Michele Martoni and Monica Palmirani
These three aspects are separately treated in this contribution under its three main headings: Section 3 presents the legal framework for the electronic signature; Section 4 the digital document’s legal validity and effectiveness; and Section 5, the critical issues raised by the legal and technical analysis of the pilot‐case.
3. Electronic signatures and the digital signature
Before the EU Directive 1999/93/EC, Italian law only recognized the concept of a digital signature (DPR 513/1997). As a legal term, electronic signature thus originates in the European Union and designates the general class inclusive of all electronic signatures. Its foundation lies in the so‐called principle of technological neutrality embedded in the EU’s regulatory policy. As a general class, electronic signatures comprise four subtypes: (1) basic electronic signatures; (2) advanced electronic signatures; (3) qualified electronic signatures; and (4) digital signatures. Digital signatures, then, are a particular type of electronic signature based on a specific technology, namely, asymmetric (or public key) cryptography. Article 1(1)(q) CAD (the Italian Code on Digital Administration, Legislative Decree 82/2005) defines an electronic signature as “the complex of electronic data—either attached to other data or connected to them by logical linking—used as a method of electronic identification.” The basic electronic signature is the “weakest” of all such signatures. It essentially consists of systems of electronic authentication embodying requisites less stringent than those built into qualified electronic signatures and digital signatures [Birch (1997); Brennan (2001)].
3.1 Electronic signatures
The function of an electronic signature is to make electronic identification possible [Verde (1990); Muenchinger (2002)]. By electronic identification is meant the ability of an electronic signature to validate the data it refers to. The aforementioned CAD defines it as “the validation of the complex of data uniquely and exclusively assigned to someone, making it possible to identify that person in an information system, and carried out through appropriate technologies, its purpose (among others) being that of making access secure.”
3.2 The advanced electronic signature
An advanced electronic signature is defined in the aforementioned DPR 513/1997 as “the complex of electronic data or the complex of data attached to a digital document, (i) making it possible to identify the document’s signatory, (ii) ensuring that they uniquely link to the signatory, (iii) created using means under the signatory’s exclusive control, and (iv) linked to the data the signature is affixed to in such a way that any subsequent change in the data can be detected.”
3.3 The qualified electronic signature
A qualified electronic signature is defined in the CAD as “a specific type of advanced electronic signature based on a qualified certificate and carried out using a secure device for creating signatures.” A qualified signature, then, is a system that provides two guarantees, ensuring that a document’s signatory can be identified, and that any change which may have been made to the document after its signing can be detected. To this end, the law requires that the signature be affixed using a secure device under the signatory’s exclusive control.
The electronic signature and the qualified electronic signature are defined in such a way as not to call for any specific technology. Indeed, the law does not mention any specific technique but only confines itself to setting out the governing principles.
3.4 The digital signature
The digital signature, by contrast, does come about as the result of a specific technological choice [Cachin et al. (2009); Diffie et al. (1976); Elgamal (1985)]. Indeed, it is defined under Article 1(1)(s) CAD as “a particular type of advanced electronic signature coupled with a qualified certificate and based on a system of mutually linked cryptographic keys—one private, the other public—making it possible for the signatory using the private key and for the recipient using the public key to respectively disclose and verify the source and integrity of a digital document or a set of such documents.”
The cryptography used for digital signatures is thus called asymmetric or public‐key cryptography [Rivest et al. (1978)]. As mentioned, this technique uses a pair of keys: one of them private, which must remain secret and at the signer/holder’s sole disposal, the other one public, which by contrast can be disclosed to anyone. What