Infrastructure for qualified electronic Signatures in Germany
Jürgen Schwemmer
Moscow, 17th April 2014
Overview
• „History“ of „Qualified Electronic Signatures“ (QES) since 1997
• Peculiarities of QESs
• Recommendations / German Blueprint / Reality
• The eIDAS Regulation of 2014
„History“ of QESs since 1997
• 1997: Regulation of (exclusively) technical-organizational system security of (exclusively) QES (handwritten signature / will declaration) as prerequisite of changes in the Civil Code … by the German Signature Law and Ordinance (i.e. NO other regulations in the Signature Law)
• 1999: Inclusion of other kinds of signatures by Signature Directive 1999/93/EC leads to a complete change of the actual objective (AUTHENTICATION); see especially Article 2, Article 5(1) vs. 5(2) and the time of the validity check of certificates in Annex IV. NB: therefore Annex IV is (on demand of Germany) „only“ a recommendation, although certificate verification is the most important/critical item!
• 2012/2014: New eIDAS Regulation with additional services like eIDs, seals, time stamps, verification services
Peculiarities of QESs
• QES are means of will declaration and/or a legal equivalent of HANDWRITTEN signatures (only NATURAL persons!); (almost) all other signatures are means of authentication
• „Sign and forget“ needs very „long lasting systems“ (archiving/„oversigning“ by means of (qualified) archival time stamps … included; measures for algorithms necessary!)
• Revocation/„time out“ of Root- and/or CA-keys must NOT make the validity check of end-user certificates impossible („chain model“ plus „indirect system“ as possible solutions)
• Validity check of certificates must be possible at the „requested“ point of time or at the time of signing, (mostly) NOT at the actual point of time (i.e. „was the signature valid when it was done“?)
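The time logic behind the last two points, as an added example that is not part of the original slides: it contrasts checking every certificate at one single time (the actual time, or the signing time) with the „chain model“, where each issuer certificate only has to be valid when it issued the certificate below it. The `Cert` class, all names and all dates are constructed; issuance time is assumed to equal `not_before`, and cryptographic signature checks are left out.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass(frozen=True)
class Cert:                          # hypothetical, minimal certificate record
    name: str
    not_before: datetime             # assumption: also the issuance time
    not_after: datetime
    revoked_at: Optional[datetime] = None

def valid_at(cert, t):
    """Inside the validity period and not yet revoked at time t."""
    if not (cert.not_before <= t <= cert.not_after):
        return False
    return cert.revoked_at is None or t < cert.revoked_at

def check_at_time(chain, t):
    """Every certificate in the chain must be valid at the single time t."""
    return all(valid_at(c, t) for c in chain)

def check_chain_model(chain, signing_time):
    """chain = [end_user, ca, ..., root]. The end-user certificate must be
    valid at signing time; each issuer certificate must be valid at the
    moment it issued the certificate directly below it."""
    if not valid_at(chain[0], signing_time):
        return False
    return all(valid_at(issuer, subject.not_before)
               for subject, issuer in zip(chain, chain[1:]))

# Constructed sample chain (names and dates are made up).
D = datetime
ROOT = Cert("Root", D(2000, 1, 1), D(2010, 1, 1))
CA = Cert("CA", D(2002, 1, 1), D(2008, 1, 1), revoked_at=D(2007, 6, 1))
USER = Cert("User", D(2005, 1, 1), D(2009, 1, 1))
CHAIN = [USER, CA, ROOT]
SIGNED = D(2007, 9, 1)       # after the CA certificate was revoked
VERIFIED = D(2014, 4, 17)    # years later, every certificate has expired

def demo():
    return {
        "at_actual_time": check_at_time(CHAIN, VERIFIED),
        "all_certs_at_signing_time": check_at_time(CHAIN, SIGNED),
        "chain_model": check_chain_model(CHAIN, SIGNED),
        "chain_model_after_user_expiry": check_chain_model(CHAIN, D(2009, 6, 1)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the chain-model check still accepts the signature made after the CA certificate was revoked; a verifier needs archived validity periods and revocation times for every certificate in the chain to run it years later.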
Peculiarities of QESs (2)
• „Secure Signature Creation Device“ under REAL sole control of the owner! („shared“ or „distant“ solutions mostly critical)
• For legal reasons NO „suspend/resume“ of certificates! „suspended“ e.g. could mean „the person is incapacitated“ (exceptions only with e.g. „enforced“ use of time stamps …)
• (e.g. the) „Supervisory Authority“ must take care of customers/certificates of CSPs going/having gone out of business in order to continue the service („was the signature valid …“?)
• „Accreditation“ (audit before start of operation) can be the way to the above-mentioned requirement
• (possibly also in future) no „market driven“ solution to be expected (no private company's real „business case“ for „my“ (free of costs) signature)
Recommendations
• Use of hardware-based tokens as SSCD (mandatory for QES)
• Evaluation of SSCD forces the improvement of the „operational environment“ as side effect
• Separate paths for QC and non-QC in order to be able to react appropriately (e.g. „cut off“ of only the „infected areas“)
• Rigorous and complete auditing of the system, mandatory security concept including the use of signing/verification tools …
• Strict supervision, NOT just „registering“
• CA production unit should not (easily) be accessed from the internet; only the OCSP responder should be „seen“ from outside
• „CRL-conclusio“ can be dangerous and misleading, no good protection against full fakes of certificate chains
• For QES anyway („whereas“ No. 20) long-term concept necessary (CA going out of business must NOT lead to user certificates that cannot be verified anymore); archiving/time stamping!
• Root CA operated/mandated by public authority (no operation termination)
Thank You for Your Attention
Questions?
Jürgen Schwemmer
Section Qualified Electronic Signatures
Bundesnetzagentur, Germany
e-mail: juergen.schwemmer@bnetza.de