For discussion of the draft Law on Electronic Digital Signature.

To discuss the draft Law on Electronic Digital Signature.

To discuss the draft Law on Electronic Digital Signature

From December 22 to 25, 1999 and from February 3 to 5, 2000, two international conferences, «RusCrypto-99» and «RusCrypto-2000», were held in the Moscow region settlement of Nepetsino. They were attended by leaders and leading specialists from scientific and educational institutions, banking institutions, investment and financial and industrial companies, as well as government and legislative bodies. The conferences discussed scientific, technological, legal, political and social issues of creating and using new information technologies based on the principles of modern cryptology. The presentations devoted to the draft Law on Electronic Digital Signature, submitted by the Government of the Russian Federation, aroused great interest among the conference participants.

Currently, under the influence of the development of the global Internet, world legislation is increasingly using the concept of electronic commerce — the conclusion of various international and domestic transactions via the Internet (this includes purchase and sale, delivery, product distribution agreements, investment contracts, insurance, banking services and other forms of industrial and business cooperation). The number of transactions concluded in this way is growing very rapidly. For example, according to statistics provided by the US Federal Trade Commission, the volume of trade transactions using the Internet is currently doubling every hundred days. In Russia, law and legal practice have responded promptly to the emergence of electronic commerce. In accordance with Article 5 of the Law on Information, Informatization and Information Protection, data that is received, stored, processed and transmitted using automated information and telecommunication systems may be recognized as documents having legal force. In this case, the legal force of such a document may, in particular, be confirmed by an electronic digital signature (EDS), which in electronic commerce (when using electronic documents and electronic transaction forms) should be a guarantee of the authenticity and validity of contractual obligations, as well as protection against their unilateral change or termination. This means that when concluding commercial contracts, an EDS is designed to implement the following legal principles:

• indicate who signed the document or message, and be difficult for reproduction by any other unauthorized person;

• identify what is signed and make it inappropriate to forge or change (without the possibility of detection) both the signature itself and the document signed by the EDS:

• perform a procedural role, i.e. symbolize the expression of the will of the party regarding the transaction (approval, permission, etc.), which confirms the legal validity of the transaction.

The new Law on Electronic Digital Signature is designed to develop and specify legal guarantees and mechanisms ensuring compliance with the above principles by participants in the electronic form of transaction. Six Russian government agencies took part in the development of its draft: the Ministry of Communications of Russia, FAPSI, the State Technical Commission, the Securities Commission, the Central Bank and the Ministry of Justice of Russia. At the same time, FAPSI began to solve problems related to EDS much earlier than other participants in this legislative process. Back in 1992, the Agency approached the Institute of State and Law of the Russian Academy of Sciences with a request to develop a legal model for the introduction of EDS into the practice of state document flow. In accordance with the draft Law on Electronic Digital Signature, submitted by the Government of the Russian Federation on January 27, 2000, it is proposed to use EDS to give an electronic document legal force equal to the legal force of a document on paper signed with a handwritten signature. The draft defines an electronic document as information presented in the form of a set of states of elements of electronic computing equipment or other electronic means of processing, storing and transmitting information that can be transformed into a form suitable for unambiguous human perception. In the draft, an EDS is understood to be a sequence of symbols obtained as a result of cryptographic transformation of the original electronic document using a private key and allowing confirmation of the integrity and immutability of this information, as well as its authorship, provided that a public key is used. Here, the public key is a publicly available sequence of symbols intended for verifying the EDS, and the private key is a sequence of symbols intended for generating the EDS and known only to the authorized person. Verification of the belonging of a specific public key to a specific user is carried out by so-called certification authorities, whose activities are subject to mandatory state licensing.

The draft Law on Electronic Digital Signature proposes that in all cases where a handwritten signature is required under current Russian legislation, it could be replaced by an EDS if the following conditions are met:

• a positive result of verification of the public key is obtained, the ownership and authenticity of which is confirmed by the relevant certificate (A key certificate is a document issued and certified by a certification authority, confirming the ownership of this key to a specific person.):

• the signatory is in lawful possession of the private key used to generate the EDS:

•The EDS has been generated and verified by an EDS tool (An EDS tool is a set of software and hardware tools that implement the function of generating and verifying an EDS.), certified in the established manner (A certificate for an EDS tool is a document certifying the compliance of this tool with special requirements and guaranteeing the possibility of using this tool as a tool for generating and verifying an EDS for a certain period of validity.).

