Title: SUMMARY AND CONCLUSIONS

Summary and Conclusions

This chapter on public-key infrastructure (PKI) and electronic signatures has covered a basic explanation of the technical infrastructure and the functional principals of cryptographic algorithms used for electronic signing. Basic standards, definitions and terms including those introduced by the European Directive 1999/93/EC have been described in light of their importance in the on-going development of PKIs.  

In chapter cryptographic signature schemes for various areas of application have been described. In this chapter solutions to meet security requirements and the implementation of additional functionality such as non-deniability (undeniable signature scheme), forgery proof (fail-stop signature scheme) or included encryption (signcryption scheme) are explained.

Security and privacy aspects of PKI and electronic signatures are discussed in chapter . Security problems arise mainly from the use of general purpose machines for signing (secrecy of the private key may be compromised), the concept of trust in hierarchical systems (who trusts whom for what?) and interoperability and compatibility aspects (such as certificate revocation, adoption of the X.509v3 standard for the internet and name schemes in cyberspace). In addition the limited validity of key pairs raises a number of problems with e.g. the resigning of longer valid contracts or digital archives. The solution to those problems requires some technical effort and raises the costs of the infrastructure required for electronic signatures.

From the privacy perspective the linkability of a certificate with the holder making her or him highly traceable when signing documents or transactions is the main problem of current PKI implementations. The concept of pseudonymous certificates was not very well adopted by the EU member states. Alternatively today’s pseudonymous signature digital credentials have been suggested as an improvement of pseudonymity for certificates used within PKI. 

Chapter introduces the types of electronic signatures defined in the Directive 1999/93/EC. The legal requirements, legal effects and the probative values for these signatures have been described. Legal provisions on a European level on the use of pseudonyms for electronic signatures have also been discussed. The intent of the European legislator towards pseudonymous electronic signatures is concluded. Essentially, the European legislator wanted to ensure, that the member states would not prevent certification service providers from indicating pseudonyms in certificates while at the same time leaving them the choice to give legal effect to pseudonymous signatures. Certificate providers should be obliged to communicate their conditions to the signatory; they could indicate limitations in a qualified certificate which have to be recognisable to third parties.

The requirements of a service provider which offers pseudonymous certificates have also been concluded. Notably, they are liable for the damage resulting from any inaccuracy and incompleteness of the information contained in the certificates.  

Using the established economic model of diffusion of technologies into a market, the following chapter compares currently available electronic signatures with five key factors of success in the market defined for technological products and solutions. While a good performance towards compatibility and complexity with today’s PKI is observed, the relative advantage against investigated substituting solutions, triability and observability need substantial improvements, at least in some European member states. This matches with the observed diffusion of electronic signatures in the investigated European markets. From the economic perspective, the diffusion of PKI in the European market has been notably less successful than expected. This chapter suggests six concrete measures to improve the diffusion into the market:

• To shift costs in order to achieve a fair distribution 

• Measures to reach the critical mass of users 

• Increasing awareness and knowledge about this technology 

• To especially target the user group called ‘early adopters’ 

• To increase triability e.g. by trial versions of electronic signatures 

• To further reduce complexity of the private infrastructure required 

Chapter presents a case study on mobile signatures using the high market penetration of mobile phones. Two approaches are presented: (1) a server based approach that is independent from the client and (2) a client based approach using an improved SIM-card. Technical aspects, basic designs and typical processes needed for mobile signing are presented and discussed. This chapter concludes with a number of possible applications including multilateral secure financial transactions and integration in a user controlled digital identity management system.