New Standard For EU-Compliant Electronic Signatures

An anonymous reader writes "ETSI has published a multi-part standard that will facilitate secure paperless business transactions throughout Europe, in conformance with European legislation. The standard defines a series of profiles for PAdES — Advanced Electronic Signatures for PDF documents — that meet the requirements of the European Directive on a Community framework for electronic signatures (Directive 1999/93/EC)."

Good to see.

[palegray.net]

It's good to see some progress being made in the formalization of standards for accepting electronic signatures. I'm reminded of the issues with conventional legal guidelines surrounding hand-written signatures, and look forward to cryptographically verifiable alternatives.

Re:Good to see.

[timmarhy]

while i agree, it still boils down to a single point of failure - trust. back in the day the bank teller not only got your signature, she knew your face. by far the most effective security we have ever had, it's all been down hill since personalised service was dumped.

Adobe Lobby machine

Great to see the Adobe Lobby Machine in action. They are really pushing very hard to convince everyone into using PDF at the Service Directive level. OK, there is the ISO 32000-1 standard. But there's more to it than just an open standard. The biggest issue is the risk of vendor lock-in. The big problem with PDF is that there's basically only one vendor supporting the full specification, being Adobe. If you compare this with OOXML you could even state that Microsoft products are less risky as it comes to vendor locking. You can at least open an OOXML or ODF file with some unzipper and have a look at the XML files in case the specification documents are incomplete. This is something you can totally forget when using the PDF standard.

The same applies to the signature extensions. XMLDSig and XAdES come with very good specifications. And even if a product (like OpenOffice.org or Office 2007) has some specific signature implementation/requirement, you can still investigate the plain XML files and find the details. This is absolutely not the case for Adobe PDF signatures... trying to find out what the hell they're doing inside the CMS signature is very hard.

I hope one day people will realize the major risk that vendor lock-in triggers. Having some open standard is not sufficient, you also need an accessible file format to avoid risk of complete vendor lock-in.

Re:Adobe Lobby machine

[The+Cisco+Kid]

Exactly. I can read pretty much read any random PDF found on the net or sent to me, with my choice of tools (Adobe, xpdf, evince, etc). Likewise, I can produce postscript (which I can convert to pdf that can be read with the same choice of tools [Adobe, xpdf, evince, etc] ) with anything that can 'print' documents on my Debian system

I have yet to see anything approaching that level of interoperability, BY DEFAULT, using MS formats. And if it ever comes, it will be only after MS has lodged every possible protest and done everything else possible to prevent it.