A Law Approach

Although, as already noticed, no juridic definition of ‘document’ is available, the Italian law does provide a definition of what a digital document is: according to L 59/1997 (15 Mar.), that represents a milestone for the official adoption of digital technologies in formal transactions, a digital document is to be intended as the “dig-ital representation of juridically relevant deeds, facts or data” (art. 1, par. 1). Hence, it can be identified in any sequence of bits or, more practically, in any computer file.

Moreover, “The deeds, data and documents produced by the Public Administration or by privates using computer or telematic systems, the agreements contracted using the same means, as well as their filing and transmission using computer systems, are valid and relevant to all intents and purposes of law” (art. 15, par. 2). As a side-effect, this introduces the need for a secure way of signing them. Criteria and modalities for applying such a principle are stated in the DPR 513/1997 (10 Nov.), where several fundamental concepts are introduced and defined (art. 1), among which Certification and CAs:

9Talking of legal matters in different languages is not easy, due to the extremely different concepts, practices and procedures that have been developed and are currently in use in each country, and to the lack of a correspondence among them. A list and a short explanation of relevant law act categories in Italy is:

L (Legge) Act approved by the Parliament.

DL (Decreto Legge) Law by decree: an act provisionally issued by the Government, that needs formal approval by the Parliament.

DPR (Decreto del Presidente della Repubblica) Decree of the President of the Republic.

DPCM (Decreto del Presidente del Consiglio dei Ministri) Decree of the President of the Council of Ministers.

DM (Decreto Ministeriale) Decree of a Minister.

Validation system The computer and cryptography system that is able to generate and affix a digital signature or to check its validity.

Asymmetric keys The pair of (private and public) encryption keys, mutually re-lated, to be exploited in the context of systems for validation or encryption of digital documents.

Private key The element of the pair of asymmetric keys, intended to be known only to its regular holder, by which the digital signature is affixed on a digital document or a digital document previously encrypted using the corresponding public key can be decoded.

Public key The element of the pair of asymmetric keys, intended to be made public, by which the digital signature affixed on the document by the regular holder of the asymmetric keys can be checked or digital documents to be transmitted to the regular holder of such keys can be encrypted.

Certification The outcome of the computer process that is applied to the public key and that can be checked by validation systems by which the one-to-one cor-respondence between a public key and the regular holder to which it belongs is guaranteed; the regular holder is identified and the period of validity of the key itself and the deadline of expiration of its related certificate are stated (in any case not more than three years).

Temporal validation The outcome of the computer process by which are assigned, to one or more digital documents, a date and a time that can be objected to third parties.

Electronic address The identifier of a physical or logical resource that is able to receive and record digital documents.

Certifier Public or private subject that carries out the certification, issues the public key certificate, publishes it along with the public key itself, publishes and updates the lists of suspended and revoked certificates.

The same act assigns to a digital document endowed with a digital signature the same legal validity according to the Civil Law (art. 2702) as a traditional paper document endowed with an autographic signature. These notions pave the way for the adoption of the digital signature as “an authentication mechanism that allows the author of a message to add a code that acts as a signature. The signature is created using the hash code of the message (that can be considered as its digital fingerprint) and encrypting it by means of the author’s private key. The signature guarantees the origin and integrity of the message”. In particular, mutual authentication protocols

“allow the communicating entities to guarantee to each other their own identity and to exchange session keys”; one-way authentication, in contrast, just “guarantees to the receiver that the message actually comes from the indicated sender”.

“Technical rules for the generation, transmission, preservation, duplication, re-production and validation, also temporal, of digital documents” according to art. 3, par. 1 of this first regulation on digital signature were provided in the DPCM is-sued 8 Feb. 1999, where a signature device is defined as “an electronic device pro-grammable only in its origin, capable of at least storing in a protected way the pri-vate key and generating inside of it digital signatures”. DPR 445/2000 (28 Dec.) collected in a single text all regulations concerning administrative documentation,

and to the juridic acknowledgment of the relevance and validity of digital documents and signatures added the requirements a digital document must fulfill.

