Slashdot Mirror


New Standard For EU-Compliant Electronic Signatures

An anonymous reader writes "ETSI has published a multi-part standard that will facilitate secure paperless business transactions throughout Europe, in conformance with European legislation. The standard defines a series of profiles for PAdES — Advanced Electronic Signatures for PDF documents — that meet the requirements of the European Directive on a Community framework for electronic signatures (Directive 1999/93/EC)."

42 comments

  1. Good to see. by palegray.net · · Score: 2, Insightful

    It's good to see some progress being made in the formalization of standards for accepting electronic signatures. I'm reminded of the issues with conventional legal guidelines surrounding hand-written signatures, and look forward to cryptographically verifiable alternatives.

    1. Re:Good to see. by timmarhy · · Score: 2, Insightful

      While I agree, it still boils down to a single point of failure: trust. Back in the day the bank teller not only got your signature, she knew your face. By far the most effective security we have ever had; it's all been downhill since personalised service was dumped.

      --
      If you mod me down, I will become more powerful than you can imagine....

    2. Re:Good to see. by CarpetShark · · Score: 1

      back in the day the bank teller not only got your signature, she knew your face.

      Yes, and maybe even enough of your behaviour to know if you're being coerced into withdrawing all your money, or if you just want to.

    3. Re:Good to see. by clickety6 · · Score: 1

      Yeah, but just like fingerprint detectors that were so easily fooled by using a latex cast of the person's face over your own... have you never seen Mission Impossible?

      --
      ----------------------------------- My Other Sig Is Hilarious -----------------------------------

    4. Re:Good to see. by MartinSchou · · Score: 1

      And that falls apart as soon as you aren't visiting your local branch. Like when you're in another city.

      And while you could just bring cash with you, that's not always an option, like when you're leaving before pay day and not getting back until after pay day. Are you supposed to starve, should you spend eight hours in a car driving back home just to get money and then drive another eight hours to get back to where you were?

      At some point convenience needs to play a role.

      And keep in mind that the first banks weren't about meeting your local teller. It was about giving your money to a local banker who would then, for a fee of course, give you a writ explaining to his partners at your destination that you were entitled to a certain amount of money. This writ could easily be hidden on your body, allowing you to bring a large fortune with you without needing a large entourage to guard it.

    5. Re:Good to see. by Anonymous Coward · · Score: 0

      A fingerprint detector that is fooled by a cast of the person's face.... Somehow I think you messed that one up

    6. Re:Good to see. by MrMr · · Score: 1

      Unless he's a finger puppet.

  2. New standard for EU-Compliant toilets by Anonymous Coward · · Score: -1, Flamebait

    It's an unfortunate inevitability of life -- everybody poops. And while this task can occasionally provide us with an opportunity to relax or engage in some deep thinking, there are other instances when this basic undertaking becomes a chore no person should have to endure. Whether or not these stooling sessions can be tolerated is often determined by one single factor: where is it taking place? If you're alone in the privacy of your own home, why not make an hour of it and get some reading in? However, if you're at work with your boss sitting in the adjacent stall, you'd better hold off on dropping anything for fear of creating an embarrassing splash. With that in mind though, things could be worse, and here are eight examples of how much worse..

    8-The Wilderness Toilet

    This is essentially taking a #2 in a wall-less bathroom. Sure, you're in a pretty remote location, but it's not so remote that they haven't needed to accommodate other people with full bowels. At any second, some fellow hiker could round that nearby group of trees and put an eyeball on you while you prepare to release yesterday's granola bar. It's also safe to assume that since this toilet is on a path intended for people who want to get away from the hectic bustle of society, that same society's emphasis on cleanliness and sterile toilets is far removed as well. And since the act of pooping leaves man at nearly his most helpless, this would seem like the ideal time for a voracious wild animal to attack. So, not only is this an uncomfortable practice, but it's a dangerous one as well.

    7-School

    Kids can be merciless. They will go to great measures to find any points of weakness in their unfortunate victims, and to a youth, finding out that someone has been pooping presents an incredible opportunity for ridicule. Yet, at times your body requires you to crap at these academic establishments, and so you are immediately presented with the impossible task of somehow taking an undetectable dump, or completely leaving school. If you excuse yourself from class, the time you spend in the bathroom will surely be recorded by your callous peers, and upon return, you will be thoroughly mocked. If you try and poop in between class, you'll be too worried about the possibility of being tardy, and you'll probably pinch it off before you're completely done. And even if you muster up the courage to attempt this risky procedure, there's always the risk of someone walking in and berating you while you take part in what should be one of mankind's most private moments. So please children, let each other poop in peace.

    6-Your New Girlfriend/Boyfriend's House

    Let's say you're about to leave your newly-acquired significant other's residence after your first sleep over, when nature suddenly decides this would be the perfect moment to defecate. Maybe it's the nerves after a night of apprehensive tongue-kissing and heavy petting, or maybe it's the three-bean taco salad you ate prior to the caressing, but whatever the case, your body's telling you it needs to be relieved immediately. Now the bathroom in this situation is certainly not the problem; it's clean, and probably provides some sort of reading material. The problem is what will happen to this new and delicate relationship once the odorous evidence of your actions hits the air. There may be an air-freshener, or perhaps you're carrying some matches, but that will only mask the smell, and the psychological damage of having your body demonstrate what it's like at its most foul will forever remain in the nostrils of their brain. This will permanently change how your significant other looks at you.

    5-The Port-a-Potty

    Here's what the Port-a-Potty brings to waste elimination sessions: One--They're typically found in unfamiliar, public locations that can make an already-taxing exercise more stres

  3. Adobe Lobby machine by Anonymous Coward · · Score: 1, Insightful

    Great to see the Adobe Lobby Machine in action. They are really pushing very hard to convince everyone into using PDF at the Service Directive level. OK, there is the ISO 32000-1 standard. But there's more to it than just an open standard. The biggest issue is the risk of vendor lock-in. The big problem with PDF is that there's basically only one vendor supporting the full specification, being Adobe. If you compare this with OOXML you could even state that Microsoft products are less risky when it comes to vendor lock-in. You can at least open an OOXML or ODF file with some unzipper and have a look at the XML files in case the specification documents are incomplete. This is something you can totally forget when using the PDF standard.

    The same applies to the signature extensions. XMLDSig and XAdES come with very good specifications. And even if a product (like OpenOffice.org or Office 2007) has some specific signature implementation/requirement, you can still investigate the plain XML files and find the details. This is absolutely not the case for Adobe PDF signatures... trying to find out what the hell they're doing inside the CMS signature is very hard.

    I hope one day people will realize the major risk that vendor lock-in triggers. Having some open standard is not sufficient, you also need an accessible file format to avoid risk of complete vendor lock-in.

    1. Re:Adobe Lobby machine by cbreak · · Score: 4, Informative

      There are many ways to create PDFs and read PDFs without relying on Adobe. Mac OS X offers wide support for this format, every application that can print can create a PDF file. PDFs can be opened with Preview and many other applications understand it.
      LaTeX can create PDF files either directly or with ghostscript, which creates PDFs out of Postscript files.
      Many different libraries exist to create a PDF programmatically.
      Not all implementations might be feature complete, but it's far from being as proprietary as Office from Microsoft.

    2. Re:Adobe Lobby machine by Yer+Mum · · Score: 2, Interesting

      But unless alternative PDF readers can verify electronic signatures, they'll be useless. And more importantly, unless alternative PDF writers can generate electronic signatures, they'll be useless. That's where the money is.

    3. Re:Adobe Lobby machine by The+Cisco+Kid · · Score: 2, Insightful

      Exactly. I can read pretty much any random PDF found on the net or sent to me, with my choice of tools (Adobe, xpdf, evince, etc). Likewise, I can produce postscript (which I can convert to PDF that can be read with the same choice of tools [Adobe, xpdf, evince, etc]) with anything that can 'print' documents on my Debian system.

      I have yet to see anything approaching that level of interoperability, BY DEFAULT, using MS formats. And if it ever comes, it will be only after MS has lodged every possible protest and done everything else possible to prevent it.

    4. Re:Adobe Lobby machine by TheTurtlesMoves · · Score: 2, Informative

      I use PDF all the time on Linux. I don't use a single Adobe product, and I do use a commercial product for annotation. That's not lock-in.

      You can download the full PDF spec with a pretty standard agreement. The biggest part of the agreement is that the pdf readers you write with the standard will enforce document "no printing/no copying" settings. You don't need to pay a fee that a lot of other standards require before they give the documentation.

      PDF as a format is controlled by Adobe, but it is an open format in that everyone can implement readers and writers without restriction.

      --
      The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!

    5. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      And even then, it will probably require violating a dozen MS patents.

    6. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      However, the most common reader (i.e. Adobe's) allows adding comments to a PDF only if the document has been cryptographically signed by Adobe Acrobat Professional. That's quite a clever racket indeed, if your business partners expect to be able to use the commenting feature. Mine do, so I pay for an Adobe license for that single feature.

    7. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      I can add comments to Mac-created PDFs just fine.

    8. Re:Adobe Lobby machine by Anonymous Coward · · Score: 1, Informative

      PDF is now an ISO standard so theoretically no longer controlled by Adobe. The latest specification no longer includes the text about PDF readers enforcing document security settings in exchange for the permission to use the "copyrighted data structures".

    9. Re:Adobe Lobby machine by Anonymous Coward · · Score: 0

      Interesting. Do you add them in Preview on a mac, or in Acrobat Reader?

    10. Re:Adobe Lobby machine by TheRaven64 · · Score: 2, Interesting

      Yes, I found this a good reason to switch away from Adobe Reader; Apple's Preview (as well as being faster) lets me annotate any PDF. My workflow involves a lot of PDFs and no Adobe products at all. I generate images in PDF format from a variety of tools (Graphviz, OmniOutliner, gnuplot, and so on), incorporate them into documents using pdflatex and send them to my publisher. They annotate them and send them back, whereupon I review the annotations in Preview, make changes to the LaTeX source and then send them the final result for publication.

      --
      I am TheRaven on Soylent News

    11. Re:Adobe Lobby machine by CarpetShark · · Score: 1

      Mac OS X offers wide support for this format

      I believe Apple licenses Display Postscript and probably other PS stuff from Adobe.

    12. Re:Adobe Lobby machine by elsJake · · Score: 1

      I haven't read the specification but I certainly like the "Obey DRM limitations" check box in the KPDF settings menu.

    13. Re:Adobe Lobby machine by RMH101 · · Score: 1

      What does this have to do with the DRM required for ER/ES?

    14. Re:Adobe Lobby machine by jimking · · Score: 1

      OK, as an Adobe employee and the designated Adobe PDF Platform Architect let me put forward some facts.
      o PDF has been an ISO standard for over a year (ISO 32000-1). (A free copy can be obtained here: http://www.adobe.com/devnet/pdf/pdf_reference.html (bottom of the page).)
      o There are no legal restrictions imposed by Adobe to develop software to process PDF. No money, no hassle, never was.
      o There are thousands of applications created by hundreds of vendors that process PDF files in some way. (Do a Google search on PDF Software.)
      o There are many of those that can create and verify PDF digital signatures. (Do a Google search on PDF Signatures.)
      o People who are not developers have no desire to decipher the innards of the files that are on their computers, XML, binary or whatever.
      o People in Europe use PDF files widely and they want a digital signature capability that meets the European Commission (EC) requirements. The new ETSI/ESI standard (TS 102 778), that was the subject of this press release, provides that. It is nicknamed PAdES (PDF based) and joins two previous ETSI signature standards CAdES (CMS based) and XAdES (XML based) to support the EC's Advanced Electronic Signature (AdES) requirements. Europeans want these standards and the solutions they support!
      o Security does not reside in a passive file. It resides in the software that processes that file.

  4. Secure Paperless Business Transactions? by Anonymous Coward · · Score: -1

    S.P.B.T.? They may as well be trading grains of denim lint like the US'ians.

    This is what I think of the EU and its sister Union of North America: more straying from the original exclusive jurisdictions and pulled into a slaughterhouse that only a quasi psychiatrist-conspiracy-theorist historian could navigate through pro per.

    That's what you call it when you interact with corporations: constant regulation and re-definitions. What was once a simple trade using lawful money of a man to a man has now been obfuscated. People get angrier, because they don't know how to pen a contract payable in said gold or silver specie, and so it all washes down in the annals of history as another necessary compromise to condition money into corporate units of "currency" that doesn't float around in its own value like a numismatic token from Lakota Nationals or through NorFed.

    PAdES? P.A.d.E.S.? What's with the bullshit generator today? Couldn't they just name it something fluffy like PayPal?

    1. Re:Secure Paperless Business Transactions? by Anonymous Coward · · Score: 0

      Mod parent -1: Not-sharpest-tool-in-shed

    2. Re:Secure Paperless Business Transactions? by Cheesetrap · · Score: 2, Informative

      Are you claiming to be a better tool?

  5. Acronym by mac1235 · · Score: 1

    ETSI = European Telecommunications Standards Institute. (It's not obvious from the article.) http://en.wikipedia.org/wiki/European_Telecommunications_Standards_Institute

  6. 100% PURE AFRICAN NIGGER by Anonymous Coward · · Score: -1, Flamebait

    I am all that is called jigaboo.

  7. OS Implementation? by CarpetShark · · Score: 2, Interesting

    Anyone know if this will be implementable in free software? Are there patent/copyright issues?

    1. Re:OS Implementation? by RiotingPacifist · · Score: 1

      No software patent issues in Europe, so while you could patent the entire process with a business patent or something, no patent can prevent you from implementing the software parts.

      --
      IranAir Flight 655 never forget!

  8. Reference or Link to Standard by omb · · Score: 1

    It would be helpful if someone posted a link to the standard.

  9. TS 102 778-x by mrt_2394871 · · Score: 5, Informative

    The European Telecommunications Standards Institute's search page is at:
    http://pda.etsi.org/pda/queryform.asp
    Searching for "pades" in the title will get you the five parts of the standard (well, Technical Specification).

    ETSI TS 102 778-x

    And thank goodness it's ETSI doing this, since they publish their standards without charge.

  10. What is secure about signatures? by dhammabum · · Score: 1

    I've just had a quick look at the standard - the problem here isn't the mechanism of the signature, but the security of the signature itself. Should the computer on which the signature resides be compromised, the attacker can create and sign documents at will. Also as the standard allows for "serial signatures" which means multiple related signatures for serial authorisation/authentication, it also presents the potential of a man-in-the-middle attack. Why should a company actually trust such a system? I can't see this replacing binding contracts between the parties.

    --
    I am not a robot. I am a unicorn.

    1. Re:What is secure about signatures? by nOw2 · · Score: 1

      I can't see this replacing binding contracts between the parties.

      If you wish to issue invoices electronically in the EU, they can only be legal (for VAT etc.) if signed correctly.

      This varies country by country; sometimes it just needs to be signed by any old self-signed cert, sometimes you need a cert issued by a central tax authority, sometimes a cert issued by a bank, and some countries don't bother at all and you can invoice by plain text if you like.

      But anyway; for invoicing at least, signed PDFs can be legally binding contracts.

    2. Re:What is secure about signatures? by CXI · · Score: 1

      The real problem is that electronic signatures are trying to make an inherently non-secure or non-verifiable process into something that is secure and verifiable. In truth, written signatures are meaningless, constantly forged and not reliable at all. It's a huge effort to take the office business processes currently in place and actually make them secure enough that a digital signature can work. Take the most basic example where a secretary signs the boss's name. Multiply that by a hundred other exceptions that happen all day, every day in an office. You have to completely undo all the bad habits and/or create complex delegation systems in order to avoid having to change how entire departments work.

    3. Re:What is secure about signatures? by jonbryce · · Score: 1

      Britain follows the you can invoice by plain text if you like approach. Dead tree invoices don't need to be signed either, and they usually are not.

  11. Cool...now we have cemented Adobe in place! by hesaigo999ca · · Score: 1

    The biggest vulnerability is Adobe PDF Reader. Everyone (accounting for 99% of PCs) uses Adobe Reader (with all its vulnerabilities), and this has just put the icing on the cake. I hope that most people know to use a different reader than Adobe to load the content...
    unless of course this new format will only be available from Adobe and not allowed by other PDF readers...

    They have cemented a known bad file system in place for digital exchange ...great!

  12. Could Be Big by twmcneil · · Score: 1

    Judging from the low number of comments posted in reply to this story, it looks like a lot of people are going "So What?"

    This could be big though. Here we have a well known and well defined format (PDF) moving in and occupying this space first before Microsoft. This gives PDF (and Adobe if you wish) a big head start in defining the market for products based upon this standard.

    Next, some people in Redmond will try to figure out how to displace this spec with their own. I think they will find it harder to discredit ETSI than it was for them to discredit Peter Quinn. And I hope they find it harder to buy ETSI than it was for them to buy ISO.

    --
    "The ferrets, they're every where I tell you!"

  13. Why do we need a new standard? by grahamm · · Score: 1

    Why are the EU re-inventing the wheel? What is wrong with using existing digital signature specifications such as those defined in RFCs 3851 and 4880?

    1. Re:Why do we need a new standard? by jimking · · Score: 1

      ISO 32000-1 (aka PDF 1.7 specification) makes use of many appropriate RFCs. There was no re-inventing here, just an application of standard technology to a widely used document format.

  14. Why PDF? by jgrahn · · Score: 1

    And they tie it to the PDF file format *why* exactly? PGP/OpenPGP/GnuPG have supported signing *any* kind of file since ... well, forever. But I suppose it could have been worse -- they could have spent a few years to design a standard for signing Commodore 64 binaries or something.

    Maybe the big thing is really how they plan trust to work -- the article doesn't say and I'm too lazy to check.

    1. Re:Why PDF? by Anonymous Coward · · Score: 0

      Note that PGP / etc create a signature envelope around the document. The signature format described in the standard embeds the signature into the document itself, where it can be viewed just like a more typical wet ink signature. It also means only one app is required to both view and verify the signed doc.
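The envelope-versus-embedded distinction in the reply above, together with the "serial signatures" point raised in dhammabum's comment (#10), as an added Python model. This is not code from the thread, from ETSI or from ISO 32000: it uses a made-up one-line document syntax whose keys (`/Sig`, `/ByteRange`, `/Contents`) are named after the ISO 32000 signature dictionary but parses no real PDF, and it uses HMAC-SHA256 with constructed keys as a stand-in for the CMS signature a real PAdES signature carries. What it demonstrates is the mechanism: a detached signature covers the whole file and lives beside it, an embedded signature covers every byte except its own value slot, a second (serial) signature covers the first one, and a verifier must report bytes appended after the last signed range rather than silently accept them.

```python
import hashlib
import hmac
import re

# Hex digits reserved for the signature value: SHA-256 HMAC = 32 bytes = 64 hex digits.
PLACEHOLDER_LEN = 64
# Fixed-width offsets keep the update's length independent of the numbers in it.
BYTE_RANGE_FMT = b"%010d %010d %010d %010d] /Contents <"
SIG_RE = re.compile(
    rb"/Sig \((\w+)\) /ByteRange \[(\d+) (\d+) (\d+) (\d+)\] /Contents <([0-9a-f]{64})>"
)


def _mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for the CMS/RSA signature value: keyed hash, hex-encoded (assumption)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


def sign_detached(doc: bytes, key: bytes) -> bytes:
    """PGP-style envelope: the signature covers the whole file and is stored beside it."""
    return _mac(key, doc)


def verify_detached(doc: bytes, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(_mac(key, doc), sig)


def _covered(data: bytes, byte_range) -> bytes:
    """Concatenate the two ranges a ByteRange covers (everything but the /Contents hole)."""
    a, la, b, lb = byte_range
    return data[a:a + la] + data[b:b + lb]


def sign_embedded(doc: bytes, key: bytes, signer: str) -> bytes:
    """PAdES-style: append a signature update whose ByteRange covers everything
    already in the file plus the update itself, except the /Contents slot."""
    prefix = b"\n/Sig (" + signer.encode() + b") /ByteRange ["
    br_len = len(BYTE_RANGE_FMT % (0, 0, 0, 0))
    contents_start = len(doc) + len(prefix) + br_len
    contents_end = contents_start + PLACEHOLDER_LEN
    suffix = b">\n"
    total = contents_end + len(suffix)
    byte_range = (0, contents_start, contents_end, total - contents_end)
    skeleton = (doc + prefix + BYTE_RANGE_FMT % byte_range
                + b"0" * PLACEHOLDER_LEN + suffix)
    assert len(skeleton) == total
    sig = _mac(key, _covered(skeleton, byte_range))  # the hole is zero-filled, not signed
    return skeleton[:contents_start] + sig + skeleton[contents_end:]


def verify_embedded(data: bytes, keys: dict) -> dict:
    """Verify every embedded signature in file order.  Each ByteRange must start at
    offset 0 and leave a hole that is exactly its own /Contents slot, and the covered
    bytes must authenticate under the signer's key.  Bytes after the last signed range
    are reported as an unsigned tail: a change made after signing."""
    results = []
    covered_until = 0
    for m in SIG_RE.finditer(data):
        signer = m.group(1).decode()
        byte_range = tuple(int(g) for g in m.group(2, 3, 4, 5))
        a, la, b, lb = byte_range
        hole_ok = (a == 0 and a + la == m.start(6) and b == m.end(6)
                   and b + lb <= len(data))
        mac_ok = signer in keys and hmac.compare_digest(
            _mac(keys[signer], _covered(data, byte_range)), m.group(6))
        results.append((signer, hole_ok and mac_ok))
        covered_until = max(covered_until, b + lb)
    return {"signatures": results, "unsigned_tail": len(data) - covered_until}


def demo() -> dict:
    """Constructed walk-through; returns the verification outcomes."""
    keys = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}  # constructed stand-in keys
    doc = b"%PDF-toy\nInvoice 42: total 100 EUR\n"                # constructed document
    detached = sign_detached(doc, keys["alice"])
    # Serial signatures: Bob countersigns the file that already carries Alice's
    # signature, so his ByteRange covers her signature value as well as the invoice.
    signed = sign_embedded(sign_embedded(doc, keys["alice"], "alice"), keys["bob"], "bob")
    modified = signed.replace(b"100", b"900")                      # edit inside the signed ranges
    appended = signed + b"\n/Note (added after both signatures)\n"  # incremental update after signing
    return {
        "detached_ok": verify_detached(doc, detached, keys["alice"]),
        "detached_tampered": verify_detached(doc.replace(b"100", b"900"), detached, keys["alice"]),
        "serial": verify_embedded(signed, keys),
        "modified": verify_embedded(modified, keys),
        "appended": verify_embedded(appended, keys),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two checks in `verify_embedded` are the ones that matter for a reader of signed documents: a ByteRange whose hole is anything other than the signature's own value slot, or a file with bytes beyond the last covered range, is not a sealed document even though every signature value still authenticates. Real PDF readers surface the second case as "the document has been modified after signing"; the countersignature case shows why a later signer's range has to include the earlier signatures rather than just the original content.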