PGP for official documents / eIDAS and ZertES

ankostis ankostis at
Wed May 31 19:34:17 CEST 2017

On 31 May 2017 at 15:14, Daniel Pocock <daniel at> wrote:
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?

IANAL, but I would agree with Reiner that the implementing acts are not
In more detail, of the three standards supported, only the last one,
XML-sig, supports PGP:

> > There are quite heavy
> > legal and organization layers on top of the technology that assure
> > security levels, notification (mutual acceptance) and cooperation
> > procedures.

Regarding organizational issues, there is nothing in eIDAS *in principle*
that forbids a company from using XML-sig with PGP.
But it would be interesting to see how the "national authorities" would
react in practice, should they receive such a request from a company.
If it would work, for certain, these 2 German companies would have a
head-start.

> Thanks for the feedback about that.  Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?

Check also the "closed systems" exception in the eIDAS regulation.
Search the legal-text for this term (e.g. Art 2.2) to get a rough
understanding of this.

Finally, I believe that a crucial point is whether the interpretation
of "assurance levels" can also apply to PGP, and Art 16 hints that it does.
This may be the twisting-arm power for PGP to come on board eIDAS.

Thanks for bringing this subject up,
