Switzerland

[CH] Decree on Electronic Certification Services Comes into Force

IRIS 2000-10:1/16

Patrice Aubry

RTS Radio Télévision Suisse, Geneva

The Swiss Federal Council's adoption of the Decree on Electronic Certification Services (Oscert) constitutes a decisive step towards acknowledging the use of digital signatures and securing electronic trading in Switzerland. The Decree came into force on 1 May 2000; it lays down the legal, technical and financial conditions which providers of electronic certification services must meet if they wish to be covered by the Decree and be acknowledged by the appropriate authority. Being covered by the Decree remains optional, however; providers of certification services are therefore still free to offer such services outside the system provided for by the Decree. Thus the acknowledgement system is aimed at conferring greater legitimacy and a "quality label" on those providers who so desire. The principal demands made by the Decree concern the generation and use of encryption keys, electronic certificates and the providers of certification services; these demands correspond to those laid down in the appendices to Directive 1999/93/EC of 13 December 1999 on electronic signatures.

Acknowledgement of providers of certification services is issued by the certification bodies accredited by the Swiss Accreditation Service (SAS) of the Federal Office of Metrology (Ofmet). The conditions for acknowledgement laid down by the Decree refer in particular to staff qualifications, the reliability of the IT systems and products used, and the financial resources and guarantees of the service providers. The latter must have the necessary insurance to cover their liabilities. They are also responsible for any prejudice suffered as a result of erroneous certification, unless they are able to demonstrate that they were not at fault in any way. In addition, the list of acknowledged providers of certification services is published. The Decree also provides for the possibility of obtaining a statement from the certification bodies confirming the conformity and validity of an electronic certificate at a given time. Lastly, the Decree defines the minimum requirements which electronic certificates issued by acknowledged providers must meet.

Providers of certification services must physically check the identity of the persons applying for a certificate. In order to guarantee the authenticity of the certificate, the service provider signs it electronically before it is listed in a register which may be consulted freely by the public. In addition, providers of certification services must cancel a certificate immediately if its holder so requests, for example in the event of losing the private key, or if it transpires that the certificate was obtained fraudulently, or if it ceases to guarantee the connection between a person or an administrative entity and a public key.




This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.