RE: German Law and OCSP
Ambarish,
I agree with you that no legislation should get into that level of
technology. And I don't think they do that, not even in Germany and Italy.
IMHO I think Prof. Lioy is overinterpreting the German and Italian
legislations, stating what they require and do not require at a very technical
level of detail. Based on our experience in the German market, the regulations in
SigG and SigV are very fuzzy and open to interpretation. The reply on what
is needed sometimes depends on which authority in Germany you are talking to.
Your question regarding German Law and OCSP may be related to the following.
As you may know, the Germans have specified their own flavour of OCSP, with
somewhat different semantics:
"The status good states that the certificate was issued by the associated
certification authority, is known to the directory service, and is not
revoked at the time thisUpdate."
(For non-German speakers: "Good" means that the certificate is issued by the
CA, known in the Directory and not revoked)
This is quite a different interpretation of "good" from RFC 2560, where
"good" does not necessarily mean that the certificate has been issued!!!
Maybe this should not even be called OCSP any longer. The Germans themselves
also call this a "Verification Service".
On the other hand, the recently adopted European Directive on Electronic
Signatures does not specify any binding requirements for signature
verification, only some general recommendations in Annex IV. This means,
quite correctly, that this level of technical detail for court evidence
should not be laid down in laws or regulations, but develop through "market
best practices". In the CEN Workshop on Electronic Signatures, we are now
going to try to interpret these recommendations and write them down in a
standard called "guideline for signature verification". THERE we can specify
details for a specific technology like X.509 certificates, CRL and OCSP.
Regards
Hans
> -----Original Message-----
> From: Ambarish Malpani [SMTP:ambarish@valicert.com]
> Sent: Saturday, January 29, 2000 6:35 PM
> To: 'ietf-pkix@imc.org'
> Subject: German Law and OCSP
>
>
> Hi Guys,
> I recently read a document that seemed to indicate that
> the German Digital Signature Law or some related documents
> specified that you can use OCSP to check the revocation status
> of a cert, but they allowed you to send over all 0's as the
> hash of the CA's public key.
>
> Does anybody know more about whether the statement above
> is true or not? If it is, I am concerned that they might not be
> using OCSP correctly.
>
> Anybody with more information?
>
> Regards,
> Ambarish
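The two technical points raised in this thread, a CertID whose issuerKeyHash is all zeros and the differing meaning of "good" under RFC 2560 and the German profile, can be made concrete in a relying-party check. The following is an added example, not code from either poster or from any German verification service; it assumes SHA-1 for the CertID hash as in RFC 2560, uses a constructed byte string in place of a real CA public key, and the profile names and fact labels are my own.

```python
import hashlib
from enum import Enum

class Profile(Enum):
    RFC2560 = "rfc2560"      # plain OCSP: "good" only says "not revoked"
    GERMAN = "german-sigg"   # German flavour: "good" also asserts issuance

# Constructed sample standing in for the CA's subjectPublicKey field value
# (tag, length and unused-bits octet already stripped off). Not a real key.
ISSUER_PUBLIC_KEY = bytes(range(0x20, 0x60))

def issuer_key_hash(public_key_bits: bytes) -> bytes:
    """RFC 2560 CertID.issuerKeyHash: SHA-1 over the issuer's public key value."""
    return hashlib.sha1(public_key_bits).digest()

def cert_id_key_hash_ok(key_hash_in_request: bytes, issuer_public_key_bits: bytes) -> bool:
    """A CertID is acceptable only if its issuerKeyHash really identifies the CA.
    An all-zero hash (the practice asked about in the thread) names no issuer
    at all, so it is refused before any comparison is made."""
    size = hashlib.sha1().digest_size
    if len(key_hash_in_request) != size or key_hash_in_request == bytes(size):
        return False
    return key_hash_in_request == issuer_key_hash(issuer_public_key_bits)

def facts_from_response(status: str, profile: Profile) -> frozenset:
    """Facts a relying party may conclude from a CertStatus under each profile."""
    if status != "good":
        return frozenset({status})  # "revoked" / "unknown" carry their own meaning
    if profile is Profile.GERMAN:
        return frozenset({"issued_by_ca", "known_to_directory", "not_revoked_at_thisUpdate"})
    return frozenset({"not_revoked_at_thisUpdate"})

def accept_certificate(status: str, profile: Profile, key_hash_in_request: bytes,
                       issuer_public_key_bits: bytes, issuance_checked_elsewhere: bool) -> bool:
    """Relying-party decision: the CertID must bind to the real CA key, the
    response must show the cert is not revoked, and issuance must be established
    either by the response itself (German profile) or by an independent check."""
    if not cert_id_key_hash_ok(key_hash_in_request, issuer_public_key_bits):
        return False
    facts = facts_from_response(status, profile)
    if "not_revoked_at_thisUpdate" not in facts:
        return False
    return "issued_by_ca" in facts or issuance_checked_elsewhere
```

The point of the last function is that a plain RFC 2560 "good" never stands alone: without the German profile's extra semantics, issuance has to be established by some other means before the certificate is accepted.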