Question to german users/ Frage an deutsche Benutzer

Ingo Klöcker ingo.kloecker@epost.de
Wed May 28 01:36:04 2003



On Tuesday 27 May 2003 09:57, Werner Koch wrote:
> On Mon, 26 May 2003 21:53:14 +0200, Ingo Klöcker said:
> > No, it's not okay. This question concerns at least all members of
> > the EU.
>
> To a very different level.  Signature laws (if they exist at all) are
> different from country to country.

Well, there is an EU-wide law (well, it's not really a law, but I don't
know the proper English word) for digital signatures since a few
months. So sooner or later (most likely later) all members of the EU
will have a corresponding law.

> > You are probably thinking about the c't magazine. But OpenPGP keys
> > don't have any legal relevance regardless of the institution that
> > signed them.
>
> Given a signed paper contract about the use of signatures between the
> parties, OpenPGP signed documents can be enforceable to the same grade
> as those with a handwritten signature.

Until the first court decision declares the opposite if one of the
parties suddenly decides not to accept OpenPGP signatures anymore.

> > No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the
> > requirements for a qualified certificate AFAIK. (One reason is that
> > there is no centralized PKI for OpenPGP.) Currently only S/MIME
> > keys on smartcards which are issued by two or three companies in
> > Germany
>
> A qualified signature requires some technical features (most notably
> a trusted device - a smartcard is sufficient for this) as well as a
> certificate by an accredited CA.  There is nothing in the SigV
> regulations which demands the use of X.509 or S/MIME.  Even the
> DINSIG is a draft standard and about all implementations create
> non-interchangeable messages (on purpose, I bet)
>
> So, to create a SigV compliant qualified signature (which is by law
> treated the same way as a handwritten one) you basically need a
> Smartcard and application licensed by the German RegTP and an
> accredited CA willing to issue certificates (i.e. a key signature)
> for an OpenPGP key.

True. But I doubt there will ever be a qualified signature using OpenPGP
since S/MIME is favored by the government (-> SPHINX) and because it
would be too confusing if there were two competing types of qualified
signatures.

Regards,
Ingo

