Subject: RE: Some more thoughts concerning the legal aspects


Hello Pim,

I don't think there is any EU country that presented any standard for
a server-based digital signature solution.
The only referred standard today is CWA-14169 and only smartcards passed
this certification.
It is hard to inspect when such standardization will take place. It is
very much dependent on the offered technology and the acceptance of such
technology.
In practice, I can tell you that the following methods are used for
enhancing the user authentication:
A - OTP devices - the user is presenting a fixed password as well as a
One-Time Password.
B - Biometric device - 
C - Authentication smartcard - the user uses a smartcard with a client
authentication certificate. The user's smartcard signs a challenge which
is verified by the server.

Ezer

-----Original Message-----
From: Pim van der Eijk [mailto:pvde@sonnenglanz.net]
Sent: Thursday, March 06, 2008 10:16 AM
To: Ezer Farhi; 'Huehnlein, Detlef'
Cc: dss-x@lists.oasis-open.org
Subject: RE: Some more thoughts concerning the legal aspects



Hello Ezer and Detlef,

In countries that do support server-based signing with qualified
signatures, what are the (minimum) requirements for user authentication?

Pim

-----Original Message-----
From: Ezer Farhi [mailto:Ezer@arx.com] 
Sent: 04 March 2008 23:54
To: pvde@sonnenglanz.net; Huehnlein, Detlef
Cc: dss-x@lists.oasis-open.org
Subject: RE: Some more thoughts concerning the legal aspects

Hello Pim and Detlef,

The publication of [2003/511/EC] is aimed to list or refer to acceptable
standards, but the EU members are not forced to use the listed standards
(CWA-14169).
For example you can look at the following link to Italian legislation
that is based on the EU directive at
http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
On section 35 it says:
"The national scheme can also provide evaluation And certification with
respect to additional European and international criteria, Also on other
systems and products related to the field".
As I mentioned in the conference call yesterday, a centralized approach
for digital signatures is used for qualified signatures in other EU
member countries.
Even though one of the CoSign models is based on an internal array of
SSCD smartcards (similar to the approach raised by Detlef), the
centralized solution may not require using an internal array of SSCD
smartcards.

Regards,
Ezer

-----Original Message-----
From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com]
Sent: Monday, March 03, 2008 10:11 PM
To: pvde@sonnenglanz.net
Cc: Ezer Farhi; dss-x@lists.oasis-open.org
Subject: Some more thoughts concerning the legal aspects

Hi Pim,

concerning the statement that "DSS-like" systems (using a bunch of
smartcard-based SSCDs as depicted on slide 20 of
http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce
(and of course verify) qualified electronic signatures you may want to
have a look at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf
for example. "DSS-like" means that the certified version of this signature
server uses a proprietary web-service-protocol, which is similar to DSS -
and will most likely support DSS in a future version. ;-)

The initial uncertainty about the detailed requirements, which have to be
fulfilled by an SSCD according to Annex III of [1999/93/EC] has IMHO been
removed in 2003 by the publication of [2003/511/EC] (cf. Annex B).

Therefore I would be VERY interested to see whether there is a single EU
member state, which
a) still has requirements for SSCDs, which significantly deviate from
[CWA 14169], or
b) has a concept of "self qualification" of SSCDs.

As both points are NOT in line with (my understanding of) [1999/93/EC] I
would be a little surprised, if such cases would exist today.

BR,
 Detlef

Links:
[1999/93/EC]
http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
[2003/511/EC]
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF
[CWA 14169]
ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf
--
Dipl. Inform. (FH)
Dr. rer. nat. Detlef Hühnlein
Partner
secunet Security Networks AG
Sudetenstraße 16
96247 Michelau
Phone  +49 9571 896479
Mobile +49 171  9754980
detlef.huehnlein@secunet.com
www.secunet.com