학술논문
전자서명ㆍ인증제도에 관한 법적 연구 / A Legal Study on the Electronic Signature and Certification System in Korea
Document Type
Dissertation/ Thesis
Author
Source
Subject
Language
Korean
Abstract
전자서명·인증제도가 전자서명법에 의해 도입된지 2011년 현재로 벌써 만11년이 되었다. 가상공간에서 당사자가 비대면(非對面)으로 거래를 할 때, 상대방을 확인하지 못하게 되거나 문서의 위․변조가 쉽게 될 수 있다는 취약성을 극복하기 위하여 전자서명과 인증이 필요하다는 것도 주지의 사실이 되었다. 반면, 최근 스마트폰 사용이 급증하면서 외국에서는 잘 사용되지 않고 우리나라에만 독특하게 적용되어 전자거래의 불편을 가중하고 있다는 이유를 들어 공인전자서명 무용론도 대두되고 있다. 하지만 10년이 넘는 기간 동안 전자서명·인증제도의 안정적인 운영을 통해, 우리는 부지불식간에 공인인증서를 실생활에서 친숙히 사용하고 있었기에 불필요한 장애라는 이유로 쉽게 내칠 수 없게 되었다. 익명성을 근간으로 한 사이버 세상에서 나의 존재를 알려줄 수 있는 공인인증서는 앞으로도 그 발전 가능성이 무궁무진하다. 설령, 공인인증서가 아니더라도 비대면거래에서의 정보의 보호와 안전한 정보의 전달을 위한 인증수단은 계속적으로 사용될 것이고 발전될 것으로 전망된다. 전자문서의 안전성과 신뢰성이 확보된 상황에서 전자서명이 이용될 때, 전자상거래분야에 있어서 인터넷 쇼핑, 경매, 각종 예약․발권, 온라인 빌링(online billing), 기업간 거래 등에 서비스 제공이 가능하게 될 것이며, 공공분야에 있어서는 각종 민원업무, 공과금 수납, 전자입찰, 법원의 경매, 정부조달, 수출입통관 및 각종 인․허가신청 등 전자정부 실현을 위한 기초 역할 수행이 가능하다. 금융분야에 있어서는 인터넷 뱅킹, 사이버보험, 사이버증권거래, 전자자금이체, 전자화폐 및 전자쿠폰 발행, 의료분야에서는 원격진료, 처방전전달에 따른 약국의 조제, 내용증명, 가상공간상 주주총회 등에 활용방안이 모색될 수 있다. 특히 유비쿼터스 사회라 일컬어지는 새로운 인터넷환경에서는 길을 걸어가면서도 손에 쥔 스마트폰, PDA 등 개인 휴대장치를 통해 공인인증서로 사이버세상의 나를 입증하고 법률행위를 할 수 있다. 공인인증서가 경제활동인구의 대부분이 사용할 만큼 널리 퍼져있지만, 전자서명은 기술적인 분야이다 보니 기본적인 이해부족으로 인해 공인인증서를 둘러싸고 있는 ‘공인전자서명·인증제도’에 대한 법적인 문제점이 많이 발생되고 있다. 따라서 본 논문에서는 이러한 논의를 하기 위해 전자서명의 원리에서 시작하여 법적 의의, 공인전자서명·인증체계를 소개하고 전자서명의 효력문제와 이를 둘러싼 아직 해결되지 않고 있는 문제점을 지적하였다. 또한 공인전자서명·인증제도와 관련하여 발생되는 손해배상문제에 관하여 서술하였다. 아울러 공인전자서명·인증제도의 활성화를 위한 새로운 문제점도 몇 가지 짚어보았다. 첫째, 전자서명의 개념 정리를 위하여 우선 전자서명의 기술에 관하여 살펴보고, 전자문서와 어우러져 나타나는 전자서명 과정을 통하여 전자서명이 갖는 기능과 다양한 방식에 의한 전자서명 기술에 관하여 정리하여 보았다. 기존 거래방식이 당사자간 직접 대면하여 거래를 하는 대면방식이라면 전자거래는 사이버상에서 이루어지는 비대면방식이다. 이러한 전자적 거래에서 기존 대면방식의 서명과 같은 역할을 담당할 수 있는 것이 전자서명이다. 해외의 전자서명법제를 살펴보면, 국제기구인 UN국제상거래법위원회가 제정한 전자서명모델법이라든지 유럽연합에서 제정한 전자서명입법지침등이 각국의 모델법으로서 역할을 하였다. 세계최초의 전자서명법인 미국 유타주의 전자서명법과 연방전자서명법(E-Sign법), 연방전자거래기본법(UETA)의 관계도 살펴보았다. 또한 우리나라 전자서명법 제정에 많은 영향을 준 독일의 전자서명법 및 일본의 전자서명 및 인증에 관한 법률 등을 중심으로 비교법적 측면에서 살펴보았다. 공인전자서명·인증제도의 당사자는 가입자·이용자·공인인증기관의 3당사자 체계를 갖는다. 이들 3당사자의 관계가 원만히 이루어지도록 하는 정책수립기관인 행정안전부와 관리기관인 한국인터넷진흥원의 기능도 짚어보았다. 둘째, 전자서명의 효력문제와 이를 둘러싼 아직 해결되지 않고 있는 문제점이 있다. 전자서명법은 공인인증기관의 인증역무에 의하여 이루어지는 인증서에 의거한 전자서명에 대하여는 일정한 법적효력의 부여 및 전자서명 이용의 법률관계 당사자들간 책임관계 중 손해배상시 민사책임의 특칙 등을 인정하는 등 공신력을 부여하고 있다. 전자서명법상 공인인증기관에 의하여 인증된 전자서명인 경우에는 법률이 정한 서명 또는 기명날인의 효력을 갖는다(전자서명법 제3조). 반면, 비공인인증기관이 인증한 전자서명은 전자서명법상의 서명 또는 기명날인의 효력을 갖지는 못하나 당사자 사이에 민사법 등 사법의 규정과 법원칙에 근거한 효력을 갖는다. 그런데 전자서명법상 공인전자서명외의 전자서명(비공인전자서명)의 효력을 규정하는 제3조 제3항의 규정은 “당사자의 약정에 따른” 효력으로 규정하여 당사자 사이에만 효력이 있는 것으로 오해할 소지가 있다는 지적이 제기되어 이를 분석하였다. 셋째, 공인인증서의 사용상의 문제점이 있다. 공인인증서 사용시 가장 주의해야 할 점은 본인이 직접 공인전자서명 해야 한다는 것이다. 이는 공인인증서 발급시 직접 대면하여 발급받는 것과 동일한 개념이라 할 수 있는데, 공인인증서를 가입자가 지배·관리하여야 인터넷 환경에서의 거래의 안전성과 신뢰성이 보장되기 때문이다. 그러나 공인인증서의 이용이 급증함에 따라 본인을 대리하여 공인인증서를 사용하는 행위가 빈번하게 발생하고 있다. 일각에서는 전자거래의 활성화를 위하여 대리 전자서명을 적극적으로 허용해야 한다고 주장한다. 반면 다른 한편에서는 공인인증서는 인감과 같으므로 타인에게 함부로 양도·대여해서는 아니되며, 설령 대리행위가 필요하다 할지라도 그 범위는 극히 제한되어야 하며 법령에 규정이 있어야 한다고 주장한다. 생각건대 공인전자서명은 그 전제로 하고 있는 본인 사용원칙을 중심으로 제도가 운영되므로 대리에 적합하지 않다. 결론적으로 공인전자서명은 본인만이 사용하는 것이 원칙이고 그러함으로써 전자거래의 안전성과 신뢰성을 유지시킬 수 있을 것이다. 다만, 전자서명법이 제2조 서명자의 정의에서도 대리가 가능하도록 규정하고 있고, 민법적 측면에서도 대리를 금지할 수 없으므로 공인인증서 내에 대리가 가능함을 표시하는 등의 방법을 통하여 공인전자서명의 대리를 할 수 있도록 제한적으로 허용하는 방안을 강구하는 것이 적절하다고 본다. 넷째, 전자서명의 이용에 따른 손해배상책임에 대한 문제점이 있다. 전자서명법 제26조는 공인인증기관의 손해배상책임에 대하여 다음과 같이 규정하고 있다. “공인인증기관은 인증업무 수행과 관련하여 가입자 또는 공인인증서를 신뢰한 이용자에게 손해를 입힌 때에는 그 손해를 배상하여야 한다. 다만, 공인인증기관이 과실 없음을 입증하면 그 배상책임이 면제된다.” 