On 31/05/17 19:34, ankostis wrote:
> On 31 May 2017 at 15:14, Daniel Pocock <dan...@pocock.pro> wrote:
>>
>> Are the CMS, PDF or XML standards flexible enough that a PGP signature
>> could be used within any of them and thereby satisfy the legislation?
>
> IANAL, but I would agree with Reiner that the implementing acts are not
> technology-neutral.
> More specifically, of the three standards supported, only the last one,
> XML-sig, supports PGP: https://www.w3.org/TR/xmldsig-core/#sec-PGPData
>
Are there any basic examples of using XML-sig with GnuPG for signing and
verifying?

Are there any specific attributes that need to be included in a key used
for eIDAS? E.g. does the legislation expect the photo or even something
like home address or date of birth, or is just the name and email address
sufficient?

>
>
>>> There are quite heavy
>>> legal and organization layers on top of the technology that assure
>>> security levels, notification (mutual acceptance) and cooperation
>>> procedures.
>
> Regarding organizational issues, there is nothing in eIDAS *in principle*
> that forbids a company to use XML-sig with PGP.
> But it would be interesting how the "national authorities" would react
> in practice,
> should they receive such a request from a company.
> If it would work, for certain, these 2 German companies would have a
> head-start.
>

There are a couple of scenarios:

- for submitting documents to national authorities, some types of
  submission (e.g. a tax return without any refund due) are a one-way
  process. The person submitting the document can assert they submitted
  it in compliance with the law and it is then a problem for the national
  authority to make sure their IT systems are reading valid PGP
  signatures. We will see some of them start advertising vacancies for
  consultants with PGP expertise at the point people start submitting
  PGP-signed documents.

- for business-to-business or consumer-to-business transactions, if a
  business is willing to accept orders signed with PGP, they are making
  life a lot easier for their customers. The money the customer doesn't
  have to waste on something like SuissID is money the customer can spend
  with the business in question.

Another aspect of this topic: if at least one valid solution exists (e.g.
using XML-sig), then consultants specializing in PGP could tell their
customers that they offer a competitive solution compliant with eIDAS and
ZertES.
Regards,

Daniel

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
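As an added example (not code from the thread or from any of the projects mentioned), a standard-library-only check of the two XMLDSig pieces discussed above: the KeyInfo/PGPData element that names the OpenPGP key, and the DigestValue of an enveloped Reference. The order document, the key ID and the SignatureValue placeholder are constructed here; checking the SignatureValue itself is left to GnuPG with the key this code identifies.

```python
# Added example: read the OpenPGP key ID from <KeyInfo><PGPData> and re-check
# the enveloped Reference digest of an XMLDSig document (stdlib only, Python 3.8+).
# The SignatureValue is NOT verified here; that step needs the identified PGP key.
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DS + "enveloped-signature"

def enveloped_digest(root):
    """Base64 SHA-256 over the C14N form of the document with ds:Signature removed."""
    root = copy.deepcopy(root)
    for parent in list(root.iter()):
        for sig in parent.findall(f"{{{DS}}}Signature"):
            parent.remove(sig)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def signing_key_id(xml_text):
    """Hex OpenPGP key ID from ds:KeyInfo/ds:PGPData/ds:PGPKeyID (base64 per the spec)."""
    node = ET.fromstring(xml_text).find(f".//{{{DS}}}PGPData/{{{DS}}}PGPKeyID")
    if node is None:
        raise ValueError("signature carries no PGPData key identifier")
    return base64.b64decode(node.text.strip()).hex().upper()

def reference_digest_ok(xml_text):
    """True if the single enveloped Reference's DigestValue matches the document."""
    root = ET.fromstring(xml_text)
    ref = root.find(f".//{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "":
        return False
    if ENVELOPED not in {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}:
        return False  # only the whole-document, enveloped case is handled
    return ref.findtext(f"{{{DS}}}DigestValue").strip() == enveloped_digest(root)

def build_signed_order(qty, key_id_hex="0123456789ABCDEF"):
    """Constructed sample: an order carrying an enveloped signature whose PGPData
    names the signing key. Key ID and SignatureValue are placeholders."""
    doc = ET.fromstring(f"<Order Id='o1'><Item>widget</Item><Qty>{qty}</Qty></Order>")
    digest = enveloped_digest(doc)
    key_b64 = base64.b64encode(bytes.fromhex(key_id_hex)).decode()
    doc.append(ET.fromstring(f"""<Signature xmlns="{DS}"><SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <Reference URI=""><Transforms><Transform Algorithm="{ENVELOPED}"/></Transforms>
   <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <DigestValue>{digest}</DigestValue></Reference></SignedInfo>
  <SignatureValue>PLACEHOLDER</SignatureValue>
  <KeyInfo><PGPData><PGPKeyID>{key_b64}</PGPKeyID></PGPData></KeyInfo></Signature>"""))
    return ET.tostring(doc, encoding="unicode")
```

A tampered order (any change to the signed content) fails reference_digest_ok, while the key ID from PGPData tells a verifier which OpenPGP key GnuPG must use to check the SignatureValue.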