Electronic Document & Electronic Document &

Signatures

Joint International Doctoral degree in

Law, Science and Technology

http://www.last-jd.eu

Michele Martoni

Contract Professor at the University of Bologna

Ph.D. in IT Law | Lawyer

December 10, 2012, Bologna

0. Roadmap

1) Electronic Identification

2) Identity theft and Data Value (Social 2) Identity theft and Data Value (Social Engineering, OSINT, Phishing, Uncorrected

sharing of personal data - email, social network, cloud computing services, etc.)

3) Technical Introduction

4) Document and Signing

slide 2

4) Document and Signing

5-6) Regulatory Framework (UE and Italian)

1. Electronic Identification

• Is there a way for remote certification of our identity ? Yes !identity ? Yes !

• Is there a way to certify the integrity of an

electronic document ? Yes !

• We have technologies. We have norms. But we need to be aware of the correct use !

• the risk is to use and to share our

slide 3

• the risk is to use and to share our

informations in a way that allow the “abuse”

of these by third person

2. Identity theft & Identity fraud

• Identity theft is a form of stealing someone's identity in which someone pretends to be someone else by assuming someone's identity in which someone pretends to be someone else by assuming that person's identity.

• Identity theft is not always detectable by the individual victims, according to a report done for the FTC. Identity fraud is often but not necessarily the consequence of identity theft.

slide 4

theft.

(1) http://en.wikipedia.org/wiki/Identity_theft(2) Federal Trade Commission, 2006, Identity Theft Survey Report

2.1. Social Engineering

• Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential understood to mean the art of manipulating people into performing actions or divulging confidential information (also personal).

• All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called bugs in the human hardware, are exploited in various combinations to create attack techniques.

slide 5

various combinations to create attack techniques.

(1) http://en.wikipedia.org/wiki/Social_engineering_(security)

2.2. Phishing

• Phishing is a technique of fraudulently obtaining private information.private information.

• Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided.

• The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company

slide 6

web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card’s PIN code.

2.3. Personal data sharing

Ex. Facebook’s Statement of Rights and Responsabilities

Art. 2. Sharing Your Content and InformationArt. 2. Sharing Your Content and Information

You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application setting. In addition:

For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when

slide 7

connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.

(1) http://www.facebook.com/legal/terms

3. Technical Introduction

• The correct classification of the

electronic signatures institute requires electronic signatures institute requires to start its examination from the

essence of this technology.

• Electronic signatures could be

complex and modern applications of

slide 8

complex and modern applications of cryptography

3. Technical Introduction

• We can distinguish:– Cryptography– Cryptography

– Cryptanalysis

• The run between cryptography and cryptanalysis has led to the development of increasingly sophisticated techniques.

• We can distinguish:

slide 9

• We can distinguish:– Steganography

– Cryptography

3.1. Steganography

• physical occultation of the message• physical occultation of the message

• the message is physically “invisible”

• high risk of prejudice in case of interception

slide 10

3.2. Cryptography

• semantic occultation of the content of • semantic occultation of the content of the message

• the message is “visible” but not

“understandable”

• key management become a priority

slide 11

• key management become a priority

3.3. Symmetric cryptography

• The symmetric cryptography, also known as private key encryption or known as private key encryption or secret key, is that particular

cryptographic technique that involves

the use of a single key for the encryption operation and for the

slide 12

encryption operation and for the

deciphering

3.3. Symmetric cryptography

• Ex. Transpositional method

slide 13

3.3.1. Key Exchange

slide 14

Diffie, Hellman, Merkle (Stanford, 1976)

3.4. RSA Algorithm

slide 15

Shamir, Rivest, Adleman (Boston, MIT, 1977)

3.4.1. Asymmetric cryptography

• The asymmetric encryption (public-key cryptography) instead contemplates cryptography) instead contemplates the use of a pair of keys, a public key

and a private key. The principle of this

technique requires that what is encrypted with one key can only be

slide 16

encrypted with one key can only be

decrypted with the other key of the pair

3.4.2. Cryptographic keys

• One key (Kpriv) to encrypt

• One other key (Kpub) to decrypt• One other key (Kpub) to decrypt

• Two different key but interconnected

• Private key (Kpriv) known only by holder

slide 17

holder

• Public key (Kpub) known by everyone

3.4.3. Chypertext

( K Bob)Alice Bob

(KPUBAlice) ( KPUBBob)

