Question to german users/ Frage an deutsche Benutzer

Werner Koch
Tue May 27 09:56:02 2003

On Mon, 26 May 2003 21:53:14 +0200, Ingo Klöcker said:

> No, it's not okay. This question concerns at least all members of the 
> EU.

To a very different level.  Signature laws (if they exist at all) are
different from country to country.

> You are probably thinking about the c't magazine. But OpenPGP keys don't 
> have any legal relevance regardless of the institution that signed 
> them.

Given a signed paper contract about the use of signatures between the
parties, OpenPGP signed documents can be enforceable to the same grade
as those with a handwritten signature.

> No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the 
> requirements for a qualified certificate AFAIK. (One reason is that 
> there is no centralized PKI for OpenPGP.) Currently only S/MIME keys on 
> smartcards which are issued by two or three companies in Germany 

A qualified signature requires some technical features (most notably a
trusted device - a smartcard is sufficient for this) as well as a
certificate by an accredited CA.  There is nothing in the SigV
regulations which demands the use of X.509 or S/MIME.  Even the DINSIG
is a draft standard and about all implementations create
non-interchangeable messages (on purpose, I bet).

So, to create a SigV compliant qualified signature (which is by law
treated the same way as a handwritten one) you basically need a
Smartcard and application licensed by the German RegTP and an
accredited CA willing to issue certificates (i.e. a key signature) for
an OpenPGP key.



  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi