Translation and Commentary by Christopher Kuner
Translation copyright 1997 Christopher Kuner. Reproduction is permitted, provided that this translator's note, including the above copyright notice, is retained in its entirety.
Commentary: The following is a translation of the final version of the Digital Signature Ordinance presented to parliament by the German government on December 20, 1996. The Ordinance, which is to be enacted under § 16 of the Digital Signature Law, is concerned with the technical details of using digital signatures in Germany, such as the operation of certification authorities (called "certifiers" here), the validity of certificates, technical components used for digital signatures, and similar matters. The Ordinance is to be passed into law at the same time that the Digital Signature Law is enacted.
Procedure for the Granting and Revocation of Licenses
(1) A license for the operation of a certifier under § 4 para. (1) of the Digital Signature Law shall be applied for in writing to the Authority.
(2) The Authority shall make the necessary determinations to check the requirements for the granting of a license. It can require from the applicant the production of the necessary documents, in particular a current extract from the Commercial Register and current certificates under § 30, para. 5 of the Federal Central Registry Law for the legal representatives of the certifier. In order to demonstrate the necessary expert knowledge, the applicant shall demonstrate that the persons intended to perform certifications and issue time stamps possess the necessary professional qualifications.
(3) Before rejecting or revoking a license, the Authority shall grant the applicant a hearing and give him the opportunity to eliminate the grounds for such rejection or revocation.
(1) Costs (fees and expenses) are imposed for the following public services:
1. The granting of a license or the rejection of such;
2. The revocation of a license;
3. The complete or partial dismissal of an appeal;
4. The issuance of certificates;
5. Checking the examination reports under § 15, para. (2) as well as controls under § 15, para. (3);
6. Transfer of documentation under § 11, para. (2) of the Digital Signature Law.
(2) The following hourly rates shall be used as the basis for calculating fees for public services under para. (1), nos. 1, 4, 5, and 6:
1. Middle-category officials or comparable employees: DM 65.00
2. Upper-category officials or comparable employees: DM 85.00
3. High-category officials or comparable employees: DM 115.00
A quarter of such hourly rate shall be charged for each 15-minute period during which any work is performed. If public services are performed by employees of the Authority outside its premises, then fees shall also be charged for travel time which is within normal working hours or is specially reimbursed by the Authority, and for waiting time for which those liable for costs are responsible. The Authority shall regularly examine the hourly rates to ensure that they cover costs.
(3) The fee charged for revocation of a license shall be one-quarter less than the fee charged for granting it; it can be reduced by up to a quarter of the fee charged, or no fee need be charged, when equity so requires. A fee up to the amount of the administrative action being challenged shall be charged for the complete or partial denial of an appeal. Such denial, and particularly denial of an appeal which is solely directed against the allocation of costs, is subject to a fee up to ten percent of the amount in dispute.
(1) The certifier shall identify an applicant under § 5 para. (1), sentence 1 of the Digital Signature Law based on a federal identity card or a passport, or by other appropriate means. If an application for a further certificate contains a digital signature of the applicant, then the certifier need not identify him again.
(2) If information concerning a third party is to be included in a certificate under § 5, para. (2) of the Digital Signature Law, written permission of such third party or permission containing a digital signature must be presented. The certifier may require that such permission be officially certified. The permission of a legal person shall be signed or marked with a digital signature by a natural person with power of representation; such power must be reliably proved. Such third party shall be informed about the contents of such certificate either in writing or in digital form with a digital signature, and shall be informed about the possibility of blocking under § 9, para. (1). A professional or other admission shall be proved by presentation of the certificate of admission.
Instruction of the Applicant
(1) The certifier shall instruct the applicant in connection with § 6, sentences 1 and 3 of the Digital Signature Law, in particular concerning the following measures which are necessary to guarantee the security of digital signatures:
1. The private signature key is to be kept under personal control. Upon loss, the signature key certificate is to be immediately blocked. If the certificate has expired or the signature key is no longer required for some other reason, then the key is to be rendered unusable.
2. Personal identity numbers or passwords used for identification with respect to the holder of data concerning the key are to be kept confidential. A change is to be made immediately upon disclosure or the suspicion of disclosure of such identification data.
3. Technical components are to be used for the creation and checking of digital signatures, and for the representation of data to be signed or of signed data to be checked, which meet the requirements under § 14, paras. (1) and (2) of the Digital Signature Law, and the security of which has been verified under § 14, paras. (4) or (5) of the Digital Signature Law. They shall be protected from unauthorized access.
4. If a certificate contains data under § 7, para. (1) no. 7 or para. (2) of the Digital Signature Law and such data is important for the contents of signed data, the certificate shall be included in the digital signature for such data.
5. If a point in time may be important for the evidentiary value of signed data, a time stamp is to be affixed as needed.
6. If data are needed in signed form for longer than five years, then a further digital signature should be affixed upon expiration of such period, to the extent that such period is not extended under § 18, para. (2).
