Slashdot Mirror


German Government Introduces Digital Signatures

bertvl writes: "From this article on CNN: Germany's federal government is introducing electronic signatures for its employees, a step it hopes will help make the security procedure generally accepted in the country. More than 200,000 employees of ministries and agencies will be able to sign electronic documents using a chip card with an encrypted key, giving them the same legal weight as paper documents with a handwritten signature, the federal Cabinet said in a statement Thursday."

18 of 210 comments

  1. We already have it in Belgium by arnwald · · Score: 4, Interesting

    Just last week I set up my life insurance,
    and they used the chip in my bank card as a digital signature (together with the code).

    The nice lady explained to me how the Belgian State now accepts these digital signatures and how great that was.

    Mind you, I reside in a farming community; I wonder how the farmers react?

    Greetings.

    --
    My other sig is Funny.
  2. That's final proof.. by Rob+Kaper · · Score: 5, Interesting

    The German government just gets it. First they send 52-page colour booklets promoting open source to all businesses in the country, then they give a large sum of money to add more security and encryption in mutt and KMail, and now this!

  3. Germany by Supa+Mentat · · Score: 5, Interesting

    You know Germany seems to be one of the technological world leaders. They just decided to phase out all nuclear power in favor of wind power by the year's end and it looks like they'll do it. The acceptance of digital signatures is a huge step in helping the internet reach its full potential for changing the way we live our lives. Germany is taking this first step. What I want to know is: who are the politicians making all of these progressive decisions and what effect are they having in the EU Parliament? Are other European countries following Germany's lead in these types of issues? I know that German business law strongly favors big business; are there any other laws or policies that a liberal would take issue with in Germany? What is the state of Linux use in Germany? I ask all this because I'm looking at an offer for a research position at the Max Planck Institute in Munich (I'm sorry _Munchen_:).

    --
    "A witty saying proves nothing." - Voltaire
  4. Legal Weight by Mike+Connell · · Score: 5, Interesting

    Surely the 'legal weight' will be determined by the courts: It's only a matter of time before somebody signs something (or appears to), and then denies any involvement. Excuses (true or not) of "My card was stolen", "They made me tell them the key", "I don't know what you're talking about" will presumably be uttered (in German). Cryptogram has covered the problem that "the key isn't the person" in the past.

    If the first 10 cases all end up with courts deciding that there isn't enough evidence that the person did actually "sign" the document, there surely won't be much legal weight? A paper signature means little if there is sufficient doubt about its authenticity, I don't see how that's going to change here.

    As an aside, I like the last line of the CNN piece:

    Bitkom called instead for a "citizens' card," with chip and electronic signature, for all Germans.

    Yeah Baby! I can't see anything bad happening down that road!

    1. Re:Legal Weight by Alsee · · Score: 4, Interesting

      So, you say a hand signature ... is more secure than a card that has to be stolen plus a PIN

      It depends what you mean by secure. If you type your name here I can forge your signature without ever having seen it. I can't do that with your digital signature. But anyone knowledgeable can look at the signature and see it's forged. You can prove you didn't sign it, and they have a lead in trying to catch me. If I have a copy of your signature and am an expert forger things get more difficult, but expert analysis may prove you didn't sign it.

      If I catch your PIN on camera and swipe your card I can make a perfect signature. You have no way to even try to prove you didn't sign it.

      And the topic of the thread was how much legal weight a digital signature would have, compared to paper signature. In my opinion a paper signature would have to carry more weight in court.

      Don't get me wrong, I'm definitely pro-technology. This thing is pretty cool.

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  5. fun and games by Perdo · · Score: 2, Interesting

    It's all fun and games until someone steals your digital identity. Just ask all the posters who rate an imposter here. Or ask Signal 11 (7608).

    signal ll (150330)
    Signal 69 (159601)
    Signal 11 (160141)
    Signal Eleven 11 (196051)
    Signal 12 (196465)
    Signal seven 11 (196530)
    Signal 1| (196903)
    Signal%2011%20 (198994)
    Signal 13 (199065)
    Signal 10 (199067)
    Signal 14 (199492)
    Signal%2011 (199508)
    Signal l1 (199916)
    Signal 11 on. . (200800)
    nbsp;Signal 11 (200811
    Sìgnal 11 (200815)
    Signal 11_bork2 (202783)
    Sìgnal ll (203092)
    Signal (203244)
    Signal 11_bork1 (203709)
    Signal II (221055)
    Signal 111 (248325)
    Signal 1I (255479)
    Signal Eleven (261043)
    Signal Nine (442438)
    by Signal 11 (200808)

    --

    If voting were effective, it would be illegal by now.

  6. Project Ägypten (Free Software Sphinx-Clients) by hany · · Score: 2, Interesting

    Project Ägypten (Free Software Sphinx-Clients):

    The Sphinx project launched by German authorities aims to improve secure email exchange. The project's technological base is the protocol 'TeleTrust e.V. MailTrusT Version 2'. This includes the standards S/MIME, X.509v3 and others.

    Proprietary products are already on the way, but with the project Ägypten there is now also a Free Software solution going to be realized for popular mail user agents (sphinx-enabling KMail and mutt are essential goals).

    The Free Software companies Intevation, g10 Code and Klarälvdalens Datakonsult AB are contracted by the German 'Bundesamt für Sicherheit in der Informationstechnik (BSI)' to incorporate the Sphinx protocols into Free Software MUAs. Background is to ensure availability of alternatives to proprietary desktops.

    --
    hany
  7. Thoughts on the perfect ID card.. by ShaniaTwain · · Score: 3, Interesting

    G'damn, but this is a tough issue (I'm speaking generally here) How do you:

    (1) Insure that no one can fake your identity

    (2) Insure that no one can conglomerate data from your identity

    It seems to me that both (1) and (2) are desirable, yet mutually exclusive. How do you insure anonymity with a definite ID? These two issues have never been smashed together with such power before. Digital technology gives us the possibility for either (1) or (2), but can it ever give us both? Are they mutually exclusive? Is it either anarchy or buttonhole ID fascism?

    .. Personally I would opt for Anarchy for myself, and button-hole fascism for everybody else.. (for safety's sake of course).. How 'bout you?

  8. what about theft? by BladeMelbourne · · Score: 2, Interesting

    What happens if someone steals your card? It is like forging a signature, although harder to deny.

    Wouldn't thumb or retinal scans be more secure (maybe more expensive though?)

  9. So what's the difference with a physical ID... by lay · · Score: 4, Interesting

    ...after all?

    I know you Americans don't have ID cards, but we have them in Portugal and always had, so we don't tend to consider them as forms of major control, even though they are.

    The point here is that if you lose your wallet and someone gets ahold of your ID card, you can be in a lot of trouble if it gets misused.

    I have heard of stories from people I know that lost their ID and found themselves being chased by stores that claimed people had bought stuff there, paid the first entrance fee and never paid the rest. And that is the least that you can expect, even if you report your ID being missed 5 minutes after you lose it.

    We, at least, don't have that many legal mechanisms to prevent situations like those, but I would bet it's a matter of time until there is a case of stolen digital ID.

    The German government, by giving incentive to open source applications like encryption and security are aware of these problems. So if they actually exist? They existed well before things went digital, so you can expect a few cases of stolen ID before things get smooth.

    Nice move here in Europe, btw. First GEANT, now this, really love the way things are popping up after a lot of foundation work.

    --
    Lay
    Weakly typed languages will bring us armageddon
  10. Oh yeah, and there's the European Citizenship! by lay · · Score: 3, Interesting

    So, like all you are aware of, citizens from European countries have physical and economic mobility throughout the member states. And we have a common currency now too. So, since Belgium already has a system like this too, the next logical step would be to implement this throughout the whole Europe, which I bet has already been thought.

    Any other European country that has a system like this? What are the chances of all these systems being interchangeable?

    It's nice that a government from another member state can digitally ID you... isn't it? :-)

    --
    Lay
    Weakly typed languages will bring us armageddon
  11. Why Digital Signatures Are Not Signatures by fhwang · · Score: 5, Interesting
    Damn, I could've sworn it was just yesterday that I posted this article to another discussion here on /.

    Everyone who's praising the German government on being all tech-savvy and forward-thinking and blah-blah-blah should first read Bruce Schneier's thoughts on the subject: Why Digital Signatures Are Not Signatures.

    In a nutshell, he says this: Cryptography can do quite a bit to guarantee that a given signature came from a given computer. It can do absolutely nothing to guarantee that that signature represents the person it purports to represent. To quote Schneier: "The mathematics of cryptography, no matter how strong, cannot bridge the gap between me and my computer."

    It's all good and well for governments to embrace new technology, but only if they don't cause major fuckups in the process.

    1. Re:Why Digital Signatures Are Not Signatures by swillden · · Score: 3, Interesting

      Actually I don't think Schneier exaggerated; he was criticizing the common implementation approach, and he was dead on. If I recall his article correctly, he did mention that it could be done with some sort of single-purpose personal signing device which displayed the document, authenticated the user and created the signature. So he also admits that digital signatures can be useful when done properly, but that doing them properly is harder than most people think.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  12. Education in Germany by sireenmalik · · Score: 2, Interesting

    I have been thinking of writing about this and today one Slashdotter's question has prompted me to finally take it up.
    I am doing M.Sc. Information Technology at the Uni of Stuttgart. It's a very good program as it includes technical subjects like IP Networks, Telecomm Networks, Distributed Systems, Mobile Communications, DSP, Embedded Systems, etc etc as well as non-technical courses such as Law, Business Management, Innovation and Technology Management, etc.
    The whole program is in English!!!! In fact there are many universities here which are offering such programs. For more info this website. Check out the "free Education" link. Yes, the education is totally free here.
    In our course on Law, there was a very strong emphasis on "Digital Signatures". You can say that it has been taken up consciously on all levels and it's not an overnight decision. A long well thought out process.
    Thoughts on One-Way Authentication: As far as I know the E-Card + PIN code combination is the only secure solution, otherwise all one-way authentication schemes can be hacked. I don't know about other banks but at least Deutsche Bank is using a combination of same technique for their internet banking. You have log-in/password to login onto your account, but to make the actual transaction one has to enter a unique id which is sent by DB through regular mail (you get 50 transaction ids). This is again a hybrid solution.
    Of all the countries, I think, Germany has made the most secure and wise use of technology.

    --


    Voltaire: God is dead.
    God: Voltaire is dead!
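
The login-plus-transaction-number scheme described in the comment above, sketched as an added example that is not part of the original thread and not any bank's actual code. `open_account`, `TanAccount`, the status strings and the lockout limit are hypothetical names and values chosen for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not from the thread


def _digest(salt, secret):
    # Salted, slow hash so the server never stores the password or TANs in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)


class TanAccount:
    def __init__(self, salt, password_hash, tan_hashes):
        self.salt = salt
        self._password_hash = password_hash
        self._unused = set(tan_hashes)  # hashes of TANs not yet spent
        self.failures = 0

    def authorize(self, password, tan):
        """Approve one transaction: valid login AND an unspent TAN."""
        if self.failures >= MAX_FAILURES:
            return "locked"
        if not hmac.compare_digest(self._password_hash, _digest(self.salt, password)):
            self.failures += 1
            return "bad-login"
        candidate = _digest(self.salt, tan)
        match = next((h for h in self._unused if hmac.compare_digest(h, candidate)), None)
        if match is None:  # unknown TAN or a replay of a spent one
            self.failures += 1
            return "bad-tan"
        self._unused.discard(match)  # single use: a spent TAN cannot be replayed
        return "ok"


def open_account(password, count=50, digits=6):
    """Return (account, letter); the letter is the TAN list sent by regular mail."""
    salt = secrets.token_bytes(16)
    letter = []
    while len(letter) < count:
        tan = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if tan not in letter:
            letter.append(tan)
    account = TanAccount(salt, _digest(salt, password), [_digest(salt, t) for t in letter])
    return account, letter
```

The password alone never authorizes a transaction, and a TAN observed in transit is already spent by the time it is seen; the scheme still proves possession of the letter, not the identity of whoever holds it.
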
  13. Re:Logistics by NightWhistler · · Score: 2, Interesting

    Actually, I saw a documentary about this about two years ago... They tried all kinds of fake signatures, in one case they even used a smiley... Almost all payments were carried out just fine...

    --
    PageTurner Reader: open-source e-reader for Android with cloudsync. http://pageturner-reader.org
  14. Be equally critical of new and old by Mawbid · · Score: 4, Interesting
    When evaluating new systems, people tend to be critical, and rightly so; implementing the system is costly, and a lot could go wrong.

    But I feel that often the risks and costs of the old system are not given as much weight.

    Let's take an example. Some years back, an argument raged in my community about a proposed tunnel under a fjord. The tunnel would allow people to get to the other side in 6 minutes instead of following the outline of the fjord for 45 minutes on a narrow, winding, often steep road.

    The risks of the new system, the tunnel, got a lot of press. We were treated to many horrifying predictions, each fit for a disaster movie. The proponents of the tunnel pointed out that while the road does not make a good disaster movie, people regularly die in car crashes on it.

    My observation is that this argument got considerably less recognition than it should have if people had viewed the issue rationally.

    In light of this, can we perhaps enrich the discussion on this particular new system (digital signatures) by identifying the risks and costs of the old system (handwritten signatures on paper).

    I can see a few.

    1) Signatures can be forged. It takes talent, skill and effort to do it well, but only rarely do you need to do it well, because the signature is rarely verified by anyone who actually knows how to do it. (It's not always verified at all. I saw a bogus check hanging in a store once, signed Donald Duck or something like that. The clerk had actually accepted this check as payment.)

    2) The piece of paper needs to be in the same place as the signer. This can't always be arranged easily and sometimes people accept the dangerous alternative of doing business with no signature at all (or a weaker version of the digital signature, the pin code).

    3) Handwriting recognition can't be automated (or has the software gotten good enough?), with the same results as in point 2 (think ATMs).

    I'm thinking of things like online shopping and tax returns at the same time here, but to get a clear picture the applications of signatures should probably be categorized. Also note that I haven't decided in favour of digital signatures. I just want to promote this idea of mine that we should give equal weight to the risks and costs of the system already in place as to the risks and costs of the system being proposed.

    --
    Fuck the system? Nah, you might catch something.
  15. Re:Its nice to see it again by tjansen · · Score: 3, Interesting

    In Germany everybody has a national id card, and I have never heard anybody complain about it. On the contrary, after WTC many people wondered that the US doesn't have one. The concept of not having an ID sounds very strange to most people here.

  16. Re:Its nice to see it again by Anonymous Coward · · Score: 1, Interesting

    Is carrying a form of legally valid ID (passport, drivers licence) mandatory in The Netherlands? Does the ID card carry more information than the passport/drivers license?