PGP for official documents / eIDAS and ZertES

[Rainer Hoerbe]

> Am 31.05.2017 um 15:14 schrieb Daniel Pocock <daniel at pocock.pro>:
> 
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?
> Or could any of those standards potentially be amended/extended to allow
> use of PGP signatures?

CMS and PGP signatures are similar in concept, but incompatible. GPG-signatures could be added to xmldsig quite easily, but implementing this securely in different libraries would be a major undertaking. In addition, the WoT model is not compatible with the PKI + Trust Status Lists of eIDAS, although one could bridge the models, somehow.

> Thanks for the feedback about that.  Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?
> 
> In Switzerland, a number of state organizations are now accepting
> digital signatures and the Swiss Post is promoting a ZertES/eIDAS
> compliant solution, SuisseID.  However, the price[1] is quite expensive
> and even people who know nothing about PKI look at it and think it is a
> rip-off (Deutsch: ein teurer Flop[2]) and start looking for
> alternatives.  Many organizations are afraid to fully depend on it,
> especially when dealing with consumers.
> 
> It would be good to see PGP-based solutions grabbing market share before
> things like SuisseID eventually gain traction.

PGP is sufficient - I would say even better and more secure - in use cases where a small community leverages a trust relationship from the physical world. An example are CERT-employees or Federation Operators who know each other directly or with usually one intermediary from conferences and meetings, and are technically versed enough to overcome the learning curve.

eIDAS has a very different scope, trying to make electronic identities of all EU citizens trustworthy between member states.  It is hard to judge if SuisseID is expensive or not. With support and integration a price range of 50€/year is what enterprises pay for an employee smartcard. But I guess that even „expensive" cards like nPA and SuisseID are somehow subsidized by the taxpayer. We will probably know only in hindsight if it was worth the investment from a macroeconomic point of view.

PGP might grab significant market shares inside specific domains, where its poor usability does not matter or is covered by scripts and shells. However, as a competitor to eIDAS it would need a massive investment and industry + government support.

> 
> Does eIDAS require people to obtain their smart card or certificate in
> the country where they reside?  Or will they potentially be able to shop
> around, e.g. a Swiss person would be able to go to a German or French
> post office and get a cheaper alternative?

Not cheap, because the vetting of persons against public registers requires administrative procedures. AFAIK only Estonia is offering such a service as of now, called the e-Residency program.

- Rainer