
The European Union is updating its electronic signature laws - Tomte
http://www.theverge.com/2016/6/30/12066886/eu-european-union-electronic-signature-laws-eidas
======
selmat
E-signature is great. I am not sure what the service level is across Europe, but
in my country it is half-baked due to:

1) Software or plugins for signing should be available for free.

2) All authorities have to accept the same key (here in my country there is a huge
problem with this. Government offices and institutions accept different keys. Banks
don't accept anything at all.)

3) Connected systems need to be automated. It's not acceptable to have manual
verification and 12 hours of sync between e-private-mailboxes (not fully related
to e-sign).

4) If I can send a form signed with an e-signature, it has to be delivered with
appropriate automated feedback (message delivered, accepted, rejected).

5) They force users to use Windows, Internet Explorer and expensive software,
timestamps.

~~~
d33
What's your country?

~~~
AReallyGoodName
Sounds like Australia. The government forced business owners to use AUSkey for
all government-business online communication. It was exactly as he described.

[https://abr.gov.au/AUSkey/AUSkey-explained/](https://abr.gov.au/AUSkey/AUSkey-explained/)

~~~
mianos
It's a real joke down under. Considering Chrome's market share: "Chrome and
Edge browsers are not compatible with AUSkey."

------
kalleboo
This is actually pretty neat. In Sweden our "BankID" digital signature system
is really popular (using digital signature files or 2FA to do your taxes, log
into your bank or apply for credit cards), and it's always kinda odd when I
notice the kind of backwards half-assed solutions used in other countries.
Having it all work intra-nationally would be really cool!

~~~
Bromskloss
> Having it all work intra-nationally would be really cool!

You mean _internationally_, right, or did I miss something?

~~~
redbeard0x0a
It wouldn't necessarily mean _internationally_ because countries outside of
the EU wouldn't be required to work with the system.

It would only work intra-nationally (scoped to the member states of the EU (as
an oversimplification)).

~~~
Bromskloss
Just so that we are on the same page:

- "international" = "between nations"

- "intranational" = "within a nation"

Right?

~~~
octagonal
Correct. Which is strange, because both "intern" and "intra" mean as much as
"internal". I never understood why "externational" isn't a word.

~~~
Gmo
It's not "intern" but "inter", which does not mean internal at all but "between".

------
Rafert
Part of eIDAS is e-signatures for things like documents, the other part is
interoperability between the eID systems of the member states so that e.g.
Dutch farmers living near the border can use their eHerkenning[1] account to
log in to Belgian government services and vice versa.

[1]: [https://www.eherkenning.nl/english/how-does-it-work/](https://www.eherkenning.nl/english/how-does-it-work/)

------
Tomte
I think that means that my Estonian e-residency card will actually be on equal
footing with the (expensive) "qualified signature" cards issued by some German
trust centers.

------
cleeus
On the one hand, eIDAS (the e-signature part) is definitely a good thing as it
will replace a lot of weak national signature laws with something modestly
safe. On the other hand it will also replace strict signature laws (e.g.
German) with something much weaker. At the core of e-signatures is the so
called human-machine transfer (Schneier's term). A human expresses his legal
declaration of intent through a machine. In Germany this required a
(certified) qualified signature unit and software, which de facto meant a
certified smartcard from a certified trust center with secure PIN entry (on the
card reader, not the computer).

According to eIDAS this can be replaced with much weaker forms like
server-side keys and signature after 2FA. And this is where folks from
DocuSign (and others) will come in and place a cryptographic signature on
documents in exchange for username+password+click (maybe with 2FA, I doubt that).

So you formerly needed a smartcard (possession) with a PIN (knowledge). Now you
may only need username+password (knowledge) and maybe a second factor like a
mobile phone. I doubt that having control over a smartphone is on the same
security level as control over a class 2/class 3 smartcard reader.

~~~
Loic
eIDAS has different levels of _trust_ and a service (from a country or
company) can require a _high_ level of trust to perform an operation, for
example using a smartcard.

For German speaking people, you have some pretty well put together
documentation on the new eIDAS directives here:
[https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eIDAS...](https://www.bsi.bund.de/DE/Themen/DigitaleGesellschaft/eIDAS/eIDAS_node.html)

~~~
cleeus
I didn't read anything about the notion of trust levels in the directives
text. Can you point me to the law?

As far as I can see, any signature that is/appears to be qualified (regardless of
how it came to life) is considered equal to a signature under notary oversight
(at least in Germany) and shifts the burden of proof. This is heavy!

------
csense
Does anyone know exactly what this is in technological terms? I'm thinking
maybe it's a PKI that assigns an ECDSA private key to each EU resident?

Then their talk about timestamping makes me think maybe there's a blockchain
involved?

~~~
icebraining
Many EU states are already issuing keypairs to their citizens, usually in a
smartcard that is their national ID. This initiative is supposed to get states
to recognize each others' keys.

There's no blockchain; entities can simply sign a timestamp to a document,
and then people and other entities can either trust it or not. From what I
understand, a private company can be licensed as a "verified" timestamper,
and then sell its services to other companies or individuals.
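
The "sign a timestamp to a document" idea above, as an added example that is not part of the thread or of any eIDAS implementation: a constructed timestamp authority signs only the document's hash together with the time, and anyone holding the authority's public key can check that the token binds that exact document to that exact time (the Ed25519 key, the token layout and the sample document are assumptions, not an eIDAS format).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Token is the timestamp receipt: the authority's signature over
// (document hash || time). Trusting the token means trusting the authority's key.
type Token struct {
	DocHash  [32]byte
	UnixTime int64
	Sig      []byte
}

// Authority stands in for a licensed timestamping service (hypothetical).
type Authority struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Pub: pub, priv: priv}, nil
}

// tbs builds the exact bytes that are signed: 32-byte hash, then big-endian time.
func tbs(h [32]byte, t int64) []byte {
	var buf [40]byte
	copy(buf[:32], h[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(t))
	return buf[:]
}

// Stamp receives only the hash, so the authority never sees the document itself.
func (a *Authority) Stamp(docHash [32]byte, now time.Time) Token {
	t := now.Unix()
	return Token{DocHash: docHash, UnixTime: t, Sig: ed25519.Sign(a.priv, tbs(docHash, t))}
}

// Verify recomputes the document hash and checks the authority's signature over hash||time.
func Verify(pub ed25519.PublicKey, doc []byte, tok Token) bool {
	if sha256.Sum256(doc) != tok.DocHash {
		return false // the document was altered after stamping
	}
	return ed25519.Verify(pub, tbs(tok.DocHash, tok.UnixTime), tok.Sig)
}

func main() {
	a, _ := NewAuthority()
	doc := []byte("constructed sample contract text") // constructed input
	tok := a.Stamp(sha256.Sum256(doc), time.Now())
	fmt.Println(Verify(a.Pub, doc, tok), Verify(a.Pub, []byte("altered text"), tok))
}
```

Changing either the document or the time field in the token makes verification fail, and a token from a different authority fails against this authority's public key.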

~~~
yawaramin
Every country that is issuing machine-readable passports is effectively
issuing a keypair (stored in the passport's machine-readable chip). See:
[http://www.icao.int/Meetings/TAG-MRTD/Documents/Tag-Mrtd-15/...](http://www.icao.int/Meetings/TAG-MRTD/Documents/Tag-Mrtd-15/P_Butler.ppt)

------
nickpsecurity
I think they should only be allowed with HSMs, from cheap smartcards to full-on
tamper-resistant, if it's anything of significant value, unless someone opts
out of them. The amount of compromises of PCs, servers, and web apps means I
trust an electronic signature way less than a physical one. Need extra
security especially on the RNGs, timestamps, keys, and signatures.

Note: It will probably help that the best providers of inexpensive, secure
ICs are European and already all over those markets.

~~~
MichaelGG
If the host PC is compromised, does a cheap smartcard help? Just capture the
PIN (like you would a password when they log on to their bank) and replay at
will? Maybe if the user is very careful to only keep their smartcard in for
the minimum time required it helps.

So long as other bank protections are in place, it shouldn't be a step
backwards. If it's used to move all liability to the consumer though, then
it's a problem.

~~~
cleeus
If you use a smartcard, you should use a class 2/class 3 card reader with a PIN
pad and never enter the PIN on your computer. So the machine can replace the
hash that is to be signed, but cannot intercept and replay the PIN.

~~~
nickpsecurity
It's not always possible but should be whenever possible. The concept is
called a trusted path: an unspoofable, un-interceptable interface between the
user and the security-critical part of the system. Was required for all high-
assurance security under the Orange Book. Still used in some HSM and payment
sectors.

Example for other readers on p4 under Luna PCI and the Ingenico reader that looks
like it's a kid's pocket calculator haha:

[https://www.keyon.ch/de/Produkte-Loesungen/SafeNet-HSM/HSM_T...](https://www.keyon.ch/de/Produkte-Loesungen/SafeNet-HSM/HSM_TrueHardware-basedKeyManagement_NextGenPKIApps_FB_-EN-_web.pdf)

[http://www.smartcardsource.com/contents/en-ca/Ingenico_myleo...](http://www.smartcardsource.com/contents/en-ca/Ingenico_myleo.pdf)

------
PerfectElement
Genuine question: how do companies like DocuSign, HelloSign, etc. provide
eSignatures without any kind of key authentication? Are they really legally
binding?

~~~
yoo1I
The first time I was researching this some time last year, because a client
wanted this, I almost fell off of my chair.

The recommended "solutions" all of which were being used at least somewhere in
the mortgage industry were convoluted processes around people either drawing
their signatures with their mouse, uploading a scan of their signature as a
picture, or, the most ridiculous, just typing their name and then (optionally)
choosing a cursive font so it _looks_ like a fancy signature.

This, of course, is robbing the signature of all of its original intent of
reproducibility by just a single person to, you know, prove that you signed
yourself, and replaces it, usually, with the ability to receive mail to a
certain email address and might as well just consist of a "secure" link to the
document and an OK button.

All of these solutions were claimed to be legally binding according to the
ESIGN act [0].

I am really glad we ended up not integrating.

[0]
[https://en.wikipedia.org/wiki/Electronic_Signatures_in_Globa...](https://en.wikipedia.org/wiki/Electronic_Signatures_in_Global_and_National_Commerce_Act)

~~~
slapshot
If you want to verify the identity of a signature, get a notary or a witness.
Signatures were never intended for that.[fn]

Signatures became common as a legal formality in an age when many people were
illiterate and signed their name with an "X" (which is still legal in the US).
As with everything else in the US, there's a ton of racial history around the
"X" signature that isn't relevant here, other than it's been known for
hundreds of years that a plain signature isn't enough to verify the identity
of the signer.

Instead, the signature came about as a formality to make clear to everyone
involved that the person signing a document intended it to have legal effect.
It's the difference between writing a note saying "I'll sell you my house for
$100" and a signed contract --- there might be a question whether you intended
the note to be binding, but there's no question that you intended a signed
contract to be binding.

[fn] By contrast, things like signet rings that were able to produce easy-to-
verify but hard-to-copy wax impressions have been used for identity
verification. Same for name stamps in certain parts of the world.

(edit: stray formatting)

~~~
yoo1I
I'll readily admit my ignorance on the finer points of signatures and what you
wrote makes sense to me, but using the hope that an email address will reach
the intended recipient, and the intended recipient only, as your trust anchor,
the whole system is basically no better than sending an email that says

> If you agree to buy this house for $100, just click reply, type your name
> and then hit send.

All the fancy PDF displays and contract-signing skeuomorphisms just create a
fuzzy-warm feeling, but don't actually do anything.

Which seemed a little odd to me as a way to authorize parts of a mortgage.

~~~
lstamour
Not sure how these companies work, but what if you could click a link over SSL
to view signing details, IP address and what email address the user had
validated, etc.? If you combine that with your own validation process before
handing them over to the e-signature folks, wouldn't that be enough?

------
the_mitsuhiko
The Austrian version has a horrible UI. I really hope that with this someone
goes in and makes it look less crappy.