The draft Law on Electronic Digital Signature defines the storage periods for both the keys themselves and their certificates: it lists the mandatory identification attributes of any electronic document and provides information that must always be present in the key certificate. And if additional attributes of an electronic document can be established by the relevant regulatory legal acts governing the organization of office work, then other data about the key owner, in addition to those listed, can be included in the key certificate only with the consent of this owner.

When using digital signature tools by state authorities and local governments, private keys must be generated and distributed by an authorized federal body or legal entities acting on behalf of this body. When using digital signature tools in civil circulation and by individuals, private keys must be generated and distributed by the persons using digital signature tools. If necessary, the generation and distribution of private keys under an agreement may be entrusted to a certification center. The draft Law on Electronic Digital Signature allows the use of digital signature tools without resorting to the services of certification centers. In this case, the relationship between digital signature users is established by an agreement, the main terms of which are:

• keeping private keys and design features of the digital signature tool used secret:

• compliance with the rules for using the digital signature tool:

• distribution of the risk of losses incurred as a result of using an unreliable digital signature:

• establishment of the rights and obligations of the parties to compensate for damage caused by the use of a faulty or poor-quality digital signature. In accordance with the draft Law on Electronic Digital Signature, the certification authority is obliged to block the digital signature key certificate in the following cases:

• at the request of the key owner:

• upon detection of unreliable information in the certificate;

• upon receipt of information about a violation of the secret of the key and the design features of the digital signature device;

• by a reasoned decision of the authorized federal body:

• before the termination of the activities of the certification center or before the transfer of powers to another center.

The draft Law on Electronic Digital Signature provides for many other nuances related to the legislative regulation of the process of using EDS by state and local government bodies, legal entities and individuals. However, despite the apparent thoroughness of the development of the provisions of this legislative draft, experts noted some of its shortcomings.

Conference participants noted that the project developers had not quite correctly assessed the capabilities of the digital signature. Judging by the text, they perceived it as a direct analogue of a handwritten signature. Meanwhile, due to its «mechanical» nature, the digital signature is more reminiscent of a seal than a handwritten signature. It is known that, in accordance with established practice, a seal has a significantly lower evidentiary effect than a handwritten signature, since the fact that it was put by an unauthorized person is almost impossible to prove in court. Considering that the digital signature will be put on documents by a computer, one can expect a mass compromise of keys. Some users of digital signatures will inevitably be negligent in maintaining confidentiality: write down their private keys anywhere, trust them to other people, lose them, and so on. One should also consider the possibility of compromising keys by introducing bookmarks, using protocol analyzers and other methods of unauthorized access. It is important to note that the compromise of a private key is usually detected only as a result of its unauthorized use, and it is virtually impossible to prove the unauthorized use «retroactively». The view of an EDS as a complete analogue of a handwritten signature, reflected in the draft law, inevitably leads to the fact that the benefit from forging or stealing an EDS can be very high. An intruder who has gained access to a private key can authorize any transaction on behalf of its owner. This makes hacking an EDS a very profitable business, which will undoubtedly lead to dire consequences. The solution is seen in using an EDS exclusively within the framework of a system of contracts that limit its applicability (for example, by establishing the so-called trust limit for an EDS — the upper limit for the total monetary amount of a contract that can be signed using an EDS).

The conference participants assessed the idea of ​​mandatory state certification of digital signature tools as unnecessary. Certification in the form in which it is formulated in the draft Law on Electronic Digital Signature does not guarantee anything to users (for example, in the form of guarantees of the certification organization) and can serve to impose far from the best digital signature tools without hope for any compensation in case of losses incurred. In addition, certification creates additional problems when using foreign developments. In the end, if the certification of encryption tools is somehow motivated by the fight against crime, then the certification of digital signature tools is generally meaningless. In principle, the use of an uncertified digital signature tool is quite acceptable. But then its owner is obliged to publicly announce the absence of a certificate. Otherwise, he is liable for losses incurred by the user of the corresponding public key and arising as a result of his use of an uncertified tool. But if an digital signature tool is used that is known to have no certificate, then the risk of losses should be distributed between the owners of the public and private keys.