PGP for official documents / eIDAS and ZertES

Daniel Pocock daniel at pocock.pro
Thu Jun 1 08:06:01 CEST 2017



On 31/05/17 19:34, ankostis wrote:
> On 31 May 2017 at 15:14, Daniel Pocock <daniel at pocock.pro> wrote:
>>
>> Are the CMS, PDF or XML standards flexible enough that a PGP signature
>> could be used within any of them and thereby satisfy the legislation?
> 
> IANAL, but I would agree with Reiner that the implementing acts are not
> technology-neutral.
> More detailed, from the three standards supported, only the last one,
> XML-sig, supports PGP: https://www.w3.org/TR/xmldsig-core/#sec-PGPData
> 

Are there any basic examples of using XML-sig with GnuPG for signing and
verifying?

Are there any specific attributes that need to be included in a key used
for eIDAS?  E.g. does the legislation expect the photo or even something
like home address or date of birth, or is just the name and email address
sufficient?


> 
> 
>>> There are quite heavy
>>> legal and organization layers on top of the technology that assure
>>> security levels, notification (mutual acceptance) and cooperation
>>> procedures.
> 
> Regarding organizational issues, there is nothing in eIDAS *in principle*
> that forbids a company to use XML-sig with PGP.
> But it would be interesting how the "national authorities" would react
> in practice,
> should they receive such a request from a company.
> If it would work, for certain, these 2 German companies would have a head-start.
> 

There are a couple of scenarios:

- for submitting documents to national authorities, some types of
submission (e.g. a tax return without any refund due) are a one-way
process.  The person submitting the document can assert they submitted
it in compliance with the law and it is then a problem for the national
authority to make sure their IT systems are reading valid PGP
signatures.  We will see some of them start advertising vacancies for
consultants with PGP expertise at the point people start submitting
PGP-signed documents.

- for business-to-business or consumer-to-business transactions, if a
business is willing to accept orders signed with PGP, they are making
life a lot easier for their customers.  The money the customer doesn't
have to waste on something like SuissID is money the customer can spend
with the business in question.

Another aspect of this topic: if at least one valid solution exists
(e.g. using XML-sig), then consultants specializing in PGP could tell
their customers that they offer a competitive solution compliant with
eIDAS and ZertES.

Regards,

Daniel


