PGP for official documents / eIDAS and ZertES
daniel at pocock.pro
Wed May 31 15:14:19 CEST 2017

On 31/05/17 13:54, Rainer Hoerbe wrote:
> Hi Daniel,
> The eIDAS regulation is replacing the national e-signature laws to make
> signatures (besides other things) interoperable across borders.
> While the law is fairly technology-neutral, the implementation acts have
> to reference specific technologies, which are CMS, PDF- and XML
> signature, but not PGP-signature.

Are the CMS, PDF or XML standards flexible enough that a PGP signature
could be used within any of them and thereby satisfy the legislation?
Or could any of those standards potentially be amended/extended to allow
use of PGP signatures?

> Beyond that, even if the EU would include PGP signatures, the technical
> interoperability would just be the beginning. There are quite heavy
> legal and organization layers on top of the technology that assure
> security levels, notification (mutual acceptance) and cooperation
> procedures. IMHU none of these exist in the PGP world.

Thanks for the feedback about that. Are all users likely to depend on
all of those things, or is it possible that a PGP signature would be
sufficient in some use cases?

In Switzerland, a number of state organizations are now accepting
digital signatures and the Swiss Post is promoting a ZertES/eIDAS
compliant solution, SuisseID. However, the price is quite expensive
and even people who know nothing about PKI look at it and think it is a
rip-off (Deutsch: ein teurer Flop) and start looking for
alternatives. Many organizations are afraid to fully depend on it,
especially when dealing with consumers.

It would be good to see PGP-based solutions grabbing market share before
things like SuisseID eventually gain traction.

Does eIDAS require people to obtain their smart card or certificate in
the country where they reside? Or will they potentially be able to shop
around, e.g. a Swiss person would be able to go to a German or French
post office and get a cheaper alternative?