(KPRIVAlice) ( KPRIVBob)

( KPUBBob)

slide 18

• Secrecy of content yes

• Authentication no

3.4.4. Signed text

( KPRIVAlice)

Dear Bob,

I love you …

Alice Bob

(KPUBAlice) ( KPUBBob)

(KPRIVAlice) ( KPRIVBob)

( KPRIVAlice)

slide 19

Alice

(KPRIVAlice) ( KPRIVBob)

• Secrecy of content no

• Authentication yes

3.4.5. Signed Cyphertext

( KPRIVAlice)

Dear Bob,

I love you …

( KPRIVAlice)

( KPUBBob)

Alice Bob(KPUBAlice) ( KPUBBob)

(KPRIVAlice) ( KPRIVBob)

slide 20

Alice

• Secrecy of content yes

• Authentication yes

3.4.6. Hash Function

• The problem of encryption by public

key infrastructure is the time necessary key infrastructure is the time necessary for mathematic operations of

encryptions

• Hash Function is an algorithm that turns

a variable-sized amount of text into a

slide 21

a variable-sized amount of text into a fixed-sized output (hash value or

digest).

4. Document and Signing

• Original concept of document• Original concept of document

• Original concept of signing

slide 22

(1) Martoni M., in Cyber Law, Suppl. 17 (december 2008), Italy, p. 138,

Kluwer Law International

slide 23

5. U.E. Regulatory Framework

• Directive 1999/93/EC of the European Parliament and of the Council of 13 Parliament and of the Council of 13 December 1999 on a Community

framework for electronic signatures

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML

slide 24

5.1. Directive Scope

• to facilitate the use of electronic

signaturessignatures

• to contribute to their legal recognition

• to ensure the proper functioning of the

internal market

• It does not cover aspects related to

slide 25

• It does not cover aspects related to the conclusion and validity of

contracts or other legal obligations

5.2. Definitions|Electronic Signatures

• data in electronic form which are

attached to or logically associated attached to or logically associated with other electronic data and which

serve as a method of authentication

slide 26

5.2. Definitions|Advanced E.S.

• an electronic signature which meets the

following requirements:following requirements:

– (a) it is uniquely linked to the signatory;

– (b) it is capable of identifying the signatory;

– (c) it is created using means that the signatory

can maintain under his sole control; and

– (d) it is linked to the data to which it relates in

slide 27

– (d) it is linked to the data to which it relates in

such a manner that any subsequent change of

the data is detectable

5.2. Definitions|Signatory

• a person who holds a signature-

creation device and acts either on his creation device and acts either on his own behalf or on behalf of the natural

or legal person or entity he represents

slide 28

5.2. Definitions|Sign.-creation data

• unique data, such as codes or private

cryptographic keys, which are used by cryptographic keys, which are used by the signatory to create an electronic

signature

slide 29

5.2. Definitions|Sign.-creation device

• means configured software or

hardware used to implement the hardware used to implement the signature-creation data

slide 30

5.2. Definitions|Secure ... device

• a signature-creation device which

meets the requirements laid down in meets the requirements laid down in Annex III

slide 31

5.2. Definitions|Secure ... device

Annex III1. Secure signature-creation devices must, by appropriate

technical and procedural means, ensure at the least that:(a) the signature-creation-data used for signature generation(a) the signature-creation-data used for signature generation

can practically occur only once, and that their secrecy isreasonably assured;

(b) the signature-creation-data used for signature generationcannot, with reasonable assurance, be derived and thesignature is protected against forgery using currently availabletechnology;

(c) the signature-creation-data used for signature generationcan be reliably protected by the legitimate signatory againstthe use of others.

slide 32

the use of others.2. Secure signature-creation devices must not alter the data to

be signed or prevent such data from being presented to thesignatory prior to the signature process.