공인인증서비스와 관련하여 예상되는 책임 발생의 원인은 신원확인오류, 공인인증서 자체의 오류, 인증모듈의 결함으로 인한 책임발생, 인증서 유효성 검증의 오류 등이 있을 수 있다. 공인인증기관과 등록대행기관, 이용자, 가입자간의 법률관계에 따라 손해배상책임은 채무불이행책임 및 불법행위책임으로 나뉜다. 다섯째, 공인전자서명·인증제도의 활성화를 위한 현재의 상황과 개선방안을 논의하였다. CD/ATM기기, 텔레뱅킹·모바일뱅킹, 전자상거래, 오프라인 가맹점 등 전반적인 전자거래분야에 새로운 인증수단이 개발 및 도입되고 있는 실정이다. 이에 따라 이용자 측면에서는 다양한 거래시에 그에 적합한 인증수단을 기억해 내야하거나 휴대해야 하거나 하는 불편이 생겨 이를 통합할 수 있는 새로운 인증수단의 도입이 중요해지고 있다. 하지만 아직까지는 공인인증서가 가장 안전하다는 입장이 다수를 차지하고 있어 일부 보안성을 크게 요구하지 않는 분야인 경우만 공인인증서의 사용이 줄어들 것으로 전망된다. 모바일 환경에서의 공인인증서에 관한 법적 문제와 기기인증 및 장기 전자서명에 관한 법적 문제도 검토되었다.
In line with the e-Government strategy, Korea has implemented a global standard electronic signature and certification system since the Electronic Signature Act was enacted by Act No. 5792 in 1999. In the cyberspace where the contracting parties cannot meet face to face, it is well-known that to overcome the difficulties of identifying counterparties and the possibility of forgery or falsification of documents, electronic signatures and authentication seems to be inevitable. On the other hand, with the explosive use of smart devices, some critics argue that the current certified electronic signature is regarded as uncomfortable in electronic commerce. They also point out that such certified electronic signature system is not largely used in foreign countries. However, over a decade we have steadily used the electronic signature and certification system in our daily life. So it must be silly to discard the accredited electronic signature on account of an “unnecessary obstacle.” In the cyberspace of anonymity, the publicly accredited certification which allows you to identify who you are is likely to develop further in the future. Even though it is not the accredited certificates, the secure means of authentication will be used continuously and increasingly for the purpose of safe transfer of information. Once the safety and reliability of electronic documents are secured, a variety of e-commerce such as online shopping, auctions, making reservations, ticketing, billing and other B2B transactions will be carried out based on the electronic signature. Also public services like payment of tax and charges, electronic bidding and e-procurement, auction at the court, export and import customs clearance and various licensing and permission will be available as an infrastructure of e-Government. Come to the finance sector, Internet banking and insurance, cybertrading, electronic fund transfer, digital cash and electronic coupon are frequently used. In the medical field, electronic signatures can be used in telemedicine, pharmacy preparation upon the receipt of doctor’s prescription, certification of diagnosis content, and stakeholders' virtual meeting room, etc. In particular, in the new Internet environment, usually referred to as the ubiquitous society, anyone may conduct legal activities by means of an evidenced certificate via smartphones, PDAs, tablet PCs and other personal mobile devices in which accredited certificates are embedded. The majority of Korean people doing economic activities use the accredited certificates. However, due to a lack of basic understanding of certification system which is perceived as somewhat technical, there occur some legal issues on "accredited electronic signature and certification system". Therefore, this study discusses the above-mentioned issues and explains the principle of electronic signature with its legal meaning, the accredited