Translation and Commentary by Christopher Kuner
Translation copyright 1997 Christopher Kuner. Reproduction is permitted, provided that this translator's note, including the above copyright notice, is retained in its entirety.
Commentary: This is a translation of the final version of the Digital Signature Law (Article 3 of the "Multimedia Law") which was approved by the German parliament (Bundestag) on June 13, 1997. It is all but certain that the Law will enter into force without further changes; at the time this introduction was written, the only uncertainty was whether the Federal Council (Bundesrat), which is controlled by the opposition parties, would demand that a Consultative Committee (Vermittlungsausschuss) be called, which would result in entry into force being delayed until at least November 1; otherwise, the law is set to enter into force on August 1, 1997.
There has been little change to the final version of the Digital Signature Law from the version presented to the Bundestag on December 20, 1996 (changes are marked in boldface); perhaps the most significant change is a new limitation in § 12, para. 2 on the power of the criminal justice and intelligence authorities to gain access to the identities of holders of pseudonyms. Despite much debate, it was ultimately decided not to include a provision concerning liability.
The Digital Signature Law is a technical law, since it does not deal with the legal validity of digital signatures; rather, its purpose is to provide the conditions for a secure infrastructure for the use of digital signatures in Germany. While compliance with the Law is "voluntary", the German government is open about its intention to create a de facto standard for the use of digital signatures; for this reason, it is a matter for concern that the Federal Office for Information Security (BSI), an NSA-type government agency, is deeply involved in setting technical standards under the law. Thus, there is reason to doubt that the Law will lead to a competitive, market-driven procedure for digital signatures in Germany.
Readers should note that much important detail on the use of digital signatures in Germany will be contained in the pending Digital Signature Ordinance and security catalogues for technical components and certification authorities. Moreover, the Federal Justice Ministry is now at work on further legislation regarding the legal effect and validity of digital signatures.
The informational duties under Council Directive 83/189/EWG of March 28, 1983 concerning an informational procedure in the area of norms and technical regulations (ABl. EG No. L 109, p. 8), last amended by European Parliament and Council Directive 94/10/EG of March 23, 1994 (ABl. EG No. L 100, p. 30) have been complied with.
§ 1
Objective and Area of Application
(1) The purpose of this law is to create general conditions for digital signatures under which they may be deemed secure and forgeries of digital signatures or falsifications of signed data may be reliably ascertained.
(2) The application of other procedures for digital signatures is permitted insofar as digital signatures are not legally required under this law.
§ 2
Definitions
(1) A digital signature within the meaning of this law is a seal on digital data created with a private signature key, which seal allows, by use of the associated public key to which a signature key certificate of a certifier or of the Authority under § 3 is affixed, the owner of the signature key and the unforged character of the data to be ascertained.
(2) A certifier within the meaning of this law is a natural or legal person which attests to the attribution of public signature keys to natural persons and holds a license therefor under § 4.
(3) A certificate within the meaning of this law is a digital attestation concerning the attribution of a public signature key to a natural person to which a digital signature is affixed (signature key certificate), or a special digital attestation which refers unmistakably to a signature key certificate and contains further information (attribute certificate).
(4) A time stamp within the meaning of this law is a digital attestation of a certifier to which a digital signature is affixed that certain digital data was presented to it at a certain time.
§ 3
The Authority
The granting of licenses and the issuance of certificates used to sign other certificates, as well as supervision of compliance with this law and with the Legal Ordinance under § 16, rest with the Authority under § 66 of the Telecommunications Act.
§ 4
Granting of Licenses for Certifiers
(1) The operation of a certifier requires a license of the Authority, which is to be granted upon application.
(2) The license shall be denied if there are factual grounds for the assumption that the applicant does not possess the reliability necessary for the operation of a certifier, if the applicant does not demonstrate that it possesses the necessary expert knowledge for the operation of a certifier, or if it can be expected that the further requirements for the operation of a certifier under this law and the Legal Ordinance under § 16 will not be present upon commencing operations.
(3) An applicant possesses the necessary reliability if it can guarantee that it will comply as license holder with the relevant legal requirements for the operation of a certifier. The necessary expert knowledge is present if those persons working for the certifier possess the necessary knowledge, experience, and qualifications. The further requirements for the operation of the certifier are present if the measures for fulfilling the security requirements of this law and the Legal Ordinance under § 16 are promptly notified to the Authority in a security plan, the implementation of which has been examined and verified by an instance recognized by the Authority.
(4) The license may contain subsidiary provisions insofar as necessary to ensure that the certifier fulfills the requirements of this law and the Legal Ordinance under § 16 upon commencing and during operations.
