4 Legislation on Electronic Signatures

Electronic signatures can be used to clarify the generator of data and to prevent the alteration of data in electronic transactions and applications to public entities. As there is a need for confirming the identity of the other party to a data interchange in electronic commerce and applications, it is indispensable for fostering electronic commerce and applications to construct a framework to use electronic signatures securely. Recently such issues as use of secure electronic signatures and the realization and promotion of electronic commerce and applications have been discussed from a technical standpoint. In addition, issues concerning legal systems should be discussed promptly.

The electronic authentication systems based on the commercial registration system and the electronic notarization system based on the notarization system (see 2 and 3) are regarded as part of the establishment of the framework. The former offers digital certificates for a public key similar to certificates of an impression of a seal which are issued on paper, and the latter offers notarial service for electronic documents which is functionally the same as the current notarization system. But, in current paper-based transactions, there is a system other than the certification system operated by the commercial registries and the notarization system to realize secure transactions, that is, the legal system which establishes legal effects of signatures or seals which are not directly related to the commercial registration or notarization systems. As legal effects of signatures or seals play an important role in allowing secure transactions, legal effects of electronic signatures which are functionally equivalent to signatures or seals may be established in order to realize secure electronic commerce. The Study Group discussed the necessity of legislation for electronic signatures, taking legal effects of signatures and seals into consideration. The following is the content of the discussion, which deals with issues concerning legislation on electronic signatures which can be pointed out at present. Discussions on details of systems and technical issues should be continued, keeping the international perspective in mind and respecting discussions in international forums.

(1) Necessity of Legislation on Electronic Signatures

  a. Necessity of Legislation in Japan

    When discussing legislation on electronic signatures, the first question is whether there should be any such legislation at all.

    There may be an opinion that there is no necessity for legislation on electronic authentication or electronic signatures because measures taken by private entities are the best way to deal with issues concerning electronic commerce. Certainly, parties to telecommunications should be able to determine how to authenticate a generator of data in data transmission. Legislation that forces the parties to use only certain types of electronic authentication is not appropriate. Free competition by private entities plays a very important role in the advancement of authentication technology and reliability of certification authority. Legislation obstructing such free competition is not desirable. These standpoints should be taken into consideration in discussing the necessity of legislation on electronic signatures.

    But not every kind of legislation can be rejected, even if the above-mentioned perspectives are respected. For example, in paper-based transactions, parties to a transaction can determine a method of identification used in each transaction, but, in fact, signatures and seals are used in most cases. This is because there are laws that establish legal effects of signatures and seals (cf. Article 228(4) of the Civil Proceedings Act) as part of a legal framework to realize secure paper-based transactions. Needless to say, such laws do not force parties to a transaction to use certain methods of authentication and do not obstruct advancement in authentication methods other than signatures and seals. So legislation on electronic signatures whose contents are similar to current laws on signatures and seals does not obstruct free activities of private parties but is useful as part of the establishment of a legal framework for advancement in electronic commerce.

    There may be another opinion that there is no necessity for legislation on electronic authentication or electronic signatures because contracts or stipulations formed by private entities can deal with such issues. Certainly, contracts can deal with many issues but not all issues. For example, issues relating to evidentiary rules and signature requirements should be dealt with by legislation. In addition, it should be discussed whether there should be some special rule on the relationship between parties to electronic authentication.

    In discussing the necessity of legislation on electronic signatures, specific issues should be inspected thoroughly. Adopting the attitude that legislation is unnecessary regulation and denying any kind of legislation on electronic signatures may hinder the realization of secure electronic commerce and applications. Legislation on electronic signatures which establishes their legal effects will be directly related to the contents of basic laws such as the Civil Code, the Commercial Code and the Code of Civil Procedure, so issues including the legislation's consistency with such basic laws should be discussed carefully when introducing the legislation.

  b. Foreign Legislation

    In many countries, legislation on electronic signatures has already been enacted or will be introduced and issues concerning electronic signature law have been discussed in international forums.

    In the United States, almost all states have started discussing electronic signature law and some kind of law on electronic signatures has been enacted in many states. Although the contents of the legislation in each state differ, they may be classified into general categories. First of all, there are some acts that establish acceptance of electronic signatures in specific areas such as data transmission to public entities and medical records (cf. California, Connecticut). On the other hand, there are acts which are generally applicable to public or private communications. Then, such general acts can be divided into two categories. First, some acts concern "electronic signatures", which are data attached to some electronic record by the generator of the record with the intent to authenticate the record, and establish relatively limited legal effects, that is, satisfaction of form and signature requirements (cf. Virginia, Massachusetts). Second, some other acts concern "digital signatures", which are based on public key cryptography, or their equivalent and establish not only such legal effects as presumptions and liabilities as well as satisfaction of form and signature requirements, but also establish a licensing system for certification authorities (cf. Utah, Washington). There are also some acts which are hybrids or compromises of the above-mentioned categories. In addition, the National Conference of Commissioners on Uniform State Laws has started forming the Uniform Electronic Transactions Act, which will be the model for state legislation, and some bills of federal legislation are being discussed to conform the contents of electronic signature laws in the United States.

    In Europe, such countries as Germany and Italy have approved electronic signature law. The German Digital Signature Act (Gesetz zur digitalen Signatur) regulates licensed certification authorities but allows non-licensed certification authorities to act freely. The Italian act also regulates certification authorities from the standpoint of public law. Thus, there are some laws to regulate certification authorities which offer authentication services in Europe. But it should be noted that even in Europe regulation of certification authorities is not considered the only way for legislation on electronic signatures. In addition to legislation in individual countries in Europe, the European Union (EU) has discussed issues concerning electronic signatures and proposed a common legal framework in the EU relating to requirements for certification authorities and legal recognition of electronic signatures.

    Discussions of issues on electronic signatures in international organizations have also been conducted. For example, the United Nations Commission on International Trade Law (UNCITRAL) is preparing Draft Uniform Rules dealing with issues on electronic signatures and certification authorities. The current Draft establishes some legal effects of electronic signatures and deals with liability issues of certification authorities, though the contents of the Draft Uniform Rules are not finalized. The Draft permits states enacting laws based on the Uniform Rules to set up official standards for operations of certification authorities but establishes some legal effects on electronic signatures verified by reference to the public key listed on a certificate issued by a certification authority which does not fulfill the requirements set forth in the standards, though this point is rather controversial.

    There are a variety of electronic signature laws in the world, so we should pay much attention to foreign legal discussions when conducting studies in Japan. Especially, it should be taken into consideration that major countries in the world have already started studying legislation on electronic signatures or have already enacted electronic signature laws.

(2) Specific Issues

  1. Scope of Legislation on Electronic Signatures

    First of all, the scope of legislation should be determined when studying legislation concerning electronic signatures. The word "electronic signature" often means digital data or results of certain data processing which are functionally equivalent to a handwritten signature, but now mainly digital signatures based on public key cryptography are regarded as such electronic signatures.

    In establishing legal effects of electronic signatures which are equal to effects of handwritten signatures, it is natural that digital signatures which are used widely for electronic authentication should be within the scope of legislation. On the other hand, something like a simple password should not be within the scope of legislation as a matter of course, because it is not regarded as functionally equivalent to a handwritten signature.

    The question is whether electronic signatures which have the same function as handwritten signatures, that is, signer authentication, should be included within the scope of legislation. There seem to be some electronic signature methods which are not based on public key cryptography at present. Taking into consideration the rapid development of telecommunication and cryptography technology and the possibility that electronic signatures other than digital signatures will be mainly used in the future, the scope of legislation should not be limited to digital signatures. So, generally speaking, any kind of electronic signature should be included within the scope of legislation.

    Of course, not all electronic signatures may have all possible legal effects of electronic signatures established by legislation because requirements for each legal effect may differ. In addition, digital signatures, which are widely used and whose schemes are widely known, may be governed by specific rules in addition to general rules on electronic signatures.

  2. Legal Effects of Electronic Signature

    In studying the possible legal effects of electronic signatures while taking legal effects of signatures or seals into consideration, the following legal effects should be investigated.

    (a) Presumption of Authenticity of an Electronic Document

    Article 228(4) of the Code of Civil Procedure provides that it is presumed that a private document with a signature or seal of a person or its representative is made by that person. This means that when a signature or a seal of a person is attached to a document and the signature or a seal is made intentionally by that person, it is presumed that the whole document is made intentionally by that person. In establishing such legal effects of a signature or seal, the fact that a signature or seal is widely used for authentication purposes, that a signature or seal is uniquely linked to each person and a certain signature or seal is made by only a certain person (in the case of a seal, a seal should be handled properly), and that alteration of documents with a signature or a seal is considerably difficult are taken into consideration.

    As for electronic signatures, at least digital signatures based on public key cryptography are used for authentication purposes and can be deemed uniquely linked to a certain person when a private key used to generate a digital signature is handled properly. Moreover, alteration of an electronic document with a digital signature could be made impossible, so long as the algorithm is sufficiently strong (at the very least, alteration of an electronic document with a digital signature is already more difficult than that of a document with a handwritten signature). There are also some electronic signatures which have the same functions as handwritten signatures. As electronic signatures including digital signatures may be deemed functionally equal to handwritten signatures or seals, legislation for establishing the legal effect of electronic signatures like the effect provided by Article 228(4) of the Code of Civil Procedure is possible. And requirements for such legal effect may be the functional equivalence of a handwritten signature, so electronic signatures with such legal effect should not be limited to digital signatures based on public key cryptography.

    (b) Presumption of a Generator of an Electronic Signature

    In claiming the legal effect of electronic signatures like the effect provided by Article 228(4) of the Code of Civil Procedure, authenticity of electronic signatures must be proven by the person claiming the authenticity of an electronic document with an electronic signature. This is the same rule as that concerning handwritten signatures and seals. In the case of a seal, authenticity of a seal is usually proven by utilizing a certificate of an impression of a seal issued by the commercial registry or a local public entity, that is, when a certain impression of a seal is the same as the impression certified by a certificate issued by the commercial registry or a local public entity, it is actually presumed that the impression of a seal is made by the person listed on the certificate. Therefore, as for electronic signatures, it may be possible to consider legislation for presumption of a generator of an electronic signature, to make proof of this point easy. On the other hand, there are opinions that establishing such legal effect for electronic signatures by legislation is not necessary or appropriate in comparison with the case of an impression of a seal because such legal effect for an impression of a seal is not stipulated. Whether such presumption should be established by legislation should be carefully discussed.

    If such presumption is established by law, such presumption will be established only when an electronic signature is specifically associated with a person using it for authentication purposes and fulfills requirements for the legal effect like the effect provided by Article 228(4) of the Civil Proceedings Act (see (a)). To be concrete, as for digital signatures based on public key cryptography, it may be possible to set up requirements for certification authorities providing information for associating a digital signature with a person using it for authentication purposes and to presume that a digital signature certified by a certification authority which fulfills such requirements is generated by the person listed on a certificate issued by the certification authority.

    On the other hand, as for electronic signatures other than digital signatures, it is difficult to establish uniform requirements for them at present. So at least at present, it seems difficult to set up requirements for such presumption for electronic signatures other than digital signatures to establish such presumption.

    (c) Satisfaction of signature requirements

    In the Japanese legal system, preparation of a document with a signature or a seal is required in certain cases. Such requirements are established by such basic private laws as the Civil Code and the Commercial Code and public laws concerning applications to public entities. As electronic signatures are functionally equivalent to handwritten signatures, it may be possible to admit that a document with a signature is substituted by an electronic document with an electronic signature.

    In such cases, it should be discussed what kind of signature requirements can be satisfied by preparing an electronic document with an electronic signature. There may be an opinion that all kinds of signature requirements should be satisfied by preparing an electronic document with an electronic signature. But, for example, whether electronic applications using electronic documents with electronic signatures can be permitted is an essential issue for procedures of applications, so it does not seem practical to permit all kinds of electronic applications at the present time. Electronic applications should be realized by the amendment of individual provisions governing each application, taking the purpose of each application into consideration. In addition, whether signatures as a part of the requirements of negotiable instruments including bills and checks can be substituted by electronic signatures should be carefully investigated because there are special issues such as how to decide a rightful claimant using digital data which is duplicated easily. Thus, it seems inappropriate to consider that all kinds of signature requirements should be satisfied by preparing an electronic document with an electronic signature.

    So it may be appropriate to establish laws to admit substitution of a document with a handwritten signature by an electronic document with an electronic signature in some limited cases of signature requirements. For example, signature requirements (other than those concerning negotiable instruments) in the Civil Code and the Commercial Code which are basic laws on transactions are as follows: balance sheet (Art. 33(4) of the Commercial Code); articles of incorporation (Art. 63 of the Commercial Code, 166(1) etc.); record of a general meeting of shareholders (Art. 244(2) of the Commercial Code); record of a board of directors (Art. 260-4(2) of the Commercial Code); record of a meeting of bond holders (Art. 339(2) of the Commercial Code); claim of conversion of convertible bonds (Art. 222-5(2) of the Commercial Code); claim of conversion of convertible shares; and a written contract of brokerage (Art. 546 of the Commercial Code).

    There are some problems in enabling substitution of a document with a handwritten signature by an electronic document with an electronic signature, while such substitution is useful from the standpoint of parties. For example, in certain cases a handwritten signature or a seal is required not only for the purpose of clarifying the author of the document but also for the purpose of ensuring prudent decisions by requiring a certain form, so when such substitution is permitted in such cases, the aim of law, ensuring prudent decision, may be spoiled. In enabling such substitution, the aim of each provision should be investigated.

    Substitution of a simple "document" by an electronic document could also be possible, as well as substitution of a document with a handwritten signature by an electronic document with an electronic signature. In this case, in discussing what kind of form requirements should be satisfied by preparing an electronic document, the aim of each provision should be respected. There may be opinions that there is little necessity for legislation on this matter because an electronic document can satisfy form requirements in certain cases when it can be deemed that the word "document" includes "electronic document".

  3. Relation of Parties to Electronic Authentication

    In the case of digital signatures based on public key cryptography, there are three parties, that is, the parties to the transaction and the certification authority. The relation between the parties to the transaction and the certification authority should be investigated here. The relation contains three aspects: the relation between the parties to the transaction using electronic authentication; the relation between the subscriber (whose name is listed in a certificate) and the certification authority; and the relation between the relying party (who verifies the digital signature using a public key listed on the certificate issued by the certification authority to confirm the identity of the subscriber) and the certification authority.

    First, the relation between the parties to a transaction is governed by general contract law. But there is an opinion that rules applied to transactions generally should be amended because of the differences between general transactions and electronic transactions. This issue is discussed in the Substantive Law Subcommittee and has been presented in the Interim Report. Further discussions will be made in the future in the Substantive Law Subcommittee.

    On the other hand, the relation between certification authorities and subscribers or relying parties should be discussed independently. In several countries, there are discussions on legislation to limit liability of certification authorities or to establish a rule that a certification authority is liable for losses incurred by its operation unless the certification authority proves that there was no negligence in its operations. In addition, it may be possible to establish discretionary provisions on the relation between certification authorities and subscribers or relying parties. But these issues may be appropriately governed by general rules. In Japan, discussion should be continued taking the above-mentioned perspectives into consideration.

  4. Designation Scheme for Certification Authorities

    (a) Purpose of the Designation System

    1. As stated above, there may be legislation to establish the same legal effects of electronic signatures as those of handwritten signatures or seals. In such legislation, requirements for legal effects of electronic signatures must be set up. But, it is difficult for the general public to recognize an electronic signature which satisfies such requirements, while it is relatively easy to recognize a handwritten signature or a seal which satisfies legal requirements. In general, at least digital signatures based on public key cryptography are eligible for such legal effects, but even in the case of digital signatures, whether they have legal effects depends on such factors as algorithm and key length. Besides, as the scope of electronic signatures with legal effects will change in accordance with development of technology, it will be more and more difficult to know the scope of electronic signatures with legal effects at any given point in time. So it may be useful to establish a system to clarify what constitutes an electronic signature with legal effects in advance as well as to establish requirements for legal effects of electronic signatures, in order that the general public can easily recognize an electronic signature with legal effects.
    2. In establishing presumption that a person listed on a certificate is a generator of a digital signature (see b (b)), a specific framework for certification authorities issuing certificates may be needed to ensure accuracy of the contents of the certificate. And which digital signatures verified by reference to public keys listed on certificates issued by certification authorities are eligible for presumption of a generator of an electronic signature may be clarified by showing certification authorities accord with the framework.
    3. There can then be legislation to establish a legal standard for certification authorities and to designate certification authorities that accord with the standard. In such a case, digital signatures verified by reference to a public key listed on a certificate verified by such a "designated" certification authority can be deemed electronic signatures with legal effects and it can be presumed that such digital signatures were generated by the person listed on a certificate. The purpose of this "designation" system is not to regulate certification authorities but to clarify what constitutes an electronic signature with legal effects in advance and to set up requirements to establish the presumption that a digital signature is generated by the person listed on a certificate issued by a "designated certification authority". In addition, the designation system may be useful because it offers a standard for realizing appropriate operations of certification authorities. On the other hand, it may be questionable whether the designation system can be well operated in light of rapid development of technology on electronic signatures and issues on the body designating certification authorities should be carefully discussed. In the future, further discussions on issues, including the propriety of setting up the designation system, should be continued, taking the above-mentioned aspects and discussions held at international forums into consideration.
    4. In the case of setting up the designation system, there are some options concerning how to deal with non-designated certification authorities. It is not appropriate to prohibit non-designated bodies from acting as certification authorities because such prohibition seriously limits free activities of private entities in the area of electronic authentication. Also, it is not appropriate to provide some legal effects only with a digital signature certified by a certificate issued by a designated certification authority and not to provide any legal effects with any other electronic signatures because there is no problem in providing the same legal effects that digital signatures certified by designated certification authorities may have with electronic signatures certified by non-designated certification authorities, if such electronic signatures fulfill certain requirements. Accordingly, it seems appropriate to provide some legal effects with electronic signatures other than digital signatures certified by a designated certification authority when establishing the designation system.

      But, as systems of electronic signatures other than digital signatures are not established at present, it seems actually impossible to establish designation systems for electronic signatures other than digital signatures. So inevitably there will be only a designation system for digital signatures at present. As a result, presumption of a generator of an electronic signature will be provided only with digital signatures certified by designated certification authorities because there must be a specific legal framework to ensure appropriate operations of certification authorities in establishing such presumption.

    (b) Contents of the Designation System

    It should be discussed whether the above-mentioned designation system should be established or not. But when a designation system for certification authorities is established, the following issues may be dealt with. In the designation system, requirements for designation and a certain legal framework to ensure appropriate operations of designated certification authorities will be necessary. The following is a designation system for certification authorities which publish information for identifying a generator of a digital signature based on public key cryptography by issuing a certificate.

    1. Requirements and Procedure for Designation

      (i) Requirements for designation will be "a person who can execute their duties as a certification authority appropriately and securely", as the aims of the designation system are to clarify what are electronic signatures with legal effects and to establish requirements for presumption on a generator of an electronic document. Details of the "duties as a certification authority" and standards to determine whether a person can execute their duties "appropriately and securely", which may include the following matters, may be established individually. A considerable part of the details and standards, especially those concerning technological sides, will be established by cabinet order or ministerial ordinance so that such details and standards can keep up with rapid technological development.

      (ii) It is appropriate to designate certification authorities only when a certification authority applies for the designation.

      (iii) An act allowing the public to mistake a non-designated person for a designated certification authority must be avoided when establishing the designation system.

    2. Public Notice of the Designation

      When designating certification authorities, there may be a system to publish the name of a designated entity, its office, and so on, so that it is clear which certification authorities are designated.

    3. Entrustment of the Operations of a Designated Certification Authority

      Not all of the duties as a certification authority need necessarily be executed by a designated certification authority itself: part of them can be executed by a party other than the designated certification authority. In fact, the function of certification (issuing certificates) and the function of authentication (registering information necessary for electronic authentication) are fulfilled by separate entities in some cases. To deal with such cases, it may be necessary to admit entrustment of the operations as a certification authority by a designated certification authority.

    4. Obligation of a Designated Certification Authority, etc.

      The following obligations, other than duties concerning operations of a certification authority, could be imposed on a designated certification authority (and its directors and employees) by law. Further discussion is needed concerning individual issues.

      (i) Obligation concerning Certification Practice Statement

      To ensure appropriate and secure operations of designated certification authorities, designated certification authorities could be obliged to establish a basic rule concerning their operations (certification practice statement) by law. The contents of the certification practice statement could be decided by designated certification authorities, but there is an opinion that matters to be dealt with in the certification practice statement should be determined by law. There is another opinion that certification practice statements should be reported, authorized, or published, and moreover, it should deal with certain matters established by law. Further study on this issue should be continued.

      (ii) Obligation of Confidentiality

      Information concerning subscribers obtained by certification authorities when registering a subscriber may include information which should not be disclosed. Besides, a private key used by a designated certification authority to attach a digital signature to a certificate should be managed securely. So it may be possible to impose on certification operations an obligation of confidentiality for confidential information such as information on the subscriber and private key information by law. But this issue may be dealt with appropriately by general law such as tort law.

    5. Cancellation of Designation

      In establishing the designation system, requirements for cancellation of designation should be discussed. In general terms, designation would be cancelled when a designated certification authority is not considered as "a person who can execute their duties as a certification authority appropriately and securely". It is possible to limit the reasons for cancellation to those listed in a provision governing cancellation, such as "when a designated certification authority violated the law or the certification practice statement".

    6. Procedures for Business Closing

      After a designated certification authority is dissolved or closes its business, validity of certificates which have already been issued will no longer be certified by the designated certification authority. In such cases, there may be some trouble in proving validity of a certificate issued by the designated certification authority in court. It is possible to establish a system for a designated certification authority to take over certificate records issued by another designated certification authority which has closed its business so that the validity of the certificates can be proved easily by using the records, if necessary.

    (b) Legal Framework for Operations of Designated Certification Authorities

    In the designation system, a certain legal framework for basic certification operations such as issuance, revocation, and suspension of certificates could be established. The contents of the legal framework are discussed in the following. First of all, the meaning of the validity of a certificate should be discussed. The validity of a certificate means the status of a certificate which is required for admitting legal effects of electronic signatures certified by a certificate issued by a designated certification authority, that is, the effects that the digital signature is deemed as an electronic signature which has legal effects and that it is presumed that the generator of the electronic signature is a person listed on the certificate.

    The validity of a certificate can be admitted when a subscriber requests a certification authority to issue a certificate concerning a public key corresponding to the subscriber's private key and a certificate is actually issued. On the other hand, it is not appropriate to admit the validity of a certificate when the fact that the validity of a certificate has been lost is published in a certain manner by a designated certification authority or after the date of expiry listed in a certificate, because in such cases a subscriber seems unlikely to attach a digital signature to an electronic document and a relying party can easily know the fact. In such cases, a certificate should be deemed invalid. Further study on the validity of a certificate should be made, respecting the actual operations of certification authorities.

    1. Issuance of a Certificate

      (i) A subscriber to be listed on a certificate must be identified in a reliable manner when a designated certification authority issues a certificate. This is the essential part of certification operations, so it is indispensable to ensure reliability of identification conducted by a certification authority. It may be possible to limit methods of identification by law to certain methods, for example, information registered in a commercial register or to establish a law providing that methods of identification should be provided in the certification practice statement.

      (ii) The following are possible requirements for a certificate issued by a designated certification authority.

      α. an electronic document recording information necessary to identify the following matters

      1. subscriber (a person who generates an electronic signature)
      2. algorithm used for encryption and decryption of an electronic signature of a subscriber
      3. subscriber's public key
      4. date of issuance of a certificate
      5. designated certification authority issuing the certificate

      β. statement that the certificate is issued by a designated certification authority in accordance with law governing the designation system

      γ. digital signature of a designated certification authority

      (iii) In generating a digital signature certified by a designated certification authority, an algorithm which fulfills certain technical requirements and a secure key (from the standpoint of key length) must be used, because the designation system will be established in order to admit certain legal effects of a digital signature certified by a designated certification authority. So it is possible to provide that a designated certification authority can list only those algorithms and subscriber's public keys which fulfill certain requirements.

      (iv) A public key of a designated certification authority, which is used to verify a digital signature attached to a certificate, should be published in a certain manner so that relying parties can verify the digital signature of a designated certification authority.

      (v) A designated certification authority must be required to record the contents of a certificate and maintain the record when issuing a certificate. It is possible to establish provisions which govern how to prepare and how to maintain the record by law.

    2. Revocation of a Certificate

      (i) The meaning of revocation of a certificate is that a certificate is made invalid permanently from a certain point in time. It is considered that a certificate is made invalid after the fact that the validity of a certificate has been lost is published in a certain manner by a designated certification authority or after the date of expiry listed on the certificate.

      (ii) Procedures for revocation of a certificate may be started when a subscriber requests revocation, when a subscriber dies or dissolves (in the case that a subscriber is a director of a company). It may be possible to establish a law providing the causes for revocation. It may also be possible to restrict methods of identification of a person who requests revocation necessary in procedures for revocation of a certificate.

      (iii) A designated certification authority should begin procedures for revocation "promptly" after a subscriber requests the revocation of a certificate from the standpoint of protection of subscribers if a certificate is considered invalid after a designated certification authority published the fact that the certificate is invalid.

    3. Suspension of a Certificate

      (i) A certificate is revoked when a certificate is made invalid permanently. In the procedure of revocation, it must be confirmed whether the person who requests revocation is the right person. Certain materials should be required to identify the person who requests revocation, so it may be difficult to request revocation promptly after the time when a certificate should be revoked in certain cases. But in the case that the private key of a subscriber is compromised, some measures concerning the validity of a certificate should be taken. There may be some other cases in which a certificate should be suspended temporarily, rather than be revoked permanently. To deal with such cases, simple procedures to suspend the certificate temporarily before revoking it may be needed. This is a system for suspension of a certificate. It should be discussed whether there should be some rules concerning suspension of a certificate in the designation system.

      (ii) First of all, it should be determined whether a suspended certificate is valid or not. On the one hand, some think that a suspended certificate can be deemed invalid while a certificate is suspended. On the other hand, others think that a suspended certificate can be deemed invalid after the certificate is suspended but only when the certificate is then revoked while the certificate is suspended.

      (iii) It should be discussed whether there should be certain rules concerning procedures for the identification of applicants and the period of suspension in the designation system, although basically procedures for suspension of a certificate can be decided freely by each designated certification authority.
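The validity rules discussed above (issuance, expiry, published revocation) and the two opinions on suspension in (ii) can be compared as a relying-party check. This is an added example, not part of the report; the record fields, rule names and sample dates are constructed, and treating a certificate as not valid before its issuance is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

WHILE_SUSPENDED = "invalid_while_suspended"        # first opinion in (ii)
ONLY_IF_REVOKED = "invalid_only_if_then_revoked"   # second opinion in (ii)

@dataclass
class CertRecord:
    """Hypothetical record kept by a certification authority (constructed fields)."""
    issued: datetime
    expires: datetime
    suspension_published: Optional[datetime] = None
    suspension_lifted: Optional[datetime] = None
    revocation_published: Optional[datetime] = None

def is_valid_at(rec: CertRecord, signed_at: datetime, rule: str) -> bool:
    """Was the certificate valid at the moment the signature was generated?"""
    if rule not in (WHILE_SUSPENDED, ONLY_IF_REVOKED):
        raise ValueError(f"unknown suspension rule: {rule}")
    # Assumption: no validity before issuance; invalid after the expiry date.
    if signed_at < rec.issued or signed_at > rec.expires:
        return False
    rev = rec.revocation_published
    # Revocation is permanent from the moment it is published.
    if rev is not None and signed_at >= rev:
        return False
    sus, lifted = rec.suspension_published, rec.suspension_lifted
    in_suspension = (sus is not None and signed_at >= sus
                     and (lifted is None or signed_at < lifted))
    if not in_suspension:
        return True
    if rule == WHILE_SUSPENDED:
        return False
    # Second opinion: the suspension only counts if revocation followed
    # before the suspension was lifted, judged on the records known now.
    revoked_while_suspended = (rev is not None and rev >= sus
                               and (lifted is None or rev <= lifted))
    return not revoked_while_suspended

# Constructed sample records: one suspended then revoked, one suspended then restored.
REVOKED = CertRecord(datetime(2024, 1, 1), datetime(2025, 1, 1),
                     suspension_published=datetime(2024, 6, 1),
                     revocation_published=datetime(2024, 6, 10))
RESTORED = CertRecord(datetime(2024, 1, 1), datetime(2025, 1, 1),
                      suspension_published=datetime(2024, 6, 1),
                      suspension_lifted=datetime(2024, 6, 10))
```

The two rules differ only for a signature made during a suspension that was later lifted: the first opinion rejects it, the second accepts it.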

    4. Validation of a Certificate

      In a scheme of electronic authentication, a certification authority publishes the information necessary to identify revoked or suspended certificates when certificates are revoked or suspended. Then, a person who receives a certificate (a relying party) may inquire about the validity of the certificate and confirm the validity of the certificate by receiving a response to the inquiry (such inquiries and responses are usually made online).

      There are opinions that contracts between a certification authority and subscribers can properly deal with their relationship and that no special legal rules on certification of the validity of a certificate are needed. But it should be discussed whether there should be provisions on procedures for certification of the validity of a certificate conducted by a designated certification authority in the designation system. It may be possible to establish public law to prohibit false certification in the validation of a certificate.

    5. Retention of Record concerning Certificates

      It is possible to set up legal rules to provide that certain information on the contents of certificates and revocation and suspension of certificates be retained for a certain period of time, because such information will be needed when there is a dispute on a digital signature certified by a certificate issued by a designated certification authority. The definition of information maintained by a designated certification authority and the period of time during which the information is maintained should be discussed.

    (c) Electronic Signatures Certified by Foreign Certification Authorities

    In the above-mentioned system, the presumption of authenticity of an electronic document and satisfaction of signature requirements seem to be provided to a digital signature certified by a certificate issued by a foreign certification authority, if the digital signature fulfills certain requirements.

    In establishing a designation system, it should be discussed whether a foreign certification authority can be designated. It may be possible to regard a certification authority licensed in a foreign country as a designated certification authority. These issues should be discussed in the future.

    (d) Measures against a Designated Certification Authority which Violated Law on the Designation System

    In establishing a designation system on certification authority, certain duties are imposed upon certification authorities, in addition to certain requirements for designation. When a designated certification authority does not fulfill the requirements for designation any longer, the designation should be cancelled. However, when a designated certification authority violates duties imposed upon designated certification authorities, as a general rule, measures other than cancellation of designation should not be taken.
