Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Standard For EU-Compliant Electronic Signatures

Posted by timothy on from the ja-das-war-ich dept.

An anonymous reader writes "ETSI has published a multi-part standard that will facilitate secure paperless business transactions throughout Europe, in conformance with European legislation. The standard defines a series of profiles for PAdES — Advanced Electronic Signatures for PDF documents — that meet the requirements of the European Directive on a Community framework for electronic signatures (Directive 1999/93/EC)."

42 comments

  1. Good to see. by palegray.net · · Score: 2, Insightful

    It's good to see some progress being made in the formalization of standards for accepting electronic signatures. I'm reminded of the issues with conventional legal guidelines surrounding hand-written signatures, and look forward to cryptographically verifiable alternatives.

    --
    512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    1. Re:Good to see. by timmarhy · · Score: 2, Insightful

      while i agree, it still boils down to a single point of failure - trust. back in the day the bank teller not only got your signature, she knew your face. by far the most effective security we have ever had, it's all been down hill since personalised service was dumped.

      --
      If you mod me down, I will become more powerful than you can imagine....
    2. Re:Good to see. by CarpetShark · · Score: 1

      back in the day the bank teller not only got your signature, she knew your face.

      Yes, and maybe even enough of your behaviour to know if you're being coerced into withdrawing all your money, or if you just want to.

    3. Re:Good to see. by clickety6 · · Score: 1

      Yeah, but just like fingerprint detectors that was so easily fooled by using a latex cast of the person's
      face over your own... have you never seen Mission Impossible?

      --
      ----------------------------------- My Other Sig Is Hilarious -----------------------------------
    4. Re:Good to see. by MartinSchou · · Score: 1

      And that falls apart as soon as you aren't visiting your local branch. Like when you're in another city.

      And while you could just bring cash with you, that's not always an option, like when you're leaving before pay day and not getting back until after pay day. Are you supposed to starve, should you spend eight hours in a car driving back home just to get money and then drive another eight hours to get back to where you were?

      At some point convenience needs to play a role.

      And keep in mind that the first banks weren't about meeting your local teller. It was about giving your money to a local banker who would then, for a fee of course, give you a writ explaining his partners at your destination that you were entitled to a certain amount of money. This writ could easily be hidden on your body, allowing you to bring a large fortune with you without needing a large entourage to guard it.

    5. Re:Good to see. by Anonymous Coward · · Score: 0

      A fingerprint detector that is fooled by a cast of the person's face.... Somehow I think you messed that one up

    6. Re:Good to see. by MrMr · · Score: 1

      Unless he's a finger puppet.

  2. Adobe Lobby machine by Anonymous Coward · · Score: 1, Insightful

    Great to see the Adobe Lobby Machine in action. They are really pushing very hard to convince everyone into using PDF at the Service Directive level. OK, there is the ISO 32000-1 standard. But there's more to it than just an open standard. The biggest issue is the risk of vendor lock-in. The big problem with PDF is that there's basically only one vendor supporting the full specification, being Adobe. If you compare this with OOXML you could even state that Microsoft products are less risky as it comes to vendor locking. You can at least open an OOXML or ODF file with some unzipper and have a look at the XML files in case the specification documents are incomplete. This is something you can totally forget when using the PDF standard.

    The same applies to the signature extensions. XMLDSig and XAdES come with very good specifications. And even if a product (like OpenOffice.org or Office 2007) has some specific signature implementation/requirement, you can still investigate the plain XML files and find the details. This is absolutely not the case for Adobe PDF signatures... trying to find out what the hell they're doing inside the CMS signature is very hard.

    I hope one day people will realize the major risk that vendor lock-in triggers. Having some open standard is not sufficient, you also need an accessible file format to avoid risk of complete vendor lock-in.

    1. Re:Adobe Lobby machine by cbreak · · Score: 4, Informative

      There are many ways to create PDFs and read PDFs without relying on Adobe. Mac OS X offers wide support for this format, every application that can print can create a PDF file. PDFs can be opened with Preview and many other applications understand it.
      LaTeX can create PDF files either directly or with ghostscript, which creates PDFs out of Postcript files.
      Many different libraries exist to create a PDF programmatically.
      Not all implementations might be feature complete, but it's far from being as proprietary as Office from Microsoft.

    2. Re:Adobe Lobby machine by Yer+Mum · · Score: 2, Interesting

      But unless alternative PDF readers can verify electronic signatures, they'll be useless. And more importantly, unless alternative PDF writers can generate electronic signatures, they'll be useless. That's where the money is.