(5) The Authority issues the certificates for signature keys that are used to sign certificates. The provisions for the issuance of certificates by certifiers apply correspondingly for the Authority, which shall maintain access to the certificates which it has issued at all times and for everyone in a verifiable manner over publicly-accessible telecommunications channels. This also applies to information concerning the addresses and telephone numbers of certifiers, the blocking of signature key certificates which it has issued, the termination of and the prohibition against operating a certifier, as well as the withdrawal or revocation of licenses.
(6) Costs (fees and expenses) shall be imposed for public services under this law and the Legal Ordinance under § 16.
§ 5
Issuance of Certificates
(1) The certifier shall reliably identify persons who apply for a certificate. It shall confirm the attribution of a public signature key to an identified person by a signature key certificate and shall maintain access to such, as well as to attribute certificates, at all times and for everyone over publicly-accessible telecommunications channels in a verifiable manner and with the agreement of the signature key owner.
(2) Upon request of an applicant, the certifier shall record information concerning the applicant's power of representation for a third party or its professional or other licensing in the signature key certificate or in an attribute certificate, insofar as such licensing or the consent of the third party that the power of representation be recorded is reliably demonstrated.
(3) Upon request of an applicant, the certifier shall record a pseudonym in the certificate in place of the applicant's name.
(4) The certifier shall take measures so that data for certificates cannot be forged or falsified in a way which is not visible. It shall furthermore take steps so that the confidentiality of private signature keys is guaranteed. Private signature keys may not be stored by a certifier.
(5) It shall use reliable personnel for the exercise of certification activities, and shall use technical components in accordance with § 14 for making signature keys accessible and creating certificates. This also applies to technical components which make possible the verification of certificates under para. 1, sentence 2.
§ 6
Duty of Instruction
The certifier shall instruct the applicant under § 5 para. 1 concerning the measures necessary to contribute to secure digital signatures and their reliable verification. It shall instruct the applicant concerning which technical components fulfill the requirements of § 14, paras. 1 and 2, as well as concerning the attribution of digital signatures created with a private signature key. It shall point out to the applicant that data with digital signatures may need to be re-signed before the security value of an available signature decreases with time.
§ 7
Contents of Certificates
(1) A signature key certificate shall contain at least the following:
1. The name of the signature key owner, to which an additional notation must be affixed if there is the possibility of confusion, or an unmistakable pseudonym attributable to the signature key owner which shall be identified as such;
2. the attributed public signature key;
3. the algorithms with which the public key of the signature key owner as well as the public key of the certifier can be used;
4. the number of the certificate;
5. the beginning and end of the certificate's validity;
6. the name of the certifier; and
7. information as to whether use of the signature key is limited to specific types and scopes of applications.
(2) Information concerning the power of representation for a third party or concerning professional or other licensing may be recorded both in the signature key certificate and in an attribute certificate.
(3) A signature key certificate may contain further information only if the party affected gives his consent.
§ 8
Blocking of Certificates
(1) A certifier shall block a certificate if a signature key owner or his representative so request, if the certificate was issued based on false information under § 7, if the certifier has ended its activities and they are not continued by another certifier, or if the Authority orders blocking under § 13, para. 5, sentence 2. The blocking shall indicate the time from which it applies. Retroactive blocking is not permitted.
(2) If a certificate contains information about a third party, such party as well may demand blocking of the certificate.
(3) The Authority shall block certificates issued by it under § 4, para. 5 if a certifier terminates its activities or its license is withdrawn or revoked.
§ 9
Time Stamps
A certifier shall affix a time stamp to digital data upon request. Section 5, para. 5, sentences 1 and 2 apply accordingly.
§ 10
Documentation
A certifier shall document the security measures taken to comply with this law and the Legal Ordinance under § 16 as well as the issued certificates in such a way that the data and its unfalsified condition may be verified at any time.
§ 11
Termination of Activities
(1) Upon termination of its activities, a certifier shall notify this to the Authority as soon as possible and shall ensure that certificates valid at the time of termination are taken over by another certifier or are blocked.
(2) It shall transfer documentation under § 10 to the certifier that takes over its certificates, or otherwise to the Authority.
(3) It shall immediately notify the Authority of any application for the opening of bankruptcy or composition proceedings.
§ 12
Data Protection
(1) The certifier may collect personal data only directly from the affected person and only insofar as necessary for the purposes of a certificate. Collecting data from a third party is only permissible if the person affected gives his consent. Data may only be used for purposes other than those described in sentence 1 if this law or another legal provision so permits or the person affected has given his consent.
(2) In the case of a signature key owner using a pseudonym, the certifier shall transmit data concerning his identity to the proper authorities upon request, insofar as this is necessary to prosecute crimes or misdemeanors, to protect against dangers for the public safety or public order, or to fulfill the legal duties of the constitutional protection authorities of the federal government and the federal states, the federal security service, the military security service or the criminal customs authorities. Such information shall be documented. The requesting authorities shall inform the signature key owner about disclosure of the pseudonym as soon as the exercise of their legal duties will no longer be thereby impaired, or if the signature key owner's interest in being so informed outweighs other considerations.
