Abstract
The early adoption of a national, legal digital signature framework in Italy has brought forth a series of problems and vulnerabilities. In this paper we describe each of them, showing that in each case the issue does not lie in the algorithms and technologies adopted, but in faulty implementations, bad design choices, or legal and methodological issues. We also show which countermeasures would be appropriate to reduce the risks, and how these vulnerabilities reflect on the trust-based framework that gives legal value to digital signatures. We think that this study can help avoid similar mistakes, now that under EU directives a similar architecture is planned or under development in most EU countries.
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zanero, S. (2005). Security and Trust in the Italian Legal Digital Signature Framework. In: Herrmann, P., Issarny, V., Shiu, S. (eds) Trust Management. iTrust 2005. Lecture Notes in Computer Science, vol 3477. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11429760_3
DOI: https://doi.org/10.1007/11429760_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26042-4
Online ISBN: 978-3-540-32040-1
eBook Packages: Computer Science (R0)