Translation and Commentary by Christopher Kuner
Translation copyright 1997 Christopher Kuner. Reproduction is permitted, provided that this translator's note, including the above copyright notice, is retained in its entirety.
Commentary: After months of delay, the German government has finally released a further draft of the Digital Signature Ordinance; the previous draft was released on December 20, 1996. While the structure of this draft follows that of the December 20, 1996 draft, there have been wholesale changes to it (indicated in boldface), in particular the following:
(1) Increases in the fees for activities of civil servants (§ 2);
(2) Tightening of written form requirements for certificate applications (§ 3(1));
(3) More detailed requirements for public certificate registries (§ 8);
(4) Reworking of the provisions concerning technical components (§§ 16 and 17).
Further changes to the Ordinance are expected. The government's plan is to have the Federal Cabinet pass the Ordinance into law by the end of September 1997. The Digital Signature Law, under the authority of which the Ordinance is to be enacted, was passed by the cabinet on July 13 and will enter into force on August 1, 1997.
At the same time, the BSI (the Federal Office for Security in Information Technology) is working on the catalogues for certification authorities and technical components, with a view toward finalizing them by the end of September as well. The entire process is being pushed along very quickly by the Federal Government, a pace that has drawn some criticism. The extensive changes to the Ordinance also make it doubtful that all relevant points can be adequately considered and incorporated within the time frame the government has set.
§ 1 Procedure for the Granting, Revocation and Withdrawal of Licenses
(1) A license for the operation of a certifier under § 4 para. (1) of the Digital Signature Law shall be applied for in writing to the Authority.
(2) The Authority shall make the determinations necessary to evaluate whether the requirements for the granting of a license are met. It may require the applicant to produce the necessary documents, in particular a current extract from the Commercial Register and current certificates under § 30, para. 5 of the Federal Central Registry Law for the legal representatives of the certifier. To demonstrate the necessary expert knowledge, the applicant shall show that the persons intended to perform certifications or issue time stamps possess the necessary professional qualifications.
(3) Before rejecting, revoking, or withdrawing a license, the Authority shall grant the applicant a hearing and give him the opportunity to eliminate the grounds for such rejection, revocation, or withdrawal.
§ 2 Costs
(1) Costs (fees and expenses) are imposed for the following public services:
1. The granting of a license for the operation of a certifier;
2. The rejection of a license application;
3. The revocation or withdrawal of a license;
4. The complete or partial dismissal of an appeal;
5. The issuance of certificates;
6. Evaluating the examination reports under § 15, para. (1);
7. Examinations under § 15, para. (2), if a violation of the Digital Signature Law or of this Ordinance is ascertained in the course of an examination;
8. Transfer of documentation under § 11, para. (2) of the Digital Signature Law.
Costs shall also be imposed if a license application or an appeal is withdrawn following commencement of processing but before its completion.
(2) The following hourly rates shall be used as the basis for calculating fees for public services under para. (1), nos. 1, 5, 6, 7, and 8:
1. Middle-category officials or comparable employees: DM 85.00
2. Upper-category officials or comparable employees: DM 105.00
3. High-category officials or comparable employees: DM 135.00
A quarter of such hourly rate shall be charged for each 15-minute period during which any work is performed. If public services are performed by employees of the Authority outside its premises, then fees shall also be charged for travel time which falls within normal working hours or is specially reimbursed by the Authority, and for waiting time for which those liable for costs are responsible.
(3) Section 15 of the Act on Administrative Costs shall apply in case of rejection or withdrawal of a license application or the withdrawal or retraction of a license. A fee of up to the amount of the administrative action being challenged shall be charged for the complete or partial denial of an appeal. The denial or withdrawal of an appeal directed solely against the allocation of costs may be subject to a fee of up to ten percent of the amount in dispute.
§ 3 Application Procedure for the Issuance of Certificates
(1) The certifier shall identify an applicant under § 5 para. (1), sentence 1 of the Digital Signature Law based on a federal identity card or a passport, or by other appropriate means. An application for a certificate must be signed in writing.
(2) If information concerning representation of a third party is to be included in a certificate under § 5, para. (2) of the Digital Signature Law, such power of representation must be reliably demonstrated and written permission of such third party or permission containing a digital signature must be presented. The power of representation for such third party must be reliably proved. Such third party shall be informed about the contents of such certificate either in writing or in digital form with a digital signature, and shall be informed about the possibility of blocking under § 9, para. (1). A professional or other admission must be proved by, in particular, presentation of the certificate of admission.
§ 4 Instruction of the Applicant
(1) The certifier shall instruct the applicant in connection with § 6, sentences 1 and 3 of the Digital Signature Law, in particular concerning the following measures which are necessary to guarantee the security of digital signatures:
1. The storage medium containing the private signature key is to be kept under personal control. Upon loss, the signature key certificate is to be immediately blocked. If the storage medium containing the private signature key is no longer required, then the key is to be rendered unusable and the signature key certificate is to be blocked, if it has not already expired.
2. Personal identity numbers or passwords used for identification with respect to the storage medium containing the private key are to be kept confidential. A change is to be made immediately upon disclosure or suspicion of disclosure of such identification data.
3. Technical components are to be used for the creation and evaluation of digital signatures, and for the representation of data to be signed or of signed data to be evaluated, which meet the requirements of the Digital Signature Law and this Ordinance, and the security of which has been verified under the Digital Signature Law and this Ordinance. They shall be protected from unauthorized access.
4. If a certificate contains data under § 7, para. (1) no. 7 or para. (2) of the Digital Signature Law and such data is important for the evidentiary value of signed data, the certificate shall be attached to the data and shall be included in the digital signature.
5. If a point in time may be important for the evidentiary value of signed data, a time stamp is to be affixed.
6. If data are needed in signed form over a long period, then a further digital signature should be affixed under § 18.
7. When examining digital signatures, it shall be ascertained whether the signature key certificate and attribute certificate were valid at the time the signature was created, whether the certificates contain restrictions under § 7, para. (1) no. 7 of the Digital Signature Law, whether the certificates are included in the digital signature as necessary (see no. 4), and whether the data contain a time stamp as necessary (see no. 5).
(2) Further instruction may be dispensed with if an applicant already has a certificate.
§ 5 Creation and Storage of Signature Keys and Identification Data
(1) If signature keys are created by the signature key owner, then the certifier shall convince itself that the signature key owner used appropriate technical components. This also applies to personal identity numbers, passwords, or other data which serve to identify the signature key owner to the holder of data concerning the key. The certifier shall further convince itself that the applicant used appropriate technical components under the Digital Signature Law and this Ordinance for the storage and use of the private signature key.
(2) If signature keys or identification data under para. (1), sentence 2 are provided by the certifier, then the certifier shall take steps to exclude the unnoticed disclosure of private keys or identification data and their storage by the certifier.
§ 6 Delivery of Signature Keys and Identification Data
Insofar as the certifier provides signature keys or identification data under § 5, para. (2), it shall personally deliver the private signature key and the identification data to the intended signature key owner and have delivery confirmed in writing by such owner, unless the owner requests a different means of delivery in writing.
§ 7 Validity of Certificates
(1) The validity period of a certificate may be no longer than five years. The time between the issuance and the beginning of the certificate's validity period may be no longer than six months.
(2) The validity of an attribute certificate shall be no longer than the validity of the signature key certificate to which it refers.
§ 8 Public Certificate Registries
(1) The certifier shall record certificates which it has issued in a registry under § 5, para. (1), sentence 2 of the Digital Signature Law for at least as long as the algorithm and applicable parameters contained in the certificate are judged to be suitable under § 17, para. (2), but not for longer than the time period mentioned in § 13, para. (2).
(2) The Authority shall record certificates issued by it for the period mentioned in para. (1) in a registry in accordance with the provisions of § 4, para. (5), sentence 3 of the Digital Signature Law. Insofar as foreign certificates are recognized, this also applies to the public signature keys of the highest certifiers in such foreign countries. The Authority shall publish in the Federal Gazette the telecommunication connections under which such certificates are accessible, and shall notify them directly to the certifiers.
(3) Following expiration of the time periods mentioned in para. (1), the certifier and the Authority shall make possible an examination of the certificates upon application in a particular case until expiration of the time period mentioned in § 13, para. (2).
§ 9 Procedure for Blocking Certificates
(1) The certifier shall make known to signature key owners and third parties about whom information concerning a power of representation is incorporated in a certificate, as well as to the Authority, a telephone number under which they may at any time have certificates immediately blocked, and shall offer an authentication procedure therefor.
(2) The certifier shall block a certificate under the requirements of § 8 of the Digital Signature Law if an application of a signature key owner, its legal representative, or a third party with a legitimate interest under para. (1) is presented with a digital signature or in writing, or if an agreed authentication procedure was used.
(3) The blocking of certificates shall be unmistakably indicated in the registry under § 8 with information concerning the time, and may not be revoked.
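The registry rules of § 7 and § 9 para. (3) and the verifier's check from § 4 no. 7, as an added, constructed Go example (not part of the Ordinance or of any official implementation): a certificate is entered only within the § 7 validity limits, a blocking is recorded with its time and can never be lifted, and a verifier asks whether the certificate was in the registry, valid and not blocked at the moment the signature was created. All serial numbers and dates are constructed, and the six-month lead time is approximated as 180 days.

```go
package main

import (
	"errors"
	"time"
)

const (
	maxValidity = 5 * 365 * 24 * time.Hour // § 7 para. (1): at most five years
	maxLeadTime = 180 * 24 * time.Hour     // § 7 para. (1): issuance to start of validity, six months approximated as 180 days
)

// Certificate is a constructed record; KeyCert is set only on an attribute certificate and names its signature key certificate.
type Certificate struct {
	Serial                      string
	Issued, NotBefore, NotAfter time.Time
	KeyCert                     *Certificate
}

// Registry: issued certificates plus an append-only record of blockings with their time (§ 9 para. (3)); deliberately no Unblock.
type Registry struct {
	certs   map[string]Certificate
	blocked map[string]time.Time
}

func NewRegistry() *Registry {
	return &Registry{certs: map[string]Certificate{}, blocked: map[string]time.Time{}}
}

// Record enters a certificate only if it respects the limits of § 7.
func (r *Registry) Record(c Certificate) error {
	switch {
	case c.NotAfter.Sub(c.NotBefore) > maxValidity:
		return errors.New("validity period longer than five years (§ 7 para. (1))")
	case c.NotBefore.Sub(c.Issued) > maxLeadTime:
		return errors.New("more than six months from issuance to start of validity (§ 7 para. (1))")
	case c.KeyCert != nil && c.NotAfter.After(c.KeyCert.NotAfter):
		return errors.New("attribute certificate outlives its signature key certificate (§ 7 para. (2))")
	}
	r.certs[c.Serial] = c
	return nil
}

// Block records the blocking time once; a repeated request cannot move it.
func (r *Registry) Block(serial string, at time.Time) error {
	if _, ok := r.certs[serial]; !ok {
		return errors.New("certificate not contained in the registry")
	}
	if _, done := r.blocked[serial]; !done {
		r.blocked[serial] = at
	}
	return nil
}

// ValidAt answers the verifier's question from § 4 no. 7: was the certificate in
// the registry, valid and not blocked when the signature was created at time t?
func (r *Registry) ValidAt(serial string, t time.Time) (bool, string) {
	c, ok := r.certs[serial]
	if !ok {
		return false, "not contained in the registry"
	}
	if t.Before(c.NotBefore) || t.After(c.NotAfter) {
		return false, "outside the validity period"
	}
	if b, blocked := r.blocked[serial]; blocked && !t.Before(b) {
		return false, "blocked since " + b.Format(time.RFC3339)
	}
	if c.KeyCert != nil { // an attribute certificate is only as good as its key certificate
		if kok, why := r.ValidAt(c.KeyCert.Serial, t); !kok {
			return false, "signature key certificate: " + why
		}
	}
	return true, "valid and not blocked"
}
```

A signature created before the blocking time still verifies, which is why § 9 para. (3) requires the time of blocking to be recorded rather than the certificate simply being removed.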
§ 10 Reliability of Personnel
The certifier shall convince itself of the reliability of persons who assist in the certification process or the issuance of time stamps. In particular, it may require presentation of a certificate under § 30, para. 1 of the Federal Central Registry Law. Unreliable persons may not take part in the certification process and the issuance of time stamps.
§ 11 Protection of Technical Components
The certifier shall take measures to protect from unauthorized access technical components and private signature keys used for the creation of certificates and time stamps and for keeping certificates accessible for examination.
§ 12 Security Plan
(1) The security plan under § 4, para. (3) of the Digital Signature Law shall contain all security measures as well as, in particular, an overview of the technical components used and a representation of the organizational procedure of certification activity. The plan shall be immediately amended in case of any changes affecting security.
(2) The Authority shall maintain a catalogue of appropriate security measures and shall publish them in the Federal Gazette. Such measures should be considered when drawing up a security plan. The catalogue shall be drawn up based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.
§ 13 Documentation
(1) Documentation under § 10 of the Digital Signature Law shall cover the security plan (including any changes), examination reports under § 15, paras. (1) and (2), contractual agreements with applicants, and certificates received from the Authority. The following shall be documented: with regard to certificate applications received and agreements with applicants, a copy of the identity card presented or of some other proof of identity; with regard to information concerning third parties in a certificate, the documentation necessary for them to be included; the granting of a pseudonym; proof of the required instruction of the applicant and third parties; certificates which have been created, including the time of issuance and delivery of certificates; and information under § 12, para. (2) of the Digital Signature Law. If the certifier provides signature keys or identification data under § 5, para. (2), then the time of delivery and confirmation thereof shall be documented. Records kept in digital form shall be digitally signed.
(2) Documentation under para. (1) shall be kept for at least 35 years from the time of issuance of the signature key certificate and shall be secured in such a way that it is accessible during this time. Documentation about information under § 12, para. (2), sentence 2 of the Digital Signature Law shall be kept for at least ten years.
§ 14 Termination of Activities
(1) A certifier wishing to terminate its activities under § 11, para. (1) of the Digital Signature Law shall inform the Authority at least four months prior thereto.
(2) At least three months before terminating its activities, the certifier shall inform each signature key owner, with regard to each certificate which is neither blocked nor expired at that time, of its intention to terminate its activities as a certifier, shall instruct him whether another certifier will take over the certificate, and shall name such certifier. If no other certifier takes over the certificates, then, following expiration of the time period mentioned in para. (1), all certificates which were not already blocked or expired at that time shall be blocked. The signature key owners of certificates to be blocked shall be informed thereof.
(3) Notice to the Authority and instruction of the signature key owners shall be done in writing or in digital form with a digital signature.
(4) A certifier which takes over the documentation under § 11, para. (2) of the Digital Signature Law or the Authority shall record the certificates which have been taken over in a registry under § 8, paras. (1) and (3).
§ 15 Control over Certifiers
(1) A certifier shall have an examination conducted under § 4, para. (3), sentence 3 of the Digital Signature Law following any substantial changes, or at least every two years, and shall immediately present the results thereof to the Authority.
(2) The Authority may carry out examinations at reasonable intervals and if there is reason to believe that the provisions of the Digital Signature Law or this Ordinance have been violated.
§ 16 Requirements for Technical Components
(1) The technical components necessary for the creation of signature keys shall be designed in such a way that, with near-absolute certainty, a key only occurs once and the private key may not be calculated from the public key. The confidentiality of the private key must be assured, and it may not be copied. Any changes to the technical components relevant to technical security must be perceptible to the user.
(2) The technical components necessary for the creation or examination of digital signatures must be designed so that the private signature key may not be calculated from the signature, and so that the signature may not be falsified in any other way. The private signature key should be able to be used only after identification of the owner by possession and knowledge, and should not be revealed during use. Biometric characteristics may also be used for identification of the signature key owner. The technical components necessary to collect identification data must be designed so that such data is not revealed and is stored only in the storage medium containing the private signature key. Any changes to the technical components relevant to technical security must be perceptible to the user.
(3) The technical components necessary to represent the data to be signed must be designed so that the person signing can unequivocally determine the data which the signature covers, and so that a digital signature is only made upon instigation of such person and is first displayed unmistakably. The technical components necessary for the examination of signed data must be designed so that the examiner can unmistakably determine the data which the digital signature covers as well as the signature key owner, and so that the correctness of the digital signature can be reliably examined and correctly displayed. The technical components for examination of certificates must show unmistakably whether the certificates which have been examined were contained in the certificate registry and whether they were valid and not blocked at the indicated time. The technical components must, as necessary, sufficiently show the contents of the data which has been or is to be signed. If technical components under sentences 1 or 4 are offered to third parties for use in the course of business, then an unmistakable interpretation of the data must be ensured and such technical components must be automatically evaluated upon use for authenticity. Any changes relevant to technical security must be perceptible to the user.
(4) The technical components by which certificates are to be verifiably maintained under § 4, para. (5), sentence 3 or § 5, para. (1), sentence 2 of the Digital Signature Law must be designed so that only authorized persons can make entries and changes, the blocking of a certificate cannot be revoked in a way which goes unnoticed, and information can be evaluated for authenticity. Such information must indicate whether the certificates which have been examined were contained in the certificate registry and whether they were valid and not blocked at the indicated time. Only certificates which are verifiably maintained need not be publicly accessible. Any changes to the technical components relevant to technical security must be perceptible to the operator.
(5) Technical components used to create a time stamp under § 9 of the Digital Signature Law must be designed so that the valid legal time at the time of creation of the time stamp is incorporated into them in unfalsified condition. Any changes to the technical components relevant to technical security must be perceptible to the operator.
(6) The Authority shall maintain a catalogue of appropriate security measures, to be published in the Federal Gazette, which measures should be taken into consideration regarding the technical components. The catalogue shall be drawn up based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.
§ 17 Evaluation of Technical Components
(1) The evaluation of technical components under § 14, para. (4) of the Digital Signature Law is to be performed under the "Criteria for the Evaluation of the Security of Information Technology Systems" (GMBl. of August 8, 1992, p. 545 et seq.). The evaluation of technical components for the creation of signature keys or for the storage or use of private signature keys, and of technical components offered to third parties for use in the course of business, must cover at least the level "E 4", and otherwise at least the level "E 2". The rating of the security mechanisms must be "high", and the algorithms and applicable parameters must be suitable under para. (2).
(2) The Authority shall publish in the Federal Gazette an overview of the algorithms and applicable parameters considered suitable for the creation of signature keys, the hashing of data to be signed, or the creation and examination of digital signatures, as well as the time period for which such suitability exists in each case, which must be at least six years after evaluation and publication. Such suitability is to be reevaluated annually and as necessary. Suitability exists if within a particular time period the imperceptible forgery of digital signatures or falsification of signed data can be excluded with near absolute certainty under the scientific and technical state-of-the-art. Suitability is to be determined based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.
(3) Confirmation of fulfillment of the requirements for technical components under § 14, para. (4) of the Digital Signature Law must state to which requirements under § 16 the confirmation applies and under which conditions of usage, which algorithms and applicable parameters under para. (2) are used, the minimum time period for which they are suitable, and at which level under para. (1) the technical components were evaluated. A copy of the evaluation report and the confirmation is to be deposited with the Authority. The Authority may, upon indications of flaws in the evaluations or in confirmed technical components, or at random, obtain the expert opinion of an independent third party as to whether the technical components were evaluated under para. (1) and whether they fulfill the requirements of the Digital Signature Law and this Ordinance. Affected manufacturers, distributors, and evaluation centers must provide the necessary assistance. If such assistance is not provided, or if it turns out that confirmed technical components were not sufficiently evaluated or do not fulfill the requirements, then the Authority may declare confirmations which have been granted to be invalid.
(4) The Authority shall publish in the Federal Gazette the bodies recognized under § 14, para. (4) of the Digital Signature Law, as well as the technical components confirmed by such bodies under para. (3), and shall notify them directly to the certifiers. With regard to technical components, the notification shall state until what time the confirmation is valid. If recognition is withdrawn or a confirmation is declared invalid, this must also be published in the Federal Gazette and notified directly to the certifiers.
§ 18 New Digital Signatures
If data is needed in signed form for longer than the algorithms and applicable parameters used are judged to be suitable under § 17, para. (2), then such data should be re-signed with a new digital signature before the period of suitability of the algorithms and applicable parameters expires. Such signature must contain the earlier digital signatures and a time stamp.
§ 19 Entry into Force
This Legal Ordinance enters into force as of [ ].