Question to german users/ Frage an deutsche Benutzer
Werner Koch
wk@gnupg.org
Tue May 27 09:56:02 2003
On Mon, 26 May 2003 21:53:14 +0200, Ingo Klöcker said:
> No, it's not okay. This question concerns at least all members of the
> EU.
To a very different level. Signature laws (if they exist at all) are
different from country to country.
> You are probably thinking about the c't magazine. But OpenPGP keys don't
> have any legal relevance regardless of the institution that signed
> them.
Given a signed paper contract about the use of signatures between the
parties, OpenPGP signed documents can be enforceable to the same grade
as those with a handwritten signature.
> No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the
> requirements for a qualified certificate AFAIK. (One reason is that
> there is no centralized PKI for OpenPGP.) Currently only S/MIME keys on
> smartcards which are issued by two or three companies in Germany
A qualified signature requires some technical features (most notably a
trusted device - a smartcard is sufficient for this) as well as a
certificate by an accredited CA. There is nothing in the SigV
regulations which demands the use of X.509 or S/MIME. Even the DINSIG
is a draft standard and about all implementations create
non-interchangeable messages (on purpose, I bet).
So, to create a SigV compliant qualified signature (which is by law
treated the same way as a handwritten one) you basically need a
Smartcard and application licensed by the German RegTP and an
accredited CA willing to issue certificates (i.e. a key signature) for
an OpenPGP key.
Shalom-Salam,
Werner
--
Nonviolence is the greatest force at the disposal of
mankind. It is mightier than the mightiest weapon of
destruction devised by the ingenuity of man. -Gandhi