7. When checking signatures, such person shall determine whether, in his judgment, the particular signature key certificate and attribute certificate were valid at the time the signature was created, whether the certificates contain restrictions under § 7, para. (1) no. 7 of the Digital Signature Law, whether the certificates are included in the digital signature as necessary (see no. 4), and whether the data contain a time stamp as necessary (see no. 5).
(2) Further instruction may be dispensed with if an applicant already has a certificate.
Creation and Storage of Signature Keys and Identification Data
(1) If signature keys are created by the signature key owner, then the certifier shall convince itself that the signature key owner used appropriate technical components. This also applies to personal identity numbers, passwords, or other data which serve to identify the signature key owner to the holder of data concerning the key.
(2) If signature keys or identification data under para. (1), sentence 2 are provided by the certifier, then the certifier shall take steps to exclude the unnoticed disclosure of private keys or identification data and their storage by the certifier.
Delivery of Signature Keys and Identification Data
Insofar as the certifier provides signature keys or identification data under § 5, para. (2), it shall personally deliver the private signature key and the identification data to the intended signature key owner and have such delivery confirmed in writing by such owner, unless the owner requests a different means of delivery in writing.
Validity of Certificates
(1) The validity period of a certificate may be no longer than three years. The time between the issuance and the beginning of the certificate's validity period may be no longer than six months.
(2) The validity of an attribute certificate shall be no longer than the validity of the signature key certificate to which it refers.
Public Certificate Registries
(1) The certifier shall record certificates issued by it for a period of at least ten years from the beginning of their validity in a registry in accordance with the provisions of § 5, para. (1), sentence 2 of the Digital Signature Law.
(2) The Authority shall record certificates issued by it for a period of at least 15 years from the beginning of their validity in a registry in accordance with the provisions of § 4, para. (5), sentence 3 of the Digital Signature Law. Insofar as foreign certificates are recognized, this also applies to the public signature keys of the highest certifiers in such foreign countries. The Authority shall publish the telecommunication connections under which the certificates are accessible in the Federal Gazette.
(3) Following expiration of the time periods mentioned in paras. (1) and (2), the certifier and the Authority shall make possible an examination of their certificates upon application in a particular case until expiration of the time period mentioned in § 13, para. (3).
Procedure for Blocking Certificates
(1) The certifier shall make known to signature key owners and third parties whose information is incorporated in a certificate, as well as to the Authority, a telephone number under which they may at any time have certificates immediately blocked.
(2) It shall block a certificate under the requirements of § 8 of the Digital Signature Law if an application of a signature key owner, its legal representative, or a third party with a legitimate interest under para. (1) is presented with a digital signature or in writing, or if an agreed authentication procedure was used.
(3) The blocking of certificates shall be unmistakably indicated in the registry under § 8 with information concerning the time, and may not be revoked.
Reliability of Personnel
The certifier shall convince itself of the reliability of persons who assist in the issuance of signature key certificates or time stamps. In particular, it may require presentation of a certificate under § 30, para. 1 of the Federal Central Registry Law. Unreliable persons may not take part in such procedure.
Protection of Technical Components
The certifier shall take measures to protect technical components and private signature keys used for the creation of certificates and time stamps from unauthorized access.
(1) The security plan under § 4, para. (3) of the Digital Signature Law shall contain all security measures as well as, in particular, an overview of the technical components used and a representation of the organizational procedure of certification activity. The plan shall be immediately amended in case of any changes affecting security.
(2) The Authority shall maintain a catalogue of appropriate security measures and shall publish them in the Federal Gazette. Such measures should be considered when drawing up a security plan. The catalogue shall be drawn up based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.
(1) Documentation under § 10 of the Digital Signature Law shall cover the security plan (including any changes), examination reports under § 15, paras. (1) and (2), contractual agreements with applicants, and certificates received from the Authority. The following shall be documented: with regard to certificate applications received and agreements with signature key owners, a copy of the identity card presented or of some other proof of identity; with regard to information concerning third parties in a certificate, the documentation necessary for them to be included; the granting of a pseudonym; proof of the required instruction; certificates which have been created, including the time of issuance and delivery, as well as acknowledgment of delivery; blocking of certificates; and information under § 15, para. (2) of the Digital Signature Law. If the Authority provides signature keys or identification data under § 5, para. (2), then the time of delivery and confirmation thereof shall be documented. Records kept in digital form shall be digitally signed.
(2) Documentation under para. (1) shall be kept for at least 33 years from the time of issuance of the signature key certificate and shall be secured in such a way that it is accessible during this time. Documentation about information under § 12, para. (2), sentence 2 of the Digital Signature Law shall be kept for at least ten years.
Termination of Activities
(1) A certifier wishing to terminate its activities shall inform the Authority at least four months prior thereto.