5.2. Definitions|Certificate

• an electronic attestation which links

signature-verification data to a person signature-verification data to a person and confirms the identity of that

person

slide 33

5.2. Definitions|Qualified Certificate

• a certificate which meets the

requirements laid down in Annex I and requirements laid down in Annex I and is provided by a certification-service-

provider who fulfils the requirements

laid down in Annex II

slide 34

5.2. Definitions|Annex I

Qualified certificatesmust contain:

(a) an indication that the certificate is issued as a (a) an indication that the certificate is issued as a qualified certificate;

(b) the identification of the certification-service-provider and the State in which it is established;

(c) the name of the signatory or a pseudonym, which shall be identified as such;

(d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose

slide 35

be included if relevant, depending on the purpose for which the certificate is intended;

5.2. Definitions|Annex I

(e) signature-verification data which correspond to signature-creation data under the control of the signatory;signature-creation data under the control of the signatory;

(f) an indication of the beginning and end of the period of validity of the certificate;

(g) the identity code of the certificate;

(h) the advanced electronic signature of the certification-service-provider issuing it;

(i) limitations on the scope of use of the certificate, if

slide 36

(i) limitations on the scope of use of the certificate, if applicable; and

(j) limits on the value of transactions for which the certificate can be used, if applicable.

5.2. Definitions|Annex II

Certification-service-providers must:

(a) demonstrate the reliability necessary (a) demonstrate the reliability necessary for providing certification services;

(b) ensure the operation of a prompt and secure directory and a secure and immediate revocation service;

(c) ensure that the date and time when

slide 37

(c) ensure that the date and time when a certificate is issued or revoked can be determined precisely;

5.2. Definitions|Annex II

(d) verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued;

(e) employ personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in electronic signature techology and familiarity with

slide 38

electronic signature techology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;

5.2. Definitions|Annex II

(f) use trustworthy systems and products which

are protected against modification and are protected against modification and ensure the technical and cryptographic

security of the process supported by them;

(g) take measures against forgery of certificates, and, in cases where the

certification-service-provider generates

slide 39

certification-service-provider generates signature-creation data, guarantee

confidentiality during the process of generating such data;

5.2. Definitions|Annex II

(h) maintain sufficient financial resources to operate in conformity with the requirements laid down in the Directive, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;risk of liability for damages, for example, by obtaining appropriate insurance;

(i) record all relevant information concerning a qualified certificate for an appropriate period of time, in particular for the purpose of providing evidence of certification for the purposes of legal proceedings. Such recording may be done electronically;

(j) not store or copy signature-creation data of the person to whom the certification-service-provider provided key management services;

(k) before entering into a contractual relationship with a person seeking a certificate to support his electronic signature inform that person by a durable means of communication of the precise terms and

slide 40

a durable means of communication of the precise terms and conditions regarding the use of the certificate, including any limitations on its use, the existence of a voluntary accreditation scheme and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in redily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the certificate;

5.2. Definitions|Annex II

(l) use trustworthy systems to store certificates in a verifiable form so that:in a verifiable form so that:

- only authorised persons can make entries and changes,

- information can be checked for authenticity,

- certificates are publicly available for retrieval in only those cases for which the certificate-holder's consent has been obtained, and

slide 41

holder's consent has been obtained, and

- any technical changes compromising these security requirements are apparent to the operator.

5.2. Definitions|Annex IV

Recommendations for secure signature verification

During the signature-verification process it should be ensured with reasonable certainty that:

(a) the data used for verifying the signature correspond to the data displayed to the verifier;

(b) the signature is reliably verified and the result of that verification is correctly displayed;

slide 42

5.2. Definitions|Annex IV

(c) the verifier can, as necessary, reliably establish the contents of the signed data;establish the contents of the signed data;

(d) the authenticity and validity of the certificate required at the time of signature verification are reliably verified;

(e) the result of verification and the signatory's identity are correctly displayed;

(f) the use of a pseudonym is clearly indicated; and

slide 43

(f) the use of a pseudonym is clearly indicated; and

(g) any security-relevant changes can be detected.

Summary

SignatureElectronic Advanced

SignatureElectronic

Signature

Advanced

Electronic Signature

DeviceSignature

Creation Device

Secure Signature

Creation Device

slide 44

Certificate CertificateQualified

Certificate

5.3. Market Access

1. Member States shall not make the

provision of certification services provision of certification services subject to prior authorisation.

slide 45

5.3. Market Access

2. Without prejudice to the provisions of paragraph 1, Member States may introduce or maintain voluntary accreditation schemes aiming at enhanced levels accreditation schemes aiming at enhanced levels of certification-service provision. All conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory. Member States may not limit the number of accredited certification-service-providers for reasons which fall within the scope of this Directive.

