
Teleworking

 

Electronic Signatures for Teleworker

On December 13th 1999 the European Union approved a directive regarding electronic signatures, providing the whole union with a common legal framework for the use of signatures in electronic form. Austria was one of the first countries to implement this directive, and the Austrian signature law has been in effect since January 1st 2000. Electronic signatures are important for teleworking, as they allow one aspect of physical presence (a manual signature on a sheet of paper) to be carried over to remote work and transferred over communication networks. Another advantage is that one particular problem associated with electronic signatures (the presentation problem, see below) might lead to a standardization of document formats. This would help telework immensely, as data exchange would be made much easier.

On this page some general remarks on signatures are presented, including a definition and some advantages and problems important for telework. Finally, you can find a collection of links to legal resources, technical standards for the implementation and certificate authorities.

Definition

The Austrian signature law defines "electronic signatures" as:
electronic data attached to or logically linked with other electronic data which serve to authenticate, that is establishing the identity of the signatory.
In this definition the main aspect of a signature is included, the connection between a document and an individual person.

Electronic signatures <-> Digital signatures

Electronic signatures cover a very broad range; for example, public key systems or signature dynamics can be used. However, in most cases only one subtype is used, digital signatures (and therefore the two names are often mixed, but the distinction should always be remembered). These rely on a private key (used for signing a hash value of the document) and a public key (cited in a certificate, connecting this particular key to a unique person).

Problems

However, there are also some problems connected with signatures: they have advantages, but they cannot fulfill each and every requirement and have problems of their own. Some important ones are:
Presentation of the data to be signed: The signature is always applied to the binary data of a document, not to the visual representation itself. If there are differences between them (e.g. different character sets, colors, macros changing the appearance, etc.), the signed document is valid, but is not what the signatory wanted (or believed) to sign. Because of this a secure viewer is needed, which guarantees that all information is presented and that the document will always be presented in the same form, regardless of when and where it is viewed.
Uniqueness of the signed document: The signed document is signed, and so the "owner" can be traced, but it is not encrypted and there is no "copy protection" included. It can be duplicated as often as needed and is therefore not suited for certain applications, e.g. bearer certificates or other tasks requiring a unique original. This can only be emulated with a central repository, but this is outside the scope of signatures.
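
The presentation problem for the "different character sets" case, as an added example that is not part of the original page: one signed byte string is shown as two different texts by two viewers, two byte strings that look identical hash differently, and a hypothetical secure-viewer rule (secure_view, an assumption of this example) rejects both. The sample document and all names are constructed.

```python
import hashlib
import unicodedata

def digest(data: bytes) -> str:
    """SHA-256 of the raw bytes: this, not the rendering, is what gets signed."""
    return hashlib.sha256(data).hexdigest()

def render(data: bytes, charset: str) -> str:
    """Stand-in for a viewer: decode the signed bytes with the viewer's charset."""
    return data.decode(charset)

# Constructed sample document. Byte 0xA4 is the generic currency sign in
# ISO-8859-1 and the euro sign in ISO-8859-15.
SIGNED_BYTES = b"Pay 1000 \xa4 to account 12345"

def same_bytes_different_view():
    """One signed byte string, two viewers: same digest, different text."""
    return render(SIGNED_BYTES, "iso-8859-1"), render(SIGNED_BYTES, "iso-8859-15")

def same_view_different_bytes():
    """Two byte strings that display identically but have different digests."""
    composed = "Sch\u00f6nberger"                          # o-umlaut as one code point
    decomposed = unicodedata.normalize("NFD", composed)   # o + combining diaeresis
    return digest(composed.encode("utf-8")), digest(decomposed.encode("utf-8"))

def secure_view(data: bytes, declared_charset: str, allowed=("utf-8",)) -> str:
    """Hypothetical secure-viewer rule: accept only one fixed charset in
    canonical (NFC) form, so every viewer shows the same text for the bytes."""
    if declared_charset.lower() not in allowed:
        raise ValueError("charset not permitted for signed documents")
    text = data.decode(declared_charset)   # strict decoding: invalid bytes raise
    if unicodedata.normalize("NFC", text) != text:
        raise ValueError("document is not in canonical NFC form")
    return text

if __name__ == "__main__":
    print(same_bytes_different_view())
    print(same_view_different_bytes())
```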

Signing documents

With electronic signatures, documents can be signed so that everybody can check who approved their content. This is important for telework, as in this case often no paper version exists; without signatures, such documents could therefore not be used in connection with telework. A large area of application for this is the government, where a basic requirement is that the person approving a certain document can always be traced, even a long time in the future. But the public sector is not the only area for the use of signatures; companies employing teleworkers can also profit from them: tracing the origin and the way of processing is much easier with signatures, as they are defined according to a set standard (easier programming) and modifications are always detectable after signing (which also makes it possible to catch transmission errors).

General advantages of a public key infrastructure (PKI)

Using digital signatures will in most cases require a public key infrastructure (PGP is not suited to producing legally binding signatures, as no authority guarantees the correctness of the data). This means that every user who wishes to create signatures receives at least one certificate, which is commonly stored on a chipcard (at least for secure signatures). But this certificate can also be used for purposes other than just signing documents:
Logon: The certificate is usually stored on a chipcard, so logon is possible by simply inserting the chipcard. For a more secure logon, a single signature might be required to prove that the certificate in the card is not a copied one. The advantage here is that the chipcard is a physical object and exists only once. If it is missing, this will be detected much earlier than the disclosure of a password.
User identification: If the teleworker accesses the company's data through a website, he can be automatically identified through his certificate (no logon necessary). An example of this is SSL (Secure Sockets Layer). The connection can also be secured through encryption to prevent eavesdropping. This is a very large advantage, as problems with implementing login, distributing and changing passwords or preventing unauthorized access disappear. Another very large advantage is that no custom or special software is needed; only a common web browser and a secure server are required.
Simple encryption: As the private key belonging to the certificate is stored in the chipcard, encryption can be used very easily: there is no need to distribute a shared secret key or special private keys. The key used for signing (or another one stored in the chipcard, which is better for security) can be used for agreeing on a session key. At the same time, anyone gaining access to the teleworker's remote computer (even to his account) cannot decrypt the data, as he has no access to the card and the private key it contains.
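
The logon check described under "Logon", as an added example that is not part of the original page: the server sends a fresh random challenge and accepts only a signature over it that verifies against the public key in the certificate, so a copied certificate or a replayed signature fails. The Card, CopiedCertificate and Server classes are hypothetical, the certificate is assumed to have been validated against its CA already, and textbook RSA over two Mersenne primes stands in for the card's real signature algorithm (insecure, used only to keep the example self-contained).

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes: a stand-in for the card's real
# signature algorithm. NOT secure; it only keeps the example stdlib-only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never leaves the "card"

def h(msg: bytes) -> int:
    """Hash value of the message as an integer (the value that is signed)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

class Card:
    """Hypothetical chipcard: holds the private key, exposes only sign()."""
    certificate = {"subject": "teleworker-01 (constructed)", "n": N, "e": E}

    def sign(self, challenge: bytes) -> int:
        return pow(h(challenge), D, N)

class CopiedCertificate:
    """A copy of the public certificate without the matching private key."""
    certificate = Card.certificate

    def sign(self, challenge: bytes) -> int:
        return pow(h(challenge), 3, N)   # a guess; the real D is not available

class Server:
    """Issues one-time challenges and verifies the signed response."""
    def __init__(self):
        self.pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def logon(self, cert: dict, challenge: bytes, signature: int) -> bool:
        if challenge not in self.pending:      # unknown or already used
            return False
        self.pending.discard(challenge)        # each challenge is valid once
        return pow(signature, cert["e"], cert["n"]) == h(challenge)
```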

Publications (Overview)

Michael Sonntag: Electronic Signatures for Legal Persons. In: Hofer Susanne, Beneder Manfred (Ed.): IDIMT'00. 8th Interdisciplinary Information Management Talks. Linz: Universitätsverlag Rudolf Trauner 2000, 233-256 (Also as SYSPRO 72/00, August 2000)

International

Robertson, R., Smedinghoff, T.: Illinois Law Enters Cyberspace: The Electronic Commerce Security Act. In: Illinois Bar Journal. http://www.isba.org/member/june99lj/p308.htm (11/30/2000)

Baker, S., Yeo, M.: Survey of International Electronic and Digital Signature Initiatives. In: Internet Law & Policy Forum. http://www.ilpf.org/digsig/survey.htm (11/30/2000)

Austria

Nöcker, G.: Urkunden und EDI-Dokumente, Computer und Recht 3/2000, 176

Lang, M., Buben, K.: Rechnungen im E-Commerce, datamatics 4/2000, 20

Scheibl, E.: Elektronische Signatur, e-commerce. Erfolgreiches Business im Internet 1/2000, 16

Denk, P., Aigner, C.: Sign On. Digitale Signaturen und Internet-Recht in der Praxis, Telekommunikations Report 1/2000, 22

Lenstra, A., Verheul, E.: Selecting Cryptographic Key Sizes, DuD. Datenschutz und Datensicherheit 3/2000, 166

Mayer-Schönberger, V.: Bedauerlich: Signatur-Dienstleister nach der SigV, ecolex 2/2000, 130

Forgó, N.: Was sind und wozu dienen digitale Signaturen?, ecolex 4/1999, 235

Brenn, C.: Verbürgung durch mouse-click?, ecolex 4/1999, 243

Forgó, N.: Sicher ist Sicher? - Das Signaturgesetz, ecolex 9/1999, 607

Jud, W., Högler-Pracher, R.: Die Gleichsetzung elektronischer Signaturen mit der eigenhändigen Unterschrift, ecolex 9/1999, 610

Hammer, V.: Signaturprüfungen nach SigI, DuD. Datenschutz und Datensicherheit 2/2000, 96

Menzel, T., Schweighofer, E.: Das österreichische Signaturgesetz. Umsetzung des EG-Richtlinienvorschlages in einem österreichischen Signaturgesetz, DuD. Datenschutz und Datensicherheit 9/1999, 503

Baum, M.: Die elektronische Identität? Der Name als Zertifikatsbestandteil - ein Interpretationsvorschlag, DuD. Datenschutz und Datensicherheit 9/1999, 511

Bertsch, A., Pordesch, U.: Zur Problematik von Prozeßlaufzeiten bei der Sperrung von Zertifikaten, DuD. Datenschutz und Datensicherheit 9/1999, 514

Bizer, J., Bleumer, G.: Pseudonym, DuD. Datenschutz und Datensicherheit 1/1997, 46

Fox, D.: Gateway: Signaturschlüssel-Zertifikat, DuD. Datenschutz und Datensicherheit 2/1997, 106

Fox, D.: Fälschungssicherheit digitaler Signaturen, DuD. Datenschutz und Datensicherheit 2/1997, 69

Roßnagel, A.: Das Signaturgesetz. Eine kritische Würdigung des Gesetzesentwurfs der Bundesregierung, DuD. Datenschutz und Datensicherheit 2/1997, 75

Dobbertin, H.: Digitale Fingerabdrücke. Sichere Hashfunktionen für digitale Signaturen, DuD. Datenschutz und Datensicherheit 2/1997, 82

Timm, B.: Signaturgesetz und Haftungsrecht, DuD. Datenschutz und Datensicherheit 9/1997, 525

Zieschang, T.: Sicherheitsrisiken bei der Schlüsselzertifizierung, DuD. Datenschutz und Datensicherheit 6/1997, 341

Fox, D.: Zu einem prinzipiellen Problem digitaler Signaturen, DuD. Datenschutz und Datensicherheit 8/1997, 386

Hein, W., Rieder, M.: Digitale Signatur in den USA. Stand der Gesetzgebung und Praxis, DuD. Datenschutz und Datensicherheit 8/1997, 469

Bizer, J.: Elektronisch signiertes Dokument, DuD. Datenschutz und Datensicherheit 12/1993, 700

Fox, D.: Zu einem prinzipiellen Problem digitaler Signaturen, DuD. Datenschutz und Datensicherheit 7/1998, 386

Miedbrodt, A.: Regelungsansätze und -strukturen US-amerikanischer Signaturgesetzgebung, DuD. Datenschutz und Datensicherheit 7/1998, 389

Erber-Faller, S.: Notarielle Funktionen im elektronischen Rechtsverkehr, DuD. Datenschutz und Datensicherheit 12/1994, 680

Bizer, J.: Das Schriftformprinzip im Rahmen rechtsverbindlicher Telekooperation, DuD. Datenschutz und Datensicherheit 4/1992, 169

Fallenböck, M., Schwab, G.: Zu der Charakteristik und den Rechtswirkungen elektronischer Signaturen: Regelungsmodelle in den USA und Europa, Medien und Recht 6/1999, 370

Mayer-Schönberger, V., Pilz, M., Reiser, C., Schmölzer, G.: Sicher & echt: Der Entwurf eines Signaturgesetzes, Medien und Recht 3/1998, 107

Pordesch, U.: Risiken elektronischer Signaturverfahren, DuD. Datenschutz und Datensicherheit 10/1993, 561

Grimm, R.: Kryptoverfahren und Zertifizierungsinstanzen, DuD. Datenschutz und Datensicherheit 1/1996, 27

Brisch, K.: Gemeinsame Rahmenbedingungen für elektronische Signaturen. Richtlinienvorschlag der Europäischen Kommission., Computer und Recht 8/1998, 492

Schumacher, S.: Digitale Signaturen in Deutschland, Europa und den U.S.A. Ein Problem, zwei Kontinente, drei Lösungen?, Computer und Recht 12/1998, 758

Legal documents

Austria

Signature law (German)

Signature order (German)

Unofficial translation of the Signature law (English)

Unofficial translation of the Signature order (English)

Ministerial draft and Statements to it (German)

Government bill (Including annotations; German)

Report of the legislative committee (German)

Germany

Current Signature law (Art. 3 IuKDG) (German)

Proposal for amendment (German)

Europe

Both languages are authentic.

Signature directive (German)

Signature directive (English)

Materials to the signature directive

Links

Austria

A-SIT (Zentrum für sichere Informationstechnologie - Austria / Secure Information Technology Center - Austria): Confirmation institute according to § 19 SigG

Telekom-Control (TKC)

Certification authorities

Austria

A-sign (Datakom)

TrustSign (e-Sign; A-Trust): Not accredited!

AD Cert (Arge Daten)

net.surance Security (EA Generali)

CryptoConsult (Mag. Ulrich Latzenhofer)

Globalsign (Belsign Austria; Innovation Systems Informationstechnologie GmbH): Not accredited! Should be accredited in Belgium according to the TKC.

International

Verisign

Thawte (Now Verisign subsidiary)

Standardization/Frameworks

Bundesamt für Sicherheit in der Informationstechnik - Projektbüro Digitale Signatur (BSI; Germany)

European Telecommunications Standards Institute - Draft on Electronic Signature Standards (ETSI)


Mail sonntag@fim.uni-linz.ac.at

Last modified: 13 August, 2002, by MVS