After all these regulations, the European directive 1999/93/CE came with 15 ar-ticles and 4 attachments in which the requirements for qualified certificates, for the CAs that issue such certificates and for the secure signature devices are defined, and recommendations are given for the secure signature. Such a new framework required some changes to the Italian law, that were carried out by DL 10/2002 (23 Jan.), and implemented by DPR 137/2003 (7 Apr.) that assigns to digital documents the same validity as a legal proof as all other means recognized by the Civil Law (art. 2712).

The DPCM issued 8 Feb. 1999 was updated by the DPCM issued 13 Jan. 2004, spec-ifying the regulations for setting up public lists of certificates (art. 29, par. 1), while the DPCM issued 2 July 2004 defines the “Competence concerning electronic signa-ture certifiers”. Also related, although not specifically concerning digital signasigna-ture, is the DPR 68/2004 (11 Feb.), concerning “Regulations including requirements for the exploitation of certified electronic mail”, according to L 3/2003 (16 Jan.), art. 27.

The most recent significant contribution is represented by the DL 82/2005 (7 Mar.), titled “Digital Administration Act” (Codice dell’Amministrazione Digi-tale), as modified by the DL 159/2006 (4 Apr.), where the various concepts, already introduced, of digital signature, validation system, certification and asymmetric keys are explained, and the following kinds of signatures are defined, in order of increas-ing reliability (art. 1, par. 1):

Electronic signature The set of data in electronic form, attached or connected by means of a logic association to other electronic data, used as a means for digital identification according to the CE regulations.

Qualified electronic signature The electronic signature obtained by means of a computer procedure that guarantees its unambiguous association to the signee, cre-ated using means on which the signee can have an exclusive control and associcre-ated to the data to which it refers in such a way to allow pointing out whether the data themselves have been subsequently modified, that is based on a qualified certificate and carried out exploiting a secure device for the creation of the signature.

Digital signature A particular kind of qualified electronic signature based on a sys-tem of encryption keys, one public and one private, related to each other, that al-lows the legal owner using the private key and the addressee using the public key, respectively, to reveal and to check the provenance and the integrity of a digital document or of a set of digital documents.

The European regulation (art. 2) defines only the electronic signature and an-other kind, called Advanced electronic signature, that can be ranked between the electronic signature and the qualified one in the above list. The latter adds to the features of the former the integrity of the document and the exclusiveness of the signee. The qualified signature, although not formally defined in the CE Directive, is suggested by art. 3 (par. 4) and art. 5 thereof, and adds to the advanced one the use of a secure device and a certificate released by a qualified certifier. Finally, the digital signature adds to the qualified one the fact that the certifier is accredited:

thus, the kind of signature required in Italy in 1997 (by DPR 513/1997, art. 10) was

already stronger than what required by the European regulations issued two years later. Indeed, the digital signature derives from a digital document perspective on the subject, and hence has the strictest requirements and the largest validity; conversely, the other three kinds of signature derive from an electronic commerce perspective:

they can be issued by any certifier (even not accredited, in which case their validity is limited to the organization in which they are exploited, but does not extend to the legal level). According to DL 82/2005, the former two kinds of signature can be only discretionally accepted as a proof, while the latter two kinds have full proving power: “A digital document, signed using a digital signature or other kind of qual-ified electronic signature, has the effect provided for by art. 2702 of the Civil Law.

The use of the signature device is assumed to be traceable back to its owner, except if he gives proof of the contrary” (art. 21, par. 2).

According to the European regulations (art. 3) the certification services must not be authorized, but for application in the PA the single governments may add further requirements. In any case, the procedure of qualification is provided for, and the certifiers that are qualified in a country are automatically qualified in all other UE countries. A committee must be set up to check the fulfillment of security require-ments by the signature devices and software (art. 9, 10). Qualified certificates issued by non-EU countries are valid if they fulfill the Directive requirements and there are agreements with the EU (art. 7), while DPR 513/1997 in Italy acknowledges them if they are operated under license or authorization of an EU country (art. 8, par. 4).

A very recent update in the field is represented by DPCM issued 30 Mar. 2009, reporting “Technical rules concerning digital signatures”.