3. Each Member State shall ensure the establishment

slide 46

3. Each Member State shall ensure the establishment of an appropriate system that allows for supervision of certification-service-providers which are established on its territory and issue qualified certificates to the public.

5.3. Market Access

[...]

7. Member States may make the use of 7. Member States may make the use of electronic signatures in the public sector subject to possible additional requirements. Such requirements shall be objective, transparent, proportionate and non-discriminatory and shall relate only to the specific characteristics of the application

slide 47

specific characteristics of the application concerned. Such requirements may not constitute an obstacle to cross-border services for citizens.

5.4. Legal Effects

1. Member States shall ensure that advanced electronic signatures which are based on a electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:

(a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwrittensignature satisfies those requirements in

slide 48

signature satisfies those requirements in relation to paper-based data; and

(b) are admissible as evidence in legal proceedings.

5.4. Legal Effects

2. Member States shall ensure that an electronic signature is not denied legal effectiveness and admissibility as evidence in legal proceedingssignature is not denied legal effectiveness and admissibility as evidence in legal proceedingssolely on the grounds that it is:

- in electronic form, or

- not based upon a qualified certificate, or

- not based upon a qualified certificate issued by an accredited certification-service-provider, or

- not created by a secure signature-creation device.

slide 49

- not created by a secure signature-creation device.

5.5. Liability

1. As a minimum, Member States shall ensure that by issuing a certificate as a qualified certificate to the public or by guaranteeing such a certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who certificate to the public a certification-service-provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that certificate:

(a) as regards the accuracy at the time of issuance of all information contained in the qualified certificate and as regards the fact that the certificate contains all the details prescribed for a qualified certificate;

(b) for assurance that at the time of the issuance of the certificate, the signatory identified in the qualified certificate held the signature-creation data corresponding to the signature-verification data given or identified in the certificate;

slide 50

or identified in the certificate;

(c) for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the certification-service-provider generates them both;

(d) unless the certification-service-provider proves that he has not acted negligently.

5.5. Liability

2. As a minimum Member States shall ensure that a certification-service-provider who has issued a certificate as a qualified certificate to the public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate for failure to register public is liable for damage caused to any entity or legal or natural person who reasonably relies on the certificate for failure to register revocation of the certificate unless the certification-service-provider proves that he has not acted negligently.

3. Member States shall ensure that a certification-service-provider may indicate in a qualified certificate limitations on the use of that certificate. provided that the limitations are recognisable to third parties. The certification-service-provider shall not be liable for damage arising from use of a qualified certificate which exceeds the limitations placed on it.

4. Member States shall ensure that a certification-service-provider may indicate in the qualified certificate a limit on the value of transactions

slide 51

4. Member States shall ensure that a certification-service-provider may indicate in the qualified certificate a limit on the value of transactions for which the certificate can be used, provided that the limit is recognisable to third parties.

The certification-service-provider shall not be liable for damage resulting from this maximum limit being exceeded.

5.6. International Aspects

1. Member States shall ensure that certificates which are issued as certificates which are issued as qualified certificates to the public by a certification-service-provider established in a third country are recognised as legally equivalent to certificates issued by a certification-

slide 52

certificates issued by a certification-service-provider established within the Community if some conditions are realized.

6. Italian Regulatory Framework

• D.Lgs. 82/2005, Codice dell’Amministrazione Digitale (CAD)dell’Amministrazione Digitale (CAD)http://www.digitpa.gov.it/cad

• D.P.C.M. 30/03/2009, Regole tecniche

in materia di generazione, apposizione e verifica delle firme digitali e

validazione temporale dei documenti

slide 53

validazione temporale dei documenti informaticihttp://www.digitpa.gov.it/sites/default/files/normativa/DPCM_30-mar-09_0.pdf

6.1. Definitions|Electronic Document

• The informatics representation of acts,

fact or data, legally relevantfact or data, legally relevant

• i.e. file

slide 54

6.2. Definitions|Analogical Document

• The “non” informatics representation of

acts, fact or data, legally relevantacts, fact or data, legally relevant

• i.e. paper document

slide 55

6.3. Definitions|Copy and Duplicate

1. informatics copy of analogical document: the electronic document document: the electronic document with contents identical to the

analogical document that inspired

• for example transcription with word

processor of paper (hand-written)

slide 56

processor of paper (hand-written) notes or oral notes

6.3. Definitions|Copy and Duplicate

2. informatics copy image of analogical document: the electronic document document: the electronic document with contents and forms identical to

the analogical document that

inspired

• for example scan of paper

slide 57

• for example scan of paper document

6.3. Definitions|Copy and Duplicate

3. informatics copy of electronic documents: the electronic document documents: the electronic document with content identical to that of the

document from which it is drawn on

computer with different sequence of binary values

slide 58

binary values

• for example file translated in a

different format (from .doc to .pdf)

