[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: AW: [dss-x] RE: Some more thoughts concerning the legal aspects
Hi Ezer, > The publication of [2003/511/EC] is aimed to list or refer to > acceptable standards, but the EU members are not forced to > use the listed standards (CWA-14169). well, the EU members WERE not forced to use the acceptable standards listed in [2003/511/EC] UNTIL these reference numbers WERE published. Art. 3 (4) of [1999/93/EC] reads: "4. The conformity of secure signature-creation-devices with the requirements laid down in Annex III shall be determined by appropriate public or private bodies designated by Member States. The Commission shall, pursuant to the procedure laid down in Article 9, establish criteria for Member States to determine whether a body should be designated. A determination of conformity with the requirements laid down in Annex III made by the bodies referred to in the first subparagraph shall be recognised by all Member States." Therefore the German signature decree, which was (as the Italian) issued in 1997 for the first time and updated in 2001 to include the necessary changes because of [1999/93/EC], includes in § 15 (6) SigV a statement, which makes clear that standards for SSCDs (corresponding to Art. 3 (5) and Art. 9 of [1999/93/EG]) shall be recognized, IF they are published. § 15 (6) SigV is (unfortunately in German): " (6) Soweit im Rahmen des Verfahrens nach Artikel 3 Abs. 5 und Artikel 9 der Richtlinie 1999/93/EG in der jeweils geltenden Fassung Referenznummern für allgemein anerkannte Normen für Produkte für qualifizierte elektronische Signaturen festgelegt und im Amtsblatt der Europäischen Gemeinschaften veröffentlicht werden, haben diese abweichend von den Absätzen 1 bis 5 Geltung, mit Ausnahme der Produkte nach § 15 Abs. 7 des Signaturgesetzes. Die zuständige Behörde veröffentlicht im Bundesanzeiger die aktuell gültigen Anforderungen auf Grund der Festlegungen nach Satz 1. " My Italian is not good enogh to check, whether the Italian signature act (or decree) has a similar stipulation or not. But I would be surprised, if it would not, because this would be a case of improper implementation of the directive [1999/93/EC] (in particular the Art. 3 (4) above) ... and this would seem to be unlikely nowadays. BR, dh > For example you can look at the following link to Italian > legislation that is based on the EU directive at > http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf > on section 35 it says: > "The national scheme can also provide evaluation And > certification with respect to additional European and > international criteria, Also on other systems and products > related to the field". > As I mentioned in the conference call yesterday, a > centralized approach for digital signatures are used for > qualified signatures in other EU member countries. > Even tough one of the CoSign models is based on an internal > array of SSCD smartcards (similar to the approach raised by > Detlef), the centralized solution may not require using > internal array of SSCD smartcards. > > Regards, > Ezer > > -----Original Message----- > From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com] > Sent: Monday, March 03, 2008 10:11 PM > To: pvde@sonnenglanz.net > Cc: Ezer Farhi; dss-x@lists.oasis-open.org > Subject: Some more thoughts concerning the legal aspects > > Hi Pim, > > concerning the statement that "DSS-like" systems (using a > bunch of smartcard-based SSCDs as depicted on slide 20 of > http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany > to produce (and of course verify) qualified electronic > signatures you may want to have a look at > https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf > for example. "DSS-like" means that the certified version of > this signature server uses a proprietary > web-service-protocol, which is similar to DSS - and will most > likely support DSS in a future version. ;-) > > The initial uncertainty about the detailed requirements, > which have to be fulfilled by an SSCD according to Annex III > of [1999/93/EC] has IMHO been removed in 2003 by the > publication of [2003/511/EC] (cf. Annex B). > > Therefore I would be VERY interested to see whether there is > a single EU member state, which > a) still has requirements for SSCDs, which significantly > deviate from [CWA 14169], or > b) has a concept of "self qualification" of SSCDs. > > As both points are NOT in line with (my understanding of) > [1999/93/EC] I would be a little surprised, if such cases > would exist today. > > BR, > Detlef > > Links: > [1993/93/EC] > http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf > [2003/511/EC] > http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:200 3:175:0045:0046:EN:PDF > [CWA 14169] > ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-200 4-Mar.pdf > -- > Dipl. Inform. (FH) > Dr. rer. nat. Detlef Hühnlein > Partner > secunet Security Networks AG > Sudetenstraße 16 > 96247 Michelau > Telefon +49 9571 896479 > Mobil +49 171 9754980 > detlef.huehnlein@secunet.com > www.secunet.com > ====================== > Besuchen Sie uns auf der CeBIT 2008, > 4. - 9. März 2008, Halle 6 Stand J36 > (www.cebit.de) > ---------------------- > und auf dem Managed Security Forum 2008 > 2. April in Frankfurt am Main > 7. Mai in Düsseldorf > 29. Mai in Hamburg > 16. Juni in München > (www.managed-security-forum.org) > Wir freuen uns auf interessante Gespräche mit Ihnen. > ====================== > secunet Security Networks AG > Kronprinzenstr. 30 > 45128 Essen > Amtsgericht Essen HRB 13615 > > Vorstand: > Dr. Rainer Baumgart > Thomas Koelzer > Thomas Pleines > > Aufsichtsratsvorsitzender: > Dr. Karsten Ottenberg > > Diese E-mail kann vertrauliche Informationen enthalten. Falls > Sie diese E-Mail irrtümlich erhalten haben, informieren Sie > bitte unverzüglich den Absender und löschen Sie diese E-Mail > von jedem Rechner, auch von den Mailservern. Jede Verbreitung > des Inhalts, auch die teilweise Verbreitung, ist in diesem > Fall untersagt. Außer bei Vorsatz oder grober Fahrlässigkeit > schließen wir jegliche Haftung für Verluste oder Schäden aus, > die durch Viren befallene Software oder E-Mails verursacht werden. > > This e-mail may contain strictly confidential information and > is intended for the person to which it is addressed only. Any > dissemination, even partly, is prohibited. If you receive > this e-mail by mistake, please contact the sender and delete > this e-mail from your computer, including your mailserver. > Except in case of gross negligence or wilful misconduct we > accept no liability for any loss or damage caused by software > or e-mail viruses. > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS > TC that generates this mail. You may a link to this group > and all your TCs in OASIS > at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr oups.php > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]