Certification Authorities Registrar
About The ES Law

The E-Sign Law in Israel

The E-Sign law in detail

The E-Sign law in practice

 

 

 

1. The E-Sign Law in Israel

Israel enacted the Electronic Signature Law, 5761-2001 (henceforth: "the E-Sign law" or "the law") as the first legislative arrangement to adapt its legal environment to the internet and computer-based transactions. The E-Sign law is the cornerstone for other legislative arrangements in this area. It has enabled moving forward with several projects which display the potential in this area.

 

The Israeli E-Sign law follows the techniques applied by the European legislator in Directive 1999/93/EC on a Community Framework for electronic signatures (henceforth: "the Directive"). Like the Directive, the Israeli E-Sign law is based on a two-level approach. At the statutory level, the E-Sign law defines substantial requirements for "electronic signatures". These requirements are purely legal and non-technical. On the second and lower level, there are two sets of regulations promulgated by the Minister of Justice, which elaborate various technical aspects of the law and regulate the operation of Certificate Authorities under the law.

 

The Ministry of Justice in Israel is in charge of implementing the law, in two major aspects. The Ministry of Justice is in charge of licensing private certification authorities through a regulatory officer, the Certification Authorities Registrar.  Currently, there is one authorized Certificate Authority licensed in Israel. The Department for Legislation and Legal Counsel in the Ministry of Justice advises government bodies about E-government services and implementing digital signatures.

 

These authorities follow the work done internationally on PKI and E-Sign, because of the similar policy goals and technological base. The work done by the European Electronic Signature Standardization Initiative (EESSI) has been studied carefully. The extensive work done in the EESSI is used as a basis for many policy decisions, both in regulating electronic signatures and in the wider context of electronic commerce and E-government.

 

Some differences exist, however, but they are a natural result of the fact that the Directive is a legal instrument on a Union level, whereas the E-Sign law is a national-level law.

 

2. The E-Sign law in detail [1]

The law contains three major legal arrangements: the minimum requirements for legally viable "electronic signatures", the evidentiary value of these "electronic signatures", and the division of liability between the different parties to a signature process.

 

The law's basic building block is a "Secure e-signature"[2]. In substance it can be considered equivalent to the Directive's "advanced e-signature"[3], since the definitions of both types of signature refer to the minimum substantial requirements for the legal validity of "electronic signatures", e.g. the ability to recognize the signer and the protection of the signed message from being changed.

 

The Secure e-signature definition refers to signatures which are created by a "Signing Device" (Private Key) and can be verified by a "Signature Verification Device" (Public Key). In addition, the Israeli e-signature Regulations specify the security requirements with regard to the Signing Device used to create the signature and the means used to operate it (such as a smart card, token etc.). An electronic signature created by a "Signing Device" which meets these requirements is presumed to be a "Secure e-signature". This requirement is substantially similar to the requirements for a "Secure Signature Creation Device" in the Directive and in the EESSI standards which elaborate these requirements.

 

The regulations include a presumption that the use of secure devices leads to a "secure electronic signature"[4]. In this way, the technical requirements for a "secure electronic signature" are subject to "soft regulation", a method intended to encourage compliance with the regulation. It should be noted that these regulations, and more specifically the regulations relating to the elements of a "secure signature", are in the Regulations revision plan.

 

An "electronic signature" that complies with these requirements has formal legal standing[5]. The message to which it is attached is admissible in court, and there is a presumption that the message was not changed since it was signed, and that it was signed by the person who holds the signature device.

 

"Certified e-signature" is defined as a Secure e-signature that has an "Electronic Certificate" issued by a "Certification Authority". "Electronic Certificate" is an electronic credential issued by a Certification Authority, confirming that a certain Signature Verification Device belongs to a certain person. "Certification Authority" according to the Israeli law is an issuer of Electronic Certificates that has been certified and registered by the CA Registrar under the law. The law and regulations impose extensive duties on the Certification Authorities in order to ensure their reliability and the trustworthiness of the certificates they issue. These duties include all aspects of managing a high-standard CA, according to international standards and practices. In this context it should be mentioned that with regard to the signature holder, in addition to the usual identification, key generation and certificate issuing processes, the CA has to ensure that the device that holds the signing key complies with the requirements stipulated in the regulations (as mentioned above).

 

The registrar is appointed by the Minister of Justice under the law. According to the law he should be eligible to be a magistrate judge, therefore he must be a lawyer. He is in charge of certifying and registering the Certification Authorities and supervising their activity, in order to ensure their compliance with the law and the regulations. The registrar is also assigned with constant monitoring and application of the law. The registrar relies on information security and information technology technical staff for audits. In practice, international experience and standardization in this field are taken into account and used as a basis for many policy decisions. For example, ETSI documents relating to regulating CAs have served as a base for the registrar's internal guidelines as to the audit of CAs.

