Germany: New Media - The Draft German "Digital Signature Ordinance"

Last Updated: 12 June 1999
On December 20, 1996, the German government presented the draft of a "Multimedia Law" (officially called the "Information and Communications Services Law"; a translation thereof is available on this site) to parliament, which is designed to bring the German legal system into line with the requirements of the "Information Age". One of the most noteworthy portions of the draft law is Article 3, which contains the "Digital Signature Law" and is designed to create a framework for the use of digital signatures in Germany. Section 16 of the Digital Signature Law provides for a "Digital Signature Ordinance" to set the technical details for their use.

The following is a translation of the final version of the Digital Signature Ordinance, also presented to parliament by the German government on December 20, 1996. The Ordinance is concerned with the technical details of using digital signatures in Germany, such as the operation of certification authorities (called "certifiers" here), the validity of certificates, technical components used for digital signatures, and similar matters. The Ordinance is to be passed into law at the same time that the Digital Signature Law is enacted.

GERMAN DRAFT DIGITAL SIGNATURE ORDINANCE (SigV)

FINAL DRAFT, DECEMBER 20, 1996

Translation copyright 1997 Christopher Kuner. Reproduction is permitted, provided that this translator's note, including the above copyright notice, is retained in its entirety. This translation is also available on the World Wide Web at http://ourworld.compuserve.com/homepages/ckuner

1 PROCEDURE FOR THE GRANTING AND REVOCATION OF LICENSES

(1) A license for the operation of a certifier under 4 para. (1) of the Digital Signature Law shall be applied for in writing to the Authority.

(2) The Authority shall make the necessary determinations to check the requirements for the granting of a license. It can require from the applicant the production of the necessary documents, in particular a current extract from the Commercial Register and current certificates under 30, para. 5 of the Federal Central Registry Law for the legal representatives of the certifier. In order to demonstrate the necessary expert knowledge, the applicant shall demonstrate that the persons intended to perform certifications and issue time stamps possess the necessary professional qualifications.

(3) Before rejecting or revoking a license, the Authority shall grant the applicant a hearing and give him the opportunity to eliminate the grounds for such rejection or revocation.

2 COSTS

(1) Costs (fees and expenses) are imposed for the following public services:

1. The granting of a license or the rejection of such;

2. The revocation of a license;

3. The complete or partial dismissal of an appeal;

4. The issuance of certificates;

5. Checking the examination reports under 15, para. (2) as well as controls under 15, para. (3);

6. Transfer of documentation under 11, para. (2) of the Digital Signature Law.

(2) The following hourly rates shall be used as the basis for calculating fees for public services under para. (1), nos. 1, 4, 5, and 6:

1. Middle-category officials or comparable employees: DM 65.00

2. Upper-category officials or comparable employees: DM 85.00

3. High-category officials or comparable employees: DM 115.00

A quarter of such hourly rate shall be charged for each 15-minute-period during which any work is performed. If public services are performed by employees of the Authority outside its premises, then fees shall also be charged for travel time which is within normal working hours or is specially reimbursed by the Authority, and for waiting time for which those liable for costs are responsible. The Authority shall regularly examine the hourly rates to ensure that they cover costs.

(3) The fee charged for revocation of a license shall be one-quarter less than the fee charged for granting it; it can be reduced by up to a quarter of the fee charged, or no fee need be charged, when equity so requires. A fee up to the amount of the administrative action being challenged shall be charged for the complete or partial denial of an appeal. Such denial, and particularly denial of an appeal which is solely directed against the allocation of costs, is subject to a fee up to ten percent of the amount in dispute.

3 APPLICATION PROCEDURE

(1) The certifier shall identify an applicant under 5 para. (1), sentence 1 of the Digital Signature Law based on a federal identity card or a passport, or by other appropriate means. If an application for a further certificate contains a digital signature of the applicant, then the certifier need not identify him again.

