Slashdot Mirror

← Back to Stories (view on slashdot.org)

German Government Introduces Digital Signatures

Posted by timothy on from the weakest-link dept.

bertvl writes: "From this article on CNN: Germany's federal government is introducing electronic signatures for its employees, a step it hopes will help make the security procedure generally accepted in the country. More than 200,000 employees of ministries and agencies will be able to sign electronic documents using a chip card with an encrypted key, giving them the same legal weight as paper documents with a handwritten signature, the federal Cabinet said in a statement Thursday."

18 of 210 comments (clear)

  1. We already have it in Belgium by arnwald · · Score: 4, Interesting

    Just last week I set up my life insurance,
    and they used the chip in my bank card as a digital signature (together with the code).

    The nice lady all explained me on how the Belgian State now accepts these digital signatures and how great that was.

    Mind you, that I reside in a farmer community, I wonder how the farmers react ?

    Greetings.

    --
    My other sig is Funny.
  2. That's final proof.. by Rob+Kaper · · Score: 5, Interesting

    The German government just get it. First they send 52-page colour booklets promoting open source to all businesses in the country, then they give a large sum of money to add more security and encryption in mutt and KMail, and now this!

    1. Re:That's final proof.. by swillden · · Score: 4, Funny

      now they set up official documents for simple forged signatures

      Care to describe the method by which these signatures can be forged? Doing so will grant you instant fortune and fame...

      Haven't they figured out that the UK and USA have been reading all their secrets since 1942?

      Shhh... don't tell them the Enigma was broken. If they find out they might switch to a better encryption system.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. The flaw in all security systems ... by Big+Dogs+Cock · · Score: 5, Insightful

    ... is people. How many people are going to go for a dump, leaving their keycard on their desk? Practically everyone where I work wanders off at some point leaving their PC logged with their (Notes) mail running. This could lead to hours of fun. Similarly, passwords/phrases get shared, borrowed etc.

    Unless you use biometrics (I don't generally leave my fingers on my desk when I go to lunch), the stupid-factor will always play a part. The legal status of digital signatures will only really be clarified when the first case comes to court with the defense: "someone else must have used my key".

    (OT) Oh, and would people please learn to spell "definite". It's like "finite" with a "de" on the front (quickly checks for typos).

    --
    "Under the iron bridge, we fist" - The Smiths, Still Ill
  4. Germany by Supa+Mentat · · Score: 5, Interesting

    You know Germany seems to be one of the technological world leaders. They just decided to phase out all nuclear power in favor of wind power by the year's end and it looks like they'll do it. The acceptance of digital signitures is a huge step in helping the internet reach its full potential for changing the way we live our lives. Germany is taking this first step. What I want to know is: who are the politicians making all of these progressive decisions and what affect are they having in the EU Parliament? Are other European countries following Germany's lead in these type of issues? I know that German business law strongly favors big business, are there any other laws or policy that a liberal would take issue with in Germany? What is the state of Linux use in Germany? I ask all this because I'm looking at an offer for a research position at the Max Planck Institute in Munich (I'm sorry _Munchen_:).

    --
    "A witty saying proves nothing." - Voltaire
    1. Re:Germany by Reinout · · Score: 5, Informative

      What I want to know is: [...] What is the state of Linux use in Germany?



      Germany is home to an awful lot of linux development. SuSE is from Germany, as an example. The government is also active, sponsoring the GnuPG pgp-like developement. Top government officials (like "secretary of state") opening the LinuxTag for 2 or 3 years in a row now.



      There's a lot of debate currently on whether the Reichstag (the German parliament) should switch to linux. It's kinda funny, even people from the same party are disagreeing, one proclaiming the gospel of linux, the other (being half sponsored by Redmond) denouncing it as a threath to Germany's software industry as a whole :-)



      The best tip is to look at heise. They also've got english news now. Look at what's going on there. That 'heise' publishes two of Europe's best-regarded computer magazines, one for home-use (c't), one for professional use (iX).



      Reinout
      --
      Reinout van Rees
    2. Re:Germany by Gerein · · Score: 5, Insightful
      It would be a 20 year+ project to realise it.

      Well, it is! They just don't build new ones, and the existing nuclear plants are being phased out.

      If they don't the Christ Democrats which are ultra conservatives who think GW Bush's enviromental policies are to compromising will scrap the whole thing.

      Come on. The Christ Democrats are conservative, and I hope they don't win, but comparing their environmental politics with those of GWB?? Environmental support has always been very strong in germany, even with the Christ Democrats.

      ... that it can take upto 10 working days to cache a checque.

      Maybe, because you're the only one, who does it? I've lived all my live in Germany, and I've used a checque only once! I got the money instantly... Who needs checques?

      ... with a Genetic finger print embedded in the national ID ...