 

The Certified e-signature provides a high level of certainty, which is comparable to the certainty level provided by the Directive's "qualified certificate". Accordingly, section 2 of the E-Sign law allows using this electronic signature even when there is a statutory requirement for a signature. This signature is therefore a full substitute for the handwritten signature, except for limited uses, such as signing wills.

 

With regard to liability, the law's basic division is between the signer and the recipient, and it distinguishes between a "Secure electronic signature" and a "Certified electronic signature". A signer who holds a "signature creation device" for a "Secure electronic signature" has a duty to reasonably guard his device. In the case of loss of control over the device (such as theft), he has to notify all those who would reasonably rely on his signature because of "regular relations" between them. With regard to a "Certified electronic signature", as there is an authorized third party involved in the trust chain, there is a different division of liability with regard to "authorized signatures". Thus, the owner of a signature creation device who loses control of it only has to notify the Certificate Authority about it and cancel the certificate and the signature. The Certificate Authority has a duty to promptly publish the cancellation of the certificate on its constantly updated "Certificate Revocation List".

In the field of international cooperation, section 22 of the law empowers the registrar to register a foreign CA subject only to recognition of the authority that supervises it. At present there are no foreign certification authorities registered.

 

3. The E-Sign law in practice

The experience with electronic signatures in Israel is that this field has not realized the initial expectations of legislators and regulators. The so-called "chicken and egg" problem, where little demand for electronic signatures has led to few applications implementing electronic signatures and so forth, can be observed in Israel. Nevertheless, at present the Government of Israel has chosen PKI and electronic signatures as the leading technology for e-government applications and secure transactions. In this context, the possibility of cross recognition in the e-government context magnifies the network effect of implementing PKI.

      

At present the government is the main enabler of e-sign related projects. There are several large-scale projects which utilize the technological and legal advantages of electronic signatures to promote electronic commerce and e-government applications.

 

The first large-scale project, set in motion in September 2003, is the Israel Securities Authority's "Magna", a completely electronic filing and reporting system to the Securities Authority and to the stock exchange. This system relies on certified electronic signatures for signing filings, in both the technical and the legal aspects. As a result of its implementation, stock exchange reporting has become more streamlined, drastically changing the costs of reporting to firms and the availability of market-related information in real time to the market. This project serves as a model for other e-sign based projects. There are around 3000 electronic certificates issued for use in this project.

 

The second large-scale project (now in its last testing stages) is an electronic civil court system, intended to lead to "paperless court files". This system is based to a large extent on electronic signatures, which allow safe filing and retrieval of court documents. It is estimated that between 30,000 and 40,000 lawyers who interact with the court system will be issued electronic certificates.

Another project to be mentioned deals with electronic receipts and customs certificates. Israeli tax regulations allow, under certain conditions, the issuing of electronic receipts, which have important effects on efficiency and transparency. These regulations do not require the high-level "certified signature"; rather, the receipt may be signed using the "secure signature" if external means to recognize the signer are available in the transaction. Such means can be relevant when a credit card is used or a bank transfer is involved. Thus the signature serves to show that the receipt has not changed since it was signed, and gives some reference to its origin.

 

Another tax-related project concerns the filing of electronic customs documents. Electronic filing allows faster processing and more efficient auditing in this area. This project involved the issuing of "certified electronic signatures" to customs agents in order to file the customs documents.

 

Other projects include e-government tendering, which has great potential for more efficient and competitive government bidding, and the issuance of pledge registration confirmations e-signed by the Registrar of Pledges in the Ministry of Justice.



[1] The following description assumes basic knowledge of the Directive and Public Key Infrastructure, and therefore focuses only on the main elements of the Israeli law.

[2] Israeli Law, section 1: "… "Secure Electronic Signature" – an electronic signature which meets all of the following requirements:

(1)     It is unique to the owner of the signing device;

(2)     it enables prima-facie identification of the owner of the signing device;

(3)     it is created using a signing device that can be maintained under the sole control of the owner of the signing device;

(4)     it enables identification of any change to the electronic message subsequent to signing;…"

[3] Directive, article 2, section 2: 'advanced electronic signature' means an electronic signature which meets the following requirements:

(a)   it is uniquely linked to the signatory;

(b)  it is capable of identifying the signatory;

(c)   it is created using means that the signatory can maintain under his sole control; and

(d)  it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;

[4] The regulation requires that the following elements are present: 1. a device tested to FIPS or CC standards; 2. a key based on an RSA or DSA 1024-bit key or an Elliptic Curve DSA 160-bit key; 3. a PIN code or biometric access control.

[5]   Israeli Law, section 3:

"3. Admissibility of a Secure Electronic Signature

An electronic message signed with a secure electronic signature is admissible in any legal procedure, and will constitute prima-facie evidence that:

(1) the signature is that of the owner of the signing device;

(2) the electronic message is that which was signed by the owner of the signing device."

 