(3) Section 38 of the Federal Data Protection Act shall apply, with the proviso that an examination may also be made even if there are no grounds for a violation of data protection provisions.
§ 13
Control and Implementation of Responsibilities
(1) The Authority may take steps with regard to certifiers in order to ensure compliance with this law and the Legal Ordinance. It may also and in particular forbid the use of inappropriate technical components and forbid the exercise of licensed activities temporarily in whole or in part. Persons who give the false impression of having a license under § 4 may be forbidden to perform certification.
(2) Certifiers shall allow the Authority to enter their business and operational premises during normal business hours for the purpose of supervision under para. 1, sentence 1, and upon request shall present any relevant books, drawings, receipts, writings, and other records for inspection, and shall provide information and necessary assistance. The person required to provide the information may refuse to provide it with regard to questions, the answering of which would subject him or one of his family members mentioned in § 383, para. 1, nos. 1 through 3 of the Civil Procedure Code to the danger of criminal prosecution or to a procedure under the Law on Misdemeanors. The person required to provide the information shall be informed of this right.
(3) In case of non-compliance with the duties arising under this law or the Legal Ordinance, or upon the coming into existence of a ground for refusing a license, the Authority shall revoke such license, if measures in accordance with para. 1, sentence 2 seem likely to be unsuccessful.
(4) In case of withdrawal or revocation of a license or the termination of activities of a certifier, the Authority shall ensure that such activity is taken over by another certifier or that contracts with signature key owners are wound up. This also applies with regard to an application for the opening of bankruptcy or composition proceedings, if the licensed activity is not being continued.
(5) The validity of certificates issued by a certifier shall be unaffected by withdrawal or revocation of a license. The Authority may order blocking of certificates if facts justify the assumption that certificates have been forged or are not sufficiently secure from forgery, or that the technical components used for application of signature keys demonstrate security defects which allow the forgery of digital signatures or the falsification of signed data to go undetected.
§ 14
Technical Components
(1) During the creation and storage of signature keys and the creation and checking of digital signatures, technical components shall be used which have security features that make forgery of digital signatures and falsification of signed data reliably noticeable and protect against the unauthorized use of private signature keys.
(2) For the representation of data which is to be signed, technical components with security features shall be used which show unmistakably and in advance the creation of a digital signature and allow a determination of the data to which the digital signature refers. For the checking of signed data, technical components shall be used which have security features that allow it to be determined whether the signed data are unchanged, to which data the digital signature refers, and to which signature key owner the digital signature is to be attributed.
(3) With regard to technical components with which signature key certificates are maintained in a verifiable or accessible manner in accordance with § 5, para. 1, sentence 2, measures shall be taken in order to protect the certificate registries from unauthorized alteration and access.
(4) With regard to technical components under paras. 1 through 3, they shall be sufficiently examined under the state of the art and the fulfillment of the requirements shall be verified by an instance recognized by the Authority.
(5) It can be assumed that the requirements under paras. 1 through 3 regarding technical security are fulfilled with regard to technical components which are placed in circulation or legally manufactured in accordance with the rules or requirements of another Member State of the European Union or of another Contracting State of the Treaty on the European Economic Area, and which guarantee the same level of security. In individual cases and when there is a good reason, the Authority may require a demonstration that the requirements under para. 1 have been fulfilled. Insofar as a confirmation of an instance recognized by the Authority is required to be presented to demonstrate technical security requirements within the meaning of paras. 1 through 3, then confirmations by instances licensed in other Member States of the European Union or in other Contracting States of the European Economic Area shall be considered, if the technical requirements, examinations, and examination procedures on which the examination reports of such instances are based are equivalent to the those of instances recognized by the Authority.
§ 15
Foreign Certificates
(1) Digital signatures which may be checked with a public signature key for which a foreign certificate of another Member State of the European Union or of another Contracting State of the Treaty on the European Economic Area exists are equivalent to digital signatures under this law, insofar as they demonstrate an equivalent level of security.
(2) Para. 1 also applies to other States, insofar as supranational or international agreements concerning the recognition of certificates have been concluded.
§ 16
The Legal Ordinance
The federal government is empowered to promulgate by Legal Ordinance the provisions necessary to implement §§ 3 through 15, with regard to:
1. Further details of the procedure for granting, withdrawal, and revocation of a license, as well as the procedure upon termination of a certifier's operations;
2. The circumstances giving rise to fees under § 4, para. 6 and the amount of fees;
3. Further structuring of the duties of certifiers;
4. The validity period of signature key certificates;
5. Further structuring of control over certifiers;
6. Further requirements for the technical components as well as examination of technical components and confirmation that the requirements have been fulfilled;
7. The time period after which a new digital signature should be used, as well as the procedure therefor.
END