      Unfortunately you're right with this one. May very well happen. On a side note: In the moment the US is pushing european countries to introduce biometrical finger prints on the IDs, threatening to require visas for imigration again...

      ... a free for Corporations to use Genetic database ...

      Very unlikely! Privacy concerns have been very strong in Germany, I could never imaginge the government to let corporations access a (hypothetical) genetic database!

    3. Re:Germany by 4im · · Score: 4, Informative

      You know Germany seems to be one of the technological world leaders.

      They're certainly no losers, but the general public's attitude has been rather anti-tech these past years.

      They just decided to phase out all nuclear power in favor of wind power by the year's end and it looks like they'll do it.

      Says who? Never heard about that one. Wouldn't be possible anyway, there's by far not enough wind power available (or to be made available) to come even close to replacing nuclear power, and certainly not by the end of the year. Sure, the green party hates anything that's got "nuclear" in it's name, but that's hardly rational. If I'd got moderator points, I'd have modded you a troll for this point.

      The acceptance of digital signitures is a huge step in helping the internet reach its full potential for changing the way we live our lives. Germany is taking this first step.

      Maybe. It's unfortunate, though, that they chose a system that's already been broken. IIRC they took quite some heat for it from clued guys, but they went ahead anyway.

      What is the state of Linux use in Germany?

      AFAIK, it's one of the highest levels on this planet. SuSE's from Nuernberg, and AFAIK they make more money than Red Hat.

      I ask all this because I'm looking at an offer for a research position at the Max Planck Institute in Munich (I'm sorry _Munchen_:).

      Good luck there.

  5. credit authorization? by MiTEG · · Score: 4, Insightful

    Here in the U.S., for me anyway, the most common reason for me to have to sign something is when I pay with a credit card, yet when I purchase something online, no signature is required. This could be great if used by e-commerce companies to verify the person making the purchase is indeed who they say they are.

    Slightly off topic, but why are the currencies given in Japanese yen in the article if it is hosted on an American site and about Germany?

    --
    The future isn't what it used to be.
  6. Legal Weight by Mike+Connell · · Score: 5, Interesting

    Surely the 'legal weight' will be determined by the courts: It's only a matter of time before somebody signs something (or appears to), and then denies any involvment. Excuses (true or not) of "My card was stolen", "They made me tell them the key", "I don't know what you're talking about" will presumably be uttered (in german). Cryptogram has covered the problem that "the key isnt the person" in the past.

    If the first 10 cases all end up with courts deicing that there isn't enough evidence that the person did actually "sign" the document, there surely won't be much legal weight? A paper signature means little if there is sufficient doubt about it's authenticity, I dont see how that's going to change here.

    As an aside, I like the last line of the CNN piece:

    Bitkom called instead for a "citizens' card," with chip and electronic signature, for all Germans.

    Yeah Baby! I can't see anything bad happening down that road!

    --
    Tales from behind the Lagom Curtain
    1. Re:Legal Weight by Alsee · · Score: 4, Interesting

      So, you say a hand signature ... is more secure than a card that has to be stolen plus a PIN

      It depends what you mean by secure. If you type your name here I can forge your signature without ever having seen it. I can't do that with your digital signature. But anyone knowledgeable can look at the signature and see it's forged. You can prove you didn't sign it, and they have a lead in trying to catch me. If I have a copy of your signature and am an expert forger things get more difficult, but expert analyisis may prove you didn't sign it.

      If I catch your PIN on camera and swipe your card I can make a perfect signature. You have no way to even try to prove you didn't sign it.

      And the topic of the thread was how much legal weight a digital signature would have, compared to paper signature. In my oppinion a paper signature would have to carry more weight in court.

      Don't get me wrong, I'm definitly pro-technology. This thing is pretty cool.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  7. Re:Logistics by Graymalkin · · Score: 4, Insightful

    Keeping track of 200k signatures will be a logistical nightmare? What the hell are you talking about? How many millions of credit and debit cards exist in the world? How many does a single bank issue? Cripe man. As for signing documents...that is just encryption. You have your public key off somewhere and keep the private key on a smart card. Your smart card would have an info file about you and contain your public and private keys (the private key being protected by a password or biometric key). You'd sign the document and add the signature as an attachment to a document. Somebody would get it and grab your public key from something as basic as an HTTP server and verify that the document they received was as you sent it. Easy to crack no. If you're using 128-bit encryption you're pretty set though it'd be even better to use larger keyspaces. Dnet's RC5-64 has been on since 1998 and still hasn't found the key. They're pumping through millions of keys per day. So easy to crack, no. Hard to maintain, no.

    --
    I'm a loner Dottie, a Rebel.
  8. Interesting illustration . . . by servasius_jr · · Score: 4, Funny

    According to the article's illustration, the Germans will digitally sign their names by writing a long, free-floating string of binary in the air with an ordinary pencil. Evidently the technology being used is both more advanced and more bizarre than anything I've ever seen.