(2) If information concerning a third party is to be included in a certificate under 5, para. (2) of the Digital Signature Law, written permission of such third party or permission containing a digital signature must be presented. The certifier may require that such permission be officially certified. The permission of a legal person shall be signed or marked with a digital signature by a natural person with power of representation; such power must be reliably proved. Such third party shall be informed about the contents of such certificate either in writing or in digital form with a digital signature, and shall be informed about the possibility of blocking under 9, para. (1). A professional or other admission shall be proved by presentation of the certificate of admission.

4 INSTRUCTION OF THE APPLICANT

(1) The certifier shall instruct the applicant in connection with 6, sentences 1 and 3 of the Digital Signature Law, in particular concerning the following measures which are necessary to guarantee the security of digital signatures:

1. The private signature key is to be kept under personal control. Upon loss, the signature key certificate is to be immediately blocked. If the certificate has expired or the signature key is no longer required for some other reason, then the key is to be rendered unusable.

2. Personal identity numbers or passwords used for identification with respect to the holder of data concerning the key are to be kept confidential. A change is to be made immediately upon disclosure or the suspicion of disclosure of such identification data.

3. Technical components are to be used for the creation and checking of digital signatures, and for the representation of data to be signed or of signed data to be checked, which meet the requirements under 14, paras. (1) and (2) of the Digital Signature Law, and the security of which has been verified under 14, paras. (4) or (5) of the Digital Signature Law. They shall be protected from unauthorized access.

4. If a certificate contains data under 7, para. (1) no. 7 or para. (2) of the Digital Signature Law and such data is important for the contents of signed data, the certificate shall be included in the digital signature for such data.

5. If a point in time may be important for the evidentiary value of signed data, a time stamp is to be affixed as needed.

6. If data are needed in signed form for longer than five years, then a further digital signature should be affixed upon expiration of such period, to the extent that such period is not extended under 18, para. (2).

7. When checking signatures, such person shall determine whether, in his judgment, the particular signature key certificate and attribute certificate were valid at the time the signature was created, whether the certificates contain restrictions under 7, para. (1) no. 7 of the Digital Signature Law, whether the certificates are included in the digital signature as necessary (see no. 4), and whether the data contain a time stamp as necessary (see no. 5).

(2) Further instruction may be dispensed with if an applicant already has a certificate.

5 CREATION AND STORAGE OF SIGNATURE KEYS AND IDENTIFICATION DATA

(1) If signature keys are created by the signature key owner, then the certifier shall convince itself that the signature key owner used appropriate technical components. This also applies to personal identity numbers, passwords, or other data which serve to identify the signature key owner to the holder of data concerning the key.

(2) If signature keys or identification data under para. (1), sentence 2 are provided by the certifier, then the certifier shall take steps to exclude the unnoticed disclosure of private keys or identification data and their storage by the certifier.

6 DELIVERY OF SIGNATURE KEYS AND IDENTIFICATION DATA

Insofar as the certifier provides signature keys or identification data under 5, para. (2), it shall personally deliver the private signature key and the identification data to the intended signature key owner and have such delivery confirmed in writing by such owner, unless the owner requests a different means of delivery in writing.

7 VALIDITY OF CERTIFICATES

(1) The validity period of a certificate may be no longer than three years. The time between the issuance and the beginning of the certificate's validity period may be no longer than six months.

(2) The validity of an attribute certificate shall be no longer than the validity of the signature key certificate to which it refers.

8 PUBLIC CERTIFICATE REGISTRIES

(1) The certifier shall record certificates issued by it for a period of at least ten years from the beginning of their validity in a registry in accordance with the provisions of 5, para. (1), sentence 2 of the Digital Signature Law.

(2) The Authority shall record certificates issued by it for a period of at least 15 years from the beginning of their validity in a registry in accordance with the provisions of 4, para. (5), sentence 3 of the Digital Signature Law. Insofar as foreign certificates are recognized, this also applies to the public signature keys of the highest certifiers in such foreign countries. The Authority shall publish the telecommunication connections under which the certificates are accessible in the Federal Gazette.

(3) Following expiration of the time periods mentioned in paras. (1) and (2), the certifier and the Authority shall make possible an examination of their certificates upon application in a particular case until expiration of the time period mentioned in 13, para. (3).

