dss-x message



Subject: RE: Some more thoughts concerning the legal aspects


Hello Pim and Detlef,

The publication of [2003/511/EC] is aimed at listing or referring to acceptable standards, but the EU members are not forced to use the listed standards (CWA-14169).
For example, you can look at the following link to Italian legislation that is based on the EU directive at
http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
In section 35 it says:
"The national scheme can also provide evaluation and certification with respect to additional European and international criteria, also on other systems and products related to the field".
As I mentioned in the conference call yesterday, a centralized approach for digital signatures is used for qualified signatures in other EU member countries.
Even though one of the CoSign models is based on an internal array of SSCD smartcards (similar to the approach raised by Detlef), the centralized solution may not require using an internal array of SSCD smartcards.

Regards,
Ezer

-----Original Message-----
From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com] 
Sent: Monday, March 03, 2008 10:11 PM
To: pvde@sonnenglanz.net
Cc: Ezer Farhi; dss-x@lists.oasis-open.org
Subject: Some more thoughts concerning the legal aspects

Hi Pim,

concerning the statement that "DSS-like" systems (using a bunch of smartcard-based SSCDs as depicted 
on slide 20 of http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce 
(and of course verify) qualified electronic signatures you may want to have a look 
at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf for example. "DSS-like" means 
that the certified version of this signature server uses a proprietary web-service-protocol, 
which is similar to DSS - and will most likely support DSS in a future version. ;-)

The initial uncertainty about the detailed requirements, which have to be fulfilled by an 
SSCD according to Annex III of [1999/93/EC] has IMHO been removed in 2003 by the publication
of [2003/511/EC] (cf. Annex B). 

Therefore I would be VERY interested to see whether there is a single EU member state, which 
a) still has requirements for SSCDs, which significantly deviate from [CWA 14169], or
b) has a concept of "self qualification" of SSCDs. 

As both points are NOT in line with (my understanding of) [1999/93/EC] I would be a little 
surprised, if such cases would exist today. 

BR,
 Detlef

Links:
[1993/93/EC]  http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
[2003/511/EC] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF 
[CWA 14169]   ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf 
--
Dipl. Inform. (FH)
Dr. rer. nat. Detlef Hühnlein
Partner
secunet Security Networks AG
Sudetenstraße 16
96247 Michelau
Phone  +49 9571 896479
Mobile +49 171  9754980
detlef.huehnlein@secunet.com
www.secunet.com