    3. Re:Adobe Lobby machine by The+Cisco+Kid · · Score: 2, Insightful

      Exactly. I can read pretty much read any random PDF found on the net or sent to me, with my choice of tools (Adobe, xpdf, evince, etc). Likewise, I can produce postscript (which I can convert to pdf that can be read with the same choice of tools [Adobe, xpdf, evince, etc] ) with anything that can 'print' documents on my Debian system

      I have yet to see anything approaching that level of interoperability, BY DEFAULT, using MS formats. And if it ever comes, it will be only after MS has lodged every possible protest and done everything else possible to prevent it.

    4. Re:Adobe Lobby machine by TheTurtlesMoves · · Score: 2, Informative

      I use PDF all the time on linux. I don't use a single adobe product, and I do use a commercial product for annotation. Thats not lock in.

      You can download the full PDF spec with a pretty standard agreement. The biggest part of the agreement is that the pdf readers you write with the standard will enforce document "no printing/no copying" settings. You don't need to pay a fee that a lot of other standards require before they give the documentation.

      PDF as a format is controlled by adobe, but it is open format in that everyone can implement readers and writers without restriction.

      --
      The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!
    5. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      And even then, it will probably require violating a dozen MS patents.

    6. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      However, the most common reader (i.e. Adobe's) allows adding comments to a PDF only if the document has been cryptographically signed by Adobe Acrobat Professional. That's quite a clever racket indeed, if your business partners expect to be able to use the commenting feature. Mine do, so I pay for an Adobe license for that single feature.

    7. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      I can add comments to mac created pdfs just fine.

    8. Re:Adobe Lobby machine by Anonymous Coward · · Score: 1, Informative

      PDF is now an ISO standard so theoretically no longer controlled by Adobe. The latest specification no longer includes the text about PDF readers enforcing document security settings in exchange for the permission to use the "copyrighted data structures".

    9. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      Interesting. Do you add them in Preview on a mac, or in Acrobat Reader?

    10. Re:Adobe Lobby machine by TheRaven64 · · Score: 2, Interesting

      Yes, I found this a good reason to switch away from Adobe Reader; Apple's Preview (as well as being faster) lets me annotate any PDF. My workflow involves a lot of PDFs and no Adobe products at all. I generate images in PDF format from a variety of tools (GraphVis, OmniOutliner, GNUplot, and so on), incorporate them into documents using pdflatex and send them to my publisher. They annotate them and send them back, whereupon I review the annotations in Preview, make changes to the LaTeX source and then send them the final result for publication.

      --
      I am TheRaven on Soylent News
    11. Re:Adobe Lobby machine by CarpetShark · · Score: 1

      Mac OS X offers wide support for this format

      I believe Apple licenses Display Postscript and probably other PS stuff from Adobe.

    12. Re:Adobe Lobby machine by elsJake · · Score: 1

      I haven't read the specification but i certainly like the "Obey DRM limitations" check box in the Kpdf settings menu.

    13. Re:Adobe Lobby machine by RMH101 · · Score: 1

      What does this have to do with the DRM required for ER/ES?

    14. Re:Adobe Lobby machine by jimking · · Score: 1

      OK, as an Adobe employee and the designated Adobe PDF Platform Architect let me put forward some facts.
      o PDF has been an ISO standard for over a year (ISO 32000-1). (A free copy can be obtained here: http://www.adobe.com/devnet/pdf/pdf_reference.html (bottom of the page).)
      o There are no legal restrictions imposed by Adobe to develop software to process PDF. No money, no hassle, never was.
      o There are thousands of applications created by hundreds of vendors that process PDF files in some way. (Do a Google search on PDF Software.)
      o There are many of those that can create and verify PDF digital signatures. (Do a Google search on PDF Signatures.)
      o People who are not developers have no desire to decipher the innards of the files that are on their computers, XML, binary or whatever.
      o People in Europe use PDF files widely and they want a digital signature capability that meets the European Commission (EC) requirements. The new ETSI/ESI standard (TS 102 778), that was the subject of this press release, provides that. It is nicknamed PAdES (PDF based) and joins two previous ETSI signature standards CAdES (CMS Based) and XAdES (XML based) to support the ECs Advanced Electronic Signature (AdES) requirements. Europeans want these standards and the solutions they support!
      o Security does not reside in a passive file. It resides in the software that processes that file.

  3. Re:Secure Paperless Business Transactions? by Anonymous Coward · · Score: 0

    Mod parent -1: Not-sharpest-tool-in-shed

  4. Re:Secure Paperless Business Transactions? by Cheesetrap · · Score: 2, Informative

    Are you claiming to be a better tool?

  5. Acronym by mac1235 · · Score: 1

    ETSI = European Telecommunications Standards Institute. (It's not obvious from the article.) http://en.wikipedia.org/wiki/European_Telecommunications_Standards_Institute

  6. OS Implementation? by CarpetShark · · Score: 2, Interesting

    Anyone know if this will be implementable in free software? Are there patent/copyright issues?