6.3. Definitions|Copy and Duplicate

4. duplicate: the electronic document obtained by storing, on the same obtained by storing, on the same device or on different devices, the same sequence of binary values of

the original document

• for example “cut & paste”

slide 59

• for example “cut & paste”

6.4. Definitions|Electronic Signature

• l'insieme dei dati in forma elettronica, allegati oppure connessi tramite associazione logica ad altri oppure connessi tramite associazione logica ad altri dati elettronici, utilizzati come metodo di identificazione informatica

• the set of data in electronic form attached to or logically associated

with other electronic data, used as a

slide 60

with other electronic data, used as a method of informatics identification

(authentication)

6.5. Definitions|Advanced E.S.

• insieme di dati in forma elettronica allegati oppure connessi a un documento informatico che consentono l’identificazione del firmatario del documento e garantiscono la connessione univoca al firmatario, creati con mezzi sui quali il firmatario può conservare un firmatario del documento e garantiscono la connessione univoca al firmatario, creati con mezzi sui quali il firmatario può conservare un controllo esclusivo, collegati ai dati ai quali detta firma si riferisce in modo da consentire di rilevare se i dati stessi siano stati successivamente modificati

• set of data in electronic form attached to or associated with an electronic document that enable identification of the signatory of the document and provide the unique connection to the signatory, created using means that the

slide 61

the signatory, created using means that the signatory can maintain exclusive control, linked to the data to which that signature refers to allow to detect whether the data have been subsequently modified

6.6. Definitions|Qualified E.S.

• un particolare tipo di firma elettronica avanzata che sia basata su un certificato qualificato e che sia basata su un certificato qualificato e realizzata mediante un dispositivo sicuro per la creazione della firma

• a particular type of advancedelectronic signature that is based on a

qualified certificate and created by a

slide 62

qualified certificate and created by a secure device for the creation of

signature

6.6.1. Certification Authority

• The digital signature technology ensure that in the process of sign was used the private key connected to the public key used for verification.process of sign was used the private key connected to the public key used for verification.

• The certification of the key has the different function to connect the public key to an identified person.

• The certification, in the case of the digital signature, is the result of the informatics procedure, applied to the public key and detectable by the validation systems, that ensures the correspondence between

slide 63

systems, that ensures the correspondence between public key and subject holder to whom it belongs, it identifies the period of validity of that key and the expiry date of the certificate

6.6.1. Certification Authority

• Simple C.A.

• Qualified C.A.• Qualified C.A.

• Accredited C.A.

– Different qualities

– Different procedures to become C.A.

slide 64

– Different procedures to become C.A.

– Different level of the certification services

6.6.2. Electronic Certificate

• Electronic Certificates– electronic certificates are now defined such as – electronic certificates are now defined such as electronic certificates that connect the identity of the holder to the data used to verify electronic signatures

• Qualified Certificates– qualified certificates are electronic certificates

slide 65

– qualified certificates are electronic certificates comply with the requirements envisaged in Annex I of the Directive and issued by certification meets the requirements provided in Annex II of the Directive

6.6.3. Signature Device

• Signature Device

• Secure Signature Device• Secure Signature Device

slide 66

6.7. Definitions|Digital Signature

• un particolare tipo di firma elettronica avanzata basata su un certificato qualificato e su un sistema di chiavi crittografiche, una pubblica e una privata, correlate tra loro, che consente al titolare tramite la chiave privata e al destinatario tramite la chiave pubblica, rispettivamente, di rendere privata, correlate tra loro, che consente al titolare tramite la chiave privata e al destinatario tramite la chiave pubblica, rispettivamente, di rendere manifesta e di verificare la provenienza e l'integrità di un documento informatico o di un insieme di documenti informatici

