German Government Introduces Digital Signatures
bertvl writes: "From this article on CNN: Germany's federal government is introducing electronic signatures for its employees, a step it hopes will help make the security procedure generally accepted in the country. More than 200,000 employees of ministries and agencies will be able to sign electronic documents using a chip card with an encrypted key, giving them the same legal weight as paper documents with a handwritten signature, the federal Cabinet said in a statement Thursday."
I'm sorry, looks like Belgium was first with the digital signature being legal. My mistake.
"A witty saying proves nothing." - Voltaire
Good security should consist of three parts:
Now it seems the German government has two out of the three (know+have), which is one (or two!) better than most of the world. Now all they need are retinal scanners, and they're set!
Like I said, it may not be a Good Thing® they end up with, but whatever it is... it's a lot closer to "secure" than anything else.
It is not really an innovative step by the German government alone. All EU member states have to transform the EU directive on e-commerce into national law. According to the directive the member states have to make sure that most contracts (very few exceptions) can be closed online. The German government just tries to extend this rule to public law.
Line 9: Argument of type SIGNATURE expected.
Hong Kong's Government has implemented PKI infrastructure for digital signatures for their citizens. However, there is a fundamental fault in the system: not being thoughtful in distributing the root CA. First, the root CA is not embedded in the browsers we commonly use, nor has an upper root CA that is included in browsers signed their root CA. They even allow citizens to use a floppy to transfer the CA issued to the computer...hmm....
Anyway, the technology is mature, the things yet to be done are policy-making and legalese. Nothing is 100% secure, the CA issuer must bear the legal responsibility and liability. I wish they'd one day realize what the legal implication of such a faulty CA system is.
What I want to know is: [...] What is the state of Linux use in Germany?
Germany is home to an awful lot of linux development. SuSE is from Germany, as an example. The government is also active, sponsoring the GnuPG pgp-like development. Top government officials (like "secretary of state") opening the LinuxTag for 2 or 3 years in a row now.
There's a lot of debate currently on whether the Reichstag (the German parliament) should switch to linux. It's kinda funny, even people from the same party are disagreeing, one proclaiming the gospel of linux, the other (being half sponsored by Redmond) denouncing it as a threat to Germany's software industry as a whole :-)
The best tip is to look at heise. They've also got English news now. Look at what's going on there. That 'heise' publishes two of Europe's best-regarded computer magazines, one for home-use (c't), one for professional use (iX).
Reinout
Reinout van Rees
WRONG! Digital signatures were equal to written ones in Germany long before the EU directive. IIRC Germany was actually the first state in the world to pass such laws.
Who do you think was the strongest supporter of the EU-directive? The German security requirements were actually much harder than those now demanded by the EU. Many big companies, who had already invested in the needed infrastructure (setting up a CA in a secure building, etc.) were pretty much pissed after the laws got relaxed with the EU-directive.
The new thing now is that the German government is trying to push the use of digital signatures, because the adoption has been really low.
Not that I would agree with your general praise of Germany (although it sounds good :-)), but in this point you were right.
Germany passed digital signature laws in 1997 already, being the first state in the world to do so.
You know Germany seems to be one of the technological world leaders.
They're certainly no losers, but the general public's attitude has been rather anti-tech these past years.
They just decided to phase out all nuclear power in favor of wind power by the year's end and it looks like they'll do it.
Says who? Never heard about that one. Wouldn't be possible anyway, there's by far not enough wind power available (or to be made available) to come even close to replacing nuclear power, and certainly not by the end of the year. Sure, the green party hates anything that's got "nuclear" in its name, but that's hardly rational. If I'd got moderator points, I'd have modded you a troll for this point.
The acceptance of digital signatures is a huge step in helping the internet reach its full potential for changing the way we live our lives. Germany is taking this first step.
Maybe. It's unfortunate, though, that they chose a system that's already been broken. IIRC they took quite some heat for it from clued guys, but they went ahead anyway.
What is the state of Linux use in Germany?
AFAIK, it's one of the highest levels on this planet. SuSE's from Nuernberg, and AFAIK they make more money than Red Hat.
I ask all this because I'm looking at an offer for a research position at the Max Planck Institute in Munich (I'm sorry _Munchen_:).
Good luck there.
Well according to the BBC the Germans currently get about 3.5% of their power from wind (a 44% increase over the previous year), however (again according to the BBC) they currently get about 33% of their power from nuclear sources and the last plant won't be turned off for about 32 years ...
They don't check on normal transactions, only in special cases (very large/unusual transactions or account transfers).
I remember as a student that we had a bank account that was in name of the dorm. One of us, the house-elder was in charge of it. This is a pretty common construction in dorms in the Netherlands.
In our dorm we had this one guy who did the finances. He had lived in there for almost 12 years. He had paid the phone bills and the beer bills all from our account. When he moved out, we wanted to transfer the account to another dorm member. Only then we found out that the account was still under control from someone who moved out 12 years ago. In the course of the 12 years, all payments (about 40 every month) had been made with an illegal signature!