electronic signature certification system in detail. And the issues of the legal effect of electronic signature and remaining problems are examined. Also accredited electronic signature certification-related issues with respect to the indemnification of damages will be discussed. And further the promotional activities of accredited electronic signature certification system will be suggested. First, to define the concept of electronic signature clearly, this study examines the related technologies of electronic signatures, electronic documents, electronic signature certification process, electronic signature capabilities and so on. Contrary to conventional face-to-face transactions, e-commerce via the Internet are conducted anonymously. The electronic signature plays an important role in electronic transactions like signing on a paper-based documents. This study investigates the electronic signature legislation of foreign countries. The Model Law on Electronic Signature suggested by the United Nations Commission on International Trade Law (UNCITRAL), and the European Union Directive on Electronic Signatures 1999 prove to be an effective legislative guide worldwide. The relationship between the Utah Digital Signature Act, the first electronic signature legislation in the world and the Federal Electronic Signature Act (E-Sign Act), the Uniform Electronic Transaction Act (UETA) of the United States are examined. Also the Digital Signature Act of Germany, which gave a significant influence on the Electronic Signature Act of Korea, and the Japanese law on electronic signature authentication are examined comparatively. Accredited electronic signature certification systems have three parties involved; subscriber, user and accredited certification authority. To ensure the friendly relationship among these three parties, the Ministry of Public Administration and Security (MOPAS) establishes relevant and appropriate policy measures, while Korea Information & Security Agency (KISA) is in charge of implementing such policies. Second, there are some unresolved issues on the effect of electronic signature. Electronic signature certification services accredited by the certificate authority invest a certificate with legal validity such as civil liability for damages. When a signature or a signature-seal is required for in an electronic writing or in a written form by other laws, that requirement shall be met if an accredited electronic signature is affixed to the electronic document. Article 3(1) of the Electronic Signature Act. And If an electronic document has an accredited electronic signature affixed to it, the electronic document shall be presumed to have the signature or signature-seal of the signatory and not to have been altered in its content after it was signed. Article 3(2) of the same Act. On the other hand, any electronic signatures other than accredited electronic signatures shall have the same legal effect as the signatures or signature-seals by an agreement between the parties concerned. Article 3(3) of the same Act. An analysis of the provision of Article 3(3), "by an agreement between the parties concerned," which is often misunderstood as effective only between those parties, will be attempted to prove the governing rule on electronic signatures other than accredited electronic signatures. Third, there are problems in the use of accredited certificates. The most important thing is that the user should sign using