PGP for official documents / eIDAS and ZertES
ankostis
ankostis at gmail.com
Wed May 31 19:34:17 CEST 2017
On 31 May 2017 at 15:14, Daniel Pocock <daniel at pocock.pro> wrote:
>
> Are the CMS, PDF or XML standards flexible enough that a PGP signature
> could be used within any of them and thereby satisfy the legislation?
IANAL, but I would agree with Reiner that the implementing acts are not
technology-neutral.
More detailed, from the three standards supported, only the last one,
XML-sig, supports PGP: https://www.w3.org/TR/xmldsig-core/#sec-PGPData
> > There are quite heavy
> > legal and organization layers on top of the technology that assure
> > security levels, notification (mutual acceptance) and cooperation
> > procedures.
Regarding organizational issues, there in nothing in eIDAS *in principal"
that forbids a company to use XML-sig with PGP.
But it would be interesting how the "national authorities" would react
in practice,
should they receive such a request from a company.
If it would work, for certain, these 2 German companies would have a head-start.
> Thanks for the feedback about that. Are all users likely to depend on
> all of those things, or is it possible that a PGP signature would be
> sufficient in some use cases?
Check also the "closed systems" exception in the eIDAS regulation.
Search the legal-text for this term (e.g. Art 2.2) to get a rough
understanding of this.
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN
Finally, I believe that a crucial point is whether the interpretation
of "assurance levels"
can also apply to PGP, and Art 16 hints that it does.
This may be the twisting-arm power for PGP to come on board eIDAS.
Thanks for bringing this subject up,
Kostis
More information about the Gnupg-users
mailing list