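In the previous article, "How Is the Legal Effect of Electronic Contracts Reflected?", we saw that what people question is not the content of an electronic contract but the doubts and concerns raised by the fact that it is implemented electronically, such as how the signer's identity is confirmed and how easily the content can be forged or tampered with. In this article we look at how the legal effect of electronic contracts is safeguarded in electronic signature (https://www.bjca.cn/ProductSolutions/servicedetail/?ContentID=276#service) applications.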
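Electronic contracts use reliable electronic signature technology to safeguard their legal effect
According to the Electronic Signature Law, "a reliable electronic signature has the same legal effect as a handwritten signature or seal." A reliable electronic signature has the following characteristics:
(1) When the electronic signature creation data is used for an electronic signature, it belongs exclusively to the signer;
(2) At the time of signing, the electronic signature creation data is controlled only by the signer;
(3) Any alteration to the electronic signature after signing can be detected;
(4) Any alteration to the content and form of the data message after signing can be detected.
As can be seen, a reliable electronic signature ensures the authenticity of the signer's identity and the integrity of the data content, and it makes the association between the signer, the electronic signature and the data content unambiguous. Beyond that, an electronic contract carrying a reliable electronic signature ensures that any tampering with the signature or the data content is detected as soon as it occurs, so that responsibility for the act of signing can be attributed to the signer. For these reasons, electronic contracts generally use reliable electronic signature technology to safeguard their legal effect.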
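A new technical standard regulates the generation and verification of reliable electronic signatures
The Electronic Signature Law establishes the legal effect of reliable electronic signatures, but the questions of how to implement a reliable electronic signature technically, and how to verify that an electronic signature is reliable, have not been well resolved. Driven by the booming e-commerce market, a large number of electronic contract vendors have emerged, each claiming to offer electronic contract products with reliable electronic signatures. How can one judge whether a vendor's product is compliant? In response to this market need, and in order to implement the Electronic Signature Law and promote the adoption of reliable electronic signatures, the National Information Security Standardization Technical Committee issued the national standard for reliable electronic signatures, "GB/T 35285-2017 Information Security Technology - Public Key Infrastructure - Technical Requirements for Digital-Certificate-Based Reliable Electronic Signature Generation and Verification" (hereinafter the "Technical Requirements"), which formally took effect on July 1, 2018. The Technical Requirements explicitly specify the conditions for generating a reliable electronic signature based on a digital certificate:
(1) A lawful electronic certification service provider issues a digital certificate to the signer;
(2) The signing private key operation is performed inside a signature cryptographic device approved and licensed by the State Cryptography Administration;
(3) The signature cryptographic device authenticates the signer by means such as a PIN, a password or biometrics;
(4) A digital signature algorithm licensed by the State Cryptography Administration is used.
Digital signature algorithms based on the domestic cryptographic system, lawful third-party CA certificate services, and signature devices approved and licensed by the State Cryptography Administration are the keys to generating a reliable electronic signature. The signature algorithm mechanisms involved are too specialized to go into here; in short, digital signature cryptography ensures the authenticity of the signer's identity, the integrity of the data content, and the non-repudiation of the act of signing.
Under the strict supervision of the Ministry of Industry and Information Technology and the State Cryptography Administration, the Technical Requirements impose strict requirements on electronic certification services, verification of the signer's identity, signature data formats, signature cryptographic devices, electronic signature programs and signing processes. Only under these conditions of government supervision, trust endorsement and standardized operation are the generation and verification of reliable electronic signatures assured.
At this point we have discussed the legal effect of electronic contracts from several angles, including legal interpretation and technical implementation. Vendors planning to deploy electronic contracts will now have new questions: What does deploying an electronic contract system require of an enterprise's existing information systems? How should the deployment model be chosen? What issues need to be evaluated and watched most closely before deployment? 数字认证 (BJCA) will answer these one by one in follow-up articles.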