Dissection of the Hungarian electronic signature law
Csilla Endrődi <csilla@sch.bme.hu>
BME Department of Measurement and Information Systems
Zoltán Hornák <hornak@mit.bme.hu>
BME Department of Measurement and Information Systems
There is strong demand for electronic documents to be usable in formal office work, both in business and in public administration. This obviously cannot work without adequate security, which can be provided by digital signatures. The technology in turn requires a well-designed, reliable and accountable background infrastructure, a nationwide system, that must be controlled by the state.
International developments also press us to act as soon as possible. In January 2000 the European Union published its directive on electronic signatures, which requires every member state to ensure that electronic signatures are recognised as satisfying the legal requirements that apply to handwritten signatures and are admissible as evidence in legal proceedings in the same manner as handwritten signatures. (The deadline for transposing the directive into the law of the Member States is July 2001.)
In August 2000 the Hungarian Cabinet decreed that an electronic signature law was to be drawn up, and laid down its most important provisions. The elaborated draft of the law will be discussed by parliament in the first quarter of 2001. Its adoption is expected in March, and it will probably come into force in late summer.
In this paper I dissect the Hungarian electronic signature draft law. I do not intend to expose its weak points from a legal standpoint; rather, I try to throw light on the relationship between the regulation and the technical background it unavoidably requires, and on the technical problems that can arise.
Among others, I sought answers to the following questions:
Assuming full compliance with the current version of the draft, is it still possible to abuse digital signatures or the issuing of certificates?
What risks are inherent in the functional structure laid down by the draft? Which parts of the system are vulnerable? What attacks threaten them?
Which technical problems are not covered by the draft and can cause difficulties later?
Will the proposed annual supervision be enough to enforce the requirements (e.g. mandatory backups)?
What technical difficulties can arise from connecting to the international system?
As a result of the dissection it can be stated that the draft is a sound basis for the use of digital signatures in line with the EU directive, but it leaves open many technical questions that can fundamentally affect the security of the system and can lead to legal and technical loopholes.