ZertES

Short description: Swiss law on electronic signatures

ZertES is a Swiss federal law that regulates the conditions under which trust service providers may use certification services with electronic signatures. The law also provides a framework that outlines providers’ obligations and rights as they apply to providing their certification services.[1][2]

Description

ZertES was approved into law on December 19, 2003.[3] The law promotes the use of secure services for electronic certification to facilitate the use of qualified electronic signatures. Under this law, such signatures are equal to a handwritten signature.[4]

Switzerland’s ZertES law has a tiered structure and standards of legal value similar to those of the European Union’s eIDAS Regulation. ZertES provides several assurance levels; the qualified electronic signature is the highest level, equivalent to a handwritten signature. Many official documents require electronic signatures at this qualified electronic signature level.[1]

Standards

Under ZertES, an electronic signature refers to electronic data that is either attached to or associated with other electronic data and that serves as a means of authentication for that data. Currently, ZertES does not specify how electronic signatures should be technically implemented. Despite this limitation, the Swiss Federal Council has made international agreements to facilitate the international use of electronic signatures and allow for their legal recognition. The Council therefore accepts electronic signatures that have been technically implemented in line with the digital standards in eIDAS.[5]

The following standards are recognized by the Swiss Federal Council:[1]

Electronic transactions

A fortgeschrittene elektronische Signatur, also known as an advanced electronic signature, must meet certain requirements in order to prove its authenticity, including:[1]

  • Establishing a unique link to its signatory
  • The ability to identify its signatory or holder
  • Having been created with software or equipment that remains under the sole control of its signatory
  • The capability of identifying whether the data or document to which it is attached has been altered or tampered with after being signed[1]

ZertES allows the advanced electronic signature and its legal value to be enhanced by adding a qualified certificate, similar to how eIDAS allows for this. The upgraded advanced electronic signature is referred to as a qualifizierte elektronische Signatur, or qualified electronic signature. The signature must be produced by a secure signature creation device and then be attached to the qualified certificate. At the time that the signature is created, the certification must be valid.[1]

ZertES requires that qualified certificates provide:[2]

  • A serial number that identifies it as a qualified certificate
  • The name of the individual who holds the signature verification
  • Signature verification
  • The name and state where the issuer of the certificate (referred to as Anbieterin von Zertifizierungsdiensten) is established, the qualified electronic signature of the issuer, and the national or foreign accreditation body that accredited the issuer
  • The period for which the certificate is valid
  • Proof of recognition for the certificate service provider who provides the certification services
  • Transaction information for which the certificate can be used[2]

Certificate service providers that issue qualified certificates are required to undergo audits performed by a conformity assessment body that has been appointed by the Schweizerische Akkreditierungsstelle (de).[1]

Under ZertES, the Swiss Federal Council regulates signature generation and issues Signaturprüfschlüssel (signature verification keys) to qualified certificates. The secure signature creation device must verify that the signature key used is:[5]

  • Unique and its secrecy can be reasonably assured
  • Protected from being counterfeited
  • Under the sole control of the signatory

The signature verification process must ensure that:

  • The data used to verify the signature corresponds to the data sent to the verifier
  • The signature is reliably verified and its verification result is displayed correctly
  • If needed, the verifier is able to determine the contents of the signed data
  • It is clearly identified when a pseudonym is used
  • If tampering has occurred, it will be detected
  • The signature owner’s identity is properly displayed[5]

ZertES requires qualified trust service providers to meet requirements that will ensure the validity of the certificates they issue for electronic signatures. Providers can be naturalized or legal citizens. Under certain circumstances, foreign suppliers may be permitted to provide certification services.[5]

Legal implications

ZertES is similar to eIDAS in assuring that electronic signatures are legally binding and in taking a tiered approach to legal value in court, with qualified electronic signatures having a higher probative value than advanced electronic signatures. Cross-border communications between Switzerland and the member states of the European Union occur on a daily basis, as the country is home to many internationally active banks and companies. Therefore, ZertES and eIDAS are comparable in technical design and carry similar legal implications.[1]

References