[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: Some more thoughts concerning the legal aspects
Hello Pim,

I don't think there is any EU country that has presented any standard for server-based digital signature solutions. The only referred-to standard today is CWA-14169, and only smartcards have passed this certification. It is hard to inspect when such standardization will take place. It is very much dependent on the offered technology and the acceptance of such technology.

In practice, I can tell you that the following methods are used for enhancing user authentication:

A - OTP devices - the user presents a fixed password as well as a One Time Password.
B - Biometric device -
C - Authentication smartcard - the user uses a smartcard with a client authentication certificate. The user's smartcard signs a challenge which is verified by the server.

Ezer

-----Original Message-----
From: Pim van der Eijk [mailto:pvde@sonnenglanz.net]
Sent: Thursday, March 06, 2008 10:16 AM
To: Ezer Farhi; 'Huehnlein, Detlef'
Cc: dss-x@lists.oasis-open.org
Subject: RE: Some more thoughts concerning the legal aspects

Hello Ezer and Detlef,

In countries that do support server-based signing with qualified signatures, what are the (minimum) requirements for user authentication?

Pim

-----Original Message-----
From: Ezer Farhi [mailto:Ezer@arx.com]
Sent: 04 March 2008 23:54
To: pvde@sonnenglanz.net; Huehnlein, Detlef
Cc: dss-x@lists.oasis-open.org
Subject: RE: Some more thoughts concerning the legal aspects

Hello Pim and Detlef,

The publication of [2003/511/EC] is aimed at listing or referring to acceptable standards, but the EU members are not forced to use the listed standards (CWA-14169). For example, you can look at the following link to Italian legislation that is based on the EU directive, http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf; in section 35 it says: "The national scheme can also provide evaluation and certification with respect to additional European and international criteria, also on other systems and products related to the field".
As I mentioned in the conference call yesterday, a centralized approach for digital signatures is used for qualified signatures in other EU member countries. Even though one of the CoSign models is based on an internal array of SSCD smartcards (similar to the approach raised by Detlef), the centralized solution may not require using an internal array of SSCD smartcards.

Regards,
Ezer

-----Original Message-----
From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com]
Sent: Monday, March 03, 2008 10:11 PM
To: pvde@sonnenglanz.net
Cc: Ezer Farhi; dss-x@lists.oasis-open.org
Subject: Some more thoughts concerning the legal aspects

Hi Pim,

concerning the statement that "DSS-like" systems (using a bunch of smartcard-based SSCDs as depicted on slide 20 of http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce (and of course verify) qualified electronic signatures, you may want to have a look at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf for example. "DSS-like" means that the certified version of this signature server uses a proprietary web-service protocol, which is similar to DSS - and will most likely support DSS in a future version. ;-)

The initial uncertainty about the detailed requirements which have to be fulfilled by an SSCD according to Annex III of [1999/93/EC] has IMHO been removed in 2003 by the publication of [2003/511/EC] (cf. Annex B). Therefore I would be VERY interested to see whether there is a single EU member state which

a) still has requirements for SSCDs which significantly deviate from [CWA 14169], or
b) has a concept of "self qualification" of SSCDs.

As both points are NOT in line with (my understanding of) [1999/93/EC], I would be a little surprised if such cases existed today.
BR,
Detlef

Links:
[1999/93/EC] http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
[2003/511/EC] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF
[CWA 14169] ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf

--
Dipl. Inform. (FH) Dr. rer. nat. Detlef Hühnlein
Partner
secunet Security Networks AG
Sudetenstraße 16
96247 Michelau
Phone +49 9571 896479
Mobile +49 171 9754980
detlef.huehnlein@secunet.com
www.secunet.com
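As an added illustration, not part of the thread above and not code from any of the products mentioned in it: the smartcard challenge-response authentication Ezer lists as method C, reduced to its protocol core. The server issues a random single-use challenge, the (simulated) card signs it with the private key behind the client-authentication certificate, and the server verifies the signature against the enrolled public key. The key pair, the context string `dss-x-client-auth`, the user name, and the one-minute lifetime are assumptions for the example; in a real deployment the public key would come from the validated client certificate and the signing would happen on the card.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Server holds the outstanding challenges and the enrolled users' public keys.
// Each challenge is consumed on first use, so a captured signature cannot be replayed.
type Server struct {
	mu         sync.Mutex
	challenges map[string]time.Time      // hex(nonce) -> expiry
	users      map[string]*ecdsa.PublicKey // user -> key taken from the client-auth certificate (assumed validated)
	ttl        time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{
		challenges: make(map[string]time.Time),
		users:      make(map[string]*ecdsa.PublicKey),
		ttl:        ttl,
	}
}

// Enroll registers the public key the server will accept for a user.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[user] = pub
}

// NewChallenge returns a fresh 256-bit random nonce and remembers it with an expiry.
func (s *Server) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.challenges[hex.EncodeToString(nonce)] = time.Now().Add(s.ttl)
	return nonce, nil
}

// challengeDigest binds the signed value to a purpose and a user, so a signature
// over a bare nonce cannot be reused in a different protocol or for another account.
// The context string is an assumption for this example.
func challengeDigest(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("dss-x-client-auth\x00"))
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Card simulates the user's smartcard: the private key never leaves it.
type Card struct{ priv *ecdsa.PrivateKey }

func NewCard() (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv}, nil
}

// Sign produces an ASN.1 DER-encoded ECDSA signature over the bound challenge digest.
func (c *Card) Sign(user string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, challengeDigest(user, nonce))
}

// Verify checks that the challenge is known, unused and unexpired, then verifies the
// signature with the user's enrolled key. The challenge is deleted before the
// signature check so a failed attempt cannot be retried with the same nonce.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(nonce)
	exp, ok := s.challenges[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, key)
	if time.Now().After(exp) {
		return errors.New("challenge expired")
	}
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, challengeDigest(user, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	srv := NewServer(time.Minute)
	card, _ := NewCard()
	srv.Enroll("alice", &card.priv.PublicKey) // "alice" is a constructed sample user
	nonce, _ := srv.NewChallenge()
	sig, _ := card.Sign("alice", nonce)
	fmt.Println("first use:", srv.Verify("alice", nonce, sig))  // <nil>
	fmt.Println("replay:   ", srv.Verify("alice", nonce, sig))  // rejected
}
```

The two properties worth checking in any such server are visible here: the challenge is unpredictable and single-use (replay fails even with a valid signature), and the signed digest includes the user identity, so a signature obtained from one card cannot be presented under another enrolled name.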