Question to german users/ Frage an deutsche Benutzer

Werner Koch wk@gnupg.org
Wed May 28 14:06:02 2003


On Tue, 27 May 2003 19:19:51 +0200, Stephan Stapel said:

> But what I still don't understand is what Werner wrote, what applications
> are licensed by the german RegTP? Does this issue apply to GnuPG?

To be able to issue a certificate useful for a qualified[1] digital
signature a CA must be accredited by the RegTP and for that it is
required that verified systems must be used for the certification, the
used hardware tokens etc.  See
http://www.regtp.de/tech_reg_tele/start/in_06-02-05-00-00_m/index.html
for a list of approved products.

Having a compliant card is actually sufficient, because it won't be
possible to check whether a suitable card reader has actually been
used for creating the signature.  However, it is in the user's own
interest to use secure devices and viewers etc.

All the mainstream products are only available for Windows, so the
certification of the software is a bit questionable because the OS
isn't certified and the certification does not involve a code
inspection.


Shalom-Salam,

   Werner


[1] "qualified" is a class of signatures as defined by the German
signature laws.  There are also "advanced" digital signatures, with
the rule that suitable measures must be taken to prevent forging, and
"simple" digital signatures, where just signing the email with your name
in plain text would be sufficient and in compliance with the law
(without any real advantage of course).

-- 
  Nonviolence is the greatest force at the disposal of
  mankind. It is mightier than the mightiest weapon of
  destruction devised by the ingenuity of man. -Gandhi