Directive 99/93/EC: Liability aspects
Ignacio Alamillo
Introduction
• Art. 6 Directive 99/93/EC, 13th December
• Strict liability model
• The CSP will be liable to ANY person who reasonably relies on qualified certificates – it refers to the “public”, connecting with the consumer notion
• The burden to prove diligent action is on the CSP. Negligence action and consequential damages cannot be contractually excluded
• Consumer protection rules also apply (art. 6.5) – liability caps may be forbidden under national regulation, except under the ‘value limitation’ rule
Liability associated with certificate issuance or guarantee - 1
• Art. 6.1 D 99/93/EC: Accuracy – at time of issuance – of all information contained in the qualified certificate
• Inclusion of the minimum required content, regarding Annex I of the Directive
• The certificate must be marked as a “qualified” certificate
• Consumers relying on certificates must be able to identify a qualified certificate
Liability associated with certificate issuance or guarantee - 2
• Proof of possession by the signatory of the signature-creation data – at time of issuance – corresponding to the signature-verification data given or identified in the qualified certificate
• It means the CSP must impose certain demonstration methods
• Typically, a signed certificate request (PKCS#10) is used when the CSP does not create the key pair
Liability associated with certificate issuance or guarantee - 3
• Assurance regarding the complementary operation between signature-creation data and signature-verification data
• Only if the CSP generates the key pair
• It means the CSP must check the mathematical relationship between the private and the public key
• For instance, by creating the key pair (not recommended)
• Or by requiring the usage of certain key-creation algorithms
• Also by making some testing before definitive issuance
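The two checks described on the preceding slides, as an added example that is not part of the original slide deck: a CSP verifying proof of possession on a PKCS#10 request (the self-signature over the request must validate under the public key embedded in it) and, for the case where the CSP generated the key pair itself, a sign-and-verify test of the relationship between private and public key before issuance. The code uses only the Go standard library; the subscriber key, the subject name and the tampering helper are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// NewSubscriberKey generates the subscriber's P-256 key pair (the
// signature-creation data). Constructed for this example; a real
// subscriber would keep the private key inside a secure device.
func NewSubscriberKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unavailable
	}
	return priv
}

// BuildCSR creates a DER-encoded PKCS#10 request self-signed with the
// subscriber's private key; that self-signature is the proof of possession.
func BuildCSR(priv *ecdsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// VerifyProofOfPossession is the check a CSP performs on a received
// PKCS#10 request: parse it, then confirm that the embedded public key
// validates the request's own signature. A request whose signature does
// not verify gives no evidence that the requester holds the private key.
func VerifyProofOfPossession(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS#10 request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// TamperSignature flips the last byte of a DER request, which lies inside
// the signature value, to simulate a request that does not prove
// possession. Constructed for the negative case only.
func TamperSignature(csrDER []byte) []byte {
	out := append([]byte(nil), csrDER...)
	out[len(out)-1] ^= 0x01
	return out
}

// KeyPairMatches is the test a CSP applies when it generated the key pair
// itself: sign a fresh random challenge with the private key and verify
// the signature with the public key that will be placed in the certificate.
func KeyPairMatches(priv *ecdsa.PrivateKey, pub crypto.PublicKey) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

func main() {
	priv := NewSubscriberKey()
	csrDER, err := BuildCSR(priv, "constructed subscriber")
	if err != nil {
		panic(err)
	}
	_, err = VerifyProofOfPossession(csrDER)
	fmt.Println("genuine request accepted:", err == nil)
	_, err = VerifyProofOfPossession(TamperSignature(csrDER))
	fmt.Println("tampered request rejected:", err != nil)
	other := NewSubscriberKey()
	fmt.Println("own key pair matches:", KeyPairMatches(priv, &priv.PublicKey))
	fmt.Println("foreign public key matches:", KeyPairMatches(priv, &other.PublicKey))
}
```

The PKCS#10 check covers the common case in which the subscriber generates the key; the challenge-signature check is the kind of test the slide calls for when the CSP holds both halves of the pair, and it works regardless of how the pair was produced.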
Liability associated with service level
• Art. 6.2 D 99/93/EC: Incorrect revocation data make the CSP liable for all damages suffered by relying parties (general public = consumers)
• Includes the failure to register and process a revocation request
• Typically also includes delay in the publication of certificate revocation information
Liability control – reduction and disclaimer
• Art. 6.3 and 6.4 D 99/93/EC: The CSP may control risk with two methods: use and value limitations
• Key usage (digital signature, key encipherment, etc.)
• Extended key usage (e-mail protection, code signing, etc.)
• Notice inside the certificate (may not be seen)
• Policy control: high-level usage definition (contracts, e-invoices, etc.)
• Subscriber and relying party agreements: best solution in civil law systems
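The use limitations named on the slide above (key usage and extended key usage), as an added example that is not part of the original slide deck: the check a relying party applies before accepting a certificate for a given purpose, and the certificate profiles a CSP would issue to carry those limits. Go standard library only; the self-signed test certificates, their subject name and the required-usage combinations are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IssueTestCert builds a self-signed certificate carrying the given key
// usage bits and extended key usages. Constructed for the example; a CSP
// would sign the subscriber's public key with its issuing CA key instead.
func IssueTestCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed subscriber"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SigningCert is limited to electronic signatures (digital signature plus
// content commitment, the non-repudiation bit) and to e-mail protection.
func SigningCert() (*x509.Certificate, error) {
	return IssueTestCert(
		x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection})
}

// EnciphermentCert is limited to key encipherment and carries no extended
// key usage extension at all.
func EnciphermentCert() (*x509.Certificate, error) {
	return IssueTestCert(x509.KeyUsageKeyEncipherment, nil)
}

// AcceptableFor is the relying-party side of a use limitation: the
// certificate must carry every required key usage bit, and if it carries
// an extended key usage extension, that list must include the purpose.
// An absent extension imposes no purpose restriction (RFC 5280, 4.2.1.12).
func AcceptableFor(cert *x509.Certificate, need x509.KeyUsage, purpose x509.ExtKeyUsage) error {
	if cert.KeyUsage&need != need {
		return fmt.Errorf("key usage %#x lacks required bits %#x", cert.KeyUsage, need)
	}
	if len(cert.ExtKeyUsage) == 0 {
		return nil
	}
	for _, e := range cert.ExtKeyUsage {
		if e == purpose || e == x509.ExtKeyUsageAny {
			return nil
		}
	}
	return errors.New("extended key usage does not permit this purpose")
}

func main() {
	sig, err := SigningCert()
	if err != nil {
		panic(err)
	}
	enc, err := EnciphermentCert()
	if err != nil {
		panic(err)
	}
	need := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	fmt.Println("signing cert, e-mail:      ", AcceptableFor(sig, need, x509.ExtKeyUsageEmailProtection))
	fmt.Println("signing cert, code signing:", AcceptableFor(sig, need, x509.ExtKeyUsageCodeSigning))
	fmt.Println("encipherment cert, e-mail: ", AcceptableFor(enc, need, x509.ExtKeyUsageEmailProtection))
}
```

The limitation only reduces the CSP's exposure if relying parties actually evaluate it; the slide's remark that a notice inside the certificate "may not be seen" is why the check has to live in the verifier, not only in the certificate.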