a certificate by himself. Since it is just like obtaining the certificate face to face, the subscriber’s governance and management of certificates may be reinforced with enhanced reliability and trustworthiness on the Internet. However, the use of certificate on behalf of the person frequently occurs with a surge of certificate usage. To promote the electronic transactions, a suggestion has been made that electronic signatures by proxy should be allowed. On the other hand, there is another argument that, because the certificate is same as the seal, temporary lending of such certificate to someone else should not be allowed. When such proxy is allowed, its scope of usage should be limited and firmly stipulated specifically in law. We can assume the operating system of accredited electronic signature is subject to the authentication of signatory. So it is not suitable to proxy. In principle, only the person himself may use certified electronic signature so that the safety and reliability of electronic transactions may be preserved. However, the interpretation of the term “Signatory”, Article 2 (Definitions) of the Electronic Signature Act says that the signing may be conducted by a proxy, and the Civil Act acknowledges the proxy by nature. Therefore, in such a manner as indicates the certified electronic signature on behalf of someone, it is appropriate to take measures that allow proxy. Fourth, this study discusses some legal issues on the liability for damages in the usage of electronic signatures. Article 26 of the Electronic Signature Act provides for the liability of the accredited certification authority as follows: "The accredited certification authority shall be liable for damages incurred by a subscriber or any user relying on an accredited certificate in connection with the performance of certification services. If, however, the accredited certification authority is proven not liable for such damages, the liability shall be exempted." The causes of expected liability which would occur in connection with the accredited certification services are the identification errors, errors in the certificate itself, incurrence of liability due to defects of the authentication modules, and the errors of certificate validation. The liability for damages can be divided into the liability of default on an obligation and tort liability, depending on the legal relationship among accredited certification authority and registration agencies, users, and subscribers. Finally, this study explores the current situation and the method to promote certified electronic signature and to improve certification system. In the area of overall electronic transactions, such as CD/ATM, tele-banking, mobile banking, e-commerce, and offline affiliated store, etc., brand-new means of certification are being developed and introduced. Accordingly, there are various transaction methods at the user side. It means that each user should remember appropriate certification method or need to carry some tokens. So it is important to integrate all these methods to new one to relieve inconvenience of users. Yet, so far, the accredited certificate is still the most reliable method even though the usage of accredited certificates presumably dwindles in the areas that do not require security significantly. Legal issues regarding the accredited certificate in the mobile environment, device certification and long-term electronic signature are also examined.
