Subject: AW: [dss-x] RE: Some more thoughts concerning the legal aspects
Hi Pim,

in Germany there are no stipulations for the strength of the authentication. Hence even UID/password is fine (with respect to the law). As the legal construction in this case may be interpreted that the DSS-server signs on behalf of the client, who provides the DSS-server (explicitly or implicitly) with a power of attorney (cf. Section 2 of http://www.ecsec.de/pub/2004_PKI.pdf) and the creation of a power of attorney (in German law) does not need to have a specific form, there probably can not be stipulations in general.

BR,
Detlef

> -----Original Message-----
> From: Pim van der Eijk [mailto:pvde@sonnenglanz.net]
> Sent: Thursday, 6 March 2008 09:16
> To: 'Ezer Farhi'; Huehnlein, Detlef
> Cc: dss-x@lists.oasis-open.org
> Subject: [dss-x] RE: Some more thoughts concerning the legal aspects
>
> Hello Ezer and Detlef,
>
> In countries that do support server-based signing with qualified signatures, what are the (minimum) requirements for user authentication?
>
> Pim
>
> -----Original Message-----
> From: Ezer Farhi [mailto:Ezer@arx.com]
> Sent: 04 March 2008 23:54
> To: pvde@sonnenglanz.net; Huehnlein, Detlef
> Cc: dss-x@lists.oasis-open.org
> Subject: RE: Some more thoughts concerning the legal aspects
>
> Hello Pim and Detlef,
>
> The publication of [2003/511/EC] is aimed to list or refer to acceptable standards, but the EU members are not forced to use the listed standards (CWA-14169).
> For example you can look at the following link to Italian legislation that is based on the EU directive at http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
> on section 35 it says:
> "The national scheme can also provide evaluation and certification with respect to additional European and international criteria, also on other systems and products related to the field".
> As I mentioned in the conference call yesterday, a centralized approach for digital signatures is used for qualified signatures in other EU member countries.
> Even though one of the CoSign models is based on an internal array of SSCD smartcards (similar to the approach raised by Detlef), the centralized solution may not require using internal array of SSCD smartcards.
>
> Regards,
> Ezer
>
> -----Original Message-----
> From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com]
> Sent: Monday, March 03, 2008 10:11 PM
> To: pvde@sonnenglanz.net
> Cc: Ezer Farhi; dss-x@lists.oasis-open.org
> Subject: Some more thoughts concerning the legal aspects
>
> Hi Pim,
>
> concerning the statement that "DSS-like" systems (using a bunch of smartcard-based SSCDs as depicted on slide 20 of http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce (and of course verify) qualified electronic signatures you may want to have a look at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf for example. "DSS-like" means that the certified version of this signature server uses a proprietary web-service-protocol, which is similar to DSS - and will most likely support DSS in a future version. ;-)
>
> The initial uncertainty about the detailed requirements, which have to be fulfilled by an SSCD according to Annex III of [1999/93/EC] has IMHO been removed in 2003 by the publication of [2003/511/EC] (cf. Annex B).
>
> Therefore I would be VERY interested to see whether there is a single EU member state, which
> a) still has requirements for SSCDs, which significantly deviate from [CWA 14169], or
> b) has a concept of "self qualification" of SSCDs.
>
> As both points are NOT in line with (my understanding of) [1999/93/EC] I would be a little surprised, if such cases would exist today.
>
> BR,
> Detlef
>
> Links:
> [1993/93/EC] http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
> [2003/511/EC] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF
> [CWA 14169] ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf
> --
> Dipl. Inform. (FH)
> Dr. rer. nat. Detlef Hühnlein
> Partner
> secunet Security Networks AG
> Sudetenstraße 16
> 96247 Michelau
> Phone +49 9571 896479
> Mobile +49 171 9754980
> detlef.huehnlein@secunet.com
> www.secunet.com