Electronic publishing of legislation: towards authenticity - PowerPoint PPT Presentation

Provided by: Oikeusmi
1
Electronic publishing of legislation: towards
authenticity
  • European Forum of Official Gazettes
  • - Working Group on Authenticity
  • Helsinki - Tallinn, June 14-15, 2007

2
On the present situation
  • Discussion on the authenticity of the electronic
    Legal Gazette in most countries, although still
    in the majority of countries the paper version of
    law is the only authentic one
  • The methods of authentication of the texts in
    Legal Gazettes have been discussed in the working
    group by delegates from Austria, Belgium,
    Estonia, Finland, France, Germany, Greece,
    Hungary, Iceland, Italy, Latvia, Lithuania,
    Portugal, Slovenia and Spain.
  • The national reports and meeting reports are
    available at the Forum website (most documents
    will be public in 2007)

3
Work focussed on following issues
  • What kind of technical tools are available for
    the authentication of electronic official
    gazettes
  • What kind of reliable processes in the production
    and publishing / distribution of electronic
    official gazettes
  • What is the quality control in the production
    chain
  • Which tools are generic and could be used also in
    other countries
  • The approach has been pragmatic - what level of
    reliability and authenticity is sufficient

4
On the structure of the Final Report
  • 1. On the general developments
  • 2. On the key concepts
  • 3. Legislative issues on electronic legal
    gazettes
  • 4. Use of electronic signatures in the
    authentication
  • 5. Use of workflow or chain of confidence in the
    authentication
  • 6. Use of secure servers and certificates in the
    authentication
  • 7. Good practices: an inventory
  • Annex 1: List of useful standards

5
First experiences in
authentication
  • Belgium, 1.1.2003: the electronic version is not
    authentic, but it is the only version widely
    available (five paper copies are authentic); in
    addition, a helpdesk with free-of-charge access is
    described in the law
  • Austria, 1.1.2004: only an electronic version,
    which is authentic, is available. In addition,
    non-authentic electronic versions (html/pdf)
  • France, 1.7.2004: the paper and electronic
    versions are equally authentic
  • Estonia, 23.1.2001: the paper and electronic
    versions are equal; 1.1.2007: the electronic version
    is the only authentic one

6
On recent developments 2005-2007
  • In a large number of countries, development
    projects to increase the reliability of the
    electronic official gazette and to gradually
    replace the paper version with an authentic
    electronic version. Examples:
  • France: a new kind of chain of confidence
    established in the production of the JO;
    authentic JO already online
  • Greece: a secure server established, using
    certificates and a digitally signed electronic
    Official Gazette
  • Portugal: the electronic version of Diário da
    República is the only authentic version
  • Slovenia: the electronic version of Uradni list is as
    authentic as the paper version
  • Denmark: the number of paper versions is cut down
    with a new electronic version and a new legislative
    act on the Official Gazette
  • Hungary: authentication of the electronic Official
    Gazette implemented

7
Common features in Member states 2005-2007
  • Digital signatures introduced
  • Secure servers established
  • Use of certificates with secure servers
  • Legislative reforms concerning the status of
    electronic Official Gazette
  • Authentic and consolidated law made available
  • Number of paper copies of Official Gazette cut
    down with new electronic version

8
Defining authenticity
  • Authenticity is one of the security attributes of
    electronic documents
  • Integrity, reliability and usability are the
    related attributes
  • Authentication: the process of verifying that a
    document or message is authentic and that it has
    not been altered en route from the distribution
    to the recipient(s).

9
Different concepts of authenticity
  • Authenticity of electronic document
  • Authentication of a production chain (reliability
    of the chain, chain of confidence)
  • Authentication of the delivery via Internet e.g.
    with secure servers
  • (integrity of the document, usability of data)

10
The earliest approach: Declaratory
authenticity
  • A simple and efficient approach to
    authenticity is authenticity by legislative
    means or declaratory authenticity
  • The authenticity of the electronic version is
    defined either by
  • 1) national law:
  • - the electronic version has the
    same legal status as the paper version
  • - the electronic version is the only
    authentic version
  • 2) or by declaration, tradition or
    administrative principle:
  • - the authenticity of electronic documents can
    be based on the competence and authority of the
    publisher or on the general reliability of the
    information source

11
The total approach: Workflow
  • Very few experiences
  • Austria: workflow ensuring the authenticity of
    documents during the legislative process (project
    e-Recht and MOA (Module for Online Applications),
    with modern security technology)
  • France: a chain of confidence in the publishing
    process and a new SOLON system in the Government
    workflow
  • Portugal: RedeLex system
  • Germany: eNorm system for drafting
  • Finland: PTJ system

12
Solon / France - Entry module of
the e-legislation production flow
  • Chargés de mission
  • Conseillers techniques
  • Service Législatif

[Diagram: the different users of Solon. Labels: Assemblée nationale et Sénat; SGG; Conseil d'État; FTP; DJO access on-line]
13
[Diagram labels: Internet; on-line data capturing or transfer of structured data; editorial production; free access to public information; Réseau Ader; B D J; SOLON; consolidation of legal data]
14
Authenticating the legal act - Use of
electronic signatures
  • Authenticity by electronic signature ensures the
    reliability and integrity of any electronic
    document
  • Authenticity by certification means the matching
    of electronic signatures (server signatures or
    individual signatures)
  • A broad variety of electronic signatures
    available (with flexible choices)
  • XML-DSIG and XAdES, PKCS7 PKCS11, PDF
    electronic signature

15
Certifying the valid signature - Austria
16
Using the signature for PDF document - Greece
Digital Signature
17
Certifying the valid signature - French
Journal Officiel
  • In the French authentic Journal Officiel, the
    user of the authentic file is informed of the
    validity of the signature

18
Authenticating the delivery - secure servers
and protocols
  • Authenticity by secure server or secure protocol
    ensures the reliability of any electronic
    document source
  • A secure server provides secure connections, and
    the data in transit between the
    user and the server is encrypted. A secure
    protocol (e.g. HTTPS) can be used to protect the
    transfer of data from a secure server, with a
    security protocol such as SSL, TLS or PCT.
  • Usually the use of certificates is recommended

19
Authenticity by secure server/protocol (2)
  • Authenticity by secure server or secure protocol
  • A number of open source server applications are
    available
  • Plone is a ready-to-run content management system
    that is built on the free Zope application
    server.
  • Zope is an open source web application server,
    featuring a transactional object database which
    can store also dynamic HTML templates, scripts, a
    search engine, and relational database (RDBMS)
    connections and code.
  • open source server software applications, e.g.
    Apache SSL and OpenSSL

20
Generic elements in the authentication (1)
  • Workflow and chain of confidence
  • Modules for Online Applications (Austria)
  • Chain of confidence certification structures
    (France)

21
Generic elements in the authentication (2)
  • Electronic signatures
  • XML-DSIG and XAdES standards are open
  • PKCS used in PDF documents
  • OpenXAdES concept
  • Secure servers and certificates
  • Apache (Apache SSL)
  • OpenSSL

22
Authenticity by digital signature time stamp?
  • The Use of Time Stamps with Signatures
  • Objectives: to have a valid signature during a
    long period and to minimize the re-sign operations.
  • A solution to the archiving of electronic
    documents
  • France: a Time Stamp for the XAdES texts to
    extend the certificate period of validity
    (beyond the initial 2 years)
  • Standards
  • RFC 1305 Network Time Protocol
  • RFC 3161 Internet X509 PKI Time Stamp Protocol
    (TSP)
  • OpenTSA
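
How a time stamp lets a signature outlive the signing certificate, as an added example that is not part of the original presentation: a simplified timing check over constructed certificate dates. The names `Validity`, `TimeStamp` and `signature_status` are hypothetical, and the model assumes the cryptographic checks themselves already passed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

@dataclass
class Validity:
    """Validity window of an X.509 certificate (constructed sample data only)."""
    not_before: datetime
    not_after: datetime

    def covers(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after

@dataclass
class TimeStamp:
    gen_time: datetime   # time asserted by the TSA (genTime in RFC 3161)
    tsa_cert: Validity   # validity of the TSA's signing certificate

def signature_status(signer_cert: Validity, stamps: List[TimeStamp],
                     verify_at: datetime) -> str:
    """Simplified timing check; `stamps` is ordered oldest first.

    Assumes the cryptographic checks already passed; revocation and
    algorithm ageing are out of scope.
    """
    if not stamps:
        # No trusted signing time: the certificate must be valid right now.
        return "valid" if signer_cert.covers(verify_at) else "expired-signer-cert"
    reference = verify_at
    for ts in reversed(stamps):
        # Each stamp must still be verifiable at the time the next proof
        # (a later stamp, or the verifier's clock) vouches for.
        if not (ts.tsa_cert.covers(ts.gen_time) and ts.gen_time <= reference):
            return "invalid-timestamp"
        if not ts.tsa_cert.covers(reference):
            return "expired-tsa-cert"
        reference = ts.gen_time
    # The oldest stamp proves when the signature already existed.
    return "valid" if signer_cert.covers(reference) else "signed-outside-validity"

# Constructed example: a signing certificate valid for two years.
SIGNER = Validity(datetime(2007, 1, 1), datetime(2008, 12, 31))
TS_2007 = TimeStamp(datetime(2007, 6, 15),
                    Validity(datetime(2006, 1, 1), datetime(2011, 1, 1)))
TS_2010 = TimeStamp(datetime(2010, 6, 1),
                    Validity(datetime(2009, 1, 1), datetime(2015, 1, 1)))
```

Adding `TS_2010` before the first TSA certificate runs out is the renewal step: it replaces re-signing the document with stamping it again.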

23
Authentication as a process
  • Authentication as a pragmatic process
  • - Principle of proportionality
  • What are the actual benefits, what are the
    costs?
  • Use what you have got
  • Let all the flowers bloom
  • But: do not become too technically oriented
  • Pay attention to the most critical phases in the
    production and distribution
  • If your current work process in the printing of
    Official Gazettes is well protected (some chain
    of confidence), a secure server with
    certificate may be the sufficient new element

24
How much authenticity and security is enough?
  • For the majority of users, the authenticated
    electronic versions of acts are not necessarily
    the most usable ones. For utilizing and
    distributing the electronic versions, the
    authentic one may not be best one. This has been
    found out in the studies in Austria and France.
  • In Austria, currently 51% use the pdf version
    of the Legal Gazette, 36% use the html version,
    11% use the word version and only 2,3% use the
    authentic version, which incorporates the
    electronic signature.
  • Similar results from Portugal, where the
    electronic version is authentic since July 2006.
    It is accessible via a secure system, using
    https, and a non-secure system, with traditional
    http protocol. Currently only about 7% use the
    secure system.

25
Authenticity - collecting the best practices
  • 1) Protect the document databases and control
    access to the original databases (firewall,
    replication of databases etc.)
  • 2) Collect the pdf files and make them available
  • 3) Check the legislation and make necessary
    amendments
  • 4) Utilize secure servers with certificates -
    use secure servers with open architecture and
    lower costs
  • 5) Decide whether you need electronic signatures
  • - if you think that you need, make your choice
  • 6) Check the possibilities of workflow or chain
    of confidence, limited or comprehensive

26

SWOT ANALYSIS OF AUTHENTICATION METHODS:
USE OF ELECTRONIC SIGNATURES
  • Strengths
  • - Efficient and reliable methods for
    authentication
  • - Several techniques and standards available,
    also open source signatures
  • Weaknesses
  • - Not necessary if workflow and secure
    servers are used
  • - Difficulty to choose the most
    suitable electronic signature
  • - Difficulties in transferring the signature
    to new document formats
  • Opportunities
  • - Electronic signature is applicable to all
    legislative documents
  • - Essential part of electronic commerce
  • Threats
  • - The archiving of documents with electronic
    signature is problematic
  • - The electronic signature has to be renewed
    (re-signed) frequently

27

SWOT ANALYSIS OF AUTHENTICATION METHODS:
USE OF SECURE SERVERS AND CERTIFICATES
  • Strengths
  • - Efficient method for ensuring the data
    transfer
  • - Several techniques and standards available,
    also open source
  • - Data encryption is used
  • Weaknesses
  • - Does not guarantee the authenticity
    of documents
  • - Difficulty to choose the most
    suitable combination of SSL and protocols
  • - Progress in data encryption outdates
    the old one (40-bit encryption etc.) -> Risk of
    intrusion and hacking
  • Opportunities
  • - Experience found in all countries,
    well-known techniques
  • - Secure server easy to establish and maintain
  • Threats
  • - The standards and protocols develop constantly

28
Useful standards or de facto
standards in annex
  • 1. Electronic signatures
  • - XMLDSIG - IETF/W3C XML, RFC 3275
  • - XML Advanced Electronic Signatures (XAdES)
    www.etsi.org
  • - OpenXAdES www.openxades.org
  • - PKCS7 PKCS15. http://tools.ietf.org/html/rfc2315
  • - PDF electronic signature (uses PKCS7).
    www.adobe.com
  • 2. Time Stamp
  • - RFC 1305 Network Time Protocol
    http://tools.ietf.org/html/rfc1305
  • - RFC 3161 Internet X509 PKI Time Stamp Protocol
    (TSP) http://www.ietf.org/rfc/rfc2459.txt
  • - OpenTSA Open Time Stamp Architecture
    http://www.opentsa.org
  • 3. Secure servers, secure socket layers and
    computer security
  • - RFC 3279 - Algorithms and Identifiers for the
    Internet X.509 Public Key Infrastructure
    Certificate and Certificate Revocation List (CRL)
    Profile
  • - Transport Layer Security (TLS): The TLS
    Protocol, version 1.0 http://tools.ietf.org/html/rfc2246
  • - OpenSSL and OpenSC