In line with the e-Government strategy, Korea has implemented a global standard electronic signature and certification system since the Electronic Signature Act was enacted by Act No. 5792 in 1999. In the cyberspace where the contracting parties cannot meet face to face, it is well-known that to overcome the difficulties of identifying counterparties and the possibility of forgery or falsification of documents, electronic signatures and authentication seems to be inevitable. On the other hand, with the explosive use of smart devices, some critics argue that the current certified electronic signature is regarded as uncomfortable in electronic commerce. They also point out that such certified electronic signature system is not largely used in foreign countries. However, over a decade we have steadily used the electronic signature and certification system in our daily life. So it must be silly to discard the accredited electronic signature on account of an “unnecessary obstacle.” In the cyberspace of anonymity, the publicly accredited certification which allows you to identify who you are is likely to develop further in the future. Even though it is not the accredited certificates, the secure means of authentication will be used continuously and increasingly for the purpose of safe transfer of information. Once the safety and reliability of electronic documents are secured, a variety of e-commerce such as online shopping, auctions, making reservations, ticketing, billing and other B2B transactions will be carried out based on the electronic signature. Also public services like payment of tax and charges, electronic bidding and e-procurement, auction at the court, export and import customs clearance and various licensing and permission will be available as an infrastructure of e-Government. Come to the finance sector, Internet banking and insurance, cybertrading, electronic fund transfer, digital cash and electronic coupon are frequently used. In the medical field, electronic signatures can be used in telemedicine, pharmacy preparation upon the receipt of doctor’s prescription, certification of diagnosis content, and stakeholders' virtual meeting room, etc. In particular, in the new Internet environment, usually referred to as the ubiquitous society, anyone may conduct legal activities by means of an evidenced certificate via smartphones, PDAs, tablet PCs and other personal mobile devices in which accredited certificates are embedded. The majority of Korean people doing economic activities use the accredited certificates. However, due to a lack of basic understanding of certification system which is perceived as somewhat technical, there occur some legal issues on "accredited electronic signature and certification system". Therefore, this study discusses the above-mentioned issues and explains the principle of electronic signature with its legal meaning, the accredited electronic signature certification system in detail. And the issues of the legal effect of electronic signature and remaining problems are examined. Also accredited electronic signature certification-related issues with respect to the indemnification of damages will be discussed. And further the promotional activities of accredited electronic signature certification system will be suggested. First, to define the concept of electronic signature clearly, this study examines the related technologies of electronic signatures, electronic documents, electronic signature certification process, electronic signature capabilities and so on. Contrary to conventional face-to-face transactions, e-commerce via the Internet are conducted anonymously. The electronic signature plays an important role in electronic transactions like signing on a paper-based documents. This study investigates the electronic signature legislation of foreign countries. The Model Law on Electronic Signature suggested by the United Nations Commission on International Trade Law (UNCITRAL), and the European Union Directive on Electronic Signatures 1999 prove to be an effective legislative guide worldwide. The relationship between the Utah Digital Signature Act, the first electronic signature legislation in the world and the Federal Electronic Signature Act (E-Sign Act), the Uniform Electronic Transaction Act (UETA) of the United States are examined. Also the Digital Signature Act of Germany, which gave a significant influence on the Electronic Signature Act of Korea, and the Japanese law on electronic signature authentication are examined comparatively. Accredited electronic signature certification systems have three parties involved; subscriber, user and accredited certification authority. To ensure the friendly relationship among these three parties, the Ministry of Public Administration and Security (MOPAS) establishes relevant and appropriate policy measures, while Korea Information & Security Agency (KISA) is in charge