• a particular type of advanced electronic signature based on a qualified certificate and a system of cryptographic keys, one public and one private, related to each other, which allows the holder using the private key and the recipient using the public

slide 67

the private key and the recipient using the public key, respectively, to make manifest and verify the origin and integrity of an electronic document or a set of electronic documents

Summary

• Electronic Signature– Electronic Signature

• Advanced Electronic Signature• Advanced Electronic Signature– Qualified Electronic Signature

» Digital Signature

» [other]– [other]

• [other]

• Electronic Certificate– Electronic Certificate– Electronic Qualified Certificate

– Certification Authority

• Signature Device– Signature Device

slide 68

– Signature Device

– Secure Signature Device

• Certification Authority– Certification Authority– Qualified Certification Authority

– Accredited Certification Authority

Summary

slide 69

6.8. Legal Effects

• Art. 20.1 bis CAD– L'idoneità del documento informatico a

soddisfare il requisito della forma scritta e il suo – L'idoneità del documento informatico a

soddisfare il requisito della forma scritta e il suo valore probatorio sono liberamente valutabili in giudizio, tenuto conto delle sue caratteristiche oggettive di qualità, sicurezza, integrità ed immodificabilità, fermo restando quanto disposto dall’articolo 21.

– The suitability of the electronic document to satisfy the requirement of written form and its

slide 70

satisfy the requirement of written form and its probative value can be freely evaluated in judgment, in view of its objective characteristics of quality, safety, integrity and immutability, subject to the provisions of Article 21.

6.8. Legal Effects

• Art. 21.1 CAD

– Il documento informatico, cui è apposta una – Il documento informatico, cui è apposta una firma elettronica, sul piano probatorio è liberamente valutabile in giudizio, tenuto conto delle sue caratteristiche oggettive di qualità , sicurezza, integrità e immodificabilità.

– The electronic document, which is signed with a

electronic signature, in terms of evidence is freely

slide 71

electronic signature, in terms of evidence is freely

estimated in judgment, in view of its objective

characteristics of quality, safety, integrity and

immutability.

6.8. Legal Effects

• Art. 21.2 CAD– Il documento informatico sottoscritto con firma elettronica

avanzata, qualificata o digitale, formato nel rispetto delle avanzata, qualificata o digitale, formato nel rispetto delle regole tecniche di cui all'articolo 20, comma 3, che garantiscano l'identificabilità dell'autore, l'integrità e l'immodificabilità del documento, ha l'efficacia prevista dall'articolo 2702 del codice civile. L'utilizzo del dispositivo di firma si presume riconducibile al titolare, salvo che questi dia prova contraria.

– The electronic document signed with an advanced electronic signature, qualified or digital, format in compliance with the technical rules [...], to ensure the

slide 72

compliance with the technical rules [...], to ensure the identification of the author, integrity and immutability of the paper, has the effectiveness of Article 2702 of the Italian Civil Code. The use of the signature device is assumed due to the owner, unless he proves otherwise.

6.8. Legal Effects

• Art. 21.2 bis CAD– Salvo quanto previsto dall’articolo 25, le scritture

private di cui all’articolo 1350, primo comma, – Salvo quanto previsto dall’articolo 25, le scritture

private di cui all’articolo 1350, primo comma, numeri da 1 a 12, del codice civile, se fatte con documento informatico, sono sottoscritte, a pena di nullità, con firma elettronica qualificata o con firma digitale.

– Except as provided in Article 25, the private documents referred to in Article 1350, first paragraph numbers from 1 to 12, of the Civil

slide 73

paragraph numbers from 1 to 12, of the Civil Code, if done with electronic documents are signed, under penalty of nullity, with qualified electronic signature or with digital signature.

6.9. Time Stamping

• The result of the informatics procedure which is attributed to one or more electronic documents, a date and a time enforceable against third partiesattributed to one or more electronic documents, a date and a time enforceable against third parties

• The timestamp has another important function. It allows to extend the value of the certificate of digital signature beyond the normal period of validity. This is on condition that the signature is associated with a timestamp, enforceable against third parties, at an earlier time than the suspension,

slide 74

third parties, at an earlier time than the suspension, expiration or revocation of the certificate.

Thank you

Michele MartoniContract Professor at the University of BolognaPh.D. In IT Law

Lawyer

michele.martoni@unibo.it | www.unibo.it

Thank you

michele.martoni@unibo.it | www.unibo.it

www.michelemartoni.it