So I'm pretty sure that most signatures are never checked. <grin>
the pun is mightier than the sword
Banks don't often check small amounts. With me they've only checked signatures in checks above 200 Euros. Anything lower than that they'd just pay.
Thing here is that, in order for a system of digital identification to get widespread adoption, the public has to have trust. Who's going to be in favour of a system that people will initially perceive as being insecure (because it's not them that are signing, "it's a computer"), especially with all the news about trojans and security breaches in networked systems?
The point is that people are on the other side of digital ID, they're not thinking "Oh, good, I can have documents digitally signed and save me a whole lot of trouble", they're thinking more along the lines of "Hey, and if someone..."
They will have to check and double check and triple check to guarantee that the system is secure, otherwise they will have a very hard time trying to implement it a second time after they lose public trust.
Why are ATM machines and credit cards widely accepted by the public? On top of the convenience, they offer a (limited) liability for the damages that can come from its misusage, otherwise people would carry plain good old-fashioned cash anywhere they went.
Lay
Weakly typed languages will bring us armageddon
Unless you use biometrics (I don't generally leave my fingers on my desk when I go to lunch), the stupid-factor will always play a part.
You may not leave your fingers, but you leave a hell of a lot of fingerprints. Fingerprints are easy to gather. Retina scans are much harder but do not address other issues of using biometric data for authentication.
You cannot trust biometric data to be secret. You can't use it to replace passwords because you can't change it and I'm afraid people put too much value on biometric data.
To me the distinction between "something you have", "something you know" and "something you are" has always been vague. In most practical places they can be reduced to each other. A hand can be replicated artificially (are->have). A onetime password system can be described in terms of an initial vector (have->known). A password you can write down (know->have). Etc.
You're certainly right, but the article was about laws in Germany.
Germany has had some historical autocratic/statist leanings and nationalism or the belief in the state has entertained some moments of popularity.
50 years ago. Today nationalism and especially patriotism is not a very common phenomenon, and, compared to the US (or France, or..), the majority of Germans are not patriotic at all. People watch movies like 'Pearl Harbor' or people hanging US flags after 9/11 with disbelief. If a German would make a movie like this or put a German flag in a car people would call him right wing extremist...
But there is a certain amount of trust in the state and government that Americans seem to lack though.
I suspect the truth of it is that having a national ID card is useful to the government, but often in a good way.
Why? It's not like there is somebody at every corner asking for your identity. Actually, in my whole life, I have been asked for my identity card by local authorities inside Germany exactly once. And that was because a friend and I were driving next to a congress hall where a summit of European heads of state was taking place. There is no 'tracking' of people, if the police want to know your identity they will find it out whether you have an identity card or not. Usually you need the ID if you, for example, open a bank account, rent a car or things like this. In all these cases the companies already know your identity anyway and the ID card is used as a proof.
Don't know about the Netherlands, but in Germany it is mandatory. Many people don't carry one all the time, though, and AFAIK it's not an offence. On German IDs are: surname, given name, date & place of birth, nationality, date of expiry, signature of bearer, address, height, colour of eyes, religious name or pseudonym, authority (issuer), a picture of the bearer and a number.
I am required by my employer to wear my ID badge so it is visible at all times. I have to scan it to gain entrance to my building, and it is occasionally visually inspected on top of that. To make this process simple, almost all of us wear our IDs on retractor clips on our belts.
My ID badge also has a smart-card chip in it. I put it in the reader on my desk, enter my PIN, and log into the computer/network. I am required to lock my workstation when I leave my desk even momentarily, and auto-lock behavior is enforced if I forget. I can be fired if I am caught cheating on these security practices. Trust me, that's motivation to do things right.
People can learn anything if it's in their best interests to do so.
--Jaborandy
Our national ID card is basically used in the exact same situations where in the US you would be asked for a drivers or non-drivers license.
That is:
- To prove who you are (open a bank account, etc)
- Buy alcohol or rent a video with an age restriction to prove your age
There is no other form of tracking taking place.
The only thing which sounds weird for people coming from abroad is that when you have a residence in a town, you have to go to the registration office and register.
You need to be registered to get a voting card so you can vote, so you can get a tax card every year so you can work (legally) (same thing as presenting your SSN card in the US), to receive unemployment benefits and stuff like that, also to ensure you are not getting it more than once.
The Germans are really paranoid about "Datenschutz" = Privacy issues, at least 10 times more than in the US.
American companies in the USA collect and exchange a lot more information than in Germany. The data gathering and exchange laws here are very very strict.
In the US, all a company needs is your SSN and they basically know your whole life history. In Germany that doesn't happen, while it is possible to find out if people have not been paying bills in the past. Negative financial data is tracked (Schufa) but you have a right to gain access to the information they store on you and if it is wrong and you can prove it, correct it. Also, data gets deleted automatically after so and so many years.
In the USA you are asked for your SSN almost everywhere, and the companies exchange the data. Here the companies (for example when signing up for a cell phone contract) get the information from the central Schufa whether you have problems paying bills or not.
You can compare it to peer to peer and centralized networks. While p2p is great for "broadcasting" information, it is very bad for privacy critical data, because with p2p you have no control over who has the data.