Slashdot Mirror


German Government Introduces Digital Signatures

bertvl writes: "From this article on CNN: Germany's federal government is introducing electronic signatures for its employees, a step it hopes will help make the security procedure generally accepted in the country. More than 200,000 employees of ministries and agencies will be able to sign electronic documents using a chip card with an encrypted key, giving them the same legal weight as paper documents with a handwritten signature, the federal Cabinet said in a statement Thursday."

14 of 210 comments

  1. more secure by awing0 · · Score: 1, Insightful

    This is definately more secure than any paper signature. Of course, both can be duplicated perfectly, the digital sig being a lot harder (depending on the key strength).

    --
    Cthulhu Saves.
    1. Re:more secure by TicTacTux · · Score: 2, Insightful
      Well, it is just as secure as the underlying application. You might need both the key card plus a SecurID card that generates a one-time pad every minute.

      With t-online's [amongst others'] questionable security record combined with the inherent strong security of a mainstream PC operating system (fail to remember its name) I give the system two months until 1st crack.

      Then again, what's a fake sig under a decree limiting the maximum parking time to two hours in some suburban street compared to a DoS attack against the root name servers...

      --
      Use The Source, Luke!
  2. The flaw in all security systems ... by Big Dogs Cock · · Score: 5, Insightful

    ... is people. How many people are going to go for a dump, leaving their keycard on their desk? Practically everyone where I work wanders off at some point leaving their PC logged with their (Notes) mail running. This could lead to hours of fun. Similarly, passwords/phrases get shared, borrowed etc.

    Unless you use biometrics (I don't generally leave my fingers on my desk when I go to lunch), the stupid-factor will always play a part. The legal status of digital signatures will only really be clarified when the first case comes to court with the defense: "someone else must have used my key".

    (OT) Oh, and would people please learn to spell "definite". It's like "finite" with a "de" on the front (quickly checks for typos).

    --
    "Under the iron bridge, we fist" - The Smiths, Still Ill
    1. Re:The flaw in all security systems ... by swillden · · Score: 3, Insightful

      I don't generally leave my fingers on my desk when I go to lunch

      But you leave your fingerprints on your desk, on your fork at lunch, on your car...

      Even more important (because it's not necessarily possible to fool a fingerprint scanner with the data provided by a print) if fingerprints were a part of day-to-day electronic security, you'd be accustomed to planting your finger on scanners twenty times per day. It only takes one bogus scanner, or even one legitimate scanner that is poorly implemented, and your security is history.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. credit authorization? by MiTEG · · Score: 4, Insightful

    Here in the U.S., for me anyway, the most common reason for me to have to sign something is when I pay with a credit card, yet when I purchase something online, no signature is required. This could be great if used by e-commerce companies to verify the person making the purchase is indeed who they say they are.

    Slightly off topic, but why are the currencies given in Japanese yen in the article if it is hosted on an American site and about Germany?

    --
    The future isn't what it used to be.
  4. Paper is still more secure. by bildstorm · · Score: 2, Insightful

    Paper easily collects fingerprints and body fluids. You may not be able to perfectly verify that signature, but you should be able to verify whether or not someone actually held the paper.

    Keycards are great, but only if used in conjunction with biometrics.

    --
    The power of accurate observation is commonly called cynicism by those who have not got it. - G.B. Shaw
  5. Re:Logistics by Graymalkin · · Score: 4, Insightful

    Keeping track of 200k signatures will be a logistical nightmare? What the hell are you talking about? How many millions of credit and debit cards exist in the world? How many does a single bank issue? Cripe man. As for signing documents...that is just encryption. You have your public key off somewhere and keep the private key on a smart card. Your smart card would have an info file about you and contain your public and private keys (the private key being protected by a password or biometric key). You'd sign the document and add the signature as an attachment to a document. Somebody would get it and grab your public key from something as basic as an HTTP server and verify that the document they received was as you sent it. Easy to crack no. If you're using 128-bit encryption you're pretty set though it'd be even better to use larger keyspaces. Dnet's RC5-64 has been on since 1998 and still hasn't found the key. They're pumping through millions of keys per day. So easy to crack, no. Hard to maintain, no.

    --
    I'm a loner Dottie, a Rebel.
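
The sign-then-verify flow described in the comment above, as an added example that is not part of the original thread. It assumes the OpenSSL command-line tool, picks RSA-2048 with SHA-256 for illustration, and keeps the private key in a file where a chip card would hold it internally; all file names and the document text are constructed.

```shell
#!/usr/bin/env bash
# Added example: detached-signature flow. File names and document text are
# constructed; on a chip card the private key would never leave the card.

make_keypair() {   # $1 = private key path, $2 = public key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

sign_doc() {       # $1 = private key, $2 = document, $3 = signature output
    # Hash the document with SHA-256 and sign the digest with the private key.
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_doc() {     # $1 = public key, $2 = document, $3 = signature; exit 0 = valid
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

check() {          # same arguments as verify_doc; prints a label for the result
    if verify_doc "$@"; then echo valid; else echo rejected; fi
}

run_demo() {
    local d; d=$(mktemp -d) || return 1
    make_keypair "$d/alice.key" "$d/alice.pub" || return 1
    make_keypair "$d/mallory.key" "$d/mallory.pub" || return 1
    printf 'Parking limit: 2 hours\n' > "$d/decree.txt"
    sign_doc "$d/alice.key" "$d/decree.txt" "$d/decree.sig" || return 1

    local original wrong_key tampered
    # Recipient checks the detached signature against the signer's public key.
    original=$(check "$d/alice.pub" "$d/decree.txt" "$d/decree.sig")
    # A different public key must not validate the same signature.
    wrong_key=$(check "$d/mallory.pub" "$d/decree.txt" "$d/decree.sig")
    # Any change to the document after signing must invalidate the signature.
    printf 'Parking limit: 9 hours\n' > "$d/decree.txt"
    tampered=$(check "$d/alice.pub" "$d/decree.txt" "$d/decree.sig")
    rm -rf "$d"
    echo "original=$original wrong_key=$wrong_key tampered=$tampered"
}

run_demo
```

The check only ties the document to whoever controls the private key; whether the published public key really belongs to the named person is a separate question that a certificate authority has to answer.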
  6. Does anyone know how strong the encryption is? by voronoi++ · · Score: 3, Insightful

    If the encryption is not strong enough to deter the majority of fraudsters, then I'd steer clear.

    I'd hope they use some kind of pin code in addition to the "chip card". I also hope you can cancel a "chip card" if it gets stolen...
    If someone fraudulently uses your digital signature that better not be binding!

  7. Re:Won't happen across the US government by NaCh0 · · Score: 2, Insightful

    The card itself is simple. It will be much harder for the government to coordinate a reliable infrastructure (databases, card readers, etc). That is why I think we won't be seeing it anytime soon.

    Of course, there are all of the people problems. The system will have to be highly usable. Today, people can't even handle encrypted email (without physical tokens) because it is too hard. I would be much more positive if someone could show me software that put digital signatures/crypto in terms that a regular person could understand. The current GUIs that wrap around PGP/GPG don't cut it because they assume you understand the underlying process.

    Brian

  8. Re:Legal Weight by aCC · · Score: 2, Insightful

    It's only a matter of time before somebody signs something (or appears to), and then denies any involvement. Excuses (true or not) of "My card was stolen", "They made me tell them the key", "I don't know what you're talking about" will presumably be uttered (in German).

    Hmmm... very strange argument. Why is that different to hand signatures then?

    Same excuses the other way round (and as courts probably hear them very often):
    "My signature was faked." (Even though it looks the same)
    "They made me sign it."
    "I don't know what you're talking about."
    uttered in any language.

    It doesn't matter if it was done digital or analog. The legal situation isn't worse. It only got better, because you have more security features. It's quite easy to fake a hand signature, but it's nearly impossible to fake a digital signature...

  9. Re:Germany by Gerein · · Score: 5, Insightful
    It would be a 20 year+ project to realise it.

    Well, it is! They just don't build new ones, and the existing nuclear plants are being phased out.

    If they don't, the Christ Democrats, who are ultra conservatives who think GW Bush's environmental policies are too compromising, will scrap the whole thing.

    Come on. The Christ Democrats are conservative, and I hope they don't win, but comparing their environmental politics with those of GWB?? Environmental support has always been very strong in Germany, even with the Christ Democrats.

    ... that it can take up to 10 working days to cash a cheque.

    Maybe because you're the only one who does it? I've lived all my life in Germany, and I've used a cheque only once! I got the money instantly... Who needs cheques?

    ... with a Genetic finger print embedded in the national ID ...

    Unfortunately you're right with this one. May very well happen. On a side note: At the moment the US is pushing European countries to introduce biometrical finger prints on the IDs, threatening to require visas for immigration again...

    ... a free for Corporations to use Genetic database ...

    Very unlikely! Privacy concerns have been very strong in Germany, I could never imagine the government letting corporations access a (hypothetical) genetic database!

  10. The article is full of misinformation by Florian Weimer · · Score: 3, Insightful

    Unfortunately, the article misses the main point: Germany has been trying to build a PKI for governmental use since 1997 or so (when legislation was passed to make documents carrying some types of digital signatures equivalent to paper documents).

    However, the 1997 law features very high requirements for CAs and the actual implementations of digital signing. Partly because of the high security standards (which look good on paper, but fail in practice--a certified solution was successfully attacked by compromising the hosting general purpose computer), and partly because of incompatibilities, acceptance of this type of signatures was extremely low.

    The new digital signature law introduces a new kind of digital signature with lower security standards, and which does not necessarily require additional hardware. Although this is less secure (key theft might be possible), this approach seems to be practical.

    At the same time, the compatibility problems are addressed in the Sphinx framework, where KMail and GnuPG are enhanced so that they can exchange messages with other Sphinx-compatible clients.

    If I'm not mistaken, the German federal government announced recently that it would promote the use of the low security digital signature in non-critical areas of the federal government. I think this is a good idea; even a digital signature based entirely on software (and not on some smart card which fully implements an asymmetric crypto algorithm) provides more authentication than a simple phone call, and certainly much more non-repudiation (even more than an oral consultation). And this time, the rollout might actually succeed, if the clients get ready soon.

  11. Re:Its nice to see it again by Anonymous Coward · · Score: 1, Insightful

    At the risk of sounding like a troll (which this is not), I think the US has a stronger tradition of personal freedom. Germany has had some historical autocratic/statist leanings and nationalism or the belief in the state has entertained some moments of popularity.

    The US, on the other hand, has a strong tradition of distrusting its Government (and about half the time, justly so). These are the same folks who believe that the freedom to bear arms is what makes for a truly free and safe society.

    I suspect the truth of it is that having a national ID card is useful to the government, but often in a good way. It does allow the government to track people more effectively, but not every aspect of that is disturbing. OTOH, I'm quite sure that sometimes governments (or their employees) do engage in disturbing activities including taking advantage of things the government knows about its people. But not having an ID card won't change that... just make it a bit more involved....

  12. Forged digital signatures? by rice_burners_suck · · Score: 3, Insightful

    What about forged signatures?

    xxxxxxxxxx O xxxxxxxxxx H xxxxxxxxxx xxxxxxxxxx W xxxxxxxxxx E xxxxxxxxxx L xxxxxxxxxx L xxxxxxxxxx.

    Actually, I'm not done yet. I just wanted to say that we're moving towards a moneyless, paperless society. One day, and it might not be so far off in the distant future, there will be no money, and all documents will be electronic and signed with digital signatures. All your personal information will be stored on a so-called "chip card." This will be a sort of global identification card, which will simultaneously serve as:

    • Identification:
      • Birth certificate.
      • Driver license, including complete driving record.
      • Whatever other licenses you might have.
      • Retinal scan, fingerprints, DNA, voice identification, and whatever other methods are invented.
    • Money: (at this point, money will simply be credit)
      • Debit and credit card for all checking, savings and credit accounts that you have.
      • Record of every transaction you make, for tax purposes. (This will be so convenient because you won't have to balance your accounts anymore. It'll be done automatically. Of course, taxes will automatically be deducted from every transaction, so you don't have to worry about that anymore, either.)
    • School:
      • Transcripts for every educational institution you attend.
      • Instructor comments.
      • In fact, every individual grade (for each assignment and test) will be recorded.
      • Attendance record.
    • Medical:
      • Entire medical history.
      • Prescriptions.
      • Allergies.
      • Complete insurance information.
    • Convictions. Need I say more?
    • Global Positioning System:
      • Never get lost again, even if you want to. And of course, everywhere you go, you'll need your card, so you can't just leave it behind.
      • This will be so convenient because if you lose your card, it'll be found very quickly.

    With tiny storage media such as microdrives reaching capacities of a gigabyte or more, such a card is not far off. It could even come from the government already in a nice waterproof protective wallet. After a few years go by, they'll start implanting this technology in people's bodies, and sell you on the added conveniences, such as monitoring of your life functions, the impossibility of getting kidnapped, huge reduction in crimes, etc. That way, Big Brother can really be in control of your life.

    Ok, now I'm done.

    xxxxxxxxxx O xxxxxxxxxx H xxxxxxxxxx xxxxxxxxxx W xxxxxxxxxx E xxxxxxxxxx L xxxxxxxxxx L xxxxxxxxxx.