Question to german users/ Frage an deutsche Benutzer
Wed May 28 01:36:04 2003
Content-Description: signed data
On Tuesday 27 May 2003 09:57, Werner Koch wrote:
> On Mon, 26 May 2003 21:53:14 +0200, Ingo Kl=F6cker said:
> > No, it's not okay. This question concerns at least all members of
> > the EU.
> To a very different level. Signature laws (if they exist at all) are
> different from country to country.
Well, there is a EU-wide law (well, it's not really a law, but I don't=20
know the proper English word) for digital signatures since a few=20
months. So sooner or later (most likely later) all members of the EU=20
will have a corresponding law.
> > You are probably thinking about the c't magazine. But OpenPGP keys
> > don't have any legal relevance regardless of the institution that
> > signed them.
> Given a signed paper contract about the use of signatures between the
> parties, OpenPGP signed documents can be enforcable to the same grade
> as those with a handwritten signature.
Until the first court decision declares the opposite if one of the=20
parties suddenly decides not to accept OpenPGP signatures anymore.
> > No, you can't use OpenPGP keys (yet). OpenPGP doesn't fulfill the
> > requirements for a qualified certificate AFAIK. (One reason is that
> > there is no centralized PKI for OpenPGP.) Currently only S/MIME
> > keys on smartcards which are issued by two or three companies in
> > Germany
> A qualified signature requires some technical features (most notably
> a trusted device - a smartcard is sufficient for this) as well as a
> certificate by an accredited CA. There is nothing in the SigV
> regulations which demands the use of X.509 or S/MIME. Even the
> DINSIG is a draft standard and about all implementations create
> non-interchangeable messages (on purpose, I bet)
> So, to create a SigV compliant qualified signature (which is by law
> treated the same way as a handwritten one) you basically need a
> Smartcard and application licensed by the German RegTP and an
> accredited CA willing to issue certificates (i.e. a key signature)
> for an OpenPGP key.
True. But I doubt there will ever be a qualified signature using OpenPGP=20
since S/MIME is favored by the government (-> SPHINX) and because it=20
would be too confusing if there were two competing types of qualified=20
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----