

Subject: Re: [dss-x] RE: Some more thoughts concerning the legal aspects


Hello all,

Until the end of 2007 the Austrian so-called "Verwaltungssignatur" (based on 
certificates which basically have less strict requirements for the issuing 
CAs) could be used equivalently to a qualified signature (under specific 
circumstances).
Based on this Verwaltungssignatur, Mobilkom Austria (an Austrian telecom 
provider) provided a server based signature using out-of-band authentication 
via one-time codes sent to registered cell phones. Due to economic reasons, 
however, Mobilkom Austria did not pursue the certification of this solution 
for qualified signatures.
In Austria this is still a topic worth discussion. 

Clemens

On Thursday, 6 March 2008, Pim van der Eijk wrote:
> Hello Ezer and Detlef,
>
> In countries that do support server-based signing with qualified
> signatures, what are the (minimum) requirements for user authentication?
>
> Pim
>
> -----Original Message-----
> From: Ezer Farhi [mailto:Ezer@arx.com]
> Sent: 04 March 2008 23:54
> To: pvde@sonnenglanz.net; Huehnlein, Detlef
> Cc: dss-x@lists.oasis-open.org
> Subject: RE: Some more thoughts concerning the legal aspects
>
> Hello Pim and Detlef,
>
> The publication of [2003/511/EC] is aimed to list or refer to acceptable
> standards, but the EU members are not forced to use the listed standards
> (CWA-14169).
> For example you can look at the following link to Italian legislation that
> is based on the EU directive at
> http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
> on section 35 it says:
> "The national scheme can also provide evaluation and certification with
> respect to additional European and international criteria, also on other
> systems and products related to the field".
> As I mentioned in the conference call yesterday, a centralized approach for
> digital signatures is used for qualified signatures in other EU member
> countries.
> Even though one of the CoSign models is based on an internal array of SSCD
> smartcards (similar to the approach raised by Detlef), the centralized
> solution may not require using an internal array of SSCD smartcards.
>
> Regards,
> Ezer
>
> -----Original Message-----
> From: Huehnlein, Detlef [mailto:Detlef.Huehnlein@secunet.com]
> Sent: Monday, March 03, 2008 10:11 PM
> To: pvde@sonnenglanz.net
> Cc: Ezer Farhi; dss-x@lists.oasis-open.org
> Subject: Some more thoughts concerning the legal aspects
>
> Hi Pim,
>
> concerning the statement that "DSS-like" systems (using a bunch of
> smartcard-based SSCDs as depicted on slide 20 of
> http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce (and
> of course verify) qualified electronic signatures you may want to have a
> look at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf for
> example. "DSS-like" means that the certified version of this signature
> server uses a proprietary web-service-protocol, which is similar to DSS -
> and will most likely support DSS in a future version. ;-)
>
> The initial uncertainty about the detailed requirements, which have to be
> fulfilled by an SSCD according to Annex III of [1999/93/EC] has IMHO been
> removed in 2003 by the publication of [2003/511/EC] (cf. Annex B).
>
> Therefore I would be VERY interested to see whether there is a single EU
> member state, which
> a) still has requirements for SSCDs, which significantly deviate from [CWA
> 14169], or
> b) has a concept of "self qualification" of SSCDs.
>
> As both points are NOT in line with (my understanding of) [1999/93/EC] I
> would be a little surprised, if such cases would exist today.
>
> BR,
>  Detlef
>
> Links:
> [1993/93/EC]
> http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
> [2003/511/EC]
> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF
> [CWA 14169]
> ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf
> --
> Dipl. Inform. (FH)
> Dr. rer. nat. Detlef Hühnlein
> Partner
> secunet Security Networks AG
> Sudetenstraße 16
> 96247 Michelau
> Phone  +49 9571 896479
> Mobile +49 171  9754980
> detlef.huehnlein@secunet.com
> www.secunet.com



-- 
Clemens Orthacker  A-SIT, Graz University of Technology
Inffeldgasse 16a, 8010 Graz, Austria
Tel: +43 316 873 5512         Web: http://www.a-sit.at/

