Inventory of Approaches to Authentication and Certification in a Global Networked Society

• Pagine: 103-203

Page 103

Unclassified DSTI/ICCP/REG (99) 13/FINAL.

Organisation de Cooperation et de Developpement Economiques OLIS: 04-oct-1999

Organisation for Economic Co-operation and Development Dist.: 05-oct-1999

Or. Eng.

DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY

COMMITTEE FOE INFORMATION, COMPUTER AND COMMUNICATIONS POLICY

Working Party on Information Security and Privacy

INVENTORY OF APPROACHES TO AUTHENTICATION AND CEETIFICATION IN A GLOBAL NETWORKED SOCIETY

82311

Document complet disponible sur OLIS dans son format d'origine

Complete document available on OLIS in its original format

Page 104

@Context for the inventory

@@Snap-Shot View

This report has been prepared by the Working Party on Information Security and Privacy based on input supplied by Member countries. It represents a "snap-shot" view of OECD Member country approaches to authentication and certification on global networks, including information about laws, policies and initiatives, in both the public and private sectors and at the national, regional and international levels, as reported by Member countries as of July 1999. It is important to note that in many Member countries these approaches are still being developed, in light of evolving technologies, and in consideration of work underway at the European Union and international level. This inventory should be considered a work-in-progress report that represents the ongoing information exchange among the members of the Working Party.

@@Private Sector Role

The Group of Experts recognises the leading role of the private sector in the development and use of authentication and certification technologies and mechanisms in the electronic environment. Technologies and business models for authentication and certification are continuing to develop on a global scale, and the private sector has begun to outline frameworks and develop model systems for specific technology applications. The rapid pace of technological evolution and the diverse models for authentication and certification that are currently emerging in Member countries make it difficult to adequately survey the private sector activities in this area. Therefore, this inventory does not include a separate chapter focusing on private sector initiatives. However, where countries have reported on the activities of their private sector actors, this has been included as part of the national approach section. The proceedings of the Joint OECD-Private Sector Workshop on Electronic Authentication contain significant information about private sector initiatives in this area.

Copyright OECD, 1999

Applications for permission to reproduce or translate all or part of this material should be made to:

Head of Publications Services, OECD, 2 rue Andre-Pascal, 75775 Paris Cedex 16, France.

Page 105

DSTI/ICCP/REG(99)13/FINAL

@Inventory of approaches to authentication and certification in a global networked society

@@Overview

Authentication is used in the electronic environment to establish Identity or privileges, or as part of payment mechanisms, for Instance through the use of a password or smart card, or by using a cryptographic, shared secret or biometric technique. Certification mechanisms can provide assurances about information in the -electronic environment to reduce uncertainty in electronic transactions between parties or systems. For instance, a trusted source could attest to some fact to provide a way to determine that the Information is veriflably connected to a transacting party. Where authentication relies on cryptography technologies, a certification mechanism could be used to link the public cryptographic key with an individual or entity. A wide variety of technologies and mechanisms are available to authenticate and certify various elements of electronic transactions, and a number of different architectural models are under consideration In OECD countries.

As OECD countries turn their attention to developing policies and laws to facilitate electronic commerce, they are looking at issues related to authentication and certification in a global networked society. Conflicting eatioeal solutions for electronic authentication and certification could have an impact on the development of global electronic commerce. The OECD plays a role In this area by providing a venue for ongoing Information exchange in order to clarify the issues related to authentication and certification and provide a solid basis for ongoing International co-operation In this area. The ICCP Committee's Working Party on Information Security and Privacy continues the dialogue Involving governments, business and industry, and user representatives to examine more fully the technologies and diverse models for authentication and certification to facilitate global electronic commerce which are currently in use or emerging In Member-countries. This Inventory of Approaches to Authentication and Certification in a Global Networked Society continues the survey of activities in OECD countries related to authentication and certification on global networks. Including Information about laws, policies and Initiatives In the public and private sectors, and at the national, regional and International levels. Specifically, the report looks at:

- Private contractual agreements

- Technology requirements

- Standards, and

- Certification authorities.

Page 108

@Questions for framing input to the revised inventory

The following questions have been identified by Member countries to assist Delegations in framing their written input to the inventory, For the purposes of this inventory, "digital signature" means electronic authentication based on public key cryptography, and "electronic signature" means any signature in electronic form,

@@General

Following upon the October 1998 Ministerial Declaration on Authentication for Electronic Commerce, has your country taken any steps to amend, where appropriate, technology or media specific requirements in current laws or policies that may impede the use of information and communication technologies and electronic authentication mechanisms, giving favourable consideration to the relevant provisions of the 1996 UNCITRAL Model Law on Electronic Commerce? If yes, please describe.

1. Does your country have a specific law or regulation concerning digital signatures, electronic signatures, or other kinds of electronic authentication? If yes, please give reference information,

2. In the absence of a relevant law, regulation or standard, does your country recognise at the national or sub-national level any published criteria, the observance of which render electronic documents or signatures admissible for evidentiary purposes? If yes, please give reference information.-

3. Is there a public or private sector body in your country that issues digital certificates for public use? If yes, please describe,

4. Does your country use authentication technologies or mechanisms in the electronic delivery of government services to citizens? If yes, please describe,

5. Are there any initiatives, studies, proposed legislation or rules, or other activities currently underway or under consideration - in the public or private sectors - in the area of authentication and certification in your country? If yes, please describe,

6. Are there private sector models for electronic authentication that are in operation or under development in your country? If yes, please describe,

7. Please provide, where possible, contact points at the national level where readers of the inventory report could direct follow up questions.

   @@Private contractual agreements

8. What is the effect of your country's law or regulation on private contractual agreements concerning the use and recognition of digital signatures, electronic signatures, or other kinds of electronic authentication?

   Page 109

9. Are parties free to agree to standards, procedures, and uses that differ from those set forth In national laws and regulations?

10. If they enter into an agreement that sets standards, procedures, or uses that differ from those set forth in national laws and regulations, may the parties use the national legal system to attempt to attain redress under the terms of the contract?

11. Do any evidentiary standards apply to evidence of validity and authenticity offered to a judicial or administrative proceeding in your country? If so, what methods of proof are available?

    @@Technology requirements

    If you answered "yes" to Number 2, above:

12. Does your country's law or regulation specifically approve a particular kind of electronic authentication technology or mechanism? If so, what is the effect of your country's laws or regulations on the use of an electronic authentication mechanism that is not specifically approved? Do your country's laws or regulations preclude or disadvantage a party using an authentication method other than one specifically approved?

13. Are parties using electronic authentication methods other than one specifically approved by law or regelation able to establish the validity and authenticity of that method by offering evidence of its reliability in a judicial or administrative proceeding? If so, is the access to judicial or administrative proceedings predicated on any requirement of local partnership or establishment of one of the parties?

14. Does your country's law or regulation identify certain electronic authentication technology as "secure"? If so, please describe.

15. Does your country's law or regulation differentiate between levels of security? If so, how? What are the legal consequences of this distinction?

16. Does your country's law or regulation set forth technical requirements for components or systems for electronic authentication? If so, how are these technical requirements determined? Are the requirements mandatory, or are they provided only as guidance?

17. Does your country's law or regulation require that technical components or systems used in electronic authentication be accredited or...