OASIS Digital Signature Services eXtended (DSS-X) TC

  • 1.  Some more thoughts concerning the legal aspects

    Posted 03-03-2008 20:11
    Hi Pim,
    
    concerning the statement that "DSS-like" systems (using a bunch of smartcard-based SSCDs as depicted 
    on slide 20 of http://www.ecsec.de/pub/RSA2004.pdf) may be used in Germany to produce 
    (and of course verify) qualified electronic signatures you may want to have a look 
    at https://www.secure.trusted-site.de/certuvit/pdf/93145UD.pdf for example. "DSS-like" means 
    that the certified version of this signature server uses a proprietary web-service-protocol, 
    which is similar to DSS - and will most likely support DSS in a future version. ;-)
    
    The initial uncertainty about the detailed requirements, which have to be fulfilled by an 
    SSCD according to Annex III of [1999/93/EC] has IMHO been removed in 2003 by the publication
    of [2003/511/EC] (cf. Annex B). 
    
    Therefore I would be VERY interested to see whether there is a single EU member state, which 
    a) still has requirements for SSCDs, which significantly deviate from [CWA 14169], or
    b) has a concept of "self qualification" of SSCDs. 
    
    As both points are NOT in line with (my understanding of) [1999/93/EC] I would be a little 
    surprised, if such cases would exist today. 
    
    BR,
     Detlef
    
    Links:
    [1999/93/EC]  http://www.signatur.rtr.at/repository/legal-directive-20000119-en.pdf
    [2003/511/EC] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:175:0045:0046:EN:PDF 
    [CWA 14169]   ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf 
    --
    Dipl. Inform. (FH)
    Dr. rer. nat. Detlef Hühnlein
    Partner
    secunet Security Networks AG
    Sudetenstraße 16
    96247 Michelau
    Phone  +49 9571 896479
    Mobile +49 171  9754980
    detlef.huehnlein@secunet.com
    www.secunet.com
    


  • 2.  RE: Some more thoughts concerning the legal aspects

    Posted 03-04-2008 22:54
    Hello Pim and Detlef,
    
    The publication of [2003/511/EC] is aimed to list or refer to acceptable standards, but the EU members are not forced to use the listed standards (CWA-14169).
    For example you can look at the following link to Italian legislation that is based on the EU directive at
    http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
    on section 35 it says:
    "The national scheme can also provide evaluation 
    and certification with respect to additional European and international criteria, also on other systems and products related to the field".
    As I mentioned in the conference call yesterday, a centralized approach for digital signatures is used for qualified signatures in other EU member countries.
    Even though one of the CoSign models is based on an internal array of SSCD smartcards (similar to the approach raised by Detlef), the centralized solution may not require using an internal array of SSCD smartcards. 
    
    Regards,
    Ezer
    
    


  • 3.  RE: Some more thoughts concerning the legal aspects

    Posted 03-06-2008 08:17
    Hello Ezer and Detlef,
    
    In countries that do support server-based signing with qualified signatures,
    what are the (minimum) requirements for user authentication? 
    
    Pim
    
    


  • 4.  RE: Some more thoughts concerning the legal aspects

    Posted 03-06-2008 13:01
    Hello Pim,
    
    I don't think there is any EU country that presented any standard for
    server-based digital signature solutions. 
    The only referred standard today is CWA-14169 and only smartcards passed
    this certification.
    It is hard to inspect when such standardization will take place. It is
    very much dependent on the offered technology and the acceptance of such
    technology.
    In practice, I can tell you that the following methods are used for
    enhancing the user authentication:
    A - OTP devices - the user is presenting a fixed password as well as a One
    Time Password.
    B - Biometric device - 
    C - Authentication smartcard - the user uses a smartcard with a client
    authentication certificate. The user's smartcard signs a challenge which
    is verified by the server.
    
    Ezer
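    Method C above, as an added example that is not code from this thread or from any product mentioned in it: the server issues a random challenge, the card side signs it, and the server verifies the response under the public key of the user's authentication certificate and accepts each challenge only once, so a recorded response cannot be replayed. The ECDSA key pair generated in `main` stands in for the certificate and the card, both of which are assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server is the signing service's authentication front end; it remembers each challenge it issued.
type Server struct {
	pub     *ecdsa.PublicKey // key from the user's client-authentication certificate (assumed)
	pending map[string]bool  // outstanding challenges, keyed by their raw bytes
}

// Challenge issues a fresh 32-byte random nonce for the smartcard to sign.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand never returns an error on supported platforms
	s.pending[string(c)] = true
	return c
}

// Verify accepts a response only for an issued, not yet answered challenge whose signature checks under the user's key.
func (s *Server) Verify(challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return fmt.Errorf("unknown or already used challenge")
	}
	delete(s.pending, string(challenge)) // single use: a captured response cannot be replayed
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under the certificate key")
	}
	return nil
}

// SignChallenge is the smartcard's side: sign the hashed challenge with the key that never leaves the card.
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the card's key pair
	srv := &Server{pub: &priv.PublicKey, pending: map[string]bool{}}
	c := srv.Challenge()
	sig, _ := SignChallenge(priv, c)
	fmt.Println("first use:", srv.Verify(c, sig), "| replay:", srv.Verify(c, sig))
}
```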
    
    


  • 5.  Re: [dss-x] RE: Some more thoughts concerning the legal aspects

    Posted 03-06-2008 15:59
    Hi Pim,
    
    in Germany there are no stipulations for the strength of the 
    authentication. Hence even UID/password is fine (with respect to the law). 
    
    As the legal construction in this case may be 
    interpreted that the DSS-server signs on behalf of the client,
    who provides the DSS-server (explicitly or implicitly) with a
    power of attorney (cf. Section 2 of http://www.ecsec.de/pub/2004_PKI.pdf) 
    and the creation of a power of attorney (in German law) does not need to have a specific form,
    there probably cannot be stipulations in general. 
    
    BR,
      Detlef
    
    > -----Original Message-----
    > From: Pim van der Eijk [mailto:pvde@sonnenglanz.net] 
    > Sent: Thursday, 6 March 2008 09:16
    > To: 'Ezer Farhi'; Huehnlein, Detlef
    > Cc: dss-x@lists.oasis-open.org
    > Subject: [dss-x] RE: Some more thoughts concerning the legal aspects
    > 
    > 
    > Hello Ezer and Detlef,
    > 
    > In countries that do support server-based signing with 
    > qualified signatures, what are the (minimum) requirements for 
    > user authentication? 
    > 
    > Pim
    > 
    > 


  • 6.  Re: [dss-x] RE: Some more thoughts concerning the legal aspects

    Posted 03-06-2008 17:09
    Hello all,
    
    Until the end of 2007 the Austrian so-called "Verwaltungssignatur" (based on 
    certificates which basically have less strict requirements for the issuing 
    CAs) could be used equivalently to a qualified signature (under specific 
    circumstances).
    Based on this Verwaltungssignatur, Mobilkom Austria (an Austrian telecom 
    provider) provided a server based signature using out-of-band authentication 
    via one-time codes sent to registered cell phones. Due to economic reasons, 
    however, Mobilkom Austria did not pursue the certification of this solution 
    for qualified signatures.
    In Austria this is still a topic worth discussion. 
    
    Clemens
    
    On Thursday, 6 March 2008, Pim van der Eijk wrote:
    > Hello Ezer and Detlef,
    >
    > In countries that do support server-based signing with qualified
    > signatures, what are the (minimum) requirements for user authentication?
    >
    > Pim
    >
    > 


  • 7.  Re: [dss-x] RE: Some more thoughts concerning the legal aspects

    Posted 03-06-2008 15:51
    Hi Ezer,
    
    > The publication of [2003/511/EC] is aimed to list or refer to 
    > acceptable standards, but the EU members are not forced to 
    > use the listed standards (CWA-14169).
    
    well, the EU members WERE not forced to use the acceptable 
    standards listed in [2003/511/EC] UNTIL these reference numbers
    WERE published. 
    
    Art. 3 (4) of [1999/93/EC] reads:
    
    "4. The conformity of secure signature-creation-devices with
    the requirements laid down in Annex III shall be determined by
    appropriate public or private bodies designated by Member
    States. The Commission shall, pursuant to the procedure laid
    down in Article 9, establish criteria for Member States to
    determine whether a body should be designated.
    A determination of conformity with the requirements laid
    down in Annex III made by the bodies referred to in the first
    subparagraph shall be recognised by all Member States."
    
    Therefore the German signature decree, which was (as the Italian)
    issued in 1997 for the first time and updated in 2001 to 
    include the necessary changes because of [1999/93/EC], includes
    in § 15 (6) SigV a statement, which makes clear that standards 
    for SSCDs (corresponding to Art. 3 (5) and Art. 9 of [1999/93/EC])
    shall be recognized, IF they are published. 
    
    
    § 15 (6) SigV reads (translated here from the German original):
    "
    (6) Insofar as, within the procedure under Article 3(5) and Article 9 of Directive 1999/93/EC in its respective current version, reference numbers for generally recognised standards for products for qualified electronic signatures are established and published in the Official Journal of the European Communities, these shall apply notwithstanding paragraphs 1 to 5, with the exception of the products under § 15(7) of the Signature Act. The competent authority shall publish in the Federal Gazette the currently applicable requirements on the basis of the determinations under sentence 1.
    "
    
    My Italian is not good enough to check whether the Italian signature
    act (or decree) has a similar stipulation or not. But I would be surprised
    if it would not, because this would be a case of improper implementation of
    the directive [1999/93/EC] (in particular the Art. 3 (4) above) 
    ... and this would seem to be unlikely nowadays.
    
    BR,
      dh
    
    
    > For example you can look at the following link to Italian 
    > legislation that is based on the EU directive at 
    > http://www.cnipa.gov.it/site/_files/Opuscolo%2013II.pdf
    > on section 35 it says:
    > "The national scheme can also provide evaluation and 
    > certification with respect to additional European and 
    > international criteria, also on other systems and products 
    > related to the field".
    > As I mentioned in the conference call yesterday, a 
    > centralized approach for digital signatures is used for 
    > qualified signatures in other EU member countries.
    > Even though one of the CoSign models is based on an internal 
    > array of SSCD smartcards (similar to the approach raised by 
    > Detlef), the centralized solution may not require using an 
    > internal array of SSCD smartcards. 
    > 
    > Regards,
    > Ezer
    > 
    >