>According to the Directive, qualified signatures are equivalent with >handwritten ones, so only natural persons were meant to have qualified >certificates. However, in certain countries, electronic invoices have >to be signed with qualified certificates. This led to the situation >where - in some countries - automated mechanisms also create qualified >signatures.
I think this requires a slightly different explanation. In Germany clueless government institutions buy signature devices capable of housing dozens of smart cards in order to with a single manual operation ("handwritten") be able to sign multiple invoices in one step using qualified signatures. In Scandinavia and Estonia somewhat less clueless government institutions have raised specific PKIs that issue "organization certificates" that are similar to EV certs (strict issuance policies), but certify an organization using a VAT, DnB or similar org-id rather than a domain name. These certificates (well the private key if we should be nitpicking..) are automatically signing outgoing messages indicating that they have passed whatever is needed for messages to be "authorized" for external consumption. These certificates are not called or issued as qualified certificates. Employee signatures essentially never leave the homebase. >This is very far away from the original goal. Which is not that surprising since authenticity in the real world is much more important than being able to get money from a CA due to a screw-up. The original EU signature idea that you would be able to do business with anybody because they have a QC, isn't for real because a QC doesn't say if you are a credible person and a CA has no ability bringing bad guys to a court either. In addition, identity schemes tend to be pretty local (my Social Security Number has little value outside of Sweden). If e-mail security had started at that level (domain) instead of S/MIME, the Internet had been a much better place! Anders _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto