What is an electronic signature?
An electronic signature is the general term for different techniques that can be used to "sign" digital information in the same manner as a handwritten signature is used to sign a paper document. These techniques can, for example, be based on biometric characteristics such as reading of the iris/eye or finger prints, the reading of an electronic pen or digital signatures based on electronic keys and certificates.
The technical realisation of electronic signatures that are called digital signatures is the most common at the present time. When formulating digital signatures, encryption is used that is based on advanced mathematical functions.
Section 6 of the Electronic Signatures Act establishes the legal consequences of electronic signatures. It also states that if the law permits a transaction to be carried out electronically, the requirement for a signature will always be satisfied in the form of a qualified electronic signature. Therefore, under certain conditions, the provision equalises the legal effects of a qualified electronic signature with a handwritten signature. Other electronic signatures can also be deemed to satisfy such signature requirements, however there must be a specific assessment in each instance, cf. the principle in Norwegian law pertaining to the free presentation of evidence and free assessment of evidence.
What are qualified electronic signatures and advanced electronic signatures?
Various definitions of electronic signatures can be found in Section 3 of the Electronic Signatures Act. Among other things, this includes the general definition of electronic signatures being: "data in electronic form that are attached to other electronic data and are used as a method of authentication". Therefore, the definition links electronic data to a physical person which together can create an electronic signature.
Section 3 of the Electronic Signatures Act defines an advanced electronic signature as an electronic signature that is exclusively associated with the signatory, can identify the signatory, is created with the assistance of methods that only the signatory has control over and is associated with other electronic data in such a manner that it can be verified whether this has been changed after signing.
Section 3 of the Electronic Signatures Act defines a qualified electronic signature as an advanced electronic signature based on a qualified certificate and created by an approved secure signature creation device.
The signature that is used in Norway as of 2012 is the advanced electronic signature because there is not presently any need for qualified electronic signatures.
What is an electronic certificate?
In order to be able sign electronically, there must be a connection between a physical person and electronic data. A digital signature requires an electronic certificate that contains information about the signatory and the public key and in this way identifies it as the signatory. These types of certificates can also be used for authentication without the signature. The most important function of the certificate is to guarantee the connection between the private key and the signatory. The issuer of the certificate signs the certificate with its own private key.
There are several different types of certificates, however Nkom only monitors the issuing of qualified certificates and certificates issued under the self-declaration scheme. The Electronic Signatures Act sets requirements for the content of such qualified certificates and the Act sets strict requirements for the parties that issue these certificates. More detailed information about what a qualified certificate must contain can be found in Section 4 of the Electronic Signatures Act.
EU regulations and Norwegian laws and regulations set strict requirements for the issuers of qualified electronic certificates. The regulation is almost identical throughout all of the Europe enabling us to also use electronic signatures and qualified certificates in communication across national borders.
Why would anyone want to use electronic signatures?
The use of electronic signatures creates trust between known and unknown parties who need to know that the party they are communicating with is who it claims to be. An electronic signature can be used as confirmation of the identity of the party that sent the information, as an assurance that electronically transferred information has not been changed during the process and as an assurance that the sender will not be able to deny that it was he/she that sent it. Electronic signatures can, for example, be used to reach agreements, for electronic reporting and for electronic document handling. In addition, the signature can be used for payment over the Internet.
What is PKI and how is the electronic signature used?
The party that wishes to use this type of signature is assigned an electronic key pair that consists of a public and private key and a certificate in which the signatory's identity is linked to the public key. The public key can be distributed to the recipients of the signed messages in a similar manner to how telephone numbers are distributed. The private key is strictly personal, just like the code for a bank card. Therefore, there is only one person who can sign the message with the assistance of the secret private key, while there are many who can confirm the signature with the assistance of the public key. This system requires that infrastructure is established for distributing the public keys. This infrastructure is often referred to as Public Key Infrastructure (PKI).
When the holder of the key pair codes a message with his/her private key, the message will only be able to be decoded with the assistance of his/her public key. The message will be decoded such that the content is secured against changes during the process.
The public key can be sent to the recipient together with the signed message. The recipient uses the public key to confirm or verify that it is the holder of the private key who has sent the message. The recipient will also be able to see if even the slightest change has been made to the message after signing.
The Electronic Signatures Act sets requirements for the private key having to be under the control of the certificate holder. The issuers of certificates employ different methods for complying with this requirement. For example, the private key can be stored on a plastic card with a data chip (smart card). The standard technical solution for the use of smart cards is that, in order to gain access to the private key, one must insert the card in a card reader and punch in a personal code (in the same manner as when using bank cards at an ATM). Instead of a code it may be possible in the future to use finger prints or other biometric characteristics.