29 July 2002

Julie Ruelle

Legislation allowing the implementation of the electronic signature is in the process of being completed. Two years after the law of March 13, 2000 which established the electronic signature by stating that it "consisted of a reliable process of identification guaranteeing its connection with the one it is attached to" and a year after the decree of March 13, 2001 which specified the conditions in which the process was considered reliable (Article 2 of this decree states that "the reliability of a process of a secure electronic signature is established thanks to a secure pronouncement on the creation of an electronic signature and that the verification of this signature relies on the use of a qualifying electronic certificate"), the decree of April 18, 2002 and the order of May 31, 2002 complete the French legislation relating to the acknowledgement of electronic signatures.

The order of May 31, 2002 concerns the recognition of qualified providers of electronic certification[1] and the accreditation of the bodies responsible for the evaluation. The decree of April 18, 2002 defines the issuing procedure and the certificate required so that the devices used conform to the provisions of the decree of March 31, 2001.

The decree establishes the certification scheme and specifies the following points: the evaluation and certification procedure, the evaluation centres, and the Committee Director of the Certification in Security of the Information Technologies.

Four types of players must be distinguished in the certification procedure:

  • The Applicant (the person who submits the device to the evaluation and certification),
  • The Evaluation Centres of the Security of the Information Technologies (CESTI),
  • The Central Direction of the Security of information systems (DCSSI),
  • The Committee Director of the Certification in Security of the Information Technologies.

The importance of the Committee Director should not be underestimated, since it takes part in every stage of the evaluation and certification procedure. In addition to issuing notices and proposals, which concern the certification policy, the norms and rules used for evaluation and certification, and the mutual recognition agreements alike, the Committee Director has the power to examine, with a view to reconciliation, any dispute relating to the evaluation procedures established by the decree.

The decree provides that the accreditation scheme takes place in two phases: the evaluation of the security offered by the device, and the certification.

  1. The evaluation

The evaluation allows the assessment of the security actually offered by a product or system.

The Applicant (for example, a software publisher) must first select an authorised evaluation centre.

(a) The choice of an authorised evaluation centre

At the present time, there are seven French evaluation centres which have been authorised or are in the course of being authorised (AQL – Groupe SILICOMP, SERMA technologies, CEA – LETI, Ernst & Young eLabel, Algoriel and Oppida).

The authorisation is issued by the Prime Minister after notice by the Committee Director of Certification. It is valid for two years and is renewable.

In order to be authorised, the evaluation centre must demonstrate (i) that it respects the norms in effect, (ii) that it is capable of applying the evaluation criteria and of assuring the required confidentiality, and (iii) its technical competence. For the first two conditions, (i) and (ii), the evaluation centre must provide an accreditation issued by an accreditation body (the order of May 31, 2002 designated as accreditation bodies the French Committee of Accreditation (COFRAC) as well as the signatory bodies of the multilateral European accreditation agreement concluded in the context of the European coordination of accreditation bodies).

In the event that the centre no longer fulfils the requirements described by the decree, the Prime Minister can withdraw the authorisation after notice by the Committee Director of Certification.

The decree does not leave out the international aspects, since it also specifies the authorisation procedure for foreign centres that already hold an authorisation. For this purpose, the decree distinguishes, according to the authorisation already obtained, between centres located in a third country and centres located in the European Union:

  • If the authorisation was granted, in the context of a homologous procedure, by the authorities of the country in which the centre is "located" ("installé"), the centre can be approved after notice by the Committee Director of Certification.
  • On the other hand, if the centre is located in the territory of a Member State of the European Community and was authorised in the context of an equivalent procedure, it is the Prime Minister who must authorise it.

It must be noted that, on the one hand, by referring to the country of installation, all questions concerning the "nationality" of the centre are avoided. On the other hand, the authorisation procedure applied in the country of installation is not assessed in the same way in both cases: for a centre located outside the European Union a homologous procedure is sufficient, whereas for a centre located in a Member State the procedure must be equivalent. While this distinction may be clear in theory, it can nevertheless be difficult to apply in practice. Finally, while the authorisation of a centre located outside the European Union is optional, the authorisation of centres located in the other Member States is a matter of right, since the procedures used are equivalent.

For all the evaluation centres, whether located in France or abroad, the DCSSI has the power to ensure that they continue to satisfy the criteria under which they were authorised. The decree lacks clarity on this point; it would have been necessary to specify the methods of control, particularly with respect to the control of centres located abroad.

The Applicant's selection of the CESTI can be made by invitation to tender. The summary of conditions serving as the basis for the invitation to tender contains in particular the "security target" ("cible de sécurité"), the technical elements drawn up in conformity with the Common Criteria established by the international organisations. It can therefore be useful to call upon a CESTI to draft the summary of conditions. The technical elements of the summary of conditions are then transmitted to the DCSSI.

(b) The evaluation procedure

The Applicant determines with the CESTI(s) the products to be evaluated, the conditions for the protection and confidentiality of the information, the cost of the evaluation, and the time periods for carrying it out.

The DCSSI oversees the proper execution of the evaluation. It can ask at any moment to observe the evaluation or to obtain information.

The Applicant can withdraw its request for evaluation at any time. There appears to be no condition or formality required for this withdrawal. The withdrawal can, however, give rise to compensation; it can reasonably be assumed that this compensation will consist of the reimbursement of the costs incurred by the evaluation.

The evaluation centre issues an evaluation report to the Applicant and to the DCSSI. By specifying that this report is covered by industrial and commercial secrecy, the law avoids any debate over a possible communication of the document to third parties.

  2. The certification

"The certification is an independent confirmation, materialised by the issuing of a certificate, which attests that the evaluation was carried out in conformity with the rules of the scheme and indicates the level of evaluation carried out."

The Applicant and the DCSSI validate the evaluation reports together with the evaluation centre concerned. If the two reports are validated, the DCSSI produces a certification report within one month (from the validation date of the two reports).

This certification report, which contains the characteristics of the proposed security objectives and the results of the evaluation, concludes with the issuing or refusal of the certificate. The certification report can be disclosed to the public or to third parties if the Applicant so wishes. It should be noted that, in accordance with Article 3.II.1 of the decree of March 30, 2001, the Applicant cannot oppose the publication of the issuing of the conformity certificate.

The certificate is issued by the Prime Minister.

The international aspects of the certification are also taken into account by the decree: it provides that mutual recognition agreements for certificates can be concluded by the DCSSI with the homologous foreign bodies (to date, the DCSSI has signed two mutual recognition agreements: the European mutual recognition agreement SOG-IS[2], and the Common Criteria Mutual Recognition Arrangement (MRA)).

As regards certificates issued by the bodies of other Member States, the Prime Minister must recognise them as having the same value as those issued under the decree (but this obligation only exists if the procedure applied in that State is comparable to the French procedure and offers equivalent guarantees).

Despite the imprecisions noted above, the decree of April 18, 2002 proposes a certification scheme which is quite thorough and simple to implement. Since the securing of exchanges and transactions is a recurring question, it can be assumed that the procedure established by the decree will be used frequently, despite its optional nature.

[1] By virtue of the decree of March 31, 2001, these providers of electronic certification are responsible for delivering the electronic certificates which guarantee the identity of the signatory.
[2] SOG-IS: Senior Officers Group for Information Systems Security.