    1. Re:OS Implementation? by RiotingPacifist · · Score: 1

      No software patent issues in Europe, so while you could patent the entire process with a business patent or something, no patent can prevent you from implementing the software parts.

      --
      IranAir Flight 655 never forget!
  7. Reference or Link to Standard by omb · · Score: 1

    It would be helpful if someone posted a link to the standard.

  8. TS 102 778-x by mrt_2394871 · · Score: 5, Informative

    The European Telecommunications Standards Institute's search page is at:
    http://pda.etsi.org/pda/queryform.asp
    Search for "pades" in the title will get you the five parts of the standard (well, Technical Specification).

    ETSI TS 102 778-x

    And thank goodness it's ETSI doing this, since they publish their standards without charge.

  9. What is secure about signatures? by dhammabum · · Score: 1

    I've just had a quick look at the standard - the problem here isn't the mechanism of the signature, but the security of the signature itself. Should the computer on which the signature resides be compromised, the attacker can create and sign documents at will. Also as the standard allows for "serial signatures" which means multiple related signatures for serial authorisation/authentication, it also presents the potential of a man-in-the-middle attack. Why should a company actually trust such a system? I can't see this replacing binding contracts between the parties.

    --
    I am not a robot. I am a unicorn.
    1. Re:What is secure about signatures? by nOw2 · · Score: 1

      I can't see this replacing binding contracts between the parties.

      If you wish to issue invoices electronically in the EU, they can only be legal (for VAT etc.) if signed correctly.

      This varies country by country; sometimes it just needs to be signed by any old self-signed cert, sometimes you need a cert issued by a central tax authority, sometimes a cert issued by a bank, and some countries don't bother at all and you can invoice by plain text if you like.

      But anyway; for invoicing at least, signed PDFs can be legally binding contracts.

    2. Re:What is secure about signatures? by CXI · · Score: 1

      The real problem is that electronic signatures are trying to make an inherently non-secure or verifiable process into something that is secure are verifiable. In truth, written signatures are meaningless, constantly forged and not reliable at all. It's a huge effort to take the office business processes currently in place and actually make them secure enough that a digital signature can work. Take the most basic example where a secretary signs the boss's name. Multiply that by a hundred other exceptions that happen all day, every day in an office. You have to completely undo all the bad habits and/or create complex delegation systems in order to avoid having to change how entire departments work.

    3. Re:What is secure about signatures? by jonbryce · · Score: 1

      Britain follows the you can invoice by plain text if you like approach. Dead tree invoices don't need to be signed either, and they usually are not.

  10. Cool...now we have cementd adobe in place! by hesaigo999ca · · Score: 1

    The biggest vulnerability is adobe pdf reader. Everyone accounts for 99% of pcs use adobe reader (with all its vulnerabilities) and this now has just put the icing on the cake. I hope that most people know to use a different reader then adobe to load the content...
    unless of course this new format will only be available by adobe and not allowed by other pdf readers...

    They have cemented a known bad file system in place for digital exchange ...great!

  11. Could Be Big by twmcneil · · Score: 1

    Judging from the low number of comments posted in reply to this story, it looks like a lot of people are going "So What?"

    This could be big though. Here we have a well known and well defined format (pdf) moving in and occupying this space first before Microsoft. This gives pdf (and Adobe if you wish) a big headstart in defining the market for products based upon this standard.

    Next, some people in Redmond will try to figure out how to displace this spec with their own. I think they will find it harder to discredit ETSI than it was for them to discredit Peter Quinn. And I hope they find it harder to buy ETSI than it was for them to buy ISO.

    --
    "The ferrets, they're every where I tell you!"
  12. Why do we need a new standard? by grahamm · · Score: 1

    Why are the EU re-inventing the wheel? What is wrong with using existing digital signature specifications such as those defined in RFCs 3851 and 4880?

    1. Re:Why do we need a new standard? by jimking · · Score: 1

      ISO 32000-1 (aka PDF 1.7 specification) makes use of many appropriate RFCs. There was no re-inventing here, just an application of standard technology to a widely used document format.

  13. Why PDF? by jgrahn · · Score: 1

    And they tie it to the PDF file format *why* exactly? PGP/OpenPGP/GnuPG have supported signing *any* kind of file since ... well, forever. But I suppose it could have been worse -- they could have spent a few years to design a standard for signing Commodore 64 binaries or something.

    Maybe the big thing is really how they plan trust to work -- the article doesn't say and I'm too lazy to check.

    1. Re:Why PDF? by Anonymous Coward · · Score: 0

      Note that PGP / etc create a signature envelope around the document. The signature format described in the standard embeds the signature into the document itself, where it can be viewed just like a more typical wet ink signature. Also means only one app is required to both view and verify the signed doc.