(2) Before terminating its activities, the certifier shall inform the signature key owner of its intention to terminate its activities as a certifier at least three months beforehand with regard to each certificate which is not blocked and which has not expired at the time of terminating its activities, shall instruct him regarding whether another certifier will take over the certificate, and shall name such certifier. If this is not the case, then, following expiration of the time period mentioned in para. (1), all certificates shall be blocked which were not already blocked or had not expired at such time. The signature key owners of certificates to be blocked shall be informed thereof.
(3) Notice to the Authority and instruction of the signature key owners shall be done in writing or in digital form with a digital signature.
(4) A certifier which takes over the documentation under § 11, para. (2) of the Digital Signature Law or the Authority shall record the certificates which have been taken over in a registry under § 8.
Control of Certifiers
(1) A certifier shall present its security plan and the results of the examination under § 4, para. (3), sentence 3 of the Digital Signature Law to the Authority no later than one month before its planned commencement of activities.
(2) A certifier shall cause a new examination to be conducted following any substantial changes, or at least every two years, and shall immediately present the results thereof to the Authority.
(3) The Authority may carry out examinations at reasonable intervals and if there is reason to believe that the provisions of the Digital Signature Law or this Ordinance have been violated.
Requirements for Technical Components
(1) The technical components necessary for the creation of signature keys shall be designed in such a way that, with near-absolute certainty, a key only occurs once and the private key may not be calculated from the public key. The confidentiality of the private key must be assured, and it may not be copied. Any changes to the technical components with regard to technical security must be perceptible to the user.
(2) The technical components necessary for the creation or examination of digital signatures must be designed so that the private signature key may not be calculated from the signature, and so that the signature may not be falsified in any other way. The private signature key should be able to be used only after identification of the owner by possession and knowledge, and should not be revealed during use. Further characteristics, such as biometrics, may be used for identification of the signature key owner. The technical components necessary to collect identification data must be designed so that such data is not revealed and is stored only in the storage medium containing the private signature key. Any changes to the technical components with regard to technical security must be perceptible to the user.
(3) The data to be signed for representation and the technical components necessary for use of technical components under para. (2) shall be designed so that such person can sufficiently perceive the creation of a digital signature and the contents of the data which the signature covers. The technical components necessary for the examination of a digital signature must be designed so that the contents of the data which the digital signature covers are sufficiently perceptible and an accurate confirmation of correctness can be guaranteed. If technical components under sentences 1 or 2 are offered to third parties for use in the course of business, then they must be automatically checked upon use for authenticity and for any changes relevant to technical security, and any such changes must be perceptible to the user.
(4) The technical components by which certificates are to be verifiably maintained or accessed under § 5, para. (1), sentence 2 of the Digital Signature Law must be designed so that only authorized persons can make entries and changes, the blocking of a certificate cannot be revoked in a way which goes unnoticed, and information can be checked for authenticity. Only certificates which are verifiably maintained need not be publicly accessible. Any changes to the technical components with regard to technical security must be perceptible to the operator.
(5) The Authority shall maintain a catalogue of appropriate security measures, to be published in the Federal Gazette, which measures should be taken into consideration regarding the technical components. The catalogue shall be drawn up based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.
Checking of Technical Components
(1) The technical components must be checked for fulfillment of the requirements of the "Criteria for the Evaluation of the Security of Information Technology Systems" (GMBl. of August 8, 1992, p. 545 et seq.), as follows:
1. For technical components for the creation, loading, or storage of private signature keys, or for the creation and checking of digital signatures, at least level "E 4", with a valuation of security mechanisms of "high".
2. For technical components for the representation of data to be signed or signed data to be checked, for the use of technical components under § 16, para. (2), or for the collection of identification data, at least level "E 2", with a valuation of security mechanisms of at least "medium". If such items are offered to third parties for use in the course of business, then at least level "E 4" and a valuation of security mechanisms of "high" are necessary.
3. For technical components with which certificates are to be verifiably maintained or made accessible under § 5, para. (1), sentence 2 of the Digital Signature Law, at least level "E 4", with a valuation of security mechanisms of "high".
(2) Confirmation of fulfillment of the requirements for technical components under para. (1) no. 1 is limited to five years, but may be extended repeatedly for up to five years, insofar as a renewed security evaluation allows this.
(3) The Authority shall publish in the Federal Gazette the recognized instances under § 14, para. (4) of the Digital Signature Law as well as the technical components which have received confirmation from such instances, and shall notify them directly to the certifiers. The time period for which confirmation of technical components applies shall also be given.
Renewed Digital Signatures after a Certain Time Period
(1) If data is needed in signed form for a long time, then it should contain the date of issuance and should be re-signed with a digital signature containing a time stamp after five years at the latest. Insofar as earlier digital signatures have retained their security value, the new signature must include these.
(2) If the security confirmation of the technical components used for the creation of digital signatures is extended under § 17, para. 2, then the time period mentioned in para. (1) is extended correspondingly.
Entry into Force
This Legal Ordinance enters into force as of [ ].