How, but mainly why, could it happen that in Hungary, at the end of 2005, the up-to-date electronic signature technology, which had proved itself efficient and had a suitable regulatory background, would be abandoned for an indefinite period of time - or, if not abandoned, then at least pushed into the background to give place to the password technology which is "unsuitable for purpose" but which may well be popularised artificially? I am afraid that this article will also be unable to answer these questions, but it is certain that it has happened. It has been shown time after time how far our country is from achieving an efficient administrative ideal which is both logically structured and legally secure. In this essay it will be shown how the electronic signature (as applying to electronic tax returns) - which was provided for under an Act of 2001 - was introduced and then cancelled.
The Act on the Rules of Taxation (TRA) was finalised in November 2001. Section 175, Subsection (9) of the Act established, and at the same time made obligatory for taxpayers belonging to the Directorate of Priority Taxpayers (DPT), the submission of tax returns in a certified electronic format. The legislature wished to resolve the issue of the certification of tax returns by certificates issued by qualified Certificate Authorities operating on a market basis, which would have been a suitable and cost-effective solution for achieving their aim. Unfortunately, when the above section took effect, such organizations did not exist in Hungary, and so the legislature referred the matter of providing the electronic certification service to the authority of the Tax and Financial Control Administration (APEH) - temporarily, that is, and until the first qualified Certificate Authority began operating. On the basis of the rule, this would, in practice, have meant that, with the restricted-use certificates issued by APEH (with which, otherwise, only simple electronic signatures may be produced[1] in accordance with Act XXXV of 2001 on Electronic Signatures, or the ESA), only tax liabilities arising before the last day of the month of the 180th day following the publication of the registration of the first qualified Certificate Authority could be performed legally.
However, in order to carry out its temporary duties as laid down in the Act (which it otherwise provided collectively and free of charge), APEH did not purchase non-qualified certificates (at under ft. 10,000 per certificate) for the roughly 500 tax-paying companies then belonging to the DPT, although these, based on the Act and legally effective, were available at that time in the market. Instead, they built up their own temporary system - enforced by the law - whose costs amounted to hundreds of millions of Hungarian forints.
After all this, in the 4 April 2003 issue of the Hungarian Gazette the name of the first qualified Certificate Authority[2] in Hungary was published. This was soon followed by another company. Since there were two companies in the market, it was expected that, following the expiry of the 180-day deadline (calculated from 4 April) - and without any amendment of the law - the original intention of the legislature would be fulfilled and the electronic signatures (checked with the help of the certificates issued by the existing, qualified Certificate Authorities operating on a market basis) would ensure the necessary, long-term authenticity of tax returns.
In Spring the qualified Certificate Authorities and APEH began a reconciliation process regarding technology and the rules of procedure, the purpose of which was, on the one hand, to reconfigure[3] the APEH system to enable it to handle the certificates issued by the qualified Certificate Authorities, and, on the other hand, to clarify the manner in which the Certificate Authorities supply information stipulated in Schedule No. 10, paragraph 7 to the TRA. In addition, several other questions have arisen to which no answers have been forthcoming from authentic sources until today. Such an issue, for example, was that Section 9, subsection (2) of the ESA makes it possible for a qualified Certificate Authority to determine the highest value of the liability that can be assumed with the given certificate on one occasion in the qualified certificates[4] issued by them. Both Certificate Authorities operating in the market at that time took advantage of this opportunity, since, if the signatory accepts liability in any electronic document greater than this value - that is, if he exceeds the limit stipulated in the certificate - then, in accordance with Section 15, subsection (2) of the ESA the Certificate Authority issuing the certificate will not be liable for any claims arising from such a document or any damages caused in this manner, even if his liability could be established in accordance with the other provisions of Section 15.
These reconciliations that began in the Spring were broken off after a few sessions, and at the beginning of the Summer statements issued by APEH were published in several places. According to these, they wished to introduce authentication based on a user name and password instead of on electronic signature technology. The main arguments for the introduction of this solution were its low cost and the fact that it can be widely introduced quickly. These arguments are partly true, yet they force the users of this solution to make several compromises. In the case of a tax return in the paper-based world, the purpose of the signature provided by hand was to ensure long-term authentication. This purpose must also be ensured by the method of authentication in the case of tax returns in the electronic world. Unfortunately, authentication with a password is only capable of identifying the current user, which disqualifies the method from achieving its aim, i.e., the long-term and indisputable character of the return. As opposed to the electronic signature, authentication with a password does not make it possible to reveal changes made to the tax return after the authentication provided by the authorized entity. The reason for this is that, in comparison with the electronic signature, the user's name and password do not contain any information about the electronic document - in this particular case about the actual tax return. The following table compares the main characteristics of the two technologies from various significant positions:
| | User's name and password | Electronic signature |
|---|---|---|
| What is it suitable for? | For authenticating the current user. | For authenticating the current and long-term user and for the establishment of content identity. |
| Does it contain information regarding its user compulsorily? | No | Yes, because encryption takes place with the private key of the signer. |
| Does it contain information regarding the transaction/file authenticated by him? | No | Yes, it contains the 'fingerprint' of the transaction/file. |
| Does it vary by transaction? | No | Yes, since it contains the 'fingerprint' of the transaction/file, which is always different. |
| Can there be two identical ones? | Yes | Only if the same person signs the same file. |
| Are the data necessary for the transaction in the ownership of the entity authorized to perform the transaction exclusively? | No, because the user's name and password must also be stored in a central data base, and they can be sent easily to anyone - even by SMS. | Yes, because owing to the nature of asymmetric encrypting the private key necessary for the signature is in the possession of the signatory alone. |
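The rows of the table can be reproduced in code. The following Python example is added here and is not part of the original article: it uses textbook RSA over a SHA-256 fingerprint with a constructed toy key (an assumption standing in for a qualified signature scheme) and a salted password hash standing in for the user-name and password system. All names, keys and sample returns are constructed for illustration.

```python
import hashlib
import hmac

# Constructed toy RSA key from two Mersenne primes: trivially factorable,
# demonstration only. Textbook RSA without padding, not a production scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer alone

def fingerprint(document: bytes) -> int:
    """SHA-256 digest of the document as an integer (the 'fingerprint')."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes) -> int:
    """Signer side: transform the document fingerprint with the private key."""
    return pow(fingerprint(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Verifier side: needs only the public key (N, E) and the document."""
    return pow(signature, E, N) == fingerprint(document)

# Password model: the server keeps a salted hash of the shared secret.
PASSWORD, SALT = b"constructed-password", b"constructed-salt"
STORED = hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, 10_000)

def password_accepts(password: bytes, document: bytes) -> bool:
    """The document is passed in only to show it plays no part in the check."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, SALT, 10_000)
    return hmac.compare_digest(candidate, STORED)

def compare(original: bytes, altered: bytes) -> dict:
    """Evaluate the table's rows for one original and one altered return."""
    sig = sign(original)
    return {
        "signature_valid_on_original": verify(original, sig),
        "signature_valid_on_altered": verify(altered, sig),
        "signature_varies_by_document": sign(altered) != sig,
        "same_signer_same_file_identical": sign(original) == sig,
        "password_accepts_original": password_accepts(PASSWORD, original),
        "password_accepts_altered": password_accepts(PASSWORD, altered),
    }

if __name__ == "__main__":
    original = b"Tax return 2003: VAT payable 1,000,000 HUF"  # constructed sample
    altered = b"Tax return 2003: VAT payable 100,000 HUF"     # constructed sample
    for row, value in compare(original, altered).items():
        print(f"{row}: {value}")
```

The signature made over the original return fails verification against the altered one, while the password check accepts both because the document never enters it. Randomized schemes in practical use (for example RSA-PSS or ECDSA) produce different signature values even when the same signer signs the same file; the deterministic textbook form is used here because it matches the table's row on identical signatures.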