On 31 May 2017 at 15:14, Daniel Pocock <dan...@pocock.pro> wrote:
>
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?

IANAL, but I would agree with Reiner that the implementing acts are not technology-neutral. In more detail, of the three standards supported, only the last one, XML-sig, supports PGP:
https://www.w3.org/TR/xmldsig-core/#sec-PGPData

> > There are quite heavy
> > legal and organization layers on top of the technology that assure
> > security levels, notification (mutual acceptance) and cooperation
> > procedures.

Regarding organizational issues, there is nothing in eIDAS *in principle* that forbids a company to use XML-sig with PGP. But it would be interesting how the "national authorities" would react in practice, should they receive such a request from a company. If it would work, for certain, these 2 German companies would have a head-start.

> Thanks for the feedback about that. Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?

Check also the "closed systems" exception in the eIDAS regulation. Search the legal text for this term (e.g. Art 2.2) to get a rough understanding of this.
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN

Finally, I believe that a crucial point is whether the interpretation of "assurance levels" can also apply to PGP, and Art 16 hints that it does. This may be the twisting-arm power for PGP to come on board eIDAS.

Thanks for bringing this subject up,
Kostis