  9. A good next step by nsample · · Score: 5, Informative
    Regardless of your views on "net-widening" and "freedom" and "tracking" and the like, this is the next logical step for genuine security.

    Good security should consists of three parts:

    1. Something you have
    2. Something you know
    3. Something you are

    Now it seems the German government has two out of the three (know+have), which is one (or two!) better than most of the world. Now all they need are retinal scanners, and they're set!

    Like I said, it may not be a Good Thing® they end up with, but whatever it is... it's a lot closer to "secure" than anything else.
  10. So what's the difference with a phisical ID... by lay · · Score: 4, Interesting

    ...after all?

    I know you americans don't have ID cards, but we have them in Portugal and allways had, so we don't tend to consider them as forms of major control, even though they are.

    The point here is that if you loose your wallet and someone gets ahold of your ID card, you can be in a lot of trouble if it gets misused.

    I have heard of stories from people I know that lost their ID and found themselves being chased by stores that claimed people had bought stuff there, paid the first entrance fee and never paid the rest. And that is the least that you can expect, even if you report your ID being missed 5 minutes after you loose it.

    We, at least, don't have that many legal mechanisms to prevent situations like those, but I would bet it's a matter of time until there is a case of stolen digital ID.

    The German government, by giving incentive to open source applications like encription and security are aware of these problems. So if they actualy exist? They existed well before things went digital, so you can expect a few cases of stolen ID before things get smooth.

    Nice move here in Europe, btw. First GEANT, now this, really love the way things are popping up after a lot of foundation work.

    Lay

    Weakly typed languages will bring us armageddon

    --
    Lay
    Weakly typed languages will bring us armageddon
  11. Re:Germany / EU Directive by CyberQ · · Score: 4, Informative

    It is not really a innovative step by the German government alone. All EU member states have to transform the EU directive on e-commerce into national law. According to the directive the member states have to make sure that most contracts (very few exceptions) can be closed online. The German government just tries to extend this rule to public law.

    --
    Line 9: Argument of type SIGNATURE expected.
  12. Why Digital Signatures Are Not Signatures by fhwang · · Score: 5, Interesting
    Damn, I could've sworn it was just yesterday that I posted this article to another discussion here on /.

    Everyone who's praising the German government on being all tech-savvy and forward-thinking and blah-blah-blah should first read Bruce Schneier's thoughts on the subject: Why Digital Signatures Are Not Signatures.

    In a nutshell, he says this: Cryptography can do quite a bit to guarantee that a given signature came from a given computer. It can do absolutely nothing to guarantee that that signature represents the person it purports to represent. To quote Schneier: "The mathematics of cryptography, no matter how strong, cannot bridge the gap between me and my computer."

    It's all good and well for governments to embrace new technology, but only if they don't cause major fuckups in the process.

    --

    Do domain names matter?

  13. Be equally critical of new and old by Mawbid · · Score: 4, Interesting
    When evaluating new systems, people tend to be critical, and rightly so; implementing the system is costly, and a lot could go wrong.

    But I feel that often the risks and costs of the old system are not given as much weight.

    Let's take an example. Some years back, an argument raged in my community about a proposed tunnel under a fjord. The tunnel would allow people to get to the other side in 6 minutes instead of following the outline of the fjord for 45 minutes on a narrow, winding, often steep road.

    The risks of the the new system, the tunnel, got a lot of press. We were treated to many horrifying predictions, each fit for a disaster movie. The proponents of the tunnel pointed out that while the road does not make a good disaster movie, people regularly die in car crashes on it.

    My observasion is that this argument got considerably less recognition than it should have if people had viewed the issue rationally.

    In light of this, can we perhaps enrich the discussion on this particular new system (digital signatures) by identifying the risks and costs of the old system (handwritten signatures on paper).

    I can see a few.

    1) Signatures can be forged. It takes talent, skill and effort to do it well, but only rarely do you need to do it well, because the signature is rarely verified by anyone who actually knows how to do it. (It's not always verified at all. I saw a bogus check hanging in a store once, signed Donald Duck or something like that. The clerk had actually accepted this check as payment.)

    2) The piece of paper needs to be in the same place as the signer. This can't always be arranged easily and sometimes people accept the dangerous alternative of doing business with no signature at all (or a weaker version of the digital signature, the pin code).

    3) Handwriting recognition can't be automated (or has the software gotten good enough?), with the same results as in point 2 (think ATMs).

    I'm thinking of things like online shopping and tax returns at the same time here, but to get a clear picture the applications of signatures should probably be categorized. Also note that I haven't decided in favour of digital signatures. I just want to promote this idea of mine that we should give equal weight to the risks and costs of the system already in place as to the risks and costs of the system being proposed.

    --
    Fuck the system? Nah, you might catch something.