An Analysis of International Electronic and Digital
Signature Implementation Initiatives
A Study Prepared for the Internet Law & Policy Forum (ILPF)
September, 2000
by
ILPF and the authors seek public comment on this
analysis and welcome additional information and corrections concerning the
initiatives discussed in this report. We particularly encourage readers to submit information about new implementation initiatives that are not discussed in this analysis.
Any comments should be sent to the ILPF at admin@ilpf.org.
EXECUTIVE SUMMARY
Many jurisdictions have been setting up implementation schemes designed to provide technical guidance to allow the general legal framework for electronic authentication to work in practice. Such schemes may include (1) national and international standards for electronic authentication products and services; (2) regulatory schemes for the supervision, accreditation, and certification of particular authentication products and services; and (3) guidelines, best practices, and similar documentation for the operation of electronic authentication systems. Such schemes may be set forth in national legislation, international or regional regulatory principles, guidelines drafted by commercial or policy organizations, or other initiatives.
When one looks more closely at such schemes, a number of trends emerge:
- Information about them is often difficult to come by.
- The majority of countries with laws on electronic
authentication have not yet developed detailed standards, although a number are working on them.
- In those countries where accreditation or certification
schemes for electronic authentication exist, the vast majority at least purport to be "voluntary". On the other hand, many laws require the use of accredited Certification Service Providers ("CSPs") in transactions with the government, which can have a powerful effect in forcing a particular standard or accreditation procedure on the market.
- While almost all the laws give basic legal effect to
electronic signatures independent of the technology used, very often the most important legal effects are only recognized when the certificate is issued by a service provider that is accredited or certified in some way, or that meets certain standards.
- A number of countries are currently struggling with the
issue of whether to establish a supervisory body for all authentication
products and services.
- Many countries also require CSPs to register in some
way before starting their activities.
- In countries where standards are adopted or in the
process of being adopted, it is often difficult to ascertain the extent to
which they are truly international in nature.
It seems that the evolving definition of "accreditation," "certification," and "standardization" in the context of electronic authentication is a flexible one, which should be implemented in national systems in a way which furthers truly international and interoperable electronic commerce.
However, the evidence so far is that both the plethora of such initiatives and the way they are being implemented are not developing in a way that would optimize the use of electronic signature technologies. Nearly every country has at least initiated a national accreditation, certification, or standardization scheme for electronic signature products and services, which could lead to a Babel that imperils international legal interoperability. There is also evidence that some of them are not as "international" as they purport to be, and that there is sometimes more governmental involvement in what are supposedly "private sector" standards than is warranted. In part, of course, this reflects a determination on the part of some governments to seize the initiative in this field even before a strong private-sector market has emerged.
TABLE OF CONTENTS

PART I INTRODUCTION
  1. Background
  2. The ILPF International Consensus Principles
  3. Goals of this paper
PART II ANALYSIS
PART III TABLE OF DIGITAL AND ELECTRONIC SIGNATURE IMPLEMENTATION INITIATIVES
  1 INTERNATIONAL ORGANIZATIONS AND BUSINESS ENTITIES
    i) IDENTRUS
    ii) International Chamber of Commerce (ICC)
    iii) International Telecommunication Union (ITU)
    iv) Internet Engineering Task Force (IETF)
    v) Internet Law & Policy Forum (ILPF)
    vi) UNCITRAL Model Law on Electronic Commerce
    vii) UNCITRAL Model Rules on Electronic Signatures
  2 EUROPEAN UNION
    i) EESSI (EU-wide standardization initiative)
  3 EUROPE (EU Member States)
  4 EUROPE (non-EU)
  5 NORTH AMERICA
    Canada
      a Uniform Electronic Commerce Act (UECA)
      b Personal Information Protection and Electronic Documents Act
      c Ontario Electronic Commerce Act (ECA)
      d Saskatchewan Electronic Information and Documents Act
    United States
      a Electronic Signatures in Global and National Commerce (E-SIGN) Act
      b Uniform Electronic Transactions Act (UETA)
      d National Institute of Standards and Technology (NIST)
      e Federal Public Key Infrastructure (FPKI) Steering Committee
      f National Automated Clearinghouse Association (NACHA)
      g American Bar Association (ABA)
      h American Bar Association (ABA)
  6 SOUTH AMERICA
  7 ASIA
PART I. INTRODUCTION
1. Background
Over the past few years, changes in
law and advances in technology have dramatically altered the landscape of
electronic authentication. Although use
of the technology is not yet widespread, electronic authentication holds the
promise of fostering, at a minimum, a modest transformation in online commerce
to, at a maximum, a radical shift in the way business is conducted. Digital signatures and the operation of
public key infrastructures ("PKIs") promise drastically-reduced transaction
costs in virtually every sector of business. Companies and consumers alike welcome the day when the click of a button
can complete high-value transactions that previously required hours of
deliberation and hundreds of documents.
While the benefits of authentication
technologies have long been apparent, the method of achieving these commercial
gains has been decidedly less obvious.
Legislatures and regulatory agencies around the world have taken various
and divergent approaches in their effort to take advantage of these emerging
technologies. Much of this divergence
stems from the simple fact that these technologies have yet to fully
evolve. Electronic signatures currently
claim only limited acceptance in the marketplace; thus, policy-makers are left
with the task of predicting how e-signatures will be used, rather than reacting
to how they are used. Differing
policies reflect differing assumptions about the future of these technologies
and how best to influence them.
A review of legislative and
regulatory activity reveals three basic approaches.
The first, a minimalist approach, aims to facilitate the use of electronic
signatures generally, rather than advocate a specific protocol or
technology. The primary motivation is
to remove existing legal obstacles to the recognition and enforceability of
electronic signatures and records. This
is ordinarily done by ensuring that electronic signatures and records fulfill
existing legal requirements for tangible signatures.
To the extent that there are any legislative or regulatory
judgments involved in this approach, they are generally limited to defining the
circumstances under which an electronic signature will fulfill any such
requirements, with a goal of establishing a standard of proof. To this end, the minimalist approach focuses
on verifying the intent of the signing party rather than on developing particularized
forms and guidelines.
The second approach tends to be more
prescriptive. Here the motivation often
stems from a desire to establish a legal framework for the operation of PKIs -
whether or not other forms of secure authentication are included or permitted -
as well as a reflection of form and handwriting requirements that apply in the
offline world. Legislation and
regulations enacted under this approach often share the following
characteristics: adoption of asymmetric
cryptography as the approved means of creating a digital signature; imposition
of certain operational and financial requirements on certificate authorities
("CAs"); prescription of the duties of key holders; and definition of the
circumstances under which reliance on an electronic signature is
justified. This prescriptive approach
allows legislatures and regulatory agencies to play a direct role in setting
standards for and influencing the direction of new technologies.
The record on adoption of these
approaches falls closely in line with the systems of law in which each has
evolved. Traditional common law
countries - e.g., Canada, the United
States, the United Kingdom, Australia, and New Zealand - have tended toward a
minimalist approach. The United States,
despite initial contrasting approaches among individual states, has largely
resolved the tension by opting for the minimalist approach on a national
level. The recently-adopted Electronic
Signatures in Global and National Commerce Act ("E-SIGN") represents an
affirmation of the minimalist approach.
The law gives electronic signatures the same legal validity as
traditional paper signatures and explicitly forbids the denial of an electronic
agreement simply because it is not in "writing."
To prevent conflicting state level approaches, the law further
forbids any state statute or regulation that limits, modifies, or supersedes
E-SIGN in a manner that would discriminate for or against a particular
technology. Of course, states can preserve
(or adopt) laws that offer an approach slightly different from that of the new
federal law, but only where that variance is consistent with the overall terms
of E-SIGN.
In contrast, civil law countries
have tended to opt for the prescriptive approach.
For example, the original German Digital Signature Law
established stringent technical standards for what types of digital signatures
are to be deemed "secure." Italy took
this a step further by conveying legal effect only to signatures that have been
authenticated by a licensed CA. Other
nations including Argentina and Malaysia have enacted similar legislation
outlining the circumstances in which digital signatures may be used.
Some jurisdictions have also begun
to realize that the first two approaches are not necessarily mutually exclusive,
and so have adopted a third approach.
The result has been a "two-tier" approach representing a convergence and
synthesis of the two approaches. This
consolidated approach generally takes the form of enacting laws that prescribe
standards for the operation of PKIs, and concomitantly take a broad view of
what constitutes a valid electronic signature for legal purposes. The virtue of this approach is that it
achieves legal neutrality by granting at least minimum recognition to most
authentication technologies, while at the same time creating a better-defined,
more predictable legal environment by incorporating provisions for an
authentication technology of choice.
This "two-tier" approach has found
increasing support, most notably in the European Union. At the minimalist level, the EU Electronic
Signatures Directive prohibits EU Member States from denying legal effect to an
electronic signature solely on the grounds that it is in electronic form, or on
the grounds that it does not satisfy the standards set forth elsewhere in the
directive for "advanced" electronic signatures.
At the prescriptive level, the Directive affirmatively requires
the Member States to give legal effect to "advanced electronic signatures" that
are based on "qualified certificates" and that are created by "secure signature
creation devices." Singapore’s
Electronic Transactions Bill takes a similar approach, and distinguishes
between technologies based on levels of security by establishing one legal
treatment for "electronic signatures," and another for "secure electronic
signatures." The "electronic
signatures" are generally given minimum legal effect, while the "secure
electronic signatures" are entitled to an additional presumption of integrity,
a presumption that the signature is that of the person with whom it is
associated, and a presumption that the user affixed the signature with the
intent of signing or approving the document.
Despite increasing reliance on the
"two-tier" or "hybrid" method, there remains a wide divergence between the
minimalist and prescriptive approaches.
This international - and in some cases even domestic - policy divergence
could severely limit the recognition and interoperability of electronic
signatures and certificates across borders, with far-reaching
consequences. For instance, as the
Organization for Economic Cooperation and Development has recognized in its own
work to identify the barriers to electronic authentication, the growth of
competing legal and technical frameworks could result in an intricate and
unworkable maze of conflicting standards; divergent legal requirements could
effectively erect barriers to international trade; and a system in which each
country prescribes its own standards could inhibit mutual recognition and cross-certification
requirements.
2. The ILPF International Consensus Principles
Motivated by the belief that "legal
interoperability" is essential to realizing the potential gains of electronic
commerce, the ILPF has devised a set of International Consensus Principles on
Electronic Authentication
designed to create a predictable legal environment.
Based on a "crystallization" of salient policy principles from
electronic authentication regulations around the world, the Principles attempt
to cut a middle ground between the divergent approaches. Since many of the considerations articulated
in the Principles are relevant when analyzing implementation initiatives for
digital and electronic signatures, the Principles are quoted here:
REMOVE LEGAL BARRIERS TO ELECTRONIC AUTHENTICATION
Governments should identify and remove legal barriers that hinder the recognition of electronic authentication.
An electronic authentication should not be denied legal effect solely because of its electronic form.

RESPECT FREEDOM OF CONTRACT AND PARTIES' ABILITY TO SET PROVISIONS BY AGREEMENT
To the fullest extent possible, national laws and jurisdictions should recognize and give full legal effect to contractual agreements concerning the use and recognition of electronic authentication techniques.

HARMONIZATION: MAKING LAWS GOVERNING ELECTRONIC AUTHENTICATION CONSISTENT ACROSS JURISDICTIONS
Legal rules relating to electronic authentication should be made to operate collaboratively and provide consistent results across jurisdictions to promote the growth of electronic transactions and establish a predictable legal environment for the use and recognition of electronic authentication methods.

AVOID DISCRIMINATION AND ERECTION OF NON-TARIFF BARRIERS
Governments should recognize that their actions with respect to electronic authentication can create barriers to trade. Governments should not unreasonably discriminate against electronic authentication methods or providers from other jurisdictions or erect improper non-tariff barriers to trade.

ALLOW FOR USE OF CURRENT OR FUTURE MEANS OF ELECTRONIC AUTHENTICATION
Governments should not require or unduly promote the use of particular electronic authentication means or technologies.

PROMOTE MARKET-DRIVEN STANDARDS
Standards for use of electronic authentication methods or technologies should be market-driven to meet user needs.
3. Goals of this paper
The above discussion has centered on
the broad policy framework for electronic authentication, which has now been
set up in many jurisdictions by the myriad electronic and digital signature
laws and regulations in force or planned around the world. However, perhaps the more difficult exercise
will be to make these policy schemes work in practice, i.e., to further the creation of a global, seamless, legal
framework for electronic authentication, while at the same time ensuring that
they work at the local level as well.
Since much of the relevant legislation and regulation is so broadly
formulated, many jurisdictions have been setting up various implementation
schemes designed to provide the detailed technical guidance to allow the
general legal framework for electronic authentication to work in practice. Such schemes may include, for example:
- National and international standards for electronic
authentication products and services;
- Regulatory schemes for the supervision, accreditation,
and certification of particular authentication products and services (e.g., for accreditation of certification
service providers); and
- Guidelines, best practices, and similar documentation
for the operation of electronic authentication systems.
Such
schemes may be set forth in national legislation, international or regional
regulatory principles, guidelines drafted by commercial or policy
organizations, or other initiatives.
The remainder of this paper will
continue to build upon the above discussion, in order to provide an overview of
the direction in which such implementation schemes are proceeding, to analyze
the similarities and the differences between the various approaches, and to
provide further insight into not simply the content, but also the effectiveness
of current legislative and regulatory efforts.
This paper concludes with a table containing a brief description of
major implementation initiatives in the area of electronic authentication
currently going on around the globe.
What follows is not a set of
answers, but rather an effort to narrow the subject into a workable framework
for readers to identify and analyze a set of useful questions. A primary goal is to help readers organize a coherent view of how various approaches toward accreditation, certification,
and standardization both do and should operate and interact. The classification of approaches reflects an
attempt to create for the reader a system of organizing principles out of a
vast array of approaches. By pushing
readers to formulate a sense of how various approaches help achieve legal
interoperability on either a local, national, regional, or global scale, it is
hoped that conclusions can be reached on the effectiveness of the various
schemes themselves.
To this end, readers are encouraged
to reflect not only on the adequacy of the minimalist and prescriptive
approaches, but also on the adequacy of various efforts to set standards or set
up certification or accreditation schemes within each of the approaches. Such standards or regulatory schemes
generally develop in three ways. Often
a national or regional legislature sets forth the standards, either by
mandating specific methods or by explicitly clarifying that no specific
standard will be adopted.
Alternatively, standard setting bodies - trade groups, regulators,
non-governmental organizations - may develop their own sets of standards. Finally, commercial organizations frequently
play a crucial role in setting standards, not through formal policymaking but
through the development and application of the products or services to be
standardized and the systems in which they will operate - in this case,
electronic signatures and public key infrastructures.
It is important to note that these
three methods of standard-setting/accreditation/certification act in
conjunction with one another. Readers
are thus encouraged to compare and evaluate their effectiveness, based on
criteria such as: the extent to which
the market is flourishing; the ease of successfully establishing regional or
international interoperability; the prevalence of a particular standard or
accreditation/certification scheme within a region; and the growth of a particular
standard or scheme outside of the region in which it was established.
PART II. ANALYSIS
Following passage of the Utah
Digital Signature Law in 1995, the last few years have seen an explosion of
legislative and regulatory work by governments in the field of electronic
authentication. As detailed in the
first section of this report, the ILPF, in its previous work, has examined and
categorized the basic legislative approaches being used around the world. However, now that several years have gone by,
it is easier both to categorize the types of approaches used and to understand
the way in which accreditation, certification, and standardization regimes are
being constructed to implement them.[3]
As is usually the case when dealing with the subject of electronic
signatures, it is important to define the terminology used. As noted in the preface to the table (Part
III of this paper), there is a great deal of confusion about the meaning of
terms such as "technology neutral," "international standards," and "mandatory,"
which makes it difficult to apply clear and consistent criteria to the various
implementation schemes that exist. This
paper takes a pragmatic approach and uses terminology which, hopefully, is both
understandable and precise enough to allow meaningful discussion about the
issues. Thus, for example, in
describing whether an initiative is based on "international standards," use has
been made both of long descriptive phrases, short responses such as "yes" and
"no" (when this seemed clear), and more subtle responses such as "ostensibly"
(when the standards are purported to be "international" by those in charge of
the scheme, but there is evidence that this may not be fully the case).
The basic legislative approaches to
electronic authentication currently in use are much the same as detailed in
previous ILPF studies (and described in Part I), but the following points are
worthy of emphasis:
- Some electronic authentication laws are focused
uniquely on electronic signatures (for example, some of those that derive from
the EU Electronic Signatures Directive), while others also cover contract
formation and related issues. Of the
latter category, many are based on the UNCITRAL Model Law on Electronic
Commerce (e.g., the laws and draft
laws of Argentina, Colombia, Ecuador, and Hong Kong).
- Almost all of the laws give basic legal effect to electronic
documents and signatures (i.e., they
exclude the possibility of not legally recognizing electronic signatures and
documents merely because they are in electronic form), with the exception of
certain types of documents or acts (e.g.,
wills).
- Most of the initiatives are, or at least purport to be,
"technologically neutral," although
the underlying methodology clearly involves PKI technology (e.g.,
the EU Directive, and the laws of
Denmark, Spain, and Sweden). A few of
the laws are openly PKI-based, such as the Italian law. Some countries have a general law on
authentication that purports to be technologically neutral, and a more specific
law applying only to communications with the government that is PKI-based (e.g., Belgium, France, and Luxembourg).
When one looks more closely at the
accreditation, certification, and standardization initiatives described in Part
III, a number of trends emerge:
- To begin with, there is often a general lack of
transparency surrounding such schemes. Information about them is often
difficult to come by, may only be
available in the respective national language, and tends to be less than
accessible to parties outside the country. These factors increase the
risk that the scheme may be overly shaped by
national or local interests, rather than by a desire to further international
legal interoperability.
- The majority of countries with laws on electronic
authentication have not developed detailed standards, although a number are
working on them. It appears that many
countries are adopting a "wait and see" attitude as they wait for either
regional standards (for example many European countries are awaiting
finalization of the EESSI project) or market standards (as seems to be the case
in many South American countries) to emerge before finalizing their own.
- In those countries where accreditation or certification
schemes for electronic authentication exist, the vast majority at least purport
to be "voluntary"; very few have been found which are openly mandatory (Ecuador
seems to be one). On the other hand,
many laws require the use of accredited CSPs in transactions with the
government, which can have a powerful effect in forcing a particular standard
or accreditation procedure on the market.
- Many implementation schemes may have a greater effect
in practice than might be supposed from their voluntary nature. In particular, while almost all the laws
give basic legal effect to electronic signatures independent of the technology
used, very often the most important legal effects are only recognized when the
certificate is issued by a service provider that is accredited or certified in
some way, or that meets certain standards.
An example is provided by the EU Directive, which grants enhanced legal
effect to electronic signatures that satisfy certain technical criteria
(i.e., signatures that are based on
"qualified certificates" and created by "secure signature creation devices," as
defined in a set of annexes). While
under this scheme all signatures and certificates are admissible in court, in
practice the evidentiary hurdles for signatures that meet the criteria for
enhanced legal effect will be lower, which could create a powerful
de facto incentive to use them instead of other procedures.
- The use of accreditation and certification implies the
existence of a mechanism to certify compliance.
A number of such bodies are contemplated in various national
schemes, with the EU scheme under the EU Directive providing a microcosm.
Under the Directive, the Member States are
supposed to designate their own "bodies" to certify compliance with the
Annexes, under the general rules set forth by a committee composed of the
Member States and the European Commission.
So far, it seems that some Member States will leave the task of
certifying compliance to a voluntary, industry-led body
(e.g., Ireland, The Netherlands, and the UK), while others
(e.g., Germany) will rely on a government agency.
- An issue related to certifying compliance with
accreditation and certification schemes is that of supervision of signature
products and services; i.e., by what
means (if at all) those offering such services should be subject to oversight,
whether by the government or by a private body.
A number of countries (such as those in the EU) are currently
struggling with the issue of whether to establish a supervisory body for all
authentication products and services, and, if so, what form it should
take. Anecdotal evidence suggests that
several European governments are reluctant to go to the expense and trouble of
establishing a government body for supervision, until it has become clear what
direction the market is moving, and whether there is a need for such a body.
- Many countries also require CSPs to register in some
way before starting their activities (e.g.,
Luxembourg and Spain); in some cases, this almost rises to the level of a
licensing requirement. Furthermore,
some countries have enacted legislation regarding additional functions of a
CSP, such as time stamping functions (e.g.,
Austria).
- In countries where standards have been adopted or are
in the process of being adopted, it is often difficult to ascertain the extent
to which they are truly international in nature.
While nearly every standardization scheme purports to be based on
"international standards," a closer look at anecdotal evidence often reveals
that they are not fully compliant with standards drawn up by international
groups, and that they often incorporate national variants.
The latest iteration of the UNCITRAL
Draft Uniform Rules on Electronic Signatures (as set forth in the "Draft Guide
to Enactment")
demonstrates an emerging international consensus on the use of
accreditation/certification/standardization schemes to determine enhanced legal
effect. The draft includes an Article
(Article 6) which defines criteria to determine when an electronic signature
may be considered "reliable," and further provides that any such determination
of reliability must be consistent with "international standards" (Article
7). The commentary in the Draft Guide
to Enactment goes on to define "standards" as follows:
With respect to paragraph (2), the notion of "standard" should
not be limited to official standards developed, for example, by the
International Standards Organization (ISO) and the Internet Engineering Task
Force (IETF), or to other technical standards.
The word "standards" should be interpreted in a broad sense, which would
include industry practices and trade usages, texts emanating from such
international organizations as the International Chamber of Commerce, as well
as the work of UNCITRAL itself (including these Rules and the Model Law).
The possible lack of relevant standards
should not prevent the competent persons or authorities from making the
determination referred to in paragraph (1).
As to the reference to "recognized" standards, a question might be
raised as to what constitutes "recognition" and of whom such recognition is
required (see A/CN.9/465, para. 94).
It thus seems that the evolving definition of "accreditation," "certification,"
and "standardization" in the context of electronic authentication is a flexible
one, which should be implemented in national systems in a way which furthers
truly international, and, hopefully, interoperable electronic commerce.
Unfortunately, the evidence so far is that
both the plethora of such initiatives and the way they are being implemented
are not developing in a way that would optimize the use of electronic signature
technologies.
With regard to the number of such
implementation schemes, it can be seen from the table (Part III of this paper)
that nearly all of the industrialized nations have at least initiated a
national accreditation, certification, or standardization scheme for electronic
signature products and services. One
must ask why so many, nationally-based schemes are necessary, and why there is
not more reliance on a few, larger-scale schemes that could be tailored for a
region, or a particular legal system.
One could argue that competition will result among the schemes, leading
to a "survival of the fittest," which may well be true to some extent. But, at the same time, having nearly every
country adopt its own implementation scheme for electronic signatures carries
the risk of leading to a patchwork of inconsistent national systems that may
well imperil international legal interoperability.
With regard to the way in which
these myriad schemes are presently being implemented, there is evidence that at
least some of them are not as "international" as they purport to be. There is also sometimes more governmental
involvement in what are supposedly "private sector" standards than one would
think was warranted.
These concerns suggest that
vigilance is called for in ensuring that national or regional implementation
schemes do not stifle potential growth in the use of signature
technologies. On the positive side, the
existence of several large-scale, international schemes based on system rules
agreed to among the parties can act de
facto as a restraining factor on more parochial implementation schemes.
PART III. TABLE OF DIGITAL AND ELECTRONIC SIGNATURE IMPLEMENTATION
INITIATIVES
The following is a table of current
accreditation, certification, standardization, and similar initiatives around
the world in the area of electronic authentication.
It is not intended to be exhaustive, but to provide the most
important information about a representative selection of initiatives.
It has been exceedingly difficult to
formulate standard terminology in some areas
(e.g., in describing the technology used, or whether an initiative
is based on international standards), but the authors have gone to great pains
to devise descriptive, easily-understandable terms, and to use the same
terminology for similar initiatives.
Even if the results are not perfectly uniform, they should be
descriptive enough to give a reasonably clear sense of what is meant.
Finally, readers will note that the
table includes certain policy initiatives (such as the UNCITRAL Model Law and
Model Rules, the ILPF papers, and the ABA Digital Signature Guidelines) and
electronic authentication legislation (such as the U.S. E-SIGN Act). Although these initiatives do not contain
standardization, accreditation, or certification programs for electronic
signature products or services, it was decided that such initiatives and
legislation should be included because of their underlying importance for many
of the implementation initiatives described herein.
The authors wish to thank their
correspondents around the world who kindly provided information, without which
this table would not have been possible.
1. International Organizations And Business Entities
i) IDENTRUS
| URL |
http://www.identrus.com |
| Project |
Bank certification network for financial and e-commerce transactions. |
| Technology |
PKI. |
| Based on International Standards? |
Yes. |
| Status |
Ongoing project. |
| Application |
Global. |
| Mandatory? |
No. |
| Summary of Provisions |
The
network offers a standard for B2B transactions between financial
institutions. |
| Relevant Supervisory Body |
Identrus, through its
system rules. Initial members include
ABN AMRO, Bank of America, Barclays Bank, Canadian Imperial Bank of Commerce
(CIBC), Chase Manhattan Bank, Citigroup, Commerzbank, Deutsche Bank, HSBC
Group, Hypo Vereinsbank, The Industrial Bank of Japan Limited (IBJ), Royal
Bank of Scotland Group, Sanwa Bank, Scotiabank, and Wells Fargo Wholesale
Internet Services. |
ii) International Chamber of Commerce (ICC)
| URL |
http://www.iccwbo.org |
| Project |
General Usage in International Digitally Ensured Commerce (GUIDEC). |
| Technology |
Neutral formulation. |
| Based on International Standards? |
Yes. |
| Status |
Issued November 6, 1997; under revision this year. |
| Application |
Global. |
| Mandatory? |
No. |
| Summary of Provisions |
Addressing
specifically the use of digital signatures, the GUIDEC specifies core
concepts, best practices and certification issues in the context of
international commercial law and practice. |
| Relevant Supervisory Body |
The
ICC Information Security Working Party. |
iii) International Telecommunication Union (ITU)
| URL |
http://www.itu.int/ |
| Project |
Development
of global digital signature standards. |
| Technology |
Primarily
PKI X.509, though the ITU has developed (and continues to work on) other
related standards. |
| Based on International Standards? |
Yes. |
| Status |
Ongoing. |
| Application |
Global. |
| Mandatory? |
No. |
| Summary of Objectives |
Headquartered
in Geneva, Switzerland, the ITU is an international organization within which governments and the private sector coordinate global telecommunication networks and services.
The ITU Telecommunication Standardization Sector (ITU-T) studies technical, operating, and tariff questions and adopts Recommendations with a view to standardizing telecommunications on a worldwide basis. ITU-T comprises a number of Study Groups and the Telecommunication Standardization Advisory Group. ITU-T Study Group 7 (SG 7) focuses on data communications, data networks, and open system communication, work which
includes the development of standards for electronic signatures and
certification authorities.
Through
the efforts of SG 7, the ITU-T hopes to play a central role in the
development of the global infrastructure used for electronic commerce, notably
PKI X.509. The ITU also promotes the
transfer of technologies to developing countries, largely through its
Electronic Commerce for Developing Countries (EC-DC) project. |
| Relevant Supervisory Body |
ITU-T, primarily Study Group 7. |
iv) Internet Engineering Task Force (IETF)
| URL |
http://www.ietf.org/ |
| Project |
Development of global digital signature standards. |
| Technology |
PKI X.509 |
| Based on International Standards? |
Yes. |
| Status |
Ongoing. |
| Application |
Global. |
| Mandatory? |
No. |
| Summary of Objectives |
The
IETF is a large international community of network designers, vendors, and
researchers concerned with the evolution of the Internet architecture and the
smooth operation of the Internet. The
actual technical work of the IETF is done in its working groups, which are
organized by topic into several areas.
The
Public-Key Infrastructure X.509 (PKIX) Working Group was established in the
Fall of 1995 to develop Internet standards to support an X.509-based
PKI. The Working Group is now
developing additional protocols that are either integral to PKI management,
or that are otherwise closely related to PKI use. The Group also continues to examine alternative certificate
revocation methods, conventions for certificate name forms and extension
usage for certificates designed for use in (legally-binding) non-repudiation
contexts, and protocols for time stamping and data certification. |
| Relevant Supervisory Body |
Public Key Infrastructure (PKIX) Working Group. |
v) Internet Law & Policy Forum (ILPF)
| URL |
http://www.ilpf.org |
| Project |
Various
projects to address specific legal issues that arise from the cross-border
nature of electronic commerce. |
| Technology |
Neutral formulation. |
| Based on International Standards? |
Yes. |
| Status |
Ongoing. |
| Application |
Global. |
| Mandatory? |
No. |
| Summary of Objectives |
The
ILPF comprises about 15 North American, Asian and European companies
involved in technology and telecommunications, though it solicits information
and advice from a wide range of experts, including legal and technical
experts from its member companies and other businesses, governments and
intergovernmental organizations, academia, and the private practice of law
around the world.
The
Forum’s Digital Signature and Certificate Authorities Working Groups have
conducted studies on topics ranging from the promotion of model U.S. digital
signature legislation to best practices for certificate authorities. Current goals of the Electronic
Authentication Working Group include the removal of legal and tariff barriers
to electronic authentication, and the harmonization of laws governing
electronic authentication across jurisdictions. |
| Relevant Supervisory Body |
Electronic
Authentication, Digital Signature, and Certificate Authorities Working
Groups. |
vi) UNCITRAL Model Law on Electronic Commerce
| URL |
http://www.uncitral.org |
| Project |
Model international law. |
| Technology |
Neutral formulation. |
| Status |
Enacted. |
| Application |
United
Nations Member States (upon implementation by Member States). |
| Mandatory? |
No. |
| Summary of Provisions |
Defines
electronic signatures and provides for legal effect of electronic signatures,
by offering a baseline for presumptions of validity.
In
four Chapters, the Model Law addresses:
- general provisions related to the definition of electronic commerce;
- the
recognition of specific qualities of digitally-produced and signed documents
that can be used to establish their full legal validity;
- crucial
factors in the communication of data messages, including contract formation,
recognition by all involved parties, attribution, and receipt and
acknowledgement of receipt; and
- the
application of the Model Law’s general provisions to contracts related to the
carriage of goods.
Included
with the Model Law is a guide to its enactment, designed to provide in-depth
explanations of the purposes of the Law’s provisions, so that officials in
Member States may better understand why specific provisions have been
included and determine which, if any, of the provisions might have to be
varied to take into account particular national circumstances. |
| Relevant Supervisory Body |
United
Nations Commission on International Trade Law. |
vii) UNCITRAL Model Rules on Electronic Signatures
| URL |
http://www.uncitral.org |
| Project |
Model international rules. |
| Technology |
Neutral formulation. |
| Status |
Draft. |
| Application |
United
Nations Member States (upon implementation by Member States). |
| Mandatory? |
No. |
| Summary of Provisions |
Provides
for legal effect of electronic signatures which varies depending on the level
of technical reliability.
According
to the drafters, the Uniform Rules are meant to provide a basic "framework"
to be supplemented by technical and/or contractual regulations (determined by
Member States and/or the parties to a transaction facilitated through the use
of electronic signatures). For this
reason, the Rules offer general provisions to establish the legal validity of
electronic signatures, and specify basic rules of conduct for the parties
involved in a digital signature transaction.
As
with the Model Law, the Uniform Rules will be accompanied by a guide to
enactment, to explain why specific provisions were included as essential
basic features of a statutory device designed to achieve the objectives of
the Rules. |
| Relevant Supervisory Body |
United
Nations Commission on International Trade Law. |
2 EUROPEAN UNION
i) EESSI (EU-wide standardization initiative)
| URL |
http://www.ict.etsi.org/eessi/EESSI-homepage.htm |
| Technology |
PKI
(X.509). |
| Based on International Standards? |
Ostensibly.
Profile for qualified certificates: standard for the use of X.509 public key
certificates as qualified certificates; European profile based on the current
IETF PKIX draft.
Standards for CSPs issuing qualified
certificates: based on BS 7799.
Electronic signature formats: ETSI ES 201
733. |
| Status |
Ongoing
project. |
| Application |
European
Union. |
| Mandatory? |
No. |
| Summary of Provisions |
Voluntary,
EU-wide standards and accreditation for signature creation devices, signature
verification, and other areas.
Supervision
of the CSPs issuing qualified certificates to the public
(registration/notification; self-declaration for fulfilling QC policy).
The
standards-related work is carried out by CEN and ETSI (EU-wide
standardization bodies). ETSI
is responsible for defining standards for qualified certificates, security
management and certificate policy for CSPs issuing qualified certificates;
electronic signature syntax and encoding formats (Annexes I and II of the EU
Directive).
CEN
is responsible for creating standards for signature creation and verification
products and functional standards for certification service providers
(Annexes III and IV of the EU Directive and also Annex II (f)).
The
work of ETSI/CEN is carried out in various working groups:
Area D defines the CSP, which comprises a certification
authority, registration authority, repositories and querying capabilities. The current
definition contains the following functional areas: certificate issuance, revocation issuance, certificate
revocation status, certificate dissemination and registration.
Optional areas include time stamping,
subscriber key generation and SSCD preparation.
Area F defines secure signature creation devices. The device may or may not contain the
ability to generate the key pair. While this device is sometimes thought of
only as a smart card, the working group is also considering the use of other
devices.
Area G1 is in charge of the signature creation environment.
Signing is to be done in one of three environments: (a) Trusted, where the user completely trusts the environment;
(b) Partially Trusted, where the user has partial trust (e.g., such as using an employer’s computer for personal use at
the office); and (c) Untrusted (e.g.,
such as using a public kiosk). The
environment has three interfaces:
user interface, SSCD interface and input/output interface.
Area G2 works on the signature validation environment.
Validation does not require an SSCD,
only the signer's public-key certificate.
Area V works on validation. |
| Relevant Supervisory Body |
To
be determined, depending on the Member State. Some Member States will have voluntary, self-certification
schemes, while others will have governmental schemes. |
3 EUROPE (EU
Member States)
i) AUSTRIA
| URL |
http://www.a-sit.at/Englishch/documents.htm |
| Technology |
Neutral
formulation. |
| Based on International Standards? |
Ostensibly (ITSEC E3
high/E2 high). |
| Status |
Enacted. |
| Application |
Austria
(both public and private sector). |
| Mandatory? |
No. |
| Summary of Provisions |
Generally
follows EU Directive.
Secure
electronic signature meets handwriting requirements.
Supervisory
body has broad powers to ensure compliance by CSPs.
CSPs
must notify supervisory body when they start operations. |
| Relevant Supervisory Body |
Telekom-Control-Kommission
(government agency, under Art. 110 of the Telecommunications Law). |
ii) BELGIUM
| URL |
None. |
| Technology |
PKI. |
| Based on International Standards? |
No national standards. |
| Status |
Draft being considered in parliament. |
| Application |
Belgium. |
| Mandatory? |
No. |
| Summary of Provisions |
It follows the EU Directive.
Provides for legal effect of electronic signatures. |
| Relevant Supervisory Body |
Unknown. |
iii) DENMARK
| URL |
http://www.fsk.dk/cgi-bin/intranet/doc-show.cgi?doc_id=34226 |
| Technology |
Technology
neutral but PKI-based. |
| Based on International Standards? |
The law is silent on
standards, except that for secure signature
creation devices it refers to generally recognized standards
(approved and published by the
Commission). |
| Status |
Enacted
(entered into force in October 2000). |
| Application |
Denmark
(except where the law imposes formal requirements). |
| Mandatory? |
No. |
| Summary of Provisions |
It
follows the EU Directive.
Accreditation
is not required but CSPs must declare commencement of activities.
Private
or public bodies will be set up for testing compliance.
Under extraordinary circumstances,
the National Telecom Agency might deprive CSPs of the right to issue advanced
electronic signatures.
Advanced electronic
signatures satisfy any signature requirement stipulated by law. |
| Relevant Supervisory Body |
National Telecom Agency. |
iv) FINLAND
| URL |
None. |
| Technology |
Neutral
formulation. |
| Based on International Standards? |
Yes. |
| Status |
Draft
(it seems unlikely that the Act will be adopted in the year 2000). |
| Application |
Finland. |
| Mandatory? |
No. |
| Summary of Provisions |
Draft
law follows Directive. |
| Relevant Supervisory Body |
Telecommunications Administration Centre
(Telehallintokeskus) and Mittatekniikan keskus. |
v) FRANCE
| URL |
http://www.justice.gouv.fr |
| Technology |
Neutral formulation. |
| Based on International Standards? |
International
standards (EN 45xxx series, ISO 9000, BS 7799).
National
ITSEC/CC evaluation and certification scheme. |
| Status |
Draft. |
| Application |
France. |
| Mandatory? |
No.
|
| Summary of Provisions |
Voluntary
accreditation.
Must
declare commencement of activities.
Provides
for legal effect of electronic signatures. |
| Relevant Supervisory Body |
French Accreditation Body (COFRAC). |
vi) GERMANY
a Statutory Scheme
| URL |
www.iukdg.de |
| Technology |
PKI |
| Based on International Standards? |
National
standard ostensibly based on international norms, but with national
variations. |
| Status |
Enacted,
ongoing action to implement EU Directive |
| Application |
Germany. |
| Mandatory? |
No. |
| Summary of Provisions |
Sets
security standard for qualified certificates.
No
notification necessary for unaccredited CSPs.
Wide-ranging
civil penalties for violations by accredited CSPs. |
| Relevant Supervisory Body |
Regulierungsbehörde
(government agency under Federal Economics Ministry). |
b ISIS
| Name |
ISIS
(Industrial Signature Interoperability Specification) |
| URL |
None. |
| Technology |
PKI. |
| Based on International Standards? |
Ostensibly. |
| Status |
Version
1.2 published on December 3, 1999. |
| Application |
Germany. |
| Mandatory? |
No. |
| Summary of Provisions |
Sets
forth uniform standards for data and messages for services provided under the
German Digital Signature Law.
Defines
formats for certificates and directory services. |
| Relevant Supervisory Body |
Designed
as a specification for companies offering certification services under the
German Digital Signature Law.
Companies
presently participating include: German Federal Printer, CCC Competence
Center Informatik GmbH, Debis Systemhaus Information Security Services GmbH,
Deutsche Post AG, D-Trust GmbH, Giesecke + Devrient GmbH, TC Trust Center,
TeleCash, Telesec Deutsche Telekom AG. |
vii) GREECE
| URL |
None. |
| Technology |
PKI. |
| Based on International Standards? |
It is uncertain
whether the national standardization body (ELOT) will adopt national
standards. |
| Status |
Draft presidential
decree that transposes literal text of EU Electronic Signatures Directive. |
| Application |
Greece. |
| Mandatory? |
No. |
| Summary of Provisions |
Mandatory
accreditation of CSP. |
| Relevant Supervisory Body |
Unknown. |
viii) IRELAND
| URL |
None. |
| Technology |
Neutral. |
| Based on International Standards? |
Yes. |
| Status |
Discussions
underway between business and government on accreditation/certification
scheme under the EU Directive, but no clear timetable for completion. |
| Application |
Ireland. |
| Mandatory? |
No. |
| Summary of Provisions |
No
draft provisions yet, but any scheme is likely to be business-led and based
on a system of voluntary accreditation/certification. |
| Relevant Supervisory Body |
Likely
to be under the auspices of the Irish National Accreditation Board (NAB). |
ix) ITALY
| URL |
http://www.aipa.it/attivita |
| Technology |
PKI. |
| Based on International Standards? |
Ostensibly
(X.509v3, RSA PKCS#1, ISO 10118-3 (SHA-1), PKCS#7 (RFC 2315)). |
| Status |
Enacted. |
| Application |
Italy. |
| Mandatory? |
No. |
| Summary of Provisions |
Electronic
signatures must be interoperable with government.
CSP
must be accredited for signature to be equivalent to handwritten signature.
Provides
for legal effect of electronic documents if they comply with the technical
requirements laid out by the law. It
also gives full force and effects to hard copies and excerpts of electronic
documents and authorizes compliance with all mandatory provisions on the
keeping of documents with electronic media.
It
contains rules which govern the transmission of an electronic document by
virtue of which an electronic document is deemed to have been dispatched and
received if sent to the e-mail address of the recipient.
Despite
purporting to follow the EU Directive on Electronic Signatures, several
provisions might need to be modified to fully incorporate the Directive, in
particular, (a) becoming registered as a CSP in effect requires a government
license, and (b) the fact that legal effect is limited to certificates from
registered CSPs. |
| Relevant Supervisory Body |
AIPA (Autorità per l'Informatica nella
Pubblica Amministrazione/Authority for Information Technology in the Public Administration). |
x) LUXEMBOURG
| URL |
http://www.etat.lu/ |
| Technology |
Technology
neutral but PKI-based. |
| Based on International Standards? |
Yes (ISO/EN). |
| Status |
Enacted
although it has not entered into force yet. |
| Application |
Luxembourg. |
| Mandatory? |
No. |
| Summary of Provisions |
Technology
neutral but PKI-based.
Secure
electronic signature based on qualified certificate meets handwriting
requirements.
Voluntary
accreditation system, although non-accredited CSPs offering qualified
certificates must, before commencing their activities, provide the
National Registry of Accreditation with sufficient evidence of compliance
with minimum technical requirements.
This
agency is structured as a "monitoring body", which may be assisted by
private bodies. Forthcoming
regulation will detail how the agency works. |
| Relevant Supervisory Body |
National
Registry of Accreditation (Ministry of Economy). |
xi) THE NETHERLANDS
| URL |
http://www.minvenw.nl/hdtp/factsheets/trust1.html |
| Technology |
PKI. |
| Based on International Standards? |
ANSI
ABA/X9 and national standards. |
| Status |
Ongoing
project (carried out by Governments and business) which intents to become the
"market standard".
Non-published
draft is being prepared by the Ministry of Justice to modify the Civil code
to adopt a functional-equivalence definition of electronic document and
electronic signature. |
| Application |
The
Netherlands. |
| Mandatory? |
No. |
| Summary of Provisions |
Voluntary
accreditation scheme (TTP.NL Scheme).
Registration
of any CSP that issues qualified certificates.
Public
registry establishes whether CSP is accredited.
Requirements
for CSP follow EU Directive. |
| Relevant Supervisory Body |
Ministry of Transport
and Communications. |
xii) PORTUGAL
| URL |
http://www.missao-si.mct.pt/assinatura_digital.html |
| Technology |
PKI. |
| Based on International Standards? |
Standards
to be defined by forthcoming regulation. |
| Status |
Enacted. |
| Application |
Portugal. |
| Mandatory? |
No. |
| Summary of Provisions |
Voluntary
accreditation. Accredited CSP must
comply with additional security measures.
Provides
for legal effect of electronic signatures. |
| Relevant Supervisory Body |
To
be designated by forthcoming regulation. |
xiii) SPAIN
| URL |
http://www.sgc.mfom.es/legisla/top_leg.htm |
| Technology |
Neutral, but PKI-based. |
| Based on International Standards? |
No
national standards yet, awaiting EU standards. |
| Status |
Enacted. |
| Application |
Spain. Does not apply to communications involving
the government (special national standards for this). |
| Mandatory? |
No,
although electronic communication with government requires the use of
specific type of signatures and certificates. |
| Summary of Provisions |
Follows
the EU Directive very closely.
Voluntary
accreditation. Accredited CSP must
comply with additional security measures.
Provides
for legal effect of electronic signatures.
Additional legal effects are provided to electronic signatures issued
by licensed CSP. |
| Relevant Supervisory Body |
Accreditation
is carried out jointly by ENAC (Entidad Nacional de Acreditación) and the
Ministry of Science and Technology. |
xiv) SWEDEN
| URL |
http://www.swedac.se |
| Technology |
Technology neutral but
PKI-based. |
| Based on International Standards? |
No national
standards. Reference to EN 45012, BS 7799, ISO TR 13335. |
| Status |
Adopted in late
October 2000. |
| Application |
Sweden. |
| Mandatory? |
No. |
| Summary of Provisions |
The proposal follows the Directive
on the most important points.
Accreditation
is not mandatory.
The
use of standards is not mandatory.
Provides
for legal effect of electronic signatures. |
| Relevant Supervisory Body |
National Post and Telecom Agency. |
xv) UK
a CLOUD COVER
| Name |
CLOUD COVER |
| URL |
http://www.cesg.gov.uk/cloudcover/ |
| Technology |
PKI
solutions. |
| Based on International Standards? |
Ostensibly
(X.509 v3 certificates and X.509 v2 certificate revocation lists, RSA
PKCS, others). |
| Status |
Ongoing
project. |
| Application |
UK
government communications and government Intranet (including, potentially,
communications with citizens). |
| Mandatory? |
Yes
(for UK government). |
| Summary of Provisions |
Government
scheme to develop minimum PKI interoperability standards for the UK government.
Run by CESG (root authority which
certifies CSPs for the government), a part of the UK Civil Service. |
| Relevant Supervisory Body |
CESG’s
certification body of the UK IT Security Evaluation and Certification Scheme
is accredited by the UK Accreditation Service. |
b T-Scheme
| Name |
T-Scheme. |
| URL |
None. |
| Technology |
PKI. |
| Based on International Standards? |
Yes. |
| Status |
Ongoing
project with participation by business and government. |
| Application |
UK
companies and government agencies that self-certify under the scheme. |
| Mandatory? |
No. |
| Summary of Provisions |
The
T-Scheme is designed to be a scheme for CSPs in the UK (including, possibly,
the UK government) to issue certificates that have met certain
industry-defined standards for trustworthiness.
The status of such certificates under the EU Directive (i.e.,
whether they would be considered per se
to be "qualified certificates") is presently uncertain. |
| Relevant Supervisory Body |
Self-regulation. Government supervision may be established
for authentication procedures that do not participate in T-Scheme. |
4 EUROPE (non-EU)
i) CZECH REPUBLIC
| URL |
http://www.park.cz/commerce/ |
| Technology |
Neutral
formulation. |
| Based on International Standards? |
Unclear. |
| Status |
Enacted. |
| Application |
Czech
Republic (covers both private and public communications). |
| Mandatory? |
No. |
| Summary of Provisions |
Follows
EU Directive on electronic signatures.
Certification
authorities must be authorized by the Office for electronic signatures. |
| Relevant Supervisory Body |
Office
for electronic signatures (Ministry of transport and communications). |
ii) SLOVAKIA
| URL |
http://www.economy.gov.sk |
| Technology |
Neutral formulation. |
| Based on International Standards? |
Unclear. |
| Status |
Draft. |
| Application |
Slovakia. |
| Mandatory? |
No. |
| Summary of Provisions |
Certification
authorities must be accredited.
A certification
authority may operate only as a joint-stock company (with a capital of
10,000,000 Sk, Slovak koruna).
National
office for Electronic Signatures establishes Registrar Bodies that are
responsible for correctness of identity of applicants for certificates. |
| Relevant Supervisory Body |
Office for Electronic
Signatures. |
iii) SWITZERLAND
| URL |
http://www.bakom.ch/eng/subpage/?category_104.html |
| Technology |
PKI. |
| Based on International Standards? |
The
implementation of the provisions is to be based on international
standards. At the present and absent
international standards, accredited CSPs must ensure compliance with EN
45012. |
| Status |
Enacted,
ongoing action to implement the provisions of this Decree. |
| Application |
Switzerland. |
| Mandatory? |
No. |
| Summary of Provisions |
Voluntary
accreditation scheme.
Compliance
with the requirements is ensured by accredited certification bodies, which supervise the accredited
CSPs.
CSP
must be registered before starting activities. |
| Relevant Supervisory Body |
Swiss
Accreditation Service of the Federal Office of Metrology (http://www.sas.admin.ch),
which is responsible for authorizing accredited certification bodies. |
5 NORTH AMERICA
i) CANADA
a Uniform Electronic Commerce Act (UECA)
b Personal
Information Protection and Electronic Documents Act
| URL |
http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills /government/C-6/C-6_4/90052b-3E.html#17 |
| Project |
Federal legislation. |
| Technology |
Neutral. |
| Status |
Came into force May 1 2000. |
| Application |
Canada. |
| Mandatory? |
Yes. |
| Summary of Provisions |
Part 2 of the Act provides for legal effect of
electronic signatures, but does not prescribe the use of any specific
technology or procedure; introduces the concept of "secure electronic
signature" to be defined through regulations. |
| Relevant Supervisory Body |
Canadian government. |
c Ontario Electronic Commerce Act (ECA)
| URL |
http://www.ontla.on.ca/Documents/documentsindex.htm
(see
Bill # 88) |
| Project |
Provincial
law. |
| Technology |
Neutral. |
| Status |
Received
Royal Assent October 16 2000. |
| Application |
Ontario. |
| Mandatory? |
Yes. |
| Summary of Provisions |
Follows
the specifications set out in the UNCITRAL Model Law on Electronic Commerce
(and the Canada Uniform Electronic Commerce Act).
Provides
legal effect to electronic signatures. |
| Relevant Supervisory Body |
Ministry
of the Attorney General. |
d Saskatchewan
Electronic Information and Documents Act
| URL |
http://www.legassembly.sk.ca/bills/html/bill038.htm |
| Project |
Provincial
law. |
| Technology |
Neutral. |
| Status |
Received
Royal Assent June 21 2000. |
| Application |
Saskatchewan. |
| Mandatory? |
Yes. |
| Summary of Provisions |
Very
similar to the Uniform Electronic Commerce Act. |
| Relevant Supervisory Body |
Ministry
of the Attorney General. |
ii) UNITED STATES
a Electronic Signatures in Global and National
Commerce (E-SIGN) Act
| URL |
http://thomas.loc.gov/cgi-bin/query/D?c106:6:./temp/~c106Nii0hw:: |
| Project |
National
law. |
| Technology |
Neutral. |
| Status |
Signed
into law on June 30, 2000. |
| Application |
United
States |
| Mandatory? |
Yes. |
| Summary of Provisions |
Provides
for legal effect of electronic signatures but does not prescribe the use of
any specific technology or procedure. |
| Relevant Supervisory Body |
None. |
b Uniform Electronic Transactions Act (UETA)
| URL |
http://www.nccusl.org/uniformact_summaries/uniformacts-s-ueta.htm |
| Project |
Model
state law. |
| Technology |
Neutral. |
| Status |
Adopted
in twenty-two (?) states. |
| Application |
United
States (where adopted). |
| Mandatory? |
Yes
(where adopted). |
| Summary of Provisions |
Provides
for legal effect of electronic signatures but does not prescribe the use of
any specific technology or procedure. |
| Relevant Supervisory Body |
To
be determined by each adopting state. |
c RSA Data
Security, Inc.
| URL |
http://www.rsasecurity.com |
| Project |
The
Public Key Cryptography Standards (PKCS) |
| Technology |
Various
formal and de facto standards,
including ANSI X9 documents, PKIX, SET, S/MIME, and SSL. |
| Based on International Standards? |
No. |
| Status |
RSA
is not a standards-setting body, but a US-based supplier of software
components for data security. However
the PKCS, which are produced by the company’s research and development
division, RSA Laboratories, have become widely referenced and implemented by
national standards organizations. |
| Application |
United
States. |
| Mandatory? |
No,
though the PKCS have been integrated into a number of formal standards. |
| Summary of Objectives |
Develop
technical solutions for the secure transfer of electronic data. |
| Relevant Supervisory Body |
RSA
Laboratories. |
d National Institute of Standards and Technology
(NIST)
| URL |
http://www.nist.gov |
| Project |
Development
and application of technology, measurements, and standards for the protection
of government information. |
| Technology |
DSA (FIPS 186);
ANSI X9.31 (RSA);
ANSI X9.62 (ECDSA). |
| Based on International Standards? |
No. |
| Status |
Ongoing. |
| Application |
U.S. Government. |
| Mandatory? |
No. |
| Summary of Accomplishments |
Developed
the Digital Signature Standard (DSS). |
| Relevant Supervisory Body |
Federal
Public Key Infrastructure (FPKI) Steering Committee and the PKI Technical
Working Group (PKI-TWG). |
e Federal Public Key Infrastructure (FPKI) Steering Committee

| Field | Detail |
|---|---|
| URL | http://www.gits-sec.treas.gov/index.shtml |
| Project | Various initiatives to identify and resolve federal PKI technical and business issues, and to find solutions to policy and interoperability issues. The current project is the creation of the Federal Bridge Certification Authority (FBCA), to allow interoperation among federal agencies (and ultimately external organizations) that operate their own PKIs. |
| Technology | Neutral. |
| Based on International Standards? | No. |
| Status | Projects are ongoing; the FBCA is expected to be operational by the end of 2000. |
| Application | United States. |
| Mandatory? | No. |
| Summary of Objectives | The FBCA would act as a trusted third party that cross-certifies individual government CAs, so that a user from any participating agency who is presented with a certificate can build a certification path to it, and trust it, regardless of which agency CA issued it. Each agency CA then needs only a cross-certificate pair with the bridge rather than a separate cross-certificate with every other agency CA. |
| Relevant Supervisory Body | The Government Information Technology Services (GITS) Board Champion for Security. |
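The bridge-CA arrangement described in the Summary of Objectives above, as an added example that is not FBCA code and is not part of the original report: a minimal Python model of certification path discovery through a bridge. Certificates are reduced to (issuer, subject, serial) records with no real signatures, the CA names (FBCA, AgencyA-CA and so on) and the end-entity certificate are constructed for the example, and a set of revoked serial numbers stands in for a CRL. It shows why a single bridge lets each agency CA keep one cross-certificate pair instead of one with every other CA, and that revoking a cross-certificate cuts the path.

```python
"""Toy model of certification path discovery through a bridge CA.

Added example; not FBCA code. CA names are hypothetical, certificates carry
no real signatures, and a set of revoked serial numbers stands in for a CRL.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    issuer: str   # name of the CA that signed this certificate
    subject: str  # name certified (a CA, or an end entity)
    serial: int


def build_bridged_pki(bridge: str, agencies: Iterable[str]) -> List[Cert]:
    """Each agency CA is self-signed and holds a cross-certificate pair with
    the bridge: the bridge certifies the agency CA and the agency CA certifies
    the bridge. No agency CA is cross-certified with any other agency directly."""
    certs: List[Cert] = []
    serial = 1
    for ca in agencies:
        certs.append(Cert(ca, ca, serial)); serial += 1       # self-signed agency root
        certs.append(Cert(bridge, ca, serial)); serial += 1   # bridge -> agency CA
        certs.append(Cert(ca, bridge, serial)); serial += 1   # agency CA -> bridge
    return certs


def cross_certs_needed(n_cas: int, bridged: bool) -> int:
    """Cross-certificates required for full interoperation among n CAs:
    one pair per CA with the bridge, versus one pair between every two CAs."""
    return 2 * n_cas if bridged else n_cas * (n_cas - 1)


def find_path(certs: Iterable[Cert], trust_anchor: str, target: Cert,
              revoked: Set[int] = frozenset()) -> Optional[List[Cert]]:
    """Breadth-first search from the relying party's trust anchor along
    issuer -> subject edges until the issuer of `target` is reached.
    Returns the certificates on the path, ending with `target`, or None.
    Self-signed certificates are not edges; revoked certificates are skipped,
    which is what a CRL/OCSP check on each path element would do."""
    issued_by: Dict[str, List[Cert]] = {}
    for c in certs:
        if c.issuer == c.subject or c.serial in revoked:
            continue
        issued_by.setdefault(c.issuer, []).append(c)
    if target.serial in revoked:
        return None
    queue = deque([(trust_anchor, [])])
    seen = {trust_anchor}
    while queue:
        name, path = queue.popleft()
        if name == target.issuer:
            return path + [target]
        for c in issued_by.get(name, []):
            if c.subject not in seen:
                seen.add(c.subject)
                queue.append((c.subject, path + [c]))
    return None


if __name__ == "__main__":
    pki = build_bridged_pki("FBCA", ["AgencyA-CA", "AgencyB-CA", "AgencyC-CA"])
    # constructed end-entity certificate issued by AgencyB-CA
    alice = Cert("AgencyB-CA", "alice@agencyb.example", 1000)
    path = find_path(pki, "AgencyA-CA", alice)
    print(" -> ".join(c.subject for c in path))
    print("20 CAs need", cross_certs_needed(20, True), "cross-certs with a bridge,",
          cross_certs_needed(20, False), "without one")
```

A relying party in Agency A validates Alice's certificate by chaining AgencyA-CA -> FBCA -> AgencyB-CA -> Alice; removing the bridge's certificates, or revoking just the FBCA-to-AgencyB cross-certificate, leaves no path, which is the control point a bridge operator holds over cross-agency trust.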
f National Automated Clearinghouse Association (NACHA)

| Field | Detail |
|---|---|
| URL | http://www.nacha.org |
| Project | Guidelines for Constructing Policies Governing the Use of Identity-Based Public Key Certificates. |
| Technology | Neutral. |
| Based on International Standards? | No. |
| Status | Published in 1999, along with the results of the NACHA study on Certification Authority Interoperability. |
| Application | United States. |
| Mandatory? | No. |
| Summary of Provisions | Promotes and facilitates the standardization of policies and procedures related to electronic payments. NACHA's PKI work is specifically designed to encourage uniformity in states' e-commerce policies and practices, and to advance the security of interstate electronic transactions. |
| Project Development Body | The Internet Council's Certification Authority Rating and Trust Task Force (CARAT). |
g American Bar Association (ABA)

| Field | Detail |
|---|---|
| URL | http://www.abanet.org/scitech/ec/isc/dsgfree.html |
| Project | Digital Signature Guidelines. |
| Technology | The guidelines are specific to digital signatures, certificates and PKIs. |
| Based on International Standards? | No. The Guidelines have influenced standards outside the U.S. to varying degrees. |
| Status | Issued in August 1996. |
| Application | Proposed for the United States. |
| Mandatory? | No. |
| Summary of Provisions | The Guidelines provide a detailed examination of the legal principles applicable to the use of digital certificates and PKIs. |
| Relevant Supervisory Body | The Information Security Committee of the ABA's Section of Science & Technology, Electronic Commerce Division. |
h American Bar Association (ABA)

| Field | Detail |
|---|---|
| URL | http://www.abanet.org/scitech/ec/isc/home.html |
| Project | PKI Assessment Guidelines (PAG). |
| Technology | Digital signatures, certificates and PKIs. |
| Based on International Standards? | Yes, including BS 7799, X.509, PKIX RFC 2527 and other standards. |
| Status | Draft. |
| Application | Anticipated to be in the U.S. and of considerable influence globally. |
| Mandatory? | No. |
| Summary of Provisions | Section A (Introduction) introduces the PAG. Section B (PKI Overview) gives a broad overview of PKI and PKI assessment, a list of important PKI-related terms, and references to significant related documents (a more detailed tutorial on PKI technology is included in a PAG appendix). Section C (Legal Preface) presents important legal issues and principles that generally affect PKI. Section D (PAG Provisions) contains the PAG's substantive assessment provisions, generally following the format of RFC 2527. |
| Relevant Supervisory Body | The Information Security Committee of the ABA's Section of Science & Technology, Electronic Commerce Division. |
6 SOUTH AMERICA
i) ARGENTINA

| Field | Detail |
|---|---|
| URL | www.cnv.gov.ar |
| Technology | PKI. |
| Based on International Standards? | Not yet defined, although the Secretaria de la Funcion Publica publishes draft standards. |
| Status | Draft. |
| Application | Argentina (it does not cover relationships involving the government). |
| Mandatory? | No. |
| Summary of Provisions | Accreditation is voluntary. Provides for legal effect of electronic signatures. |
| Relevant Supervisory Body | Secretaria de la Funcion Publica (Jefatura de Gabinete de Ministros). |
ii) COLOMBIA

| Field | Detail |
|---|---|
| URL | http://natlaw.com/ecommerce/materials.htm |
| Technology | PKI. |
| Based on International Standards? | Not addressed (awaiting implementing regulations). |
| Status | Enacted. |
| Application | General. |
| Mandatory? | No. |
| Summary of Provisions | Follows the proposed UNCITRAL Model Law. Provides for legal effect of electronic signatures. CAs must be licensed. |
| Relevant Supervisory Body | Colombian Superintendent of Industry and Trade. |
iii) CHILE

| Field | Detail |
|---|---|
| URL | http://www.modernizacion.cl/ |
| Technology | Technology neutral but PKI-based. |
| Based on International Standards? | Yes. Projects are ongoing to define market standards for communications with the government. |
| Status | Draft. |
| Application | Private communications. There is an additional law on the use of digital signatures for electronic communications carried out by government. |
| Mandatory? | No. |
| Summary of Provisions | Provides for legal effect of electronic documents and signatures. |
| Relevant Supervisory Body | Unidad de Tecnologías de la Información y Comunicaciones. |
iv) ECUADOR

| Field | Detail |
|---|---|
| URL | http://natlaw.com/ecommerce/materials.htm |
| Technology | Technology neutral but PKI-based. |
| Based on International Standards? | Unclear. |
| Status | Draft. |
| Application | Ecuador. |
| Mandatory? | Yes. |
| Summary of Provisions | Mandatory licensing scheme. Provides for legal effect of electronic signatures. |
| Relevant Supervisory Body | Ecuadorian Superintendent of Telecommunications. |
v) PERU

| Field | Detail |
|---|---|
| URL | http://www.corpece.net/servicios/proyectos |
| Technology | Technology neutral but PKI-based. |
| Based on International Standards? | Yes, although specific standards still need to be defined. |
| Status | Enacted. |
| Application | Peru. |
| Mandatory? | No. |
| Summary of Provisions | CSPs must be registered before starting activities. Unclear whether accreditation is voluntary or mandatory. Provides for legal effect of electronic signatures. |
| Relevant Supervisory Body | To be defined. |
7 ASIA
i) AUSTRALIA

| Field | Detail |
|---|---|
| URL | http://www.law.gov.au/ecommerce |
| Technology | Neutral formulation. |
| Based on International Standards? | Standards Australia (http://www.standards.com.au) Committee IT/12/4/1 is responsible for the development of PKAF-related standards; Australian Standard 4539 deals with the Public Key Authentication Framework (PKAF). There are existing standards for the protection of PINs in financial transactions. Where possible the laws are based on ISO or IETF standards. A private sector body, the Certification Forum of Australia, is developing a voluntary standards-based accreditation process; limited details on the Forum can be found at http://www.aeema.asn.au. There is also a National Electronic Authentication Council, which is looking at policy and standards requirements; information is at http://www.noie.gov.au/projects/consult/NEAC/index.htm. |
| Status | Enacted. The States and Territories have agreed to mirror the federal legislation, and the two largest states, New South Wales and Victoria, have already passed their versions. |
| Application | Australia. |
| Mandatory? | No. |
| Summary of Provisions | Accreditation is not mandatory. The Australian Government has an accreditation scheme, called Gatekeeper, for CAs issuing certificates for dealings with the Federal Government; the States and Territories are considering adopting the scheme as well. Information on the scheme is available at http://www.ogo.gov.au/projects/publickey/Gatekeeper.htm. |
| Relevant Supervisory Body | Various (see above). |
ii) HONG KONG

| Field | Detail |
|---|---|
| URL | http://www.info.gov.hk/itbb/english/it/eto.htm |
| Technology | PKI. |
| Based on International Standards? | Presumably yes, although technical specifications have not been adopted yet. |
| Status | Enacted, although some parts have not yet entered into force. |
| Application | Hong Kong (it applies to both private and Government communications). |
| Mandatory? | No. |
| Summary of Provisions | Voluntary accreditation scheme. Equates electronic documents and signatures to paper documents with handwritten signatures, with exceptions for certain documents (such as wills, trusts, powers of attorney, documents required to be stamped, documents concerning land, oaths, statutory declarations, judgements, court warrants and negotiable instruments). The legal effects of electronic signatures are provided only if the signature is supported by a recognized certificate issued by a recognized certification authority. Sets security criteria for the management, systems and operations of CSPs in the areas of identification and authentication of registration, suspension and revocation requests; generation, issuance, suspension and revocation of certificates; and publication and archiving of certificates and of their suspension or revocation information. Licensed CSPs enjoy the benefits of trustworthiness, consumer confidence and an evidentiary presumption for digital signatures. |
| Relevant Supervisory Body | Hong Kong Government. |
iii) JAPAN

| Field | Detail |
|---|---|
| URL | http://www.mpt.go.jp/eng/ |
| Technology | Neutral formulation. |
| Based on International Standards? | Ostensibly. |
| Status | The general law has been adopted and is to enter into force in April 2001. Implementing regulations on technical requirements are awaited. |
| Application | It does not apply to the government (another initiative is underway); a governmental PKI system, or electronic government project, will take effect by 2003. |
| Mandatory? | No. |
| Summary of Provisions | Voluntary accreditation scheme, which requires accredited CSPs to issue certificates only for keys of more than a specified number of bits and to use specified facilities and equipment. Provides for legal effect of electronic signatures (presumption of the authenticity of an electronic document if a specific person has applied an electronic signature to it). |
| Relevant Supervisory Body | Ministry of International Trade and Industry and Ministry of Posts and Telecommunications. |
iv) SINGAPORE

| Field | Detail |
|---|---|
| URL | http://www.cca.gov.sg/ |
| Technology | PKI. |
| Based on International Standards? | Ostensibly. |
| Status | Regulations are in effect; no licensed CAs as of December 3, 1999. |
| Application | Singapore. |
| Mandatory? | No. |
| Summary of Provisions | Security criteria for the management, systems and operations of CSPs in the areas of identification and authentication of registration, suspension and revocation requests; generation, issuance, suspension and revocation of certificates; and publication and archival of certificates and of their suspension or revocation information. Licensed CSPs enjoy the benefits of trustworthiness, consumer confidence and an evidentiary presumption for digital signatures. |
| Relevant Supervisory Body | Singapore CCA (Controller of Certification Authorities) and National Computer Board. |
[1] For a more detailed description, see the ILPF's "Survey of International Electronic and Digital Signature Initiatives," available at http://www.ilpf.org/groups/survey.htm.
[2] http://www.ilpf.org/events/intlprin.htm.
[3] For a detailed analysis of organization- and/or country-specific initiatives, see Part III of this paper.
[4] Version of 16 August 2000, UN Document A/CN.9/WG.IV/WP.86/Add.1, http://www.uncitral.org/en-index.htm.