of implementing such policies. Second, there are some unresolved issues on the effect of electronic signature. Electronic signature certification services accredited by the certificate authority invest a certificate with legal validity such as civil liability for damages. When a signature or a signature-seal is required for in an electronic writing or in a written form by other laws, that requirement shall be met if an accredited electronic signature is affixed to the electronic document. Article 3(1) of the Electronic Signature Act. And If an electronic document has an accredited electronic signature affixed to it, the electronic document shall be presumed to have the signature or signature-seal of the signatory and not to have been altered in its content after it was signed. Article 3(2) of the same Act. On the other hand, any electronic signatures other than accredited electronic signatures shall have the same legal effect as the signatures or signature-seals by an agreement between the parties concerned. Article 3(3) of the same Act. An analysis of the provision of Article 3(3), "by an agreement between the parties concerned," which is often misunderstood as effective only between those parties, will be attempted to prove the governing rule on electronic signatures other than accredited electronic signatures. Third, there are problems in the use of accredited certificates. The most important thing is that the user should sign using a certificate by himself. Since it is just like obtaining the certificate face to face, the subscriber’s governance and management of certificates may be reinforced with enhanced reliability and trustworthiness on the Internet. However, the use of certificate on behalf of the person frequently occurs with a surge of certificate usage. To promote the electronic transactions, a suggestion has been made that electronic signatures by proxy should be allowed. On the other hand, there is another argument that, because the certificate is same as the seal, temporary lending of such certificate to someone else should not be allowed. When such proxy is allowed, its scope of usage should be limited and firmly stipulated specifically in law. We can assume the operating system of accredited electronic signature is subject to the authentication of signatory. So it is not suitable to proxy. In principle, only the person himself may use certified electronic signature so that the safety and reliability of electronic transactions may be preserved. However, the interpretation of the term “Signatory”, Article 2 (Definitions) of the Electronic Signature Act says that the signing may be conducted by a proxy, and the Civil Act acknowledges the proxy by nature. Therefore, in such a manner as indicates the certified electronic signature on behalf of someone, it is appropriate to take measures that allow proxy. Fourth, this study discusses some legal issues on the liability for damages in the usage of electronic signatures. Article 26 of the Electronic Signature Act provides for the liability of the accredited certification authority as follows: "The accredited certification authority shall be liable for damages incurred by a subscriber or any user relying on an accredited certificate in connection with the performance of certification services. If, however, the accredited certification authority is proven not liable for such damages, the liability shall be exempted." The causes of expected liability which would occur in connection with the accredited certification services are the identification errors, errors in the certificate itself, incurrence of liability due to defects of the authentication modules, and the errors of certificate validation. The liability for damages can be divided into the liability of default on an obligation and tort liability, depending on the legal relationship among accredited certification authority and registration agencies, users, and subscribers. Finally, this study explores the current situation and the method to promote certified electronic signature and to improve certification system. In the area of overall electronic transactions, such as CD/ATM, tele-banking, mobile banking, e-commerce, and offline affiliated store, etc., brand-new means of certification are being developed and introduced. Accordingly, there are various transaction methods at the user side. It means that each user should remember appropriate certification method or need to carry some tokens. So it is important to integrate all these methods to new one to relieve inconvenience of users. Yet, so far, the accredited certificate is still the most reliable method even though the usage of accredited certificates presumably dwindles in the areas that do not require security significantly. Legal issues regarding the accredited certificate in the mobile environment, device certification and long-term electronic signature are also examined.