Michele Martoni and Monica Palmirani
The third class, framed by Article 21( 2) CAD, is the one comprising digital documents bearing an advanced, qualified, or digital electronic signature, and created in compliance with the technical rules referred to in Article 20( 3) CAD, and whose purpose is to ensure that the author can be identified and that the document preserves its integrity and inalterability. Any digital document that satisfies these conditions is recognized in the law as having full probative force pursuant to Article 2702 of the Italian Civil Code. With this class of documents, the use of a signature‐creating device is assumed to be ascribable to the owner of the device unless that person can prove otherwise.
4.1 Automated signatures
In certain contexts, a signing procedure can involve a large number of documents, making it impractical to sign documents in piecemeal fashion on a“ document by document” basis. Indeed, as is known, every signature makes it necessary to unlock the private key contained in the signature‐creating device by entering a PIN.
In these cases, therefore, the law provides for and legitimizes“ automated” signing procedures. These procedures, however, are themselves subject to stringent legal criteria.
By an automated signing procedure, then, is meant any procedure making it possible to sign multiple digital documents in bulk by entering a single PIN just once. It bears mentioning that each digital document in such a bundle will still be individually signed. This is also referred to as mass digital signing.
The technical rules, in their current draft, define an automated signature as that“ particular computerized procedure for affixing an electronic or qualified signature once authorization is given by the signer, who maintains exclusive control of the signature keys, but who need not be continuously keeping watch.” Immediately as we read this definition we will notice that it defines not only an automated signature but also a remote one, considering that in describing what automated means, it thereby also introduces the idea of the signatory not having to keep oversight or be always on hand.
A final comment is that because an automated signature is a qualified or digital electronic signature, it is linked to a signature certificate. Owing to the kind of use made of automated signatures, this certificate can be housed in the signature‐creating device( e. g., a smart card o USB token) rather than on other devices, such as a hardware security module( HSM). An HSM is a kind of secure crypto‐processor designed to manage signature keys. It is a physical device traditionally connected directly to the server used by the signatory. This is a topic we will be taking up later on in this discussion [ Smith( 2010)].
4.2 Remote signatures
A remote signature is defined in the current draft of the technical rules as that“ specific kind of procedure for affixing a qualified electronic signature or a digital signature which is generated through an HSM and guarantees that a private key is in its owner’ s sole control.”
And by an HSM is meant, in this circumstance, the combined“ hardware and software that outputs secure devices for generating signatures in such a way as to securely manage one or more pairs of cryptographic keys.”
A remote signature, in other words, is a signature a signatory can affix to a document without having a signing device within physical reach. Which is precisely why the signing device needs to be protected against thirdparty use.
4.3 Relevant legal provisions
Article 4( 2) of the DPCM of 30 March 2009, stipulates what follows:“ A signature affixed through an automated procedure pursuant to Article 35( 3) CAD must be affixed using a key pair different from any of the other pairs in the signatory’ s possession.” The subsequent Article 4( 3) reads:“ If an automated procedure uses more than one device for generating the same signatory’ s signatures, each such device must use a different key pair.” Under Article 35( 2) CAD,“ secure devices and the procedures herein referred to in the previous subsection( 1) must guarantee the integrity of the digital documents a signature is affixed to.”
313