
Electronic signatures and the authentication of data and entities

A major and frequently recurring point of debate is the relationship between electronic signatures and authentication. In practice, it frequently occurs that a person is requested to authenticate himself in an e-government application, after which he may exchange certain documents freely and without any further technical steps. This method of proceeding (which is common in many countries, but which is particularly prevalent in e.g. the United Kingdom [120], the Netherlands [121], Norway [122] and Malta [123]) is often signalled as an electronic signature, both by the national experts and by the public sector application owners. However, there is some debate as to whether or not such a process can be considered an electronic signature in the sense of the Directive.

A significant number of experts are of the opinion that this is the case. The reasoning behind this is typically twofold. First of all, it is clear that PKI processes are often [124] used to authenticate the user, with the same ultimate goal as a traditional username/password authentication process. Indeed, the identification of the signatory is one of the key benefits that an electronic signature offers over a handwritten signature, since the use of a certificate allows the signatory to be identified (to the extent that the CA that issued the certificate is trusted, of course). Secondly, the Directive explicitly defines the electronic signature as ‘data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication’ (article 2.1, emphasis added). Thus, there is a legal basis for the link between authentication and e-signatures [125].

However, for the purposes of the present study, which focuses on the act of signing specific data and not on PKI processes in general, the ‘authentication’ process referred to in the Directive can in our view only refer to data authentication, understood as the corroboration that the origin and integrity of data is as claimed [126]; and not to entity authentication [127].

We argue against the extension of the notion of a signature to include entity authentication processes, both for practical and for philosophical reasons. In legal practice, a signature has traditionally been only one of many ways in which a person can confirm his identity, express his consent, effect non-repudiation, and a myriad of other functions which are traditionally ascribed to signatures. The signature has been given a specific legal status in most jurisdictions, although other ways of obtaining the same legal result are usually (but not always) allowed. It is therefore not surprising that e-government applications would show the same degree of flexibility, and permit other solutions than electronic signatures to serve the same function. This does not mean in our opinion that such other solutions can be readily considered to be signatures.

[120] Principally via the Government Gateway scheme; see http://www.gateway.gov.uk/

[121] Principally via the DigiD scheme; see http://www.digid.nl/

[122] Principally via the authentication solutions supported by the Alt-inn portal; see http://www.altinn.no/

[123] Principally via the eID solutions supported by the MyGov portal; see http://www.mygov.mt

[124] But not always; username/password systems are also in common use for lower security type applications.

[125] This perspective is also taken in the paper ‘Regulating a European eID – A preliminary study on a regulatory framework for entity authentication and a pan European electronic ID for the Porvoo e-ID Group’ by Thomas Myhr. See http://www.fineid.fi/vrk/fineid/files.nsf/files/7431D844D1C359F9C225711F004553CB/$file/Thomas_Myhr_report.pdf

[126] See inter alia the Modinis eIDM Glossary, https://www.cosic.esat.kuleuven.be/modinis-idm/twiki/bin/view.cgi/Main/GlossaryDoc#4_5_1_Data_authentication

[127] See also the ELSIGN Study (The Legal and Market Aspects of Electronic Signatures report) in this

Indeed, if entity authentication could be said to be a form of signature on the grounds that it can obtain similar results, the traditional value attached to signatures in many legal frameworks would be in peril. After all, if one can be said to have electronically ‘signed’ a document after suitably secure electronic entity authentication, then it seems one must also accept that a paper document should be considered ‘signed’ if a person has merely handed it in after authenticating himself in another suitable fashion (e.g. after ID card verification, or simply after visual identification by someone familiar with the provider of the paper document). Paper documents should by this logic be considered ‘signed’, even if there is ostensibly no signature attached to the document. This is not the case: both in the paper and in the electronic context (as witnessed by the definition of the electronic signature in the Directive), a signature is always ‘attached to or logically associated with’ the signed document. The latter element should therefore be the deciding factor when determining whether an electronic signature in the sense of the Directive is used: whether or not the authentication information was attached to or logically associated with specific other data by the signatory with a view to signing it.
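The deciding factor just described (authentication data attached to or logically associated with specific data) can be made concrete in code. The following Python example is added here and is not part of the study; it uses an HMAC tag as a stand-in for the signing primitive, with constructed sample values and a hypothetical portal, and contrasts a session-based entity-authentication check, which accepts any document once the user is logged in, with a tag bound to the document, which fails as soon as the document or the claimed signer changes.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this illustration; none are taken from the study.
SERVER_KEY = secrets.token_bytes(32)    # known only to the portal: backs session tokens
SIGNING_KEY = secrets.token_bytes(32)   # MAC key standing in for the citizen's signing key
DOCUMENT = b"Tax return 2007: declared income EUR 42,000"
TAMPERED = b"Tax return 2007: declared income EUR 24,000"

def login(user_id: str) -> bytes:
    """Entity authentication: the portal issues a token vouching for WHO is
    connected. It is computed over the identity only, never over any document."""
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).digest()

def accept_upload(user_id: str, token: bytes, document: bytes) -> bool:
    """A portal treating the session as its 'signature': the check never
    touches the document, so any bytes are accepted once the user is logged in."""
    return hmac.compare_digest(token, login(user_id))

def sign(user_id: str, document: bytes) -> bytes:
    """Data authentication: the tag covers the signer's identity AND the document,
    so it is 'logically associated with' these specific bytes. A length prefix
    separates the two fields so that identity and document cannot be confused."""
    name = user_id.encode()
    return hmac.new(SIGNING_KEY, len(name).to_bytes(2, "big") + name + document,
                    hashlib.sha256).digest()

def verify(user_id: str, document: bytes, tag: bytes) -> bool:
    """Recompute the tag over the claimed signer and document; compare in constant time."""
    return hmac.compare_digest(tag, sign(user_id, document))

def compare_flows(user_id: str) -> dict:
    """Run both flows against the same document and a tampered copy."""
    token = login(user_id)
    tag = sign(user_id, DOCUMENT)
    return {
        "session_accepts_original": accept_upload(user_id, token, DOCUMENT),
        "session_accepts_tampered": accept_upload(user_id, token, TAMPERED),
        "signature_accepts_original": verify(user_id, DOCUMENT, tag),
        "signature_accepts_tampered": verify(user_id, TAMPERED, tag),
        "signature_accepts_other_signer": verify("someone-else", DOCUMENT, tag),
    }

if __name__ == "__main__":
    for check, outcome in compare_flows("citizen-0001").items():
        print(f"{check}: {outcome}")
```

The session flow reports True for both the original and the tampered document, because the token corroborates only the entity; the tag flow reports True only for the exact bytes and signer it was computed over.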

These considerations should of course not be interpreted to mean that entity authentication should be considered an invalid operating method in e-government applications, or indeed that we would consider it to be somehow inadequate or less suitable than an electronic signature. As in any other legal field, a signature has its purposes and its uses in e-government, but it should never be considered to be a requirement when a different solution offers the necessary guarantees. We merely wish to emphasise that in cases of pure entity authentication, we find that no signature is actually used, and that applications using purely entity authentication are therefore strictly speaking out of scope for this study.

This is also the opinion that was held tacitly or explicitly by most of the national correspondents and national experts. As a global indicator of this fact, we can refer to the tables in sections 4.1.7 and 4.1.8, which deal respectively with multi- and single-factor authentication. The former list is quite short, and the latter nearly empty. Nonetheless, it is clear that these solutions are highly common in most countries. Their systematic underreporting seems to be indicative of the fact that these solutions are indeed not seen in most cases as electronic signatures but as entity authentication tools.

Thus, the main driver behind entity authentication as a proxy for electronic signatures seems to be user friendliness and flexibility, rather than any philosophical or political preference. It has been noted by several experts that entity authentication is retained as a proxy for electronic signatures for the simple reason that it is considered ‘good enough’ in terms of safety and reliability, and that additional requirements would encumber the underlying processes excessively in a manner that would offer little added value.