electronic documents. The Law also establishes ITIDA and grants it certain powers, inter alia, in the area of e-signatures under the Law, including licensing of e-signature services and issuing digital certificates. Except for references to digital certificates (which are normally associated with PKI systems), the Law is technology neutral. In a departure from best practice in e-signature legislation globally, the Law does not contain a “party autonomy” provision, which would enable the parties to a particular electronic transaction to establish, as between themselves, a framework for how they will authenticate each other. Also, the only “scope” provision (i.e., a description of the types of transactions to which the Law applies and what types of activity are beyond its application) is the reference in article 14 of the Law to civil, commercial and administrative dealings.

The main legal instrument implementing the Law is the Decree. The Decree sets forth provisions regarding the establishment of a public key infrastructure (PKI) for purposes of authenticating the users of e-signatures and the content of electronic documents, including the role that ITIDA will play as the root certifying authority (Root CA) and in regulating certificate service providers (CSPs). In that sense the Decree is not entirely technology neutral. While under the Law there is no stated preference for the kind of legally recognizable e-signature, a PKI preference is emerging under the Decree, though it is understood that use of PKI-based e-signatures will be mandatory. In principle this might mean that other forms of electronic signature that otherwise meet the requirements of the Law would not presumptively be granted legal functional equivalence to a wet-ink signature on paper, leaving the party or parties to meet the burden of proving that the electronic signature was valid.

Institutional Arrangements

Under the Law and the Decree, ITIDA acts as the root certifying authority (Root CA) for issuing digital certificates in Egypt. ITIDA will ultimately determine the validity of every digital certificate in Egypt, and will certify “foreign”-issued certificates as well. ITIDA will license other entities to issue digital certificates as Certificate Service Providers (CSP), who in turn will issue digital certificates to end users in the private sector. On the public side, ITIDA will license a Government Certificate Authority (Gov CA) to issue digital certificates for official use. Figure 1 shows the organization of the Root CA structure. A “trust center” will be built around the Root CA that will operate around the clock, the physical attributes of which will ensure the highest degree of security for the operational integrity of ITIDA’s activities as Root CA.

Figure 1

[pic]

Source: ITIDA[4]

In this capacity ITIDA will be acting as the Root CA and will be licensing other CSPs. As part of its functions as Root CA, ITIDA will be operating a secure Root CA Trust Center. The Root CA Trust Center will be responsible for issuing certificates to CSPs, issuing smart cards, providing time-stamping services and other matters related to the provision of electronic signatures. The Trust Center will be a secure physical facility within ITIDA consisting of a multiple-layer, secure-entry facility, as well as layered security for access to the Root CA’s systems. The hardware and software used for key generation will be kept separate from the Root CA’s other, Internet-connected networked systems. The Root CA Trust Center will not issue certificates directly to end users.

ITIDA has entered into Memoranda of Understanding (MoUs) with Germany and Korea.

Figure 2

[pic]

Source: ITIDA[5]

Expected uses of e-signatures in Egypt

It is expected that digital signatures will be used in a wide variety of transactional contexts ranging from B-2-C to C-2-G and G-2-G transactions. C-2-G transactions range from driver licensing to tax payments and beyond.

[ITIDA to Expand on contemplated uses of PKI and expected delivery mechanisms]

V. Benchmarking

This chapter evaluates different aspects of the e-signatures enabling environment and implementation in Austria, Brazil, Canada, Germany, Malaysia, Mauritius, Mexico, Singapore, South Africa, South Korea, Thailand and the United Kingdom as follows:

Enabling Environment issues:

➢ legal basis for use of PKI (institutional arrangement and scope of application)

➢ institutional arrangements (operational and functional attributes), role in certification process

➢ security (i.e. robustness of user authentication; weak vs. strong e-signature)

➢ “party autonomy”, and recognized authentication alternatives

➢ interoperability – cross border recognition and “cross-certification”

PKI Implementation Issues:

➢ applications for PKI-based e-signatures (for e-government processes)

➢ distribution of e-signatures (smart cards, soft tokens, “password”, etc.)

➢ cost of issuing certificates

The main lessons learned concerning each category and the relevance of these lessons to the situation in Egypt follow, and are supported with country examples. This benchmarking focuses on key issues of rolling out PKI-based e-signatures in Egypt.

Enabling Environment issues

A summary matrix of the benchmarking of the enabling environment is provided as Annex 1. The matrix shows, in tabular format, the findings for each country against the benchmarking criteria.

A theme cutting across the different enabling environment issues is the importance of creating and publishing certificate practice statements and certificate policies, a key element in the non-legal part of the enabling environment for PKI. This is especially true in the case of Root CAs, as will be the situation in Egypt. These practice statements and policies can cover, for example, the legal basis for the activity, the institutions involved in PKI and their respective obligations and responsibilities, operational requirements, and security controls.[6]

1. Legal basis for use of PKI (institutional arrangement and scope of application)

With few exceptions (e.g., Australia), countries seeking to promote the establishment of certificate issuers or accreditors generally set out the requirements to become a certification authority (“CA”) by statute or regulation. Australia has chosen to forego the legislative route and instead to initiate a policy approach known as “Gatekeeper”[7], which provides the infrastructure in which government agencies can ensure the authenticity, integrity, and confidentiality of online activities. Any person or body that receives accreditation under Gatekeeper becomes a CA. To date, a small number of organizations appear to have received accreditation in Australia: eSign Australia Pty Ltd., the Australian Taxation Office, Health eSignature Authority Pty Ltd.[8] and Telstra Corporation Limited.

As regards the scope of application of e-signature legislation, although a wide range of areas can be subject to e-signatures, most countries do provide for exclusions. For instance, in Austria the following transactions are excluded from the applicability of the e-signature law: inheritance law matters, legal transactions requiring official certification, judicial or notarial authentication, land or companies registration, and guarantee declarations. A similar exclusion is provided for in the e-signature law of Singapore (see Annex 1). In Thailand, the law applies to “all civil and commercial transactions except those excluded by a Royal Decree”, thereby reserving to the authorities a wide discretion to determine the scope of the law’s applicability.

2. Institutional Arrangements

The role of institutions in the certification process can be two-fold. An institution may act as a certificate issuer or serve as an accreditation body for organizations seeking to become certificate issuers.

Two different accreditation methods exist, namely licensing and voluntary accreditation. While several U.S. states, Singapore and Malaysia have chosen to issue licenses to certification authorities, the United Kingdom, Germany, Ireland, South Africa and the Canadian province of Quebec have chosen a system of voluntary accreditation. An example of voluntary accreditation in the United Kingdom is tScheme[9]. The organization develops sets of criteria called Approval Profiles for commercially offered trust services. These profiles permit service providers - who can demonstrate that their services meet these sets of criteria - to use the tScheme approval mark. In order to obtain permission to use the mark, a trust service provider is assessed using the relevant profiles by an independent tScheme-recognized assessing body. Following independent certification of compliance with the tScheme criteria, the trust service is granted approval by tScheme Ltd, including the right to display the tScheme mark.

The two systems described above (tScheme in the U.K. and Gatekeeper in Australia) do not differ fundamentally in their approaches and actually impose similar criteria for those seeking to become authentication service providers.

Institutions, as noted above, may issue certificates. In the United States, the ACES[10] Program was created to facilitate access to government services offered by agencies through use of information technologies, including on-line access to computers for purposes of reviewing, retrieving, providing, and exchanging information. One organization, Operational Research Consultants, is authorized to act as a shared service provider and to provide digital certificates to US government institutions. In Canada, Public Works and Government Services Canada operates a Certification Authority as a shared service provider to federal government departments and is seeking to extend its client base to provincial governments as well.

Further complicating the description of the role of institutions in the management of digital certificates is the fact that an institution may neither issue certificates to end users nor accredit certificate issuers, but instead provide the “trust anchor” for the underlying Public Key Infrastructure (“PKI”).

Large PKIs often have a hierarchical trust model. This means that a common root Certificate Authority (“CA”) signs the “signing” certificates of the CAs that issue certificates to end users. Using a rough manufacturing analogy, the Root CA provides the machinery (signs the “signing certificate”) that permits wholesalers to provide certificates to retailers, who in turn provide them to customers. Customers trust the retailer because they know the Root CA is backing the “product”.

A hierarchical trust model provides the “trust” between different CA systems subordinate to the root and between different applications. An institution will be identified to serve as the policy authority for the PKI and operate the root CA. In controlling the Certificate Policy that governs the Root CA and by operating the Root CA itself, the institution maintains control over the PKI while allowing for distributed key and certificate management.

In India, one of the objectives of the Information Technology Act of 2000[11] is to promote trust in electronic environments. The Act creates the office of the “Controller of Certifying Authorities”, which has the responsibility of acting as a “Root” Authority to certify the technologies and practices of all the Certifying Authorities licensed to issue digital certificates. It also licenses Certifying Authorities and acts as a regulator to ensure that legislative requirements are satisfied. Similarly, in Singapore and Malaysia the Minister appoints a Controller of Certification Authorities with a supervisory and monitoring role. In South Africa, the Director General of the Department of Communications acts as an Accreditation Authority with a supervisory and monitoring role similar to that of the Controller in Singapore.

In other jurisdictions, agencies may be provided with a more global “role” with respect to the issuance and management of digital certificates. In Tunisia, the National Digital Certification Agency was created to:

• Secure the electronic transactions and exchanges;

• Cross-certify or mutually recognize foreign Certification Authorities; 

• Manage digital certificates;

• License digital certification services providers;

• Evaluate cryptographic tools;

• Provide security solutions based on digital certification for networks and for Internet and Intranet services; and

• Provide training in digital signature, encoding techniques and public key infrastructure.[12]

The approach in Mauritius is similar to that taken in Tunisia. Under section 18 (z) of the Information and Communication Technologies Act 2001[13], the ICT Authority is to act as the Controller of Certification Authorities (“CCA”). The Controller of Certifying Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certification Authorities licensed to issue digital certificates.[14]

Interoperability with other PKIs in other domains (e.g. financial, health) or in other countries can be at root level. See the section on Interoperability below.

So-called “Bridge CAs” facilitate one entity’s acceptance of certificates issued by another entity for a transaction by providing a connection between the PKIs of different institutions, ensuring interoperability of those infrastructures and supporting the establishment and promotion of best practices and standardization.

While institutional aspects of the enabling environment are normally associated with formal, governmental organizations, private sector, industry led initiatives can also play a role. For example, the PKI Forum of Singapore[15], an industry led initiative, founded the Singapore PKI Technology Support Center (SPTC) for testing of PKI.

3. Security of Digital Certificates

The security associated with a certificate is determined by its level of assurance. CAs often issue certificates at different levels of assurance, or for different forms of key generation. The type of certificate to be used is often associated with the purposes for which the certificate is intended. Similarly, one might view the “strength” of a signature as a function of the security associated with the certificate and of the authentication of the certificate holder.

An important distinguishing characteristic between certificates is where key generation occurs and how the private key is stored (more on this in the next section). Another is the degree to which certificate holders are authenticated. Less secure certificates might rely on online authentication and browser-based key generation; more secure certificates might require in-person authentication, with key generation occurring inside a hardware token so that the private key never leaves it. The CA’s Certificate Policies are the documents that describe the degree of security to be associated with each level of assurance it offers. Certificate authorities often make their certificate policies readily available.

Canada’s federal model PKI certificate policies are available at:

. Those used by Canada’s Financial Transactions and Reports Analysis Centre (FINTRAC) are available at:

In the United States, the policy framework governing the public key infrastructure (PKI) component of the Federal Enterprise Architecture is available at:

. This policy framework incorporates six specific certificate policies: (i) a policy for users with software cryptographic modules, (ii) a policy for users with hardware cryptographic modules, (iii) a policy for devices, (iv) a high assurance user policy, (v) a user authentication policy, and (vi) a card authentication policy.

Australia’s PKI Framework has three Digital Certificate categories – Special, General and High Assurance for Individuals and businesses – which are mapped to the four levels of risk in the Australian Government e-Authentication Framework.[16] The Certificate Policy for Businesses can be found at:



Europe’s approach to digital certificates has been the most structured of such initiatives. The EU Signatures Directive[17] was adopted by the European Parliament and the Council in December 1999 with all 25 EU Member States implementing the general principles of the Directive by 2006. The main objective of the Directive was to create a Community framework for the use of electronic signatures and ensuring a basic legal recognition of electronic signatures. The results have been mixed to date.[18]

There are three types of signatures recognized under the Directive.

• “electronic signature”: a broadly defined concept, applicable to any authentication of information (e.g. a PIN, a name on an e-mail) as opposed to a person or organization;

• “advanced electronic signature”: principally digital signatures, typically based on certificates issued by an “untrusted or unknown” CA; and

• “qualified electronic signature”: not explicitly named as such in the Directive, this is an advanced electronic signature based on a qualified certificate, created by a secure-signature-creation device and meeting the technical requirements described in the Directive’s three annexes (issued by a “trusted CA issuing digital certificates”).

In terms of the security of certificates, it is the qualified signatures, based on qualified certificates that offer signatures that are the most “acceptable” in terms of being linked to an identity. The “qualification” of the certificate goes to the quality of the certificate policy governing the authentication/registration of the certificate holder and the secure protection of the certificate (and keys) during the life of the certificate. The term “qualified certificate” is not used outside of Europe but the concept of minimum standards to which the issuer of the certificate must adhere is universally recognized. The “quality” of the certificate is linked to the “security” of the certificate and the practices of the CA.

It is worth noting here the recent conclusion of the UNCITRAL Working Group on E-commerce:

“PKI seems to be the authentication method of choice when strong evidence of identity and high legal certainty of the electronic signature is required. The use of PKI-enabled smart cards and the integration of digital certificate functions into application software, have made the use of this method less complicated for users. However, it is generally acknowledged that PKI is not required for all applications and that the choice of authentication method should be made on the basis of its suitability for the purposes for which it would be used.”[19]

In South Africa, the law provides for a presumption in favour of “advanced electronic signatures”. It states that “Where the signature of a person is required in law and such law does not specify the type of signature, that requirement in relation to a data message is met only if an advanced electronic signature is used.”[20]

4. “Party Autonomy”, and Recognized Authentication Alternatives

Generally, “party autonomy” is a common feature in most e-commerce legislation. Austria, Germany and Singapore, for example, specifically provide that use of e-signatures is voluntary.[21] In countries where party autonomy is not explicit, the legislation contains provisions from which one could discern that use of e-signatures would be voluntary. For instance, in Thailand, the Act provides that its requirements “[do] not limit that there is no other way to prove the reliability of an e-signature.”[22] In South Africa, the provisions of the law relating to e-signatures fall under a part of the law which is mandatory and, therefore, cannot be varied by the parties.[23]

5. Interoperability

Generally, within one PKI domain, a document that is associated with a digital certificate (e.g. has been digitally signed) is validated through the CA that both the sender and recipient share. Interoperability arises as an issue when the sender and recipient are in different domains and the recipient must rely upon his/her CA to establish trust with the other domain.

This has both technical and non-technical aspects. Technically, PKI applications must conform to technical standards in order to be able to access accurate directories which indicate the purpose, quality and status of the digital certificate used to sign the document. The non-technical aspect requires the establishment of a relationship between the domains or CAs, meaning mutual recognition, together with a technical connection. Technically, there are four options for conveying recognition of a CA: hierarchical CA certificates, cross-certificates, certificate trust lists and a bridge CA. This paper does not propose to examine these different approaches in detail but notes them to indicate the interoperability approach taken by different governments.
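The mechanics behind two of these options (a hierarchical CA certificate chain and a cross-certificate), together with the private-key signing and public-key verification described in the Introduction, are easier to follow in code. The following Go program is an added example written for this page; it is not part of the report and does not describe any ITIDA or other national system. It builds two constructed hierarchies in memory with Go’s standard crypto/x509 package (a Root CA certifies a licensed CSP, which certifies an end user), verifies the end user’s certificate as a relying party that trusts only its own root, shows that a certificate from the other domain is rejected, and then has the first root issue a cross-certificate for the second root’s key so that the other domain’s certificates verify without adding a second trust anchor. All names, keys and the signed message are constructed for the example; entity, issue, buildDomain, chainNames, signMessage and verifyMessage are the example’s own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// entity is one PKI participant: a private key plus the certificate that binds the matching public key to a name (constructed).
type entity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue has issuer certify subject's public key under name; a nil issuer yields a self-signed
// certificate (a Root CA's own), and a nil subject means "generate a fresh key for this participant".
func issue(name string, isCA bool, subject *ecdsa.PrivateKey, issuer *entity) *entity {
	if subject == nil {
		var err error
		if subject, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			panic(err)
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; a real CA records serials durably
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		// CA certificates may sign certificates and CRLs; an end-user certificate may only sign data.
		KeyUsage: map[bool]x509.KeyUsage{true: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, false: x509.KeyUsageDigitalSignature}[isCA],
	}
	parent, signer := tmpl, subject // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subject.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &entity{key: subject, cert: cert}
}

// buildDomain models one hierarchy as the report describes it: the Root CA certifies a licensed CSP,
// and the CSP, never the root, certifies the end user.
func buildDomain(tag string) (root, csp, user *entity) {
	root = issue("Root "+tag, true, nil, nil)
	csp = issue("CSP "+tag, true, nil, root)
	user = issue("User "+tag, false, nil, csp)
	return
}

// chainNames acts as a relying party that trusts only root (its trust anchor) and is handed the leaf
// plus any intermediates; it returns the subject names along the validated path, leaf first, or the error.
func chainNames(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) ([]string, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return nil, err
	}
	var names []string
	for _, c := range chains[0] {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

// signMessage signs the SHA-256 digest of msg with the holder's private key; verifyMessage checks the
// signature using only the public key carried in the certificate, which is all a relying party holds.
func signMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

func verifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil
}

func main() {
	rootA, cspA, userA := buildDomain("A")
	rootB, cspB, userB := buildDomain("B")
	fmt.Println(chainNames(userA.cert, rootA.cert, cspA.cert)) // [User A CSP A Root A] <nil>
	fmt.Println(chainNames(userB.cert, rootA.cert, cspB.cert)) // [] x509: certificate signed by unknown authority
	cross := issue("Root B", true, rootB.key, rootA)           // Root A cross-certifies Root B's key
	fmt.Println(chainNames(userB.cert, rootA.cert, cspB.cert, cross.cert)) // [User B CSP B Root B Root A] <nil>
	sig, _ := signMessage(userA.key, []byte("data message"))
	fmt.Println(verifyMessage(userA.cert, []byte("data message"), sig), verifyMessage(userA.cert, []byte("altered"), sig)) // true false
}
```

Run it with go run. The relying party never sees a private key: it decides on the basis of the root certificate it has chosen to trust and the certificates presented to it, which is the trust-anchor role the report assigns to the Root CA. The cross-certificate is the same mechanism a bridge CA uses, issued in both directions between each participating root and the bridge.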

When discussing PKI interoperability, there is a preference towards the bridge CA model both in Europe (see below) and in North America.[24] The principal objective of any bridge CA is to serve as a “stable” third party to co-ordinate and promote PKI interoperability by whatever means necessary. Individual governments, accreditation agencies and CAs do not on their own have sufficient motive, skills or resources to deliver and maintain interoperability.

Complicating matters is that there is no universal model to adopt or recommend for CAs within a domain. There is some doubt that any country starting a PKI should start with a “bridge model”. Experience to date in the US and Canada would seem to suggest that while a bridge system between CAs is eventually needed, governments should start by using a single certificate authority within government as a shared service provider (as opposed to different institutions having different CAs and trying to connect them together).

As the term suggests, PKI is about infrastructure: an enabling platform to permit the development of secure e-government or e-commerce. It is not a technology that is easy to deploy. The establishment of one or more CAs is a challenging task given the complexity of the technology and the need to support and/or develop applications that utilize it.

It is arguable that the cost of deploying a CA (and associated certificate management), together with the need for trained personnel and for interoperability (in connecting two or more CAs), should lead to the deferment of a central bridge CA model and reliance on one CA to issue certificates for a number of institutions using a shared/common service provider model.

There does not appear to be a clear consensus on the best interoperability model below the bridge CA level. In Canada and the United States, at the federal level, there are bridge CAs. When a PKI cross-certifies with a bridge CA, a Relying Party can trust that PKI’s digital certificates at the Level(s) of Assurance asserted by those certificates. A list of organizations that have cross-certified with the US Bridge CA may be found in Annex B.

It is important to note that the US Federal Bridge CA accepts the Certificate Policies as submitted by the CAs – an approach that requires Relying Parties to make their own trust decisions as to whether or not to accept the digital certificate.

In Europe, officials of institutions participating in networks of the inelegantly titled Interoperable Delivery of pan-European eGovernment Services to Public Administrations, Businesses and Citizens (“IDABC”) use digital certificates issued by the IDABC PKI. The EU tried (or is trying) a different approach in using a bridge CA: establishing the necessary trust relationships through the distribution of certificate trust lists, digitally signed by the bridge CA. A report on trust list usage, together with the architecture and a pilot program, were developed as of 2004.[25]

The following summary table provides some international examples of interoperability.[26]

| |Root CA / Hierarchy |Cross Certification (Mesh) |Cross Recognition |Bridge CA |Certificate Trust List |
|Brief Description |An organised chain of CAs, run from the top down. |CAs certify each other as peers. |CAs/PKI domains agree to recognise each other’s certificates. |A central bridge CA manages interoperability between all other CAs. |A list of trusted CAs is distributed. |
|Role |Technical mechanism to convey recognition. |Technical mechanism to convey recognition. May also have a role in establishing recognition. |Political and contractual process of establishing recognition. |Technical mechanism to convey recognition. May also have a role in managing recognition. |Technical mechanism to convey recognition. |
|Working examples |Global – Identrus; Germany – RegTP | |Asia – PAA; Australia – Gatekeeper / Angus |US Federal Bridge; EU – Commercial Bridge |EU – Government Bridge |
|Agreement required |Tight agreement from the beginning |Only between CAs as needed |Political co-operation |Consensus of CAs to use bridge |Only useful if publisher already has authority |
|Technical interoperability – design stage |Yes – fully interoperable |Yes – but may require significant modifications |PKIs remain separate at technical level |Bridge can play a role in managing interoperability |Requires another mechanism to establish recognition (e.g. Cross Recognition) |
|Technical interoperability – real-time operation |Yes – fully interoperable |Yes – fully interoperable |Requires use of other tools (e.g. Trust Lists) to achieve technical interoperability |Partial technical interoperability only – stronger if used with other tools (e.g. Trust Lists) |Yes – fully interoperable |
|Costs |Low – simple, easy system |High – each pair of CAs must go through expensive process to cross-certify |Low-Medium – co-ordinating body must enforce rules and audit participants |Medium – bridge CA has significant workload |Low, but varies with modes of use |
|Scalability |Medium – short and certain certification paths back to trusted root |Low – full mesh has n² pairs, certification paths may be long |Medium – no technical barriers, but challenging administrative co-ordination |Medium-High – limiting factor is bridge workload |High – simple, direct trust |
|Security risks |High – single breach of root brings down network, subordinate CAs must be re-certified |Low – single breach may have no effect on others, or may fragment network |Low – depending on level of technical integration, probably no effect on network |Medium – breach of bridge brings down network, but participants can still operate on their own |Medium – depending on implementation, may be lag between security breach and list update |
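The bridge CA model described above, and the “Security risks” row of the table, can be exercised with the Go standard library’s X.509 path validation. The example below is added here and is not from the report or any of the PKIs it surveys: it constructs two independent hierarchies (Root CA A and Root CA B), joins them through a constructed Bridge CA by cross-certificates, and shows that a domain-A relying party can validate a domain-B user only while the bridge’s cross-certificate is available, whereas domain B keeps working on its own. All names and keys are generated in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is one certification authority: its signing key and self-signed certificate.
type ca struct {
	name string
	key  *ecdsa.PrivateKey
	self *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey {
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// template builds a minimal certificate body; CA bodies get keyCertSign and no path-length limit.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs t for subjectPub with issuerKey under parent (nil parent = self-signed).
func issue(t *x509.Certificate, subjectPub any, parent *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, subjectPub, issuerKey))
	return must(x509.ParseCertificate(der))
}

func newCA(name string) *ca {
	k := newKey()
	return &ca{name, k, issue(template(name, true), k.Public(), nil, k)}
}

// crossCert is a cross-certificate: issuer vouches for subject's existing CA key.
func crossCert(issuer, subject *ca) *x509.Certificate {
	return issue(template(subject.name, true), subject.key.Public(), issuer.self, issuer.key)
}

// verifies reports whether leaf chains to one of the relying party's anchors via inters.
func verifies(leaf *x509.Certificate, anchors, inters []*x509.Certificate) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// BridgeScenario joins two hierarchies through a bridge CA and reports: validation via the
// bridge, validation after the bridge cross-certificate is withdrawn, and domain B on its own.
func BridgeScenario() (viaBridge, afterBridgeLoss, ownDomain bool) {
	rootA, rootB, bridge := newCA("Root CA A"), newCA("Root CA B"), newCA("Bridge CA")
	bridgeByA := crossCert(rootA, bridge) // Root A certifies the bridge's key
	bByBridge := crossCert(bridge, rootB) // the bridge certifies Root B's key
	user := issue(template("user-in-domain-B", false), newKey().Public(), rootB.self, rootB.key)
	anchorsA := []*x509.Certificate{rootA.self} // all a domain-A relying party trusts
	viaBridge = verifies(user, anchorsA, []*x509.Certificate{bridgeByA, bByBridge})
	afterBridgeLoss = verifies(user, anchorsA, []*x509.Certificate{bByBridge})
	ownDomain = verifies(user, []*x509.Certificate{rootB.self}, nil)
	return
}

func main() {
	a, b, c := BridgeScenario()
	fmt.Println("via bridge:", a, "| after bridge loss:", b, "| own domain:", c)
}
```

The certification path a domain-A relying party builds is user ← Root CA B (certified by the bridge) ← Bridge CA (certified by Root CA A) ← Root CA A, which is why removing the bridge’s cross-certificate breaks cross-domain trust without affecting domain B internally.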

Most countries provide in their laws for cross-certification and cross-border recognition of certificates, even if subject to certain conditions being met. The laws in Austria and Germany have guidelines on the recognition of foreign certificates, one of which is that such certificates must meet the requirements for the issuance of certificates under the EU Directive.[27] This is mainly the case with certificates originating from non-EU states. Certificates from EU member states are considered equivalent to domestic (qualified) e-signatures. In other countries, foreign certificates are treated on an ad hoc, case-by-case basis. In South Africa and Singapore, the power is reserved for the responsible Minister to recognize foreign CAs from particular countries through regulations published in the Gazette. Surprisingly, in Mauritius the law is silent on both cross-border recognition and interoperability.

PKI Implementation Issues

1. Applications

Most digital signature applications are generally integrated with business applications. Often the digital certificate is not obvious and is otherwise “below the surface” and not visible to the user. Because of this, the digital certificate is often a “general purpose” certificate, which is used to identify the user in a relatively wide range of transaction types. The epass in Canada serves as an example, where the CA issues a certificate to the user but the government institution does the mapping between the digital certificate and identity.

Five years ago, web-based applications were the most popular PKI applications in the market, followed by server certificate authentication. Organizations preferred key pair solutions (server certificates) to hardware-type solutions (tokens), mainly due to their ease of implementation. Now, with two-factor authentication becoming more “mainstream”, the use of a physical item (e.g. tokens, smart cards, grid cards) may increase.

Most digital certificates issued today are used in a relatively limited range of applications. A lot of the digital certificate applications are e-government related. Generally there is a dearth of applications available that will use digital certificates.

Software can often select and invoke the appropriate certificate automatically, without user intervention. This helps make the user’s experience of digital certificates (and the associated key management) relatively painless and seamless. However, a serious question to consider is how well the technology can be integrated into existing information technology infrastructures. The “plus” side of this is that the use of third-party PKI service providers becomes a more attractive option for organizations and government institutions.

The applications that can use digital certificates vary but can be broadly placed in a series of categories:

• Authentication, through the verified issuance of a digital certificate;

• Verification of integrity, through the use of valid digital signature keys contained in a digital certificate;

• Authorization, through the use of valid digital signature keys contained in a digital certificate; and

• Confidentiality, through the use of valid encryption keys contained in a digital certificate.

Authentication may consist of confirming the identity of a natural person or a machine or the source of a document or code. Verification of integrity may apply to the contents of an electronic document or to the executable code.

Digital signatures may serve as the electronic equivalent of “wet” or “paper-based” signatures. In a large number of jurisdictions, the equivalency of such signatures has been confirmed in law. For example, in Austria, the use of a secure electronic signature meets the legal requirements for a hand-written signature under the Federal Electronic Signature Law.[28] The German law provides that use of a qualified e-signature meets the legal requirement for a hand-written signature.[29] A requirement in law that a document or information must be in writing is met, in South Africa, if the document or information is “in the form of a data message”.[30] A similar provision is contained in the Mauritius e-signature law.[31]

Illustrations of how digital certificates are used can be seen in a number of different countries.

(a) Finland

In Finland, the Population Register Centre and a mobile telephone provider, TeliaSonera Finland, are issuing the “State Citizen Certificate” to enable secure mobile communications and commerce. The Citizen Certificate is included in SIM cards, which permit mobile phone users to authenticate themselves for both public and private sector services. The Citizen Certificate card was made available in January 2005.[32]

Finnish government employees are being issued “Chip ID cards”. The photo ID cards contain a digital certificate, which permits authentication of network users and their usage rights; encryption of email and documents; and a digital signature. Uses include access control systems, teleworking, passage control and physical identification.[33]

More specific applications include:

• Online change of address[34]

• Electronic Birth Registration[35]

• Online tax filing[36]

(b) Canada

The federal government created and made available its “epass” in September 2002 to further its e-government objectives. An epass is a “zero footprint” digital certificate issued and downloaded to a client’s computer each time a secure Internet transaction is initiated, and remains downloaded only during that transaction. The certificate, once validated by the government department responsible for the program, ensures that the client will be automatically recognized during future transactions with the department.

An epass is used with a program that requires both the Government of Canada and the user to be authenticated. Users are allowed to have a different epass for each epass-enabled Service.

The first provider of epass-enabled service was the Canada Revenue Agency (“CRA”). As of March 2007, fifty-nine of sixty-five programs on-line across twenty-two Canadian federal government departments are epass-enabled. These include:

• CRA’s MyAccount and My BusinessAccount;

• Service Canada’s Record of Employment; and

• Foreign Affairs’ Passport Online.

Some statistics of interest include:

• Over 2.4 million epasses were issued as of February 2007.

• Over 50,000 businesses use the online Record of Employment service.

• Over 6 million logons by business clients in 2006.[37]

(c) United States

According to a December 2003 study prepared by the Office of Management and Budget in the United States,[38] 20 of the 24 agencies reported that they were undertaking a total of 89 PKI initiatives. These initiatives represented a significant investment, estimated at about $1 billion. The report identified a number of challenges for the implementation of PKI-enabled applications within the American government.[39]

(d) European Union

In Europe, given the existence of the EU Signatures Directive and issuers of qualified certificates, a number of e-government applications are used in conjunction with “electronic ID cards”. In providing on-line access to government services, these cards have three main functionalities: identification, authentication and signing. In Belgium, for example, approximately 1.3 million electronic ID cards have already been activated.[40]

Overall, the “market” for digital certificates and the associated signatures has been slow to develop. Part of the problem is technical (the complexity of PKI systems; the lack of interoperability between different domains); part is simply the demand for trusted third parties (the CAs) authenticating an identity for general purposes. Application “owners” have little reason to develop multi-application uses for digital certificates.

Most uses of digital certificates occur in “closed” PKI systems where all the parties are somehow known to each other (e.g. the issuer is the institution with whom the certificate holder is or will become a client). From a privacy perspective, this is not a bad thing but it means that digital certificates are often used for only one application. In Canada, the federal government’s epass service is based on the CA not knowing the identity of the certificate holder.

(e) Asia

In Asia, the Asia PKI Forum is an organization established to promote PKI interoperability in the Asia/Oceania Region. Membership consists of the Macao Post and PKI Forums from Korea, China, Japan, Chinese Taipei, Singapore, Hong Kong and Thailand.

The Forum divides itself into a series of working groups to address technical and policy issues.

• Legal Infrastructure Working Group issues an annual report concerning cross-border e-commerce;

• Business Case/Applications Working Group addresses issues concerning the development of an international e-business infrastructure through Asia PKI Forum;

• Interoperability Working Group addresses PKI interoperability issues;

• World Wide Collaboration Working Group facilitates information sharing and collaboration concerning PKI as well as ICT security between the Forum and other organizations.

In 2005, the Business Case/Applications Working Group issued an “Asia PKI Application Case Book”, which highlights the various business models in Asia using PKI technology. At that time, and without significant changes since then, the technology is mainly used for online authentication in e-government and e-banking contexts. The report is available at: under the heading “Resources”.[41]

An illustration of the pace of application deployment can be seen in this quote from the report on Japan:

“However, while the PKI utilization in the B2G field is moving forward, PKI utilization for e-commerce in the fields of B2B and B2C is not making as much progressing as initially expected. Though it is true that about 20 private businesses have adopted the designated certification services that are described by the Electronic Signature Law and have issued Public Key Certificates, the majority of these certificates are not used for e-commerce between private companies. Rather, they are mainly used in the B2G field for electronic government services on the local and national level.”

In Korea, the outlook is expressed more positively:

“Internet Banking

All banks deployed licensed certificate authentication system. If a customer has to transfer his money online, the customer must sign digital signature using his licensed certificate. Some banks enhance the level of control by blocking to see the transaction of an account if they haven’t a certificate.

Online Stock trading

All securities deployed licensed certificate authentication system. If a customer has to trade his stock or transfer money online, the customer has to log-in by submitting digital signature using his licensed certificate. A customer can submit digital signature for transaction each time.

E-Government

The government services web sites for civil petition, many types of certificate issuance, notification of internal work process, etc. With licensed certificate, people submit their digital signatures when it is needed and access related information, get certificates by printing, and request civil petition.

E-Commerce

When they use credit card on the Internet shopping mall site, they have to submit digital signature if the total price of the product exceed 300,000 Korean Won. It is now applied to major two credit card companies, but supposed to apply to every credit card company from October 2005. It is expected to block illegal usage of credit cards.”

Specific examples of applications can be seen in:

• Korea: Education: Confidentiality and Integrity for School/Student Information

• Korea: Education: Parental Approval Via Digital Signature

• Korea : E-Commerce : Digital Content Authentication

• Japan: Healthcare: Medical And Healthcare Network

• Japan: E-Commerce: Electronic Account Receivables For Small-Medium Enterprises

• Chinese Taipei: E-Government: PKI Applications In E-Government

(f) Africa

Tunisia has established a very modern approach to the use of digital certificates, focusing on e-government, e-commerce and e-banking applications to date. Applications include e-filing for taxes[42]; online payment accounts[43]; server certificates for merchant web sites[44] and on-line banking[45]. In South Africa, the law provides for the acceptance of filing and issuing of documents by public institutions. However, the law further sets out various conditions (specific to the use of e-signatures in public bodies) within which this can be done to ensure security and confidentiality.[46]

In deploying any PKI or establishing a CA, the emphasis must be on the business application and not on the PKI technology itself. A digital certificate is a means to an end – secure online transactions/communication. This means that the identification of the certificate holder has to be reasonable in the context of the application for which its use is sought. This in turn argues for a reasonable “mapping” of application to level of assurance in the certificate. A high assurance certificate is not needed for a low risk transaction in a closed PKI environment. As a result, one area to consider is how to facilitate enrolment of certificate holders.

2. Distribution of Certificates

A digital certificate is simply an electronic file, digitally signed by a CA, that contains certain elements or “values” such as the certificate name and usage, certificate holder information, the public key itself, an expiration date, and the name of the CA that generated the certificate.

It is perhaps obvious, but the security provided by digital certificates is only as good as the security provided for the storage and use of the private keys. Digital certificates can be stored on the user’s computer, in software modules, or on hardware devices like smart cards or other hardware. The choices then are essentially distributing digital certificates in either software or hardware form.

Certificates stored on a computer hard drive are the least expensive means of storing a certificate but also the least secure. Essentially, a browser generates the private and public keys. The certificates and private keys are then stored in PIN-protected, encrypted files on hard drives. The browser performs functions such as encryption/decryption and digitally signing electronic documents using those certificates and private keys.

Smart cards/tokens/devices contain a microprocessor and memory and provide the most secure solution because keys are generated on the card or device, and the certificates and private keys are stored in an encrypted file on the card, token, or device. The encryption/decryption and digital signing functions are performed on the card or device. As a result, the private keys are never exposed outside the device.

These devices come in different forms including:

• Smart cards with a card reader that generally connects to the computer through a Universal Serial Bus (USB) port or a PCMCIA card slot;

• USB tokens that plug directly into a Universal Serial Bus (USB) port;

• Fingerprint devices; and

• Security chips embedded in the computer.

The eventual choice in the distribution of digital certificates is a function of security as well as the application for which the certificate is required for encryption or signature purposes. Digital certificates and their associated keys are generally used by web browsers and e-mail clients for user authentication and/or digital signatures. This means they will need to be stored so that they can be easily retrieved by the user for these functions. If the application (or perhaps more accurately the information being accessed or used by the application) is more sensitive then additional security requirements may dictate the use of “devices” to hold the certificate (e.g. smart card or token). It is important to emphasize that the security is not really for the certificate but the keys associated with them.

Apart from the anecdotal examples already included in this report, little hard comparative data were discovered about either the number of certificates issued or the volume of electronic transactions using such certificates.[47] Information regarding the operations of certification authorities or certification service providers, including details of the number of certificates issued (by whom, when and how distributed), the transaction volume and the costs for issuing certificates, is limited on the public websites of the countries surveyed. As a result, we have not been able to establish any comparative pattern of the costs, distribution mechanism or transaction volume among these countries. In Austria, for example, a number of accredited Certificate Service Providers (“CSP”) (2) supervise, in turn, the activities of a number of other CSPs (6) who have issued thousands of Qualified Certificates (“QC”). In Germany, some 23 accredited CSPs have issued some tens of thousands of digital certificates. And in Malaysia, for example, some 22 million smart cards using a PKI system have been issued, for use in more than a dozen applications.

3. Cost of Issuing Certificates

The development of a system to provide digital certificates can be easily characterized as an “infrastructure” cost. Calculating any return on investment (“ROI”) for digital certificates alone is difficult.[48] Any ROI often has to be linked to the application(s) that the digital certificate is intended to support and how the certificate assists in the shift from the current business process to an electronic process or a more secure electronic process. Information on the pricing of certificates is often not readily available.[49] Usually, in terms of cost, the fixed and variable cost of producing certificate no. 1 is the total cost of establishing the Certification Authority issuing the certificate. The marginal cost of producing certificate no. 2 is zero (this leaves aside any licensing fees associated with certificate production).

It is somewhat axiomatic to suggest that the higher the trust to be placed in a digital certificate, the higher the cost of the certificate. The cost of managing a certificate is the global cost of producing the certificate, registering the holder of the certificate and then maintaining the certificate throughout its lifecycle, which may include “helpdesk” support.

The OASIS Paper describes the various costs according to a “digital certificate supply chain” (see figure 3), and breaks down costs according to each element in the chain.

Figure 3

Box 1[50]

It is important to note that how one approaches the subject of verification of identity will influence cost/pricing of certificates. As an example, the issuance of certificates through the epass program in Canada is done electronically; the verification of identity is done online through the use of shared secrets between the institution and the client seeking to register a digital certificate with that institution. This is a lower cost exercise than if the client had to present him/herself to an individual and provide tangible proof of identity.

Pricing and “cost” determinations have many variables associated with them and there is no simple answer without detailed analyses of each of the variables in each situation. Additionally, because of the distributed nature of the cost of using PKI across platforms and for different purposes, even CA operators may not accurately know the overall cost of the PKI.

In another example, the U.K. Government initiated a biometric-based national ID card program.[51] The program was criticized both on the basis of too-low cost estimates and questionable technological assumptions of using biometrics. Regarding cost, an independent evaluation estimated that costs would be more than double Government estimates. On technical grounds, the use of biometrics was criticized as being unproven technology, and the reliance on a single database was criticized as too risky for the protection of personal data. An ancillary lesson learned from the U.K. experience is the importance of clearly identifying the purpose for which an electronic authentication system is to be used.

|Recommendations for strengthening Egypt’s e-signature and PKI enabling environment |

The following findings and recommendations are intended to build on the foundation for PKI provided in Law and the Decree. In that sense they are aimed at enhancing the trust and confidence of users in the system in order to encourage use. They are also aimed at helping to identify where in the “certificate supply chain” costs may be incurred, and to isolate and reduce downstream costs (actual and hidden costs).

As Root CA, ITIDA should develop certificate standards policies applicable to Egypt, and can use its existing relationships with its MoU partners in this regard.

One key element in the non-legal part of the enabling environment for PKI, especially in cases of Root CAs, is the existence and publication of a Certification Practice Statement and Policy that will govern the issuing and use of digital certificates. These practice statements and policies will cover the legal basis for the activity, the institutions involved in PKI and their respective obligations and responsibilities, operational requirements, as well as security controls, for example.

Measures to limit the liability of ITIDA as Root CA

Since ITIDA will be acting as Root CA in Egypt, in the absence of other constitutional, administrative or statutory protections, ITIDA should consider the manner in which liability will be apportioned between ITIDA, as Root CA, and users for erroneous certificates, forged signatures, certificates issued on false pretences, or errors in certificate repository or CRL, for example.

Clarify which electronic transactions will be subject to PKI

Currently, under the Law and the Decree, it is envisaged that there will be a hierarchy of electronic transactions. The Decree, for example, provides for electronic signatures (which are the equivalent of “strong” signatures, the underlying transaction of which will presumably be subject to PKI) and electronic documents and writing (which are the equivalent of “weak” signatures). Both are given legal effect under the Law and Decree. However, by clarifying which kinds of electronic transaction activities ITIDA expects will be subject to PKI, ITIDA can also better understand the cost and benefit structure of implementation of PKI in Egypt. In this regard it is understood that a key element of this will be the awareness raising campaign, which is the subject of the next phase of the World Bank RTA with ITIDA. This campaign should also foster trust and confidence and enhance greater use of the systems made available under the PKI regime.

Training for lawyers and judges on e-signatures issues

Another part of the awareness-raising campaign, and an essential part of the enabling environment, will be the training of lawyers and judges in the policy, legal and technical aspects of PKI.

Introducing alternative dispute resolution processes for e-signature matters

Related to the foregoing issues of trust, confidence and awareness, and because of the unique issues involved in the use and application of PKI in certain electronic transactions, it will be beneficial to ensure the speed and certainty with which disputes related to PKI are resolved.

International Considerations

The United Nations General Assembly recently approved the opening for signature of the UNCITRAL Convention on Electronic Contracting (Convention).[52] The Convention applies to cross-border e-commerce activity, and therefore falls outside the focus of this report, insofar as the scope of the report deals with use of e-signatures within Egypt. However, the Convention raises at least one interesting issue with respect to the Law in Egypt. The Convention contains a “party autonomy” provision that permits the parties to a transaction (or a series of transactions) to determine their own protocols – as between the parties – that will apply in terms of authentication. The Law only provides that foreign certificates (i.e., PKI-based e-signatures) can be recognized in Egypt. However, as noted in 4.A, above, the Law does not have a party autonomy provision. Therefore, in terms of cross-border authentication, foreign parties not relying on PKI-based authentication cannot be assured that their electronic contract will be automatically granted legal validity. It does not necessarily mean that the contract would be voided, but the burden of proof would shift to the party claiming validity of the e-signature. Finally, if Egypt were to ratify this Convention, it may need to do so on the basis of an exception to the Convention’s party autonomy provisions.

|Glossary |

|B-2-C |“Business to Consumer” – refers to a commercial electronic transaction between a natural person and an economic enterprise |
|Bridge CA | |
|C-2-G |“Citizen to Government” – refers to a non-commercial or official electronic transaction between a natural person and a governmental organization |
|Certificate | |
|CRL | |
|G-2-G |“Government to Government” – refers to an electronic transaction between two governmental organizations |
|Private Key |(1) The key of a signature key pair used to create a digital signature. (2) The key of an encryption key pair that is used to decrypt confidential information. In both cases, this key must be kept secret. |
|Public Key |(1) The key of a signature key pair used to validate a digital signature. (2) The key of an encryption key pair that is used to encrypt confidential information. In both cases, this key is made publicly available, normally in the form of a digital certificate. |
|Public Key Infrastructure (PKI) |A set of policies, processes, server platforms, software and workstations used for the purpose of administering certificates and public-private key pairs, including the ability to issue, maintain, and revoke public key certificates. |
|Root CA |In a hierarchical PKI, the CA whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain. |
|X.509 |In cryptography, X.509 is an ITU-T standard for PKI. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.[53] |

|Annexes |

Annex 1 – Country Benchmarking Matrix

Annex 2 – Brazil – Examples of Digital Certificates

Annex 3 – Examples of Cost Structures

|Bibliography |

Campbell, Dennis, (2005), “E-Commerce and the Law of Digital Signatures”

Certification Practice Statement, Version 1.1, 2001, Korean Information Security Agency,

Dekker, Cliffe, “E Commerce in South Africa”, available at:

Diodati, Mark and Blum, Dan, “Reference Architecture Technical Position, Public Key Infrastructure”, The Burton Group 2007, available at: http//guests/content/dss/testdrive/techpositions.asp

Dumortier, Jose et al, “The Legal and Market Aspects of Electronic Signatures” (the “EU Report”).

Fischer, Georges, “E –Commerce Law in Brazil”, available at:

Guizzo, Eric, January 2006, “Britain’s Identity Crisis: Proposed biometric ID cards won’t prevent fraud or terrorism”, IEEE Spectrum, available at:

Koanantakool, Thaweesak, “Electronic Commerce Development in Thailand’ available at:

Lodder, Arno and Kaspersen, Henrik, ed (2002), “E-Directives: Guide to European Union Law on E-Commerce”

Lewis, Jamie and Blum, Dan, 1999, “Public Key Infrastructure: Architecture and Concepts”, The Burton Group.

Mazeo, Mirella, “Digital Signatures and European Laws” also available at:

OECD Recommendation on OECD Guidance for Electronic Authentication, available at: sti/security-privacy

PKI Assessment Guidelines, American Bar Association, Information Security Committee, Section of Science and Technology Law, 2003

Possible future work on electronic commerce: Comprehensive reference document on elements required to establish a favorable legal framework for electronic commerce: sample chapter on international use of electronic authentication and signature methods, UNCITRAL, A/CN.9/630/Add.3, available at: (UNCITRAL Future Work).

Smith, Brian W. and Kiefer, Kimberly B., April 1999, “Recent Developments in Electronic Authentication: the Evolving Role of the Certification Authority”, 116 Banking Law Journal 341.

United Nations Convention on the Use of Electronic Communications in International Contracts, adopted by the General Assembly on 23 November 2005, available at:

van Cutsem, Jean-Pierre, “E Commerce in the World- Aspects of Comparative Law”

Wilson, Stephen, (2005), “Guidelines on how to determine Return on Investment in PKI”, OASIS PKI White Paper, Version 1.4.

General References

Baker & McKenzie:

For e-signature in South Korea:

For e-signature legislation in Mexico (in Spanish), see:

For e-signature/commerce legislation in Mauritius, see:

(August 29, 2003)

For a list of countries with e-signature legislation, see:

.mu/portal/goc/ncb/file/eta.pdf

ANNEX 1

ENABLING ENVIRONMENT BENCHMARKING MATRIX

AUSTRIA

|Legal Basis |Austrian Federal Electronic Signature Law (2000); applicable to “closed systems, insofar as the parties within the system have agreed” and in open transactions with courts and other authorities. Exceptions: legal transactions under family and inheritance laws; legal transactions requiring official certification, judicial or notarial authentication, land or companies’ registration; guarantee declarations |
|Institutional Arrangements |The Law includes duties for Certification Service Providers to issue certificates; the Law has provisions on the supervision of these CSPs by the Telekom Control Kommission (TCK). Prior authorization is specifically prohibited. CSPs require no special permit to establish their activities, but all CSPs must notify the TCK, which acts as a supervisory and monitoring body supervising all CSPs |
|Security |The law provides for “Basic” signatures and “Secure” signatures (AES), the latter based on “Qualified Certificates” and created under security requirements |
|Party Autonomy |Up to parties to agree |
|Interoperability (cross border recognition) |The Law has guidelines on the acceptance of foreign certificates. Certificates from EU countries are tantamount to Austrian certificates. Certificates from third party countries which can be validated in Austria are recognized. Qualified certificates from third party countries are recognized if conditions similar to the EU Directive are fulfilled, and provided their validity can be verified. |
|Interoperability (cross certification) |Interoperability promoted through open specifications and voluntary standards |
|E Government |E signature legislation (the 2000 Law) is silent, but e-transactions in government are governed separately by the “E Government Act” |

BRAZIL

|Legal Basis |There are no specific laws in Brazil that deal with electronic commerce. In the absence of specific laws, electronic contracts are governed by the general principles set out in the 1916 Brazilian Civil Code (CC), the 1850 Brazilian Commercial Code and the 1990 Brazilian Consumer Code (Consumer Code), among other relevant statutes[54]. Several statutes regulate the use of e signatures, but an E signature Bill is still pending before Congress |
|Institutional Arrangements |A Government/Private sector committee regulates all Certification Service Provider activities, but there are other lower level entities that regulate the issuance of certificates |
|Security |In some, especially bank operations |
|Party Autonomy |Brazilian laws with a bearing on e signatures give the parties the possibility to elect whether to use e signatures |
|Interoperability |Efforts are underway to achieve cross border interoperability; there is also a committee to promote internal interoperability. But note that Brazilian law does not associate the legal validity of a document with the use of a specific certification or e-signature system, provided that the parties accept an alternative means of confirming authenticity and integrity. Thus, there are no specific rules in Brazil that regulate the validity of foreign e-signatures or certifications. |
|E Government |E signature applications used in banks (including the Central Bank) and government entities (e.g. tax revenue authority) |

CANADA

|Legal Basis |The Personal Information Protection and Electronic Documents Act is the Federal law; there are various provincial laws on e-signatures, but these statutes do not apply to elections legislation, wills and trusts, powers of attorney, documents relating to interests in land and negotiable instruments |
|Institutional Arrangements | |
|Security | |
|Party Autonomy |The legislation does not require use without a person’s consent; parties can opt out. |
|Interoperability (cross border recognition) |There seems to be no provision in the federal law relating to recognition of foreign certificates and electronic signatures. The legislation does contain, however, provisions on the place of sending and receipt of electronic communications |
|Interoperability (cross certification) | |
|E Government | |

GERMANY

|Legal Basis |Law on Framework Conditions for Electronic Signatures; unless prescribed by law, e signature use is voluntary |
|Institutional Arrangements |Certification Service Providers may be natural persons or legal entities who issue certificates. No approval is needed to operate certification services, but CSPs must be accredited by the “Competent Authority” under Germany’s Telecommunications law; the “Competent Authority” issues accredited CSPs with the qualified certificates they need and is responsible for supervising the Act and the CSPs. Germany utilizes a Bridge CA. |
|Security |“Basic” signatures and AES (same requirements as in the Directive), and Qualified Signatures (AES based on a QC and created by an SSCD) |
|Party Autonomy |Unless prescribed by law, use of e signatures is voluntary |
|Interoperability (cross border recognition) |E signatures for which a foreign certificate has been issued by an EU member country or a signatory to the Treaty on the European Economic Area are the equivalent of qualified e signatures in Germany if they correspond to the EU Directive on e signatures. There are additional requirements for e signatures from third party countries. |
|Interoperability (cross certification) |Several bodies have been established to promote interoperability |
|E Government |Yes. Additional requirements: long term provable signatures are mandatory for public entities for a few public administration applications |

MALAYSIA

|Legal Basis |Digital Signature Act 1997 |
|Institutional Arrangements |Minister appoints a Controller of Certification Authorities for the purposes of monitoring and overseeing the activities of certification authorities. It is mandatory for Certification Authorities to be licensed; the Minister has the power to set qualification requirements for CAs; the Act also restricts the use of the term “certification authority” and contains many regulations on revocation/refusal of licenses |
|Security |The Act has several provisions on security of signatures, liability and control of the private key, and presumptions in favour of valid signatures; the law is based on public key infrastructure |
|Party Autonomy |Variation by agreement is permissible |
|Interoperability (cross border recognition) |Controller may recognize, by order published in the Gazette, certification authorities licensed or otherwise authorized by governmental entities outside Malaysia that satisfy the prescribed requirements |
|Interoperability (cross certification) |No provisions |
|E Government | |

MAURITIUS

|Legal Basis |Electronic Transactions Act (2000); applies to electronic records and electronic signatures to a transaction but does not apply to wills, negotiable instruments, powers of attorney or real property contracts |
|Institutional Arrangements |The Act establishes the public office of Controller of Certification Authorities, responsible for licensing and monitoring Certification Authorities |
|Security |Secure electronic signatures provided for; there is a presumption in favour of electronic signatures; trusted CA |
|Party Autonomy |Parties are at liberty to vary provisions of the Act |
|Interoperability (cross border recognition) | |
|Interoperability (cross certification) | |
|E Government |The Act provides for the use and recognition of e signatures and records in the public sector |

MEXICO

|Legal Basis |2003 E signatures Code under the Code of Commerce, a federal statute, with a wide sphere of application. No specific exceptions as to what documents may not be subject to the law |
|Institutional Arrangements |CSPs are heavily regulated in Mexico and there are stringent requirements to be met to be a CSP. The Secretariat of Economy is entrusted with enforcing the Code’s provisions. It acts as an Accrediting Authority; CSPs must obtain prior accreditation from the Secretariat and must notify it of the beginning of their certification services activities within 45 days. |
|Security |The Code provides for “reliable” and “advanced” signatures with different requirements. The presumption is in favour of reliable signatures. Note that, unlike other countries or the Model Law, the Code establishes requirements that certificates must meet for them to be valid. |
|Party Autonomy |Although the Code does not make reference to the parties’ right to contractually modify or exclude the applicability of its provisions, it is generally considered that parties can amend or derogate from the provisions to the extent not contrary to public order |
|Interoperability (cross border recognition) |Foreign certificates/signatures are recognized on the principle that, in recognizing the legal effects of foreign certificates or e signatures, only their reliability is relevant. A foreign certificate will have the same effect as a Mexican certificate if it complies with the level of reliability of Mexican certificates. |
|Interoperability (cross certification) | |
|E Government |Public transactions are covered under the law |

SINGAPORE

|Legal Basis |The Electronic Transactions Act (the “Act”) of Singapore aims to eliminate barriers to electronic commerce resulting from uncertainties over writing and signature requirements. Exceptions: does not apply to laws requiring writing or signatures in wills, negotiable instruments, indentures/powers of attorney, contracts of sale or conveyance of real property |
|Institutional Arrangements |Certification Authority (CA) issues certificates to prospective subscribers; this is not mandatory but done on request (there seem to be benefits for licensed CSPs); the CA prescribes duties of Subscribers; the Minister appoints a Controller of CAs for certifying/monitoring CAs |
|Security |See provisions under Part VI (a person relying on an e signature assumes the risk). The Act provides for different treatment of “electronic signatures” and “secure electronic signatures”, which are more secure and are given additional presumptions (e.g. of integrity, of the authority of the person who created it, etc.). |
|Party Autonomy |Parties are free to vary any provision of the Act |
|Interoperability (cross border recognition) |Yes: the Minister may, by regulations, provide that the Controller of CAs recognize foreign CAs that satisfy the requirements for e signature certificates under the Act |
|Interoperability (cross certification) | |
|E Government |Any ministry or department of Government that accepts the filing of documents, issues permits, licenses or approvals, or provides for a method and manner of payment, may do so by electronic records/form |

SOUTH AFRICA

|Legal Basis |The Electronic Communications and Transactions Act, 2002 (the “Act”); if the type of signature is not specified, advanced e signatures are recognized; the Act is not mandatory; applies to any data message or electronic transaction except where legislation provides otherwise |
|Institutional Arrangements |The Director-General of the Department of Communications acts as Accreditation Authority, but accreditation is voluntary; the AA plays a supervisory or monitoring role |
|Security |Provides for “advanced” e signatures unless the parties require otherwise |
|Party Autonomy |Provisions on e signatures fall within a part of the Act which is mandatory and cannot be varied by agreement. |
|Interoperability (cross border recognition) |Minister may (by notice in the Gazette) recognize accreditation or authentication products/services from any foreign jurisdiction |
|Interoperability (cross certification) | |
|E Government |E Government services are recognized: any public body that accepts the filing of documents, requires that documents be created, issues any permit/license or approval, or provides for a manner of payment may do so through data messages or electronic means |

SOUTH KOREA

|Legal Basis |Has two laws: the Basic Law on Electronic Commerce and the Electronic Signature Act (1999) |
|Institutional Arrangements |The Act mandates the Government (Ministry of Information) to designate an authorized certification authority to ensure the security and reliability of electronic commerce and to promote sound transactions. The Act designates KISA (Korean Information Security Agency) as the body responsible for supervising e signature certification services. |
|Security |The Act distinguishes between accredited electronic signatures (based on an accredited certificate and meeting specified security requirements) and other e signatures. |
|Party Autonomy | |
|Interoperability (cross border recognition) |The Act provides that the Ministry of Information shall promote activities aimed at achieving smooth interoperability of e signatures, domestically and internationally. |
|Interoperability (cross certification) |The Act provides that the government may enter into agreements with foreign governments for mutual recognition of e signatures. Such an agreement shall grant “the same legal status or effect” to a foreign CA, or to e signatures or certificates issued by a foreign CA, as to a Korean certificate or e signature. |
|E Government |An “E Government Act” was enacted to promote efficiency in public services |

THAILAND

|Legal Basis |Electronic Transactions Act; applies to all civil and commercial transactions except those expressly excluded by a Royal Decree |
|Institutional Arrangements |There is an Electronic Transactions Commission (consisting of the Minister and others appointed by Cabinet) with authority to “issue rules or notifications relating to e signature” in compliance with the Act; the ETC has a duty to monitor and supervise the e transactions business. To maintain “financial and commercial stability” and “strengthening the credibility” of e transactions, a Royal Decree may require prior notification/registration of CSPs |
|Security |Ordinary e signatures provided for |
|Party Autonomy |The requirements in the Act on e signatures “does not limit that there is no other way to prove the reliability of an e signature” |
|Interoperability (cross border recognition) |An e signature created/used in a foreign country shall have the same legal effect as one created in Thailand if the level of reliability used in creating or using such e signature is not lower than that prescribed in the Act |
|Interoperability (cross certification) |Promoted: a certificate or e signature is effective regardless of the geographic location where the certificate is issued or the e signature is created or used, and regardless of the geographic location of the place of business of the issuer of the certificate or the signatory. |
|E Government |The Act applies to transactions (applications, payments, permissions, registrations etc.) of the affairs of the State or a State agency. Additional requirement: a Royal Decree may require a CSP serving the public to notify or apply for registration prior to commencement of business with the public sector |

UNITED KINGDOM

|Legal Basis |Electronic Communications Act 2000; the Electronic Signatures Regulations 2002; and also the Electronic Commerce (EC Directive) Regulations 2002; the e signature regulations are not limited in their scope of application |
|Institutional Arrangements |The Secretary of State oversees/reviews the carrying on of activities of certification-service-providers who are established in the United Kingdom and who issue qualified certificates to the public. Prior authorization of CSPs is not prohibited, but there is no notification requirement for CSPs; CSPs are subject to supervision; CSPs on tScheme are monitored for adherence to a Code of Conduct. The law does not mention voluntary accreditation, but there is an industry voluntary self-regulated scheme (tScheme) |
|Security |Provides for two types of signatures: “Basic” and AES, similar to the EU Directive; also note that Certificates and Qualified Certificates are provided for with different requirements |
|Party Autonomy |English law places a great deal of emphasis on freedom to contract. Thus parties may agree to contract out of any of the provisions |
|Interoperability (cross border recognition) |No specific provision[55]. But note that the definition of “Qualified Certificate” under the Regulations does not make reference to the jurisdiction of the certificate’s incorporation, thus there is nothing to limit the scope of the legislation to “domestic” e signatures only[56] |
|Interoperability (cross certification) |Equal treatment of signature technologies is recognized |
|E Government |Available; there are specific requirements for the use of e signatures in the public sector. A government “gateway” has been established to provide centralized registration for e government services |

Annex 2

Brazil Examples of Digital Certificates

• Sistema de Pagamentos Brasileiro
  o Central Bank
• e-CPF and e-CNPJ / Certificados Digitais
  o Secretaria da Receita Federal (all federal tax and some social contributions)
• Nota Fiscal Eletrônica
  o Ministério da Fazenda (ICMS, a VAT-like tax divided among the Federal Government and the States)
• Bank Services
  o Bradesco
  o Unibanco
• Labor Courts e-DOC
• Federal Courts
• Superior Education / Ministério da Educação
• Caixa Economica Federal (social programs)
• Insurance Brokers / Insurance Services
• Notarial Services
• Agribusiness

ANNEX 3

Examples of Costs Structures

A. United States

Note: The full table is available online at:

|Description |Commercial CLIN # |Commercial Price |Government CLIN # |Government Price |
|Digital Signature Certificates |0051a | |0002 | |
|  500 to 1,000 | |$75.00 | |$72.00 |
|  1,001 to 10,000 | |$65.00 | |$63.00 |
|  10,001 to 25,000 | |$45.00 | |$44.00 |
|  over 25,000 | |$35.00 | |$34.00 |
|Encryption Certificates (no escrow) |0051b | | | |
|  500 to 1,000 | |$75.00 | |$72.00 |
|  1,001 to 10,000 | |$65.00 | |$63.00 |
|  10,001 to 25,000 | |$45.00 | |$44.00 |
|  over 25,000 | |$35.00 | |$34.00 |
|Digital Signature Certificates, ID Proofing by Government |0051c | | | |
|  500 to 1,000 | |$45.00 | |$44.00 |
|  1,001 to 10,000 | |$40.00 | |$39.00 |
|  10,001 to 25,000 | |$35.00 | |$35.00 |
|  over 25,000 | |$30.00 | |$29.00 |
|Encryption Signature Certificates, ID Proofing by Government (no escrow) |0051d | | | |
|  500 to 1,000 | |$45.00 | |$44.00 |
|  1,001 to 10,000 | |$40.00 | |$39.00 |
|  10,001 to 25,000 | |$35.00 | |$35.00 |
|  over 25,000 | |$30.00 | |$29.00 |
|Certificates, Enterprise Service Level Agreement2 (no escrow) |0051e | | | |
|  User 101 to 500 | |$110.00 | |$105.00 |
|  User 501 to 1,000 | |$80.00 | |$77.00 |
|  User 1,001 to 5,000 | |$60.00 | |$58.00 |
|  User 5,001 to 10,000 | |$45.00 | |$44.00 |
|  User 10,001 to 25,000 | |$35.00 | |$34.00 |
|  over 25,000 | |$25.00 | |$24.00 |
|Agency Application Certificate | |N/A |0003 |$150.00 |
|Supplemental PKI Services | |N/A |0004 |refer to GS-35F-164J |
|Technology Updates | |N/A |0005 |refer to GS-35F-164J |
|Ad Hoc Data Collection, Analysis, and Dissemination | |N/A |0006 |refer to GS-35F-164J |

|Component and Code Signing certificates (Level 3)1 |Per Certificate |
|Application Digital Signature Certificates |0052a |$500.00 |0008a |$490.00 |
|Application Encryption Certificates |0052b |$500.00 |0008a |$490.00 |
|Domain Controller Certificates |0052c |$500.00 |0008a |$490.00 |
|Code Signing Certificates (includes FIPS 140-1/2 Level 2 Hardware Token) |0052d |$500.00 |0008a |$490.00 |

|Hosted Certificate Validation Services |Monthly |
|Certificates OCSP Validation Responder Service (Monthly) |0053a | |0009a | |
|  1,001 to 10,000 | |$13,200.00 | |$12,000.00 |
|  10,001 to 25,000 | |$26,400.00 | |$24,000.00 |
|  25,001 to 50,000 | |$52,800.00 | |$48,000.00 |
|  over 50,000 | |$105,600.00 | |$96,000.00 |
|Certificate Validation Transaction Based3 | | | | |
|  Validation Volume under 100,000 | |$1.35 | |$1.261212 |
|  Validation Volume 100,000 to 250,000 | |$1.15 | |$1.051010 |
|  Validation Volume 251,000 to 500,000 | |$1.00 | |$0.892984 |
|  Validation Volume 501,000 to 1,000,000 | |$0.85 | |$0.758719 |
|  Validation Volume 1,000,000 to 5,000,000 | |$0.75 | |$0.657019 |
|  Validation Volume 5,000,000 to 10,000,000 | |$0.65 | |$0.579669 |
|  Validation Volume 10,000,000 to 25,000,000 | |$0.60 | |$0.520882 |
|  Validation Volume 25,000,000 to 50,000,000 | |$0.55 | |$0.4765550 |
|  Validation Volume over 50,000,000 | |$0.50 | |$0.443775 |
|  Validation Volume over 100,000,000 | | | |$0.420489 |

|Relying Party Certificate Validation Enabling Kits4 |Per Kit |
|Server Kit (for Web Servers, Mail Servers, etc.) |0054a |$5,280.00 |0010a |$4,800.00 |
|Enterprise Windows Domain Controller Kit |0054b |$2,640.00 |0010b |$2,400.00 |
|Client Kit (IE, Outlook, Outlook Express) |Per Kit |
|  10 User Kit |0054c |$550.00 |0010c |$500.00 |
|  50 User Kit |0054d |$2,090.00 |0010d |$1,900.00 |
|  250 User Kit |0054e |$8,140.00 |0010e |$7,400.00 |
|  1000 User Kit |0054f |$20,900.00 |0010f |$19,000.00 |
|Certificate Registration Kit for User Database |0054g |$16,500.00 |0010g |$15,000.00 |

|Training/Registration Services, one (1) day training (maximum class size of 10) |Per Day |
|LRA Training and Certification of trusted individuals in your organization to streamline the registration process |0055a |$2,500.00 |0011a |$2,300.00 |
|Recovery Process associated with an (optional) tailored organizational private key archival and recovery system for encryption private keys |0055b |$2,500.00 |0011b |$2,300.00 |
|PKI Sponsor training and certification of trusted individuals in an organization to request, renew and use component certificates |0055c |$2,500.00 |0011c |$2,300.00 |
|Code Signing Attribute Authority (CSAA) training and certification of trusted individuals granted signature authority for an organization to authorize applications or individuals for a code-signing certificate |0055d |$2,500.00 |0011d |$2,300.00 |
|Key Recovery Official Training and certification of trusted individuals in accordance with the requirements of the U.S. Government Key Recovery Policy (KRP) |0055e |$2,500.00 |0011e |$2,300.00 |
|On-site Registration Authority Daily Rate, per day |0055f |$2,500.00 |0011f |$2,300.00 |

|Technology Support |Per Hour |
|Expert Level Hourly Labor Rate |0056a |$305.00 | |refer to GSA Schedule |
|Senior Level Hourly Labor Rate |0056b |$205.00 | |refer to GSA Schedule |
| |Per Year |
|Gold Technical Support for all supplies and services5 |0056c |20% of total cost |0012a |20% of total cost |
|Platinum Technical Support for all supplies and services6 |0056d |30% of total cost |0012b |30% of total cost |

|User Hardware Tokens (FIPS 140-1/2 Level 2)7 |Per User |
|Smartcard (Token, USB Reader, and Software) |0057a |$102.50 |0013a |$100.50 |
|USB Token (Token, Reader, and Software) |0057b |$80.50 |0013b |$78.50 |

B. State of Washington Pricing (2003)

Source: State of Washington, Master Contract T00-Mst-001 For Certification Authority And Public Key Infrastructure Services, Schedule A – Authorized Product And Price List, July 2003

Initial Certificate Pricing For High and Intermediate Assurance Level Certificates, prices below include the cost of hardware and software cryptographic modules as required by the Washington State Certificate Policy. Standard Assurance Level Certificates use an Internet Browser or Roaming software client to manage and protect Private Keys and Certificates and therefore do not require the purchase of special hardware or software for Private Key protection.

|High and Intermediate Assurance Level Certificates |
|Prices below include the Annual Subscription Service Fee*, two Certificates (one for signing and one for encryption), plus one of the following hardware or software cryptographic (key protection) module combinations. Costs for encryption key recovery services vary, and are listed in “Other Services” below: |
| |High |Intermediate |Standard |
|Hardware-Based Key Protection Solutions | | | |
|Datakey Model 330 Smartcard, Smartcard Reader and Software |$131.00 |$121.00 |N/A |
|Rainbow Technologies iKey2032 USB Key Fob, Software |$85.00 |$75.00 |N/A |
|Rainbow Technologies iKey2032 USB Key Fob, Software and USB Extension Cable |$90.00 |$80.00 |N/A |

|Standard Assurance Level Certificates |$10.00 |
|Browser-Based Certificates | |
|Price includes the Annual Subscription Fee* and issuance of a single signing Certificate (which may also be used for authentication and access control). Browser-based Standard Assurance Level Certificates are stored in a workstation’s browser and require the use of Microsoft Internet Explorer (IE) Version 5.xx or higher or Netscape Version 4.7 or higher, with 128-bit encryption support (browser is not included in the price). Key recovery services are not offered for browser-based Standard Assurance Level Certificates. | |

|Roaming Certificates |
|Price includes the Annual Subscription Fee* and issuance of a single signing Certificate (which may also be used for authentication and access control). Uses an unlimited-use downloadable “roaming” client to allow an individual to access their Private Key and digital Certificate from any compatible workstation connected to the Internet. Uses a familiar user name and password interface and provides the user the ability to reset their password up to five times per year. Requires Windows 98 or higher and Internet Explorer 5.xx and higher or Netscape 4.7. Key recovery services are not offered for Standard Assurance Level Roaming Certificates. |

|Certificate Renewal Pricing |

|Prices below assume that, in the case of High and Intermediate Assurance Level Certificates, the hardware or software cryptomodule, as |

|required by Washington State Certificate Policy, has already been obtained. Prices below pertain to policy-compliant Subscribers who are |

|renewing their Certificates for another year, or who need to replace a previously-issued Certificate. |

|High and Intermediate Assurance Level Certificates |
|Prices below include the Annual Subscription Fee* and two Certificates (one for signing and one for encryption). Costs for encryption key recovery services vary, and are listed in “Other Services” below: |
| |High |Intermediate |Standard |
|Hardware-Based Key Protection Solutions | | | |
|Datakey Model 330 Smartcard, Smartcard Reader and Software |$35.00 |$25.00 |N/A |
|Rainbow Technologies iKey2000 USB Key Fob, Software |$35.00 |$25.00 |N/A |

|Standard Assurance Level Certificates |$10.00 |
|Browser-Based Certificates | |
|Price includes the Annual Subscription Fee* and issuance of a single signing Certificate (which may also be used for authentication and access control). Browser-based Standard Assurance Level Certificates are stored in a workstation’s browser and require the use of Microsoft Internet Explorer (IE) Version 5.xx or higher or Netscape Version 4.7 or higher, with 128-bit encryption support (browser is not included in the price). Key recovery services are not offered for browser-based Standard Assurance Level Certificates. | |

|Roaming Certificates |$10.00 |
|Price includes the Annual Subscription Fee* and issuance of a single signing Certificate (which may also be used for authentication and access control). Uses an unlimited-use downloadable “roaming” client to allow an individual to access their Private Key and digital Certificate from any compatible workstation connected to the Internet. Uses a familiar user name and password interface and provides the user the ability to reset their password up to five times per year. Requires Windows 98 or higher and Internet Explorer 5.xx and higher or Netscape 4.7. Key recovery services are not offered for Standard Assurance Level Roaming Certificates. | |

*Annual Subscription Service Fee includes: Customer Service Support, Directory Services, Maintenance Fees for All Components, Online Registration, Subscriber Agreement, Unlimited Repository Access 24x7 for CRL checking, Revocation Services, and a Certificate Validity Period of One Year.

Encryption Key Recovery Services for High and Intermediate Assurance Level Certificates are available as provided in “Other Services”.

-----------------------

[1] Both the UNCITRAL model laws on e-Commerce and on Digital Signatures contemplate the use of, although are not based on the exclusive use of PKI mechanisms. PKI is well-suited for “e-commerce” transactions among and between parties not known or with no prior relation to each other.

[2] A/CN.9/630/Add.3 - Possible future work on electronic commerce: Comprehensive reference document on elements required to establish a favorable legal framework for electronic commerce: sample chapter on international use of electronic authentication and signature methods, UNCITRAL, available at: (UNCITRAL Future Work).

[3] Both available at:

[4]

[5] Ibid.

[6] See, e.g., Certification Practice Statement, Version 1.1, Korean Information Security Agency, 2001. See also PKI Assessment Guidelines, American Bar Association, Information Security Committee, Section of Science and Technology Law, 2003, for a general overview of policy content and guidelines.

[7]

[8] This organization is transitioning into Medicare Australia later in 2007.

[9]

[10] Access Certificates for Electronic Services

[11] Available online at: See section 18(b) for Root Certifying Authority role and section 20 for role as National Repository of Digital Signature Certificates.

[12] For further information, visit:

[13] Available at:

[14] See

[15] .sg .

[16] The authentication framework can be found at .

[17] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, OJ L 13, 19.1.2000, p. 12.

[18] See Report from the Commission to the European Parliament and the Council, Report on the Operation of Directive 1999/93/EC on a Community Framework for Electronic Signatures, March 2006, available at:

[19] UNCITRAL Future Work, at para. 13(c), p. 9.

[20] Section 13(1) of the Electronic Communications and Transactions Act, 2002.

[21] Section I §1(2) of Federal Electronic Signature Law of Austria; Section §1(2) of German Electronic Signatures Law and Section 5 of Electronic Transactions Act of Singapore; Section

[22] Section 26 of Thailand’s Electronic Transactions Act (2001)

[23] Part 1 of Chapter III of Electronic Communications and Transactions Act; see also D. Campbell, E Commerce and the Law of Electronic Signatures, p. 567

[24] Slightly dated but I believe still a valid conclusion. See Stillson K D, Public Key Infrastructure Interoperability: Tools and Concepts, The Telecommunications Review 2002

[25] See Bridge/Gateway Certification Authority Page at:

[26] This table is found at:

[27] Section 24 of Austria’s Federal Electronic Signature Law; and Section 23 of Germany’s Law on Framework Conditions for Electronic Signatures

[28] Section 2 §4(1)

[29] See D. Campbell, E Commerce and the Law of Electronic Signatures, p. 240

[30] Section 12 of Electronic Communications and Transactions Act (2002)

[31] Sections 5 and 6 of the Electronic Transactions Act (2000) of Mauritius.

[32] See News report at:

[33] E-Government in Finland 2007. Available at:

[34] See:

[35] See

[36] See

[37] See “Secure Channel and e-business Standards”. Presentation by Bob Sunday, Office of Chief Information Officer, Government of Canada, available at: isacc.ca/isacc/_doc/Book21-2007/ISACC-07-37304.ppt

[38] While this OMB report is somewhat dated, an extensive literature search provided this as the only document discussing US e-government initiatives that use PKI.

[39] See Highlights document available at: . The full report is available at:

[40] See “Electronic Identity Being Consciously Promoted in Europe and Around the World” available at:

[41] Given the difficulty in locating the document, a copy will be provided to you under separate cover.

[42] See

[43] See

[44] See

[45] See

[46] See section 28 of South Africa’s Electronic Communications and Transactions Act, 2002.

[47] The figures provided here are drawn from data available at the public websites in these countries.

[48] For an interesting discussion on the subject of “calculating” PKI ROI, see, e.g., “Guidelines on how to determine Return on Investment in PKI”, published by the OASIS PKI Group (OASIS Paper), available at:

[49] An illustration of pricing, the cost of obtaining identity and encryption certificates under the ACES program in the United States from one service provider, and examples of pricing for certificates issued by the Washington State Certification Authority are provided in Annex 3.

[50] See, OASIS Paper,

[51] See, Eric Guizzo, “Britain’s Identity Crisis: Proposed biometric ID cards won’t prevent fraud or terrorism”, IEEE Spectrum, January 2006.

[52] United Nations Convention on the Use of Electronic Communications in International Contracts, adopted by the General Assembly on 23 November 2005, available at:

[53] See:

[54] Georges Fischer article, p. 166

[55] EU report p. 216

[56] Campbell, E Commerce and E signatures, p. 663

-----------------------

[pic: PKI supply chain diagram; elements: End user, Registration, Application, Key Media, CA, RA, Certificates]

Adapted from OASIS PKI White Paper

• As Root CA, ITIDA should develop certificate standards policies applicable to Egypt, and can use its existing relationships with its MoU partners to assist in that regard.

• Consider measures to limit the liability of ITIDA as Root CA

• Clarify which types of electronic activities will be subject to PKI (“electronic signatures” under Egyptian law) and which activities (“electronic writings/documents”) will not require PKI, allowing choice of the authentication measure appropriate to the level of security desired.

• Consider training for lawyers and judges on e-signatures issues.

• Consider introducing alternative dispute resolution processes for e-signature matters.

• Consider introducing “party autonomy” and reconcile with UNCITRAL Convention on Electronic Contracting.


Four types of cost can be identified and need to be estimated to determine the Total Cost of Ownership for a PKI system:

A. Fixed Establishment Costs

B. Variable Establishment Costs

C. Fixed Annual Costs

D. Variable Annual Costs

Application related - All costs associated with PKI enablement of the Application, including planning and designing, ‘shopping around’ for a CA solution, acquiring any necessary PKI toolkits and ‘glueware’, and integrating PKI components with the application. In supply chain parlance, the Application is the eventual ‘consumer’ of certificates, and sits at the end of the supply chain.

End user related - All costs associated with supporting end users, including help desk, education, and the marketing efforts frequently undertaken to promote the benefits of PKI. Note that some costs are borne directly by the user; for example, the user may need to spend time and money presenting in person to a Registration Authority (RA).

Certificates - The cost of certificates themselves. Outsourced CA service providers and CA software vendors usually charge a fee per certificate, which can be paid by application scheme operators on behalf of the users (and possibly passed on) or paid directly by the users themselves.

RA - Costs associated with front-end registration. Internal enterprise RAs operated for example by an organization’s HR or customer service department might utilise regular office staff and accommodation, with little or no incremental cost. A bureau style third party RA on the other hand, providing general purpose identity certificates may have significant set-up, infrastructure and staffing costs. Third party RAs may have to make provision (or purchase insurance) to cover potential liability for errors and omissions.

CA - Costs associated with the backend Certification Authority operation. Investment in security, cryptographic systems, infrastructure, personnel, facilities and compliance related activities will be required in line with the risk profile of the PKI’s business application, and the scale of the user population. Enterprise CAs supporting internal applications might be implemented using commodity software products and operated within the organization’s IT shop. On the other hand, a commercial third party CA could require purpose built facilities, site redundancy, and major independent audits, as well as provision or insurance to cover potential liabilities incurred by the CA operation.

Key media - Costs of the media in which end user private keys are conveyed. Can be close to zero for simple soft certificates, or can entail license fees for roaming soft certificate solutions. Additional hardware expenses might be associated with certain media like smartcards where readers may be required.
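As an added illustration that is not from the report or the OASIS paper, the following Python model combines the four cost types across the supply-chain categories above and computes the user population at which running an in-house CA costs no more than buying certificates over a given horizon. The BUILD and BUY figures are constructed placeholders, not prices from the report.

```python
import math
from dataclasses import dataclass, field

CATEGORIES = ("application", "end_user", "certificates", "ra", "ca", "key_media")  # OASIS supply chain

@dataclass
class CostProfile:
    """Costs of one deployment model per OASIS category, split into the four types above."""
    fixed_establishment: dict = field(default_factory=dict)     # one-off
    variable_establishment: dict = field(default_factory=dict)  # one-off, per user
    fixed_annual: dict = field(default_factory=dict)            # per year
    variable_annual: dict = field(default_factory=dict)         # per year, per user

    def __post_init__(self):
        for table in (self.fixed_establishment, self.variable_establishment,
                      self.fixed_annual, self.variable_annual):
            if set(table) - set(CATEGORIES):
                raise ValueError(f"unknown cost category in {sorted(table)}")

def affine_terms(profile, years):
    """Over a fixed horizon TCO is linear in the population: tco = a + b * users."""
    a = sum(profile.fixed_establishment.values()) + years * sum(profile.fixed_annual.values())
    b = sum(profile.variable_establishment.values()) + years * sum(profile.variable_annual.values())
    return a, b

def tco(profile, users, years):
    a, b = affine_terms(profile, years)
    return a + b * users

def break_even_users(baseline, alternative, years):
    """Smallest population at which `alternative` costs no more than `baseline`, or None."""
    a0, b0 = affine_terms(baseline, years)
    a1, b1 = affine_terms(alternative, years)
    if a1 <= a0:
        return 0
    return None if b1 >= b0 else math.ceil((a1 - a0) / (b0 - b1))  # None: never catches up

# Constructed figures (not from the report): an in-house CA on commodity software issuing
# soft certificates (BUILD) versus buying certificates at an annual per-certificate fee (BUY).
BUILD = CostProfile(
    fixed_establishment={"application": 40000, "ca": 150000, "ra": 20000, "end_user": 15000},
    variable_establishment={"end_user": 10},            # in-person registration time
    fixed_annual={"ca": 80000, "ra": 30000, "end_user": 20000},  # operations, audit, help desk
    variable_annual={"end_user": 2})
BUY = CostProfile(
    fixed_establishment={"application": 40000, "end_user": 15000},
    variable_establishment={"end_user": 10},
    fixed_annual={"ra": 10000, "end_user": 20000},      # internal RA staff time, help desk
    variable_annual={"certificates": 25, "end_user": 2})  # annual fee per certificate
```

With these placeholder figures, BUY is cheaper for small populations and BUILD takes over at 6,267 users on a three-year horizon; the cross-over moves with the CA's fixed costs and the per-certificate fee, which is the point of estimating all four cost types.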
