Subject: Re: [dss-x] RE: Some more thoughts concerning the legal aspects
Hello all,

Until the end of 2007 the Austrian so-called "Verwaltungssignatur" (based on certificates which basically have less strict requirements for the issuing CAs) could be used equivalently to a qualified signature (under specific circumstances). Based on this Verwaltungssignatur, Mobilkom Austria (an Austrian telecom provider) provided a server-based signature using out-of-band authentication via one-time codes sent to registered cell phones. Due to economic reasons, however, Mobilkom Austria did not pursue the certification of this solution for qualified signatures. In Austria this is still a topic worth discussion.

Clemens

On Thursday, 6 March 2008, Pim van der Eijk wrote:
> Hello Ezer and Detlef,
>
> In countries that do support server-based signing with qualified
> signatures, what are the (minimum) requirements for user authentication?
>
> Pim
>
> -----Original Message-----
> From: Ezer Farhi [mailto:Ezer@arx.com]
> Sent: 04 March 2008 23:54
> To: pvde@sonnenglanz.net; Huehnlein, Detlef
> Cc: dss-x@lists.oasis-open.org
> Subject: RE: Some more thoughts concerning the legal aspects
>
> Hello Pim and Detlef,
>
> The publication of [2003/511/EC] is aimed to list or refer to acceptable
> standards, but the EU members are not forced to use the listed standards
> (CWA-14169).
> For example you can look at the following link to Italian legislation that
> is based on the EU directive at
> http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
> on section 35 it says:
> "The national scheme can also provide evaluation and certification with
> respect to additional European and international criteria, also on other
> systems and products related to the field".
> As I mentioned in the conference call yesterday, a centralized approach for
> digital signatures is used for qualified signatures in other EU member
> countries.
> Even though one of the CoSign models is based on an internal array of SSCD
> smartcards (similar to the approach raised by Detlef), the centralized
> solution may not require using an internal array of SSCD smartcards.
>
> Regards,
> Ezer
>
> -----Original Message-----
> From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com]
> Sent: Monday, March 03, 2008 10:11 PM
> To: pvde@sonnenglanz.net
> Cc: Ezer Farhi; dss-x@lists.oasis-open.org
> Subject: Some more thoughts concerning the legal aspects
>
> Hi Pim,
>
> concerning the statement that "DSS-like" systems (using a bunch of
> smartcard-based SSCDs as depicted on slide 20 of
> http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce (and
> of course verify) qualified electronic signatures you may want to have a
> look at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf for
> example. "DSS-like" means that the certified version of this signature
> server uses a proprietary web-service-protocol, which is similar to DSS -
> and will most likely support DSS in a future version. ;-)
>
> The initial uncertainty about the detailed requirements, which have to be
> fulfilled by an SSCD according to Annex III of [1999/93/EC] has IMHO been
> removed in 2003 by the publication of [2003/511/EC] (cf. Annex B).
>
> Therefore I would be VERY interested to see whether there is a single EU
> member state, which
> a) still has requirements for SSCDs, which significantly deviate from [CWA
> 14169], or
> b) has a concept of "self qualification" of SSCDs.
>
> As both points are NOT in line with (my understanding of) [1999/93/EC] I
> would be a little surprised, if such cases would exist today.
>
> BR,
> Detlef
>
> Links:
> [1993/93/EC]
> http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
> [2003/511/EC]
> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF
> [CWA 14169]
> ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf
> --
> Dipl. Inform. (FH)
> Dr. rer. nat. Detlef Hühnlein
> Partner
> secunet Security Networks AG
> Sudetenstraße 16
> 96247 Michelau
> Phone +49 9571 896479
> Mobile +49 171 9754980
> detlef.huehnlein@secunet.com
> www.secunet.com

--
Clemens Orthacker
A-SIT, Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5512
Web: http://www.a-sit.at/