Title: A Study on Certificate Authority Management Regulations of the Electronic Signature Act
Authors: 宋渂琪 (Wen-Chi Sung)
羅明通 (Ming-To Lo)
劉尚志 (Shang-Jyh Liu)
College of Management, Technology Law Program
Keywords: Certificate; Certificate Authority; Electronic Signature; E-Commerce; E-Government; Electronic Signature Act
Publication date: 2007
Abstract: Internet security is the most important issue of the e-commerce and e-government era, and Public Key Infrastructure (PKI), built on public key cryptography, forms the basis of security and trust on the Internet. Through verification by a Certificate Authority (CA), PKI provides four security guarantees when electronic documents are transmitted: authentication, confidentiality, integrity, and non-repudiation. In short, the CA is the core of PKI, and a complete and sound legal framework is needed to protect consumers' interests and promote the development of certification service providers.

At present, the legal basis for regulating CAs in the R.O.C. is the Electronic Signature Act and its subsidiary regulations (the Enforcement Rules of the Electronic Signatures Act, the Standards of the Certification Practice Statement, and the Regulations Governing Permission of Foreign Certification Service Providers). The Act regulates CAs on a principle of "less intervention": it only requires a document examination of the CA's Certification Practice Statement (CPS) before licensing. This is insufficient to ensure the trustworthiness of CAs or the security of electronic transactions.

Internationally, the trend in CA management regulation has shifted to a principle of "more intervention", backed by legal frameworks of considerable scale. By comparison, R.O.C. law does not regulate the operation and management of CAs in comparable detail. As certificate applications continue to develop and grow, a comprehensive review of the current CA management regulations is needed in order to meet the practical needs of CAs and to keep pace with international trends and standards.

Taking a practical and technical perspective, this thesis first emphasizes why CAs need a complete legal framework and surveys the current state of certificate applications and CAs in the R.O.C. and in other advanced countries. It then compares the practical operation and regulation of CAs in the R.O.C. with those of other advanced countries and re-evaluates the relevant R.O.C. regulations. Finally, it concludes with concrete proposals for amending the law.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009168506
http://hdl.handle.net/11536/64190
Appears in collections: Theses


Files in this item:

  1. 850601.pdf

If the file is a zip archive, download and unzip it, then open index.html in the extracted folder with a browser to view the full text.