
Authority.

In document Management Information Systems (Page 71-89)

(Retrieved from http://europa.eu.int/ISPO/legal/en/ecommerc/digsig.html)


United States

Pending legislation and Policy documents

• Enabling Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure (draft US paper)

Cases of Cryptography

• Bernstein v. US Dept. of State (EFF "Legal Cases - Crypto" Archive; EFF announcement of Judge Patel's decision striking down parts of the export control laws as unconstitutional)

• Peter Junger's lawsuit over whether the First Amendment gives him the right to teach a class in which cryptography is detailed if a foreign student is present.

• Phil Karn's lawsuit over whether he can export some source code from Bruce Schneier's book "Applied Cryptography".

Utah

• Utah Digital Signature Act

Working Documents

• IAB and IESG statement on cryptographic technology and the Internet

Seminars

• Scrambling for Safety Conference, May 18, 1997

Articles

• Cryptography: the issues and the state of French legislation (Cryptographie : les enjeux et l'état de la législation française), Valérie Sédallian

• Out of Secrecy - a recent chronology of the realm of cryptography, Gayle Sweeney

• Overview of cryptography regulations worldwide (Überblick über Kryptographie-Regulierungen weltweit), by Ulf Möller

Technical explanations - including commercial sites for CAs

• Controlling and Securing Personal Privacy and Anonymity in the Information Society, Esa Eklund

• Digital Signatures and Smart Cards, Digicash - delivered at the 3rd International Smart Card Conference, "Free Trade, Free Card Markets?", Amsterdam, March 1996

• Internet Security, Netscape

Links to other sites

• Summary of Electronic Commerce and Digital Signature Legislation, McBride Baker & Coles

• Crypto Law Survey, Bert-Jaap Koops

• European Cryptography Resources

• Encryption Policy Resource Page

• RSA's Frequently Asked Questions About Today's Cryptography

• Yahoo! - Computers and Internet: Security and Encryption

LABnews

• Spain – Electronic signature legislation enacted

• USA – New bill recognises validity of electronic signatures in interstate commerce

September - October 1999

• ETSI – Electronic signature standardisation initiative

• Italy - Publication of rules for the registration of Certification Authorities

• France – Digital signature bill unveiled

July - August 1999

• Australia – Electronic transactions bill allows use of digital signatures

May - June 1999

• Italy - Technical rules on digital signatures published

• Argentina - Draft law on digital signatures released

March - April 1999

• Argentina - Regulation for filing of income taxes through the Internet issued

• Singapore - Electronic Transaction Regulations require secure digital signatures

• France - New decrees on liberalisation of encryption products published

• USA - Oregon publishes administrative rules for the voluntary registration of certification authorities

• Australia - Walsh report on global cryptography debate

November - December 1998

• United Nations - UNCITRAL Draft Uniform Rules on Electronic Signatures released

• Argentina - Secretary of Public Administration adopts standards for the Public Key Infrastructure

• Finland - Government releases guidelines concerning the national cryptography policy and statements on the use of cryptographic products

• Arrangement - Telecoms equipment excluded from export control lists but crypto remains critical

• Canada - Government outlines national cryptography policy

September - October 1998

• Argentina - Digital Signature legislation enacted

• USA - Senate passes bill allowing electronic filing of documents

• Germany - Government Position Paper on the international recognition of digital signatures lays down high security requirements

July - August 1998

• Denmark - Draft Bill on Digital Signatures released

• Ireland - Government announces framework for public policy on cryptography and electronic signatures

• USA - Court holds that publication of encryption software on a Web page is not covered by First Amendment

May - June 1998

• European Commission - Directive on electronic signatures proposed

• Spain - New telecommunications law allows use of encryption

• USA - Judicial investigation on export of strong encryption products

• USA - E-Privacy Act would lift export controls on encryption products

March - April 1998

• USA - Kentucky Digital Signature Act enacted

• UK - DTI releases statement on encryption policy and key recovery

January - February 1998

• Germany - Technical catalogues for German Government Digital Signature Standard voted down at hearing

• USA - California issues final draft of proposed Digital Signature Regulations

• France - Decrees published on use of encryption

• Canada - Government issues Green Paper on Cryptography

• USA - State of Utah licenses banking subsidiary as certification authority

• USA - Civil liberty groups submit brief on encryption to the 9th Circuit Court of Appeals in the Bernstein v. State Department case

November 1997

• ICC - The International Chamber of Commerce releases usage guidelines on electronic commerce and digital signatures

• OECD - Security and encryption are major components for dismantling the barriers to global electronic commerce

October 1997

• Germany - Further drafts of digital signature catalogues prepared

• Italy - New implementing provisions of law on digital signatures expected to be adopted

• USA - Committee rejects hardline encryption amendment

• EC - New European Commission Communication on digital signatures and encryption

September 1997

• Germany - Law on digital signatures approved

• Malaysia - New law on digital signatures passed

• USA - California court holds cryptography export controls unconstitutional

Appendix # 3

Glossary

Certificate

A token which underpins the principle of trust in SSL-encrypted transactions. The information within a certificate includes the issuer (the certification authority that issued it), the organization that owns the certificate, its public key, the validity period (usually one year) and the hostname for which the certificate was issued. It is digitally signed by the certification authority so that none of these details can be changed without invalidating the signature.

Certification Authority

A third party organization which is used to confirm the relationship between a party to the https transaction and that party's public key. Certification authorities may be widely known and trusted institutions for internet-based transactions, though where https is used on companies’ internal networks, an internal department within the company may fulfill this role.

Cipher

Any encryption algorithm. Ciphers can be classified according to whether they are symmetric or public key algorithms, and by whether they operate on their data as a stream or divided into blocks.

Client-side certificate

SSL has an optional feature which allows the client (for example the browser and its user) to authenticate itself to the server by means of a certificate. Some servers will disallow connections unless they are authenticated in this way.

DES (Data Encryption Standard)

A symmetric key block cipher algorithm developed by IBM and adopted as a US federal standard (FIPS 46) in 1977.

Digital signature

A use of public key cryptography to authenticate a message. The private key is used to make the signature, showing that it must have been made by the owner of that key. A secure hash of the entire document is signed, so that any change to the document will invalidate the signature.

HTTP

The Hyper Text Transfer Protocol is the protocol used between a Web browser and a server to request a document and transfer its contents. The specification is developed by the IETF and published as RFCs (HTTP/1.1 is RFC 2616).

HTTPS

HTTPS is ordinary HTTP exchanged over an SSL-encrypted session.

Microsoft

See www.microsoft.com

Netscape

The owner of a certificate can set up their own certification authority to sign it themselves, instead of having a recognized third-party certification authority do so. To do this they have to create a public key/private key pair for use in making the signature, in addition to the key to be certified in the certificate. This is a valid way of setting up certification for use in a closed environment in which the users know the certifying organization and are prepared to install its signing key in their browser. Other users, who have no relationship with the organization concerned, are unlikely to accept this type of certificate.

Private Key

The part of the key in a public key system which is kept secret and is used only by its owner. This is the key used for decrypting messages and for making digital signatures.

Protocol

A protocol is an algorithm, or a step-by-step procedure, carried out by more than one party. Examples are network protocols, in which the steps are intended to ensure reliable transmission of information, or cryptographic protocols, in which the aim is to maintain some form of security relationship between the parties.

Public Key

The part of the key in a public key system which is distributed widely and is not kept secret. This is the key used for encryption (as opposed to decryption) or for verifying signatures. Compare private key.

Public Key Cryptography

A public key cipher is one in which the key used for encryption is different from the one used for decryption. Although the keys are related, it is computationally infeasible to calculate the decryption key from the encryption key alone. In most practical systems the public key cipher is used only to encrypt a session key, which is then used with a symmetric cipher to encrypt the actual data; the symmetric cipher is far faster, and the expensive public key operation is applied to a few bytes rather than to the bulk of the message. The same concept is used for making digital signatures, where the private key is used to make the signature and the public key is used to verify it.

RSA and DSA are examples of public key algorithms (DSA is used for signatures only).

RSA

RSA is a public key cipher which can be used both for encrypting messages and for making digital signatures. The letters stand for the names of the inventors: Rivest, Shamir and Adleman. The company RSA Data Security Inc. takes its name from this algorithm, and has acquired the rights to the patents which cover it.

Self-signed Certificate

Self-signing is one way for the owner of a certificate to sign it themselves instead of having a recognized certification authority do so. In a self-signature, the certificate is digitally signed by the very same key whose public part appears in the certificate data. In other words, the signature can be verified using the public key contained in the certificate. On its own this is unlikely to be trusted by anyone wishing to use the certificate as proof of ownership of the corresponding public key, since anybody can generate a key pair and self-sign a certificate bearing any name.

However, a signature by the owner is still useful, especially when the owner is a certification authority which must be trusted for independent reasons, as it restricts the possibilities for malicious or accidental changes to the details contained in the certificate. In practice that independent trust is established by checking the self-signed root's fingerprint through a separate channel before installing it in a browser.
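The following worked example is added by the editor and is not code from the original document. It ties together the Certificate, Certification Authority and Self-signed Certificate entries using Go's standard X.509 library: a self-signed CA certificate is created and recognised as self-signed, the CA issues a server certificate for a hostname, a verifier that has installed the CA accepts it for that hostname only, and editing a single detail in the issued certificate breaks the CA's signature. The CA name and the hostname are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added illustration for the certificate entries; not code from the original
// document. "Example Internal CA" and "intranet.example.com" are made up.

// NewCA generates a CA key pair and a self-signed certificate: the signature
// is made with the same key whose public part the certificate carries.
func NewCA(name string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // one-year validity
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueServerCert has the CA sign a certificate binding host to serverPub.
// Issuer, subject, public key, validity period and hostname are all covered
// by the CA's signature.
func IssueServerCert(caKey *rsa.PrivateKey, caCert *x509.Certificate, host string, serverPub *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, serverPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForHost does what a browser with the CA installed does: check that
// cert chains to root and was issued for host.
func VerifyForHost(cert, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// IsSelfSigned reports whether the signature verifies under the
// certificate's own public key.
func IsSelfSigned(cert *x509.Certificate) bool {
	return cert.CheckSignatureFrom(cert) == nil
}

// TamperedCopy re-parses cert after replacing one same-length string in its
// DER encoding, simulating someone editing a detail after issuance.
func TamperedCopy(cert *x509.Certificate, old, replacement string) (*x509.Certificate, error) {
	if len(old) != len(replacement) {
		return nil, errors.New("replacement must keep the DER length unchanged")
	}
	der := append([]byte(nil), cert.Raw...)
	i := bytes.Index(der, []byte(old))
	if i < 0 {
		return nil, errors.New("string not present in certificate")
	}
	copy(der[i:], replacement)
	return x509.ParseCertificate(der)
}

func main() {
	caKey, caCert, err := NewCA("Example Internal CA")
	if err != nil {
		panic(err)
	}
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leaf, _ := IssueServerCert(caKey, caCert, "intranet.example.com", &serverKey.PublicKey)
	fmt.Println("CA self-signed:", IsSelfSigned(caCert), "leaf self-signed:", IsSelfSigned(leaf))
	fmt.Println("leaf ok for intranet.example.com:", VerifyForHost(leaf, caCert, "intranet.example.com") == nil)
	fmt.Println("leaf ok for www.example.com:", VerifyForHost(leaf, caCert, "www.example.com") == nil)
	forged, _ := TamperedCopy(leaf, "intranet.example.com", "xntranet.example.com")
	fmt.Println("edited cert still signed by CA:", forged.CheckSignatureFrom(caCert) == nil)
}
```

The verifier trusts the leaf only because the CA's self-signed certificate is in its root pool; the same leaf fails under an unrelated root, for a different hostname, and after any byte of the signed fields is changed.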

Secret Key

Confusingly, sometimes used to mean the private key of a public key system, and also sometimes used (in contrast to "public key") to refer to a symmetric key system.

Server Signature

The string usually returned as part of servicing each HTTP request that gives the name and version of the web server software being used. Because it discloses the exact software version to anyone who connects, it is commonly minimised or suppressed on production servers.

S-HTTP

Secure Hypertext Transfer Protocol provides security at the document level rather than at the connection level as provided by SSL. This protocol is not widely used.

SSL (Secure Sockets Layer)

A protocol developed by Netscape for encrypted transmission over TCP/IP networks. It sets up a secure end-to-end link over which HTTP or any other application protocol can operate. The most common application of SSL is HTTPS, for SSL-encrypted HTTP.

Thawte

Thawte is a South African company which acts as a certificate authority. On December 20, 1999, it was acquired by Verisign.

Verisign

Verisign is the dominant certificate authority on the internet at the present time, though many of its certificates are signed as RSA Data Security. Early versions of

trusted certificate authority, and this more or less mandated that people wishing to use certificates on the internet need to obtain them from Verisign, and use server software that had been accredited by Verisign.

Appendix # 4

A list of Certificate Authorities in various countries. Derived from http://www.qmw.ac.uk/~tl6345/ca.htm

Africa:

• Thawte Consulting - South Africa

• South African Certification Authority - South Africa (Verisign International Affiliate)

Asia:

Japan:

• Initiative for Computer Authentication Technology (ICAT)

• Thawte CA sponsored by MEDIX Inc.

• Verisign Japan KK (Verisign International Affiliate)

Korea:

• CrossCert

• SoftForum

Malaysia:

• Digicert

• MTrust

Singapore:

• Controller of Certification Authorities

Taiwan:

• Hitrust (Verisign International Affiliate)

Europe:

Europe-Wide CAs:

• GlobalSign Network of CAs

European Union Projects:

• AD AEQUITATEM - Spain (part of the INFOSEC AEQUITAS project)

• EuroPKI Top Level CA (ICE-CAR Project)


Austria:

• a-sign (Datakom GmbH)

• Globalsign Austria (Globalsign Network)

Belgium

• Belsign (Globalsign Network)

• Belgacom E-Trust

• Isabel (Interbank Standards Association Belgium) In French and Dutch.

Denmark:

• KMD-CA (In Danish)

• Teledanmark certifikat.dk (in Danish)

France:

• Certplus (Verisign International Affiliate)

• Thawte Francophone

Germany:

• PCA of the German Research Network (cooperating with the ICE-TEL project but not a part of it).

• DFN - PCA

• IN-CA: Individual Network e.V.:

o List of regional IN-CAs of the Individual Network e.V.

• c't - Krypto-Kampagne:

• TC TrustCenter:

• IKS Certification Authority:

• GeFökoM CA

• Rus Test Certification Authority (RTCA) (in German)

• Deutschland Chamber Association of Digital Acceptance (DE-CODA) (in German)

Greece:

• Globalsign Greece (Globalsign Network)

Hungary:

• Netlock Ltd. (in Hungarian)

Ireland:

• Software and Systems Engineering Limited (Certification products)

Italy:

• Certification Authority Tin (Telecom Italia Net) - in Italian

• Società Interbancaria per l'Automazione S.p.A. (SIA) - Italy: "Non-profit company delivering infrastructural services (like e.g. data transportation, cryptographic key management, etc.) to the whole community of Italian banks, including X.509v3 certification services." SIA CA Pilot Project. (In Italian)

• SSB - Società per i Servizi Bancari S.p.A.

• Globalsign Italy (Globalsign Network)

• Alinet Italia

• Finital S.p.A.

Luxembourg:

• Globalsign Luxembourg - Chambre de Commerce du Grand-Duché de Luxembourg Certification Service Provider (CSP) (Globalsign Network)

The Netherlands:

• Roccade (Verisign International Affiliate)

• PTT Post with KeyMail

• KPN Telecom (VeriSign International Affiliate)

• NLsign

• DigiNotar

• Interpay (SET Certificates)

Portugal:

• Certipor (Sociedade Portuguesa de Certificados Digitais, S.A.)

• Multicert (SIBS - Sociedade Interbancária de Serviços)

Slovenia:

• Slovenian SI-CA

Spain:

• Internet Publishing Services (IPS)

• Siscer

• Fundación para el Estudio de la Seguridad de las Telecomunicaciones (FESTE)

• Agencia de Certificación Electrónica (ACE)

• Cambra de Comerç de Barcelona (Barcelona Chamber of Commerce)

Sweden:

• COST

• PostNet

Switzerland:

• Entrust Europe

United Kingdom:

• Endorse (Barclay Bank)

• BT Trustwise (Verisign International Affiliate)

• The Global Trust Register

• Inter Clear

• TrueTrust (Salford University)

• Globalsign UK (Globalsign Network)

• Viacode (Royal Mail CA)

• Messaging Direct - Certification Products (previously - Isode)

Middle East:

• Globalsign Lebanon (Globalsign Network)

South America:

• Argentina Governmental PKI and Licensing Authority
  o Argentina Ministry of Economy
  o Government Pilot CAs

• Certisign - Brazil (Not a CA any longer but a Verisign Registration Authority)

North America:

Canada:

• Entrust - Certification Products

• Keywitness

• OnWatch Key Management Centre

• Silanis Technology (Electronic and Digital Signature Products)

• XCert

• VPN Tech Inc. (Verisign International Affiliate)

United States of America:

• AlphaTrust.com

• ARINC (airlines and aircraft operators)

• Certco (Certification Products)

• eOriginal, Inc.

• Entegrity Solutions Corporation (Certification Products and Services)

• Equifax Secure, Inc.

• PenOP - Signature Dynamics Authentication Technology

• Utah Digital Signature Program and Licensed CAs and Repositories:
  o Digital Signature Trust Company
  o Universal Secured Encryption Repository Company (USERFirst)
  o Arcanvs
  o The Usertrust Network
  o Verisign

• SET Certificate Authority

• SUN Certification Authorities

• TradeWave Corporation

• Utah Digital Signature Authority

• Valicert (Complementary service to CAs)

• Verisign

• Verisign SET Certification Authority

• Washington Electronic Authentication Web Site
  o IDCertify
  o Verisign
  o Arcanvs

Appendix #5

ELECTRONIC TRANSACTIONS -- LAWS & REGULATIONS. Derived from http://www.bakerinfo.com/ecommerce/articles-t.htm

E-Commerce Practice Manual -- Baker & McKenzie has teamed up with Practical Law Company to produce a global E-Commerce Practice Manual, a guide to online trading in 14 key jurisdictions. The Manual contains practice notes, which identify key generic issues and cross-refer to detailed country-specific information on the jurisdictions covered, together with checklists and precedents drafted in generic style which can easily be adapted to fit local law requirements. Baker & McKenzie clients are able to order copies of the two-volume loose-leaf Manual at a discounted rate of £350 (US$560); the usual price is £475 (US$755).

The Legal Requirements for Creating Secure and Enforceable Electronic Transactions -- Article by Thomas J. Smedinghoff, Baker & McKenzie, Chicago office. Updated September 3, 2002 (RTF version)

Electronic Bill Presentment and Payment: A Quiet E-Commerce Revolution -- Article by R. Allen Naude, Baker & McKenzie, Miami office.

Moving With Change: Electronic Signature Legislation as a Vehicle for Advancing E-Commerce -- Article by Thomas J. Smedinghoff and Ruth Hill Bro, Baker & McKenzie, Chicago office, published in The John Marshall Journal of Computer & Information Law, Vol. XVII, No. 3, Spring 1999, at 723.
