Secure e-invoicing

Electronic Signatures & Electronic Invoices

Anna Nordén
•   Swedish IT security product company
•   PKI-based product integrated in applications
•   Merges law and technology
•   Ensures security compliance
•   Current focus on electronic invoicing

• About me
    •   Worked with e-signatures since 1997
    •   UNCITRAL
    •   International Chamber of Commerce (ICC)
    •   TrustWeaver since its start in 2001
Presentation overview

A. Electronic Signatures
I     PKI and Digital Signatures
II    What is an Electronic Signature?
III   Legal Aspects of Electronic Signatures
IV    The EU e-Signature Directive

B. Electronic Invoices
I PKI and Digital Signatures
PKI Technology

• Public key cryptography
• Key pair, a private and a public key
• What the private key encrypts, only the public key can
  decrypt and vice versa - clever, no need to exchange
  one secret key! (A simplification that holds for RSA;
  signature schemes in general do not literally encrypt the digest)
• Encrypt a message digest using a private key = digital signature
• Encrypt a session key using a public key =
Digital signatures allow you to...

• know which private key signed a message (authentication)
• know that the message has not been altered since it was
  signed (integrity)

• Effect: the person who signed the message cannot later
  deny this (non-repudiation)
The Identification Issue

 • Excellent technology, but how do you know who
   the owner of the private key is? He says his name
   is Bill Gates...
Certification Authority (CA)

1. Verifies the identity of the key holder
2. Issues a digital identity (certificate) linked to the key pair
How do you know the value of a digital

[Slide figure: two identical certificate requests side by side, each reading “Patric Sporrong, Tekki AB, blond, blue eyes, passport nr 1234567-8910”]
PKI Players and Rules
Rules in the policy-based PKI

• Certificate Policy (CP) – what the CA should do
• Certification Practice Statement (CPS) – how the CA
  fulfills CP requirements
• Contract with certificate holder
• Notification of (or contracts with) relying parties
Who can be a CA?

• 1995 – Vision of the Global CA
• 2005 – Global CA vision is dead
• Reality – different CA structures depending on situation
   •   National CAs (Gov = CA)
   •   Public CAs (e.g. VeriSign = CA)
   •   Customer base (e.g. Bank, Insurance comp. = CA)
   •   Supplier network (e.g. Product Company = CA)
   •   Some are open, many are closed
Take aways

• Policy-based PKI is an infrastructure including
  technical, legal and policy components that can be used for
   •   Digital Signature, providing
       • integrity
       • authenticity
       • non-repudiation
   •   Encryption, providing
       • confidentiality
II What is an Electronic Signature?
The ”Signature” concept

• ”A mark to tie information to the person signing”
   •   Authenticity
   •   Integrity
   •   Non-repudiation
• Paper world – ink on paper (handwritten signature)
• Electronic world – digital signature (based on PKI)
• The term ”electronic signature” used for methods to
  replace the handwritten signature
The technical vs the legal concept

• Digital Signature (PKI) is a security technology;
  meant to ensure integrity and authenticity

• ”Signature” is a (legal) concept from the paper
  world; meant to have legal effect, equal to a
  handwritten signature
The technical e-signature concept

• Digital Signature (based on PKI technology)
• A security technology meant to ensure
   •   Authenticity (identity)
   •   Integrity (data unchanged)
   •   Non-repudiation (denial not possible)
• PKI also used for encryption
   •   Confidentiality (data kept private)
=> Technical definition
The legal e-signature notion

 •Technology-neutral term signifying all methods to
 legally sign (although definition varies between laws)
 •Aims to replace the handwritten signature in the paper
 world (”The signer signs a contract”)
 => Functional definition
Legal e-signature notion: comparison of e-signature definitions in laws

     Data in electronic form affixed to or associated
     with a data message +
 •   UNCITRAL MLEC: identify signatory + indicate
     his approval
 •   EU e-signature directive: method of authentication
 •   US ESIGN Act: intent to sign
 •   Russian e-sign act: identity + integrity
 •   Sweden: identity + integrity
So in practice, what constitutes a legal electronic signature?

• Click OK-box on a web page ?
• Name typed at the bottom of an email ?
• A voice message saying ”I hereby sign and agree to
  this contract” ?
• A digital signature ?

  Just because something is an electronic signature
  doesn’t mean it is good evidence!
Legal e-signature vs technical digital signature
Example of confusion

    EU VAT directive on electronic invoicing
    • Refers to signing with ”electronic signature”
    • By the definition used, this means a digital signature
    • NOT for legal effect, not to replace a
      handwritten signature in the paper world
    • Merely to ensure integrity and authenticity of the
      signed data
    • Good example of when a digital signature is
      used only for technical security purposes
Take aways

• Don’t forget to separate e-signatures used for legal
  acts, and e-signatures used only to achieve technical
  security (digital signatures)
• Digital signatures often most appropriate for legal acts –
  incorporates good evidence
• E-signatures very often used as a synonym for digital
  signatures (PKI)
• But e-signature definitions in laws vary
• E-signature ≠ proof
III Legal Aspects of Electronic Signatures
Legal certainty of an e-signature

• Possibility to enforce a signature (enforceability)
• or to recover damages (liability)
(”Is an Electronic Signature valid?”)

• Admissibility as evidence
   •   Not allowed to deny admission only because it is electronic
• Legal effect
   •   Non-discrimination
       •   Not allowed to deny legal effect only because electronic
       •   May still deny legal effect due to insufficient security
   •   Equivalence to handwritten signatures
       •   Possible in some jurisdictions
Don’t forget evidence!

 • Although most electronic signatures can be ”legally
   valid”, some are better than others as evidence
 • PKI ”incorporates enforceability”
 • Pay attention to policies and procedures
”Reasonable reliance”

• Before relying on a signature, the relying party needs to
  perform certain steps to verify the trustworthiness of the
  signature
• Relying party obligations
   •   Check certificate’s validity (not expired or revoked, CA-
       chain etc)
   •   Check usage restrictions and liability limitations
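The slides above describe the mechanism in words: a digest "encrypted" with the private key is the signature, the CA verifies the key holder and issues a certificate, and the relying party must check the certificate (validity period, revocation, CA chain, usage restrictions) before relying on the signature. The following script is an added example written for this page; it is not part of the presentation or of any TrustWeaver product. It puts the whole chain in one runnable file: textbook RSA signing and verification over a SHA-256 digest, a toy certificate bound to the deck's own example subject "Tekki AB", and the relying-party checks of the ”Reasonable reliance” slide applied to a constructed e-invoice. The CA name, dates, serial numbers, the invoice text and the fixed Mersenne primes are all assumptions made for the demo; the RSA is illustration only (no padding, public primes) and must never be used as-is.

```python
"""Toy policy-based PKI: sign an e-invoice digest and verify it as a relying party.

ILLUSTRATION ONLY: textbook RSA with fixed, public Mersenne primes and no padding.
Real deployments use X.509 certificates and PKCS#1 PSS (or ECDSA) from a vetted
library; the checks below mirror that process, not its cryptography.
"""
import hashlib
import json

# ---- key pairs and textbook RSA ----
def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); p and q must be primes with gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest_int(data: bytes) -> int:
    """SHA-256 message digest as an integer (must be < n for the toy RSA)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, priv) -> int:
    """'Encrypt a message digest using a private key' = digital signature."""
    n, d = priv
    return pow(digest_int(data), d, n)

def verify(data: bytes, sig: int, pub) -> bool:
    """Recover the digest with the public key; any change to data breaks it."""
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == digest_int(data)

# ---- certificates: the CA binds an identity to a public key ----
def tbs_bytes(cert: dict) -> bytes:
    """Canonical to-be-signed bytes: every field except the CA's signature."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(ca_priv, issuer, subject, pub, not_before, not_after, serial, usage):
    """The CA has verified `subject` out of band (step 1) and now issues (step 2)."""
    cert = {"serial": serial, "subject": subject, "issuer": issuer, "pub": list(pub),
            "not_before": not_before, "not_after": not_after, "usage": usage}
    cert["sig"] = sign(tbs_bytes(cert), ca_priv)
    return cert

# ---- relying-party obligations ----
def verify_signed_document(doc, sig, cert, trust_store, crl, at, usage="digitalSignature"):
    """Return the reasons NOT to rely; an empty list means reliance is reasonable.

    `at` is the ISO date at which the signature is claimed to have been made; an
    auditor re-checking years later must evaluate validity at signing time, which
    in practice needs a trusted timestamp (not modelled here).
    """
    problems = []
    ca_cert = trust_store.get(cert["issuer"])
    if ca_cert is None:                                      # CA chain
        problems.append("issuer not in trust store")
    elif not verify(tbs_bytes(cert), cert["sig"], tuple(ca_cert["pub"])):
        problems.append("certificate signature invalid")
    if not (cert["not_before"] <= at <= cert["not_after"]):  # expiry
        problems.append("certificate not valid on " + at)
    if (cert["issuer"], cert["serial"]) in crl:              # revocation
        problems.append("certificate revoked")
    if usage not in cert["usage"]:                           # usage restrictions
        problems.append("certificate not permitted for " + usage)
    if not verify(doc, sig, tuple(cert["pub"])):             # integrity + authenticity
        problems.append("document signature invalid (altered or wrong key)")
    return problems

# ---- demo: supplier signs an invoice; buyer or tax auditor verifies it ----
# 2^607-1, 2^89-1, 2^521-1 and 2^127-1 are Mersenne primes; each product exceeds
# 2^256 so a SHA-256 digest fits. Fixed public primes make the keys worthless.
CA_PUB, CA_PRIV = make_keypair(2**607 - 1, 2**89 - 1)
SUP_PUB, SUP_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
CA_CERT = issue_cert(CA_PRIV, "Demo CA", "Demo CA", CA_PUB,
                     "2005-01-01", "2025-12-31", 1, ["keyCertSign"])
SUP_CERT = issue_cert(CA_PRIV, "Demo CA", "Tekki AB", SUP_PUB,
                      "2006-01-01", "2008-12-31", 4711, ["digitalSignature"])
TRUST_STORE = {"Demo CA": CA_CERT}
# Constructed sample invoice, not real data.
INVOICE = b"Invoice 2006-117\nSupplier: Tekki AB\nNet: 10000.00 SEK\nVAT 25%: 2500.00 SEK\n"
INVOICE_SIG = sign(INVOICE, SUP_PRIV)

def demo():
    """Run the relying-party checks in four situations; returns {case: problems}."""
    def run(doc, crl, at):
        return verify_signed_document(doc, INVOICE_SIG, SUP_CERT, TRUST_STORE, crl, at)
    return {
        "valid": run(INVOICE, set(), "2006-06-01"),
        "altered": run(INVOICE.replace(b"2500.00", b"250.00"), set(), "2006-06-01"),
        "revoked": run(INVOICE, {("Demo CA", 4711)}, "2006-06-01"),
        "expired": run(INVOICE, set(), "2010-01-01"),
    }

if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case:8s}: {problems or 'OK, reasonable reliance'}")
```

Note the division of labour the script makes visible: `verify` alone only tells you which private key signed the invoice; it is the certificate checks around it that turn "some key" into "Tekki AB, as vouched for by a CA you trust", and a revoked or expired certificate defeats reliance even though the signature itself still verifies. The same archived invoice, signature and certificate can be re-checked by a tax auditor years later with nothing but the CA's public key and revocation data, which is the "inherent auditability" the e-invoicing slides contrast with transport-level security.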
CA Liability

• CA liability for faulty services
   •   Registration of key holder, issuing of certificate,
       publishing of revocation information etc.
• Sometimes explicit legislation, otherwise general tort law
• Rule of thumb: if the CA has been negligent it will be held liable
• Basis for judging negligence is the CA’s communicated
  policies and practices
• Limitation of liability – requires adequate notice
IV EU E-Signature Directive
The directive

• Aims to facilitate use of e-signatures and contribute to
  their legal recognition + open the EU market for e-sigs
  and certification services
• Includes rules on
   •   Legal effect
   •   Liability
   •   Voluntary accreditation
   •   Supervision of CAs
Electronic Signature

• Data in electronic form
• Attached to or logically associated with other electronic data
• Serve as a method of authentication
= PKI, PIN, password, ...
Advanced Electronic Signature

•   Uniquely linked to the signatory
•   Capable of identifying the signatory
•   Created with means under signatory’s sole control
•   Any subsequent change of the data is detectable
•   = policy-based PKI
Qualified Electronic Signature

•   Advanced electronic signatures
•   Based on a “qualified certificate”
•   Created by a “secure signature creation device” (SSCD)
•   = PKI based on EU standards + hardware
Legal effect

• QES satisfy legal requirements in relation to electronic
  documents like a handwritten signature in relation to
  paper documents
   •   Sufficient but NOT necessary!
• Non-discrimination of e-signatures in general
   •   Not denied legal effect
   •   Not denied admissibility as evidence in court
Current status and problems of Directive

•   Interoperability
•   Cross-border recognition
•   Automated signing
•   Solutions?
    •   More standards (ETSI)
    •   EU validation body
Electronic invoicing in EU
Invoicing Directive 2001/115/EC (2006/112/EC)

• Electronic invoicing
   •   Since 2004 all Member States must accept e-invoices
   •   Prerequisites:
       •   Customer accepts invoice in electronic format
       •   Ensure integrity and authenticity in transport and storage
• Storage, outsourcing & self-billing
• Transposed to Member State law
   •   Variations: options in Directive, but also impact of pre-
       existing laws
   •   Compliance: not with the Directive itself but with the local
       requirements applied by tax authorities
Authenticity and integrity guarantee

  • In transmission and storage, by means of
      • ALT 1: Electronic Signatures
      • ALT 2: ”EDI” (legally defined) with contractual security
  • Exception
      • ALT 3: Countries allowed to accept ”other means” – no
        cross-border acceptance guarantee

The risks of non-compliance
• Loss of buyer’s right to reclaim input VAT (also retroactively)
• In some countries: fines
• Slow and costly audit processes
The VAT mechanism and risks

[Slide diagram: the supplier sends the buyer an invoice for contract price + VAT (10-25%); the buyer pays contract price + VAT; the supplier remits the collected VAT to the tax authorities; the buyer deducts the VAT paid to the supplier from its own VAT. An audit up to 11 years later can result in a claim for VAT collected on payments plus fines.]
EU Invoicing Directive

Objective: uniform e-invoicing requirements

2001/115 – “Invoicing Directive”:
• Integrity and authenticity guarantees through e-signatures or “EDI”
• Storage of invoices in any European country
• Content of invoices
• Outsourcing of invoice issuance to third party
• Self-billing
EU Invoicing Directive

Result: 27 different country laws differing on many accounts
EU: a multi-layered fragmented legal landscape

• Country implementations of the Invoicing Directive 2001
• Country implementations of the E-signature Directive 1999
• Country implementations of the EDI Recommendation 1994
EDI option
  • Contractual security processes required
     • With transport-level security (e.g. SSL) alone, additional
       procedures, logs and audit trails are needed
     • Save proof of the integrity and authenticity guarantee for
       ten years
  • Summary statements often required
     • in paper form
     • country-specific requirements
  • Differing requirements (e.g. FR, BE, ES)
  • EDI must be “automated, machine-to-machine, unambiguous”:
    “web-EDI”, manual self-billing and downloading from the
    seller’s server are not viewed as EDI
  • Not accepted as secure in e.g. CH
Point-to-point security (e.g. SSL, AS2)

  • (Arguably) de facto authenticity and integrity between points
  • No inherent auditability: requires system and process (audit
    trail) documentation, including a change management system,
    to prove safeguards were applied across multiple generations
    of technology, staff and processes.

Signatures: the audit advantage

  • Verifiable by tax authorities anytime, anywhere
  • De facto authenticity and integrity
  • Inherent auditability
e-Signature requirements
“High” and “low” security countries is a simplification; a high diversity of
approaches is more accurate. Requirements differ from country to country on:

  • CA country of establishment and data centre security
  • Hardware and software components
  • Accreditation / certification / supervision / audit
  • Subject identification procedures
  • Tax-specific identification (VAT nr) in the certificate
  • Law enforcement disclosure
  • Permitted applications and purposes
  • Relying party obligations
  • Backup procedures
  • Signing automation & batch signing
  • Supplier/buyer processes




Anna Nordén
+ 46 (0)8 410 057 93
