>According to the Directive, qualified signatures are equivalent to
>handwritten ones, so only natural persons were meant to have qualified
>certificates. However, in certain countries, electronic invoices have
>to be signed with qualified certificates. This led to the situation
>where - in some countries - automated mechanisms also create qualified
>signatures.

I think this requires a slightly different explanation.  In Germany, clueless
government institutions buy signature devices capable of housing dozens
of smart cards in order to be able, with a single manual operation
("handwritten"), to sign multiple invoices in one step using qualified signatures.

In Scandinavia and Estonia somewhat less clueless government institutions
have raised specific PKIs that issue "organization certificates" that are
similar to EV certs (strict issuance policies), but certify an organization
using a VAT, DnB or similar org-id rather than a domain name.  These
certificates (well, the private key, if we should be nitpicking...) are
automatically signing outgoing messages indicating that they have passed
whatever is needed for messages to be "authorized" for external
consumption. These certificates are not called or issued as qualified
certificates.  Employee signatures essentially never leave the homebase.

>This is very far away from the original goal.

Which is not that surprising since authenticity in the real world is
much more important than being able to get money from a CA due to
a screw-up.  The original EU signature idea that you would be able to do
business with anybody because they have a QC isn't for real because
a QC doesn't say if you are a credible person and a CA has no ability
to bring bad guys to court either.  In addition, identity schemes tend
to be pretty local (my Social Security Number has little value outside
of Sweden).

If e-mail security had started at that level (domain) instead of S/MIME,
the Internet would have been a much better place!

Anders

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
