Information
Further information from the Bundesnetzagentur in its capacity as competent authority under section 3 of the Signature Act
Update of the FAQs on qualified electronic signatures
18 April 2012
An updated version of the FAQ (frequently asked questions) is available here. The old version is still available for download.
Electronic residence title (eAT)
26 October 2011
The electronic residence title (eAT) has, amongst other features, a function for creating Qualified Electronic Signatures. A qualified certificate is required for this; it can be loaded onto your electronic residence title remotely by a Certification Service Provider.
Please note that no provider currently offers this. No details are available yet regarding expected availability.
For any further questions relating to the signature function of the new electronic residence title, please contact the Federal Office for Migration and Refugees. Additional information is also available online here.
For the use of signature cards that require a personal identification number (PIN) to be entered, the Bundesnetzagentur recommends certified card readers with their own keypad: the PIN is then entered on the reader itself and never passes through the PC, which effectively counteracts PIN logging. No certificate of confirmation under the Signature Act has yet been submitted to the Bundesnetzagentur for a card reader intended for the signature function of the electronic residence title.
Important information on the use of the new root certificate (14R-CA)
21 September 2011, updated 25 October 2011
The Bundesnetzagentur announces that, in its role as root certification authority, it has issued a new root certificate (14R-CA) together with the associated cross certificates (13R-CA with 14R-CA, 14R-CA with 13R-CA). The cross certificates link the previous root (13R-CA) and the new root (14R-CA) in both directions, so that a verifier trusting either root can build a certification path to certificates issued under the other.
The new service certificates are:
- twelve certificates for OCSP (14R-OCSP 1:PN to 12:PN),
- four certificates for CRL (14R-CRL 1:PN to 4:PN),
- two certificates for TSS (14R-TSS 1:PN to 2:PN).
The new certificates can already be retrieved and inspected from the Bundesnetzagentur directory; their first use in the directory service is expected on 24 October 2011.
Update 25 October 2011: The certificates have been in use in the directory service of the Bundesnetzagentur since today (25 October 2011).
Information on card reader use associated with the signature function of the new personal identity card
3 November 2010, updated 21 October 2011
The use of the signature function on the identity card with the "AusweisApp" is only possible with card readers which have their own pinpad and are certified to the BSI-TR-03119 technical guideline.
There is currently no card reader on the market which is sufficiently certified.
For the use of signature cards that require a personal identification number (PIN) to be entered, the Bundesnetzagentur recommends using certified card readers with their own keypad. This effectively counteracts attempts at PIN logging. When using the signature function of your personal identity card, please always ensure that your PC has up-to-date virus protection and use a firewall where possible.
Update 21 October 2011: Card readers certified according to technical guideline BSI TR-03119 are now available. More information is available here: https://www.ausweisapp.bund.de/pweb/cms/kartenleser.jsp Note that TR-03119 certification and confirmation under the Signature Act are separate procedures: no certificate of confirmation under the Signature Act has been submitted to the Bundesnetzagentur for a card reader intended for the signature function of the new identity card.
Important information: Security vulnerability discovered in certified card readers
27 April 2010, updated: 30 April 2010, 7 June 2010 and 17 January 2011
The Bundesnetzagentur draws attention to the fact that a security vulnerability has been established in the KAAN TriB@nk chip card terminal with firmware 79.22, certified under section 17(4) sentence 1 of the SigG. The same vulnerability exists in the certified chip card terminals EMV-TriCAP Reader (Art. No. HCPNCKS/A03, firmware 69.18), SecOVID Reader III (Art. No. HCPNCKS/B05, firmware 69.18) and KAAN TriB@nk (Art. No. HCPNCKS/C05, firmware 68.17). The vulnerability makes it possible to load potentially malicious firmware into the card reader. Consequently there is no longer any guarantee that the card reader meets all signature-related legal requirements (i.e. secure PIN entry): a reader running manipulated firmware could record the PIN typed on its own keypad.
The KAAN TriB@nk chip card terminal vulnerability can be remedied with the "Firmware 79.23 for KAAN TriB@nk" security patch (SHA-1 checksum of the file KAAN_TriBank-79.23_40.exe: e14bd5ef9eb3388865626ddbfeb8d02375eaaf89). The manufacturer has submitted a declaration for this firmware to the Bundesnetzagentur in accordance with section 17(4) sentence 2 of the SigG. The Bundesnetzagentur advises users of this chip card terminal to apply this security patch, after checking that the downloaded file matches the published checksum.
Update 7 June 2010: The certifications of the chip card terminals have been declared invalid with effect from 17 April 2010.
Update 17 January 2011: The KAAN TriB@nk chip card terminal (Article No. HCPNCKS/C08, firmware version 79.23), along with the EMV-TriCAP Reader (Article No. HCPNCKS/A04, firmware version 82.23) and SecOVID Reader III (Article No. HCPNCKS/B07, firmware version 82.23) terminals received product certification on 29 October 2010.
Amendment to Ordinance on Electronic Signature (SigV)
15 November 2010
The fifth amendment to the Ordinance on Electronic Signature (SigV) of 16 November 2001 came into effect on 15 November 2010. It primarily concerns the identification and handover procedures and the documentation duties of Certification Service Providers. Together with the fourth amendment to the SigV, which came into effect on 1 November 2010 and embedded the new personal identity card in the Ordinance as a means of identification, changes to the existing procedures by which Certification Service Providers handle applications for qualified certificates are possible and to be expected.
Information on signature function of new personal identity card
3 November 2010
The personal identity card which can be applied for from 1 November 2010 has, amongst other features, a function for creating Qualified Electronic Signatures. A qualified certificate is required for this; it can be loaded onto your identity card remotely by a Certification Service Provider.
Please note that no provider currently offers this. No details are available yet regarding expected availability.
For any further questions relating to the signature function of the new identity card please contact the Federal Ministry of the Interior (www.BMI.Bund.de). Additional information can also be found online at www.personalausweisportal.de
Information for the "point of single contact"
23 December 2009
Information is available here for the "point of single contact" under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market, and for companies and authorities interested in topics relating to Certification Service Providers (accreditation, notification, cessation of operations) and to evaluation and certification bodies.
Important note in connection with verifying Qualified Electronic Signatures based on unsuitable algorithms
6 March 2009
The Agency points out that, under section 15(2) para 2a of the Ordinance on Electronic Signature (SigV), signature application components within the meaning of section 2 para 11b of the Signature Act (SigG) must reliably verify and appropriately display the result of verifying a Qualified Electronic Signature even when that signature is based on an algorithm that has since been classified as no longer suitable, and hence as not sufficiently secure. In practice the component must not simply reject or silently skip such a signature: it must still carry out the verification and show the outcome to the user.
Note in connection with the use of voluntary marks of approval
6 March 2009
According to Internet publications, some service providers use voluntary marks of approval to demonstrate that their offer conforms to the Signature Act and the Ordinance on Electronic Signature.
The Agency wishes to point out that such marks are not permitted as proof of conformity. Proof that products, signature application components and technical components conform to the Act and the Ordinance is given solely by product certification and published manufacturer's declarations. Products are certified solely by the recognised (evaluation and) certification bodies according to section 18 of the Act, and declarations are issued solely by the manufacturer of the product.
Note in connection with generating third-party signatures
6 March 2009
According to Internet publications, some service providers create Qualified Electronic Signatures over third-party data. Two models have been described:
1. Signing by means of signature cards and PINs assigned to members of the service provider's staff: the service provider holds a power of attorney to sign the client's invoices on the client's behalf, using the staff member's own certificate.
2. Signing by means of the client's signature card and signature PIN: the client obtains a signature card and signature PIN of their own and hands them over to the service provider, who then carries out the signing.
The Agency points out that Qualified Electronic Signatures are possible with model 1 if the power of attorney is recognisable to third parties, e.g. by means of an attribute in the certificate. Model 2 is not compliant, because the signature creation data is no longer under the sole control of the signatory; consequently, qualified signatures cannot be generated by this process.
Important note in connection with product certification for secure signature creation devices
According to reports in the press, there are special signature cards in microSD format with which Qualified Electronic Signatures can be generated. The Agency wishes to point out that currently, there are no certified secure signature creation devices of the microSD card type that meet the exacting requirements of the Signature Act. In practical terms this means that qualified signatures are not possible with a microSD card.
Note in connection with signature renewals (section 17 of the Ordinance)
In line with the legal requirements, the Agency's SHA-1 and RSA 1024 qualified certificates, and the SHA-1 and RSA 1024 certificates that the Agency issued to the accredited Certification Service Providers, have been provided with signature renewals. The signature renewals (timestamps) have been entered in the LDAP node under the attribute "signatureRenewals" and can now be queried via LDAP; the associated specification document can be downloaded as a pdf below.
Specification "Übersignatur" (signature renewal), version 2.0, dated 10 March 2008 (pdf, 156 kb)
Note in respect of certificates from notified Certification Service Providers (CSPs): Time from which certificates issued by them can be legally classified as "qualified certificates"
Please note that, under section 2 para 7 in conjunction with section 4(3) sentence 1 of the Signature Act and section 1(1) and (2) of the Ordinance on Electronic Signature, qualified certificates may only be legally issued by a notified Certification Service Provider as from the time the provider has submitted the prescribed notification to the Agency. Dates of notification can be found here.
Only from this date is a notified Certification Service Provider deemed to meet the requirements of sections 4 to 14 of the Act (cf section 2 para 7 in conjunction with section 4(3) sentence 1 of the Act). Accordingly, signatures created with certificates issued before this time do not constitute qualified signatures within the meaning of the Act, cf section 2 para 3.a) in conjunction with section 2 para 7 of the Act.
Important note in connection with the use of suitable algorithms
The root certification authority's conversion to new key lengths and new hash algorithms was completed on 17 August 2007. Since that date the Agency has been able to issue accredited certificates with an RSA key length of 2048 bits.
The conversion of the Agency's repository took place on 13 December 2007.
Since the afternoon of 13 December 2007, the Agency's OCSP responses and CRLs have been signed with RSA 2048 and SHA-512. Please take note of this before verifying Qualified Electronic Signatures; you may need to update your signature application components so that they can validate SHA-512 signatures over the OCSP responses and CRLs they rely on.
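The three notes above on unsuitable algorithms (6 March 2009), on signature renewals (section 17 of the Ordinance) and on the conversion to RSA 2048 and SHA-512 describe one mechanism from a verifier's point of view: a signature over SHA-1/RSA 1024 may still verify mathematically after those algorithms are no longer classified as suitable, the verifier must say so rather than hide either fact, and a renewal signature with a suitable algorithm over the document and the old signature carries the proof forward. The following is an added illustration, not code from the Bundesnetzagentur or from any certified component: it uses textbook RSA on freshly generated demo keys, and the suitability policy (SHA-1 and moduli below 2048 bits treated as no longer suitable) is an assumption made for the example, not the official algorithm catalogue.

```python
# Added example: a toy verifier that reports the mathematical result and the
# algorithm's suitability separately, plus a signature renewal (Uebersignatur).
# Textbook RSA on demo keys, not a SigG-compliant component; the policy is ASSUMED.
import hashlib
import math
import secrets
from dataclasses import dataclass

SUITABLE_HASHES = {"sha256", "sha384", "sha512"}  # assumed policy: SHA-1 no longer suitable
MIN_RSA_BITS = 2048                               # assumed policy: RSA-1024 no longer suitable
SMALL_PRIMES = [p for p in range(3, 1000, 2) if all(p % q for q in range(3, int(p**0.5) + 1, 2))]

def _is_probable_prime(n, rounds=8):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 3 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # top two bits set, so p*q has exactly the requested length
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_key(bits, e=65537):
    """Textbook RSA key (n, e, d) with a modulus of exactly `bits` bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

@dataclass(frozen=True)
class Signature:
    hash_name: str
    modulus: int
    exponent: int
    value: int

def _digest_int(data, hash_name):
    return int.from_bytes(hashlib.new(hash_name, data).digest(), "big")

def sign(data, hash_name, key):
    """Hash-then-sign without padding (demo only; real components use PKCS#1).
    Any hashlib digest (<= 512 bits) fits under the >= 1024-bit moduli used here."""
    n, e, d = key
    return Signature(hash_name, n, e, pow(_digest_int(data, hash_name), d, n))

@dataclass(frozen=True)
class VerificationResult:
    mathematically_valid: bool
    algorithm_suitable: bool

    def display(self):
        """What the user sees: both facts, neither hidden behind the other."""
        if not self.mathematically_valid:
            return "INVALID: signature does not verify against the data"
        if self.algorithm_suitable:
            return "VALID: signature verifies; algorithms suitable"
        return "VALID (mathematically); WARNING: algorithm no longer classified as suitable"

def verify(data, sig):
    valid = pow(sig.value, sig.exponent, sig.modulus) == _digest_int(data, sig.hash_name)
    suitable = sig.hash_name in SUITABLE_HASHES and sig.modulus.bit_length() >= MIN_RSA_BITS
    return VerificationResult(valid, suitable)

def _covered_by_renewal(data, old):
    # A renewal signs the document together with the signature it protects.
    return data + old.value.to_bytes((old.modulus.bit_length() + 7) // 8, "big")

def renew(data, old, hash_name, key):
    return sign(_covered_by_renewal(data, old), hash_name, key)

def verify_renewed(data, old, renewal):
    """Old signature must still verify; the renewal must verify with a suitable algorithm."""
    old_res = verify(data, old)
    new_res = verify(_covered_by_renewal(data, old), renewal)
    return {
        "old_signature_valid": old_res.mathematically_valid,
        "old_algorithm_suitable": old_res.algorithm_suitable,
        "proof_preserved": old_res.mathematically_valid and new_res == VerificationResult(True, True),
    }
```

Signing a constructed document with `sign(doc, "sha1", generate_key(1024))` and calling `verify(doc, sig).display()` yields the "VALID (mathematically); WARNING" line rather than a bare failure, which is the behaviour the 6 March 2009 note requires; `renew(doc, sig, "sha512", generate_key(2048))` then produces the renewal, and `verify_renewed` reports `proof_preserved` only while the old signature still verifies and the renewal verifies with a suitable algorithm. Key generation takes a few seconds in pure Python.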