9 PROCEDURE FOR BLOCKING CERTIFICATES

(1) The certifier shall make known to signature key owners and third parties whose information is incorporated in a certificate, as well as to the Authority, a telephone number under which they may at any time have certificates immediately blocked.

(2) It shall block a certificate under the requirements of 8 of the Digital Signature Law if an application of a signature key owner, its legal representative, or a third party with a legitimate interest under para. (1) is presented with a digital signature or in writing, or if an agreed authentication procedure was used.

(3) The blocking of certificates shall be unmistakably indicated in the registry under 8 with information concerning the time, and may not be revoked.

10 RELIABILITY OF PERSONNEL

The certifier shall convince itself of the reliability of persons who assist in the issuance of signature key certificates or time stamps. In particular, it may require presentation of a certificate under 30, para. 1 of the Federal Central Registry Law. Unreliable persons may not take part in such procedure.

11 PROTECTION OF TECHNICAL COMPONENTS

The certifier shall take measures to protect technical components and private signature keys used for the creation of certificates and time stamps from unauthorized access.

12 SECURITY PLAN

(1) The security plan under 4, para. (3) of the Digital Signature Law shall contain all security measures as well as, in particular, an overview of the technical components used and a representation of the organizational procedure of certification activity. The plan shall be immediately amended in case of any changes affecting security.

(2) The Authority shall maintain a catalogue of appropriate security measures and shall publish them in the Federal Gazette. Such measures should be considered when drawing up a security plan. The catalogue shall be drawn up based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.

13 DOCUMENTATION

(1) Documentation under 10 of the Digital Signature Law shall cover the security plan (including any changes), examination reports under 15, paras. (1) and (2), contractual agreements with applicants, and certificates received from the Authority. The following shall be documented: with regard to certificate applications received and agreements with signature key owners, a copy of the identity card presented or of some other proof of identity; with regard to information concerning third parties in a certificate, the documentation necessary for them to be included; the granting of a pseudonym; proof of the required instruction; certificates which have been created, including the time of issuance and delivery, as well as acknowledgment of delivery; blocking of certificates; and information under 15, para. (2) of the Digital Signature Law. If the Authority provides signature keys or identification data under 5, para. (2), then the time of delivery and confirmation thereof shall be documented. Records kept in digital form shall be digitally signed.

(2) Documentation under para. (1) shall be kept for at least 33 years from the time of issuance of the signature key certificate and shall be secured in such a way that it is accessible during this time. Documentation about information under 12, para. (2), sentence 2 of the Digital Signature Law shall be kept for at least ten years.

14 TERMINATION OF ACTIVITIES

(1) A certifier wishing to terminate its activities shall inform the Authority at least four months prior thereto.

(2) Before terminating its activities, the certifier shall inform the signature key owner of its intention to terminate its activities as a certifier at least three months beforehand with regard to each certificate which is not blocked and which has not expired at the time of terminating its activities, shall instruct him regarding whether another certifier will take over the certificate, and shall name such certifier. If this is not the case, then, following expiration of the time period mentioned in para. (1), all certificates shall be blocked which were not already blocked or had not expired at such time. The signature key owners of certificates to be blocked shall be informed thereof.

(3) Notice to the Authority and instruction of the signature key owners shall be done in writing or in digital form with a digital signature.

(4) A certifier which takes over the documentation under 11, para. (2) of the Digital Signature Law or the Authority shall record the certificates which have been taken over in a registry under 8.

15 CONTROL OF CERTIFIERS

(1) A certifier shall present its security plan and the results of the examination under 4, para. (3), sentence 3 of the Digital Signature Law to the Authority no later than one month before its planned commencement of activities.

(2) A certifier shall cause a new examination to be conducted following any substantial changes, or at least every two years, and shall immediately present the results thereof to the Authority.

(3) The Authority may carry out examinations at reasonable intervals and if there is reason to believe that the provisions of the Digital Signature Law or this Ordinance have been violated.

16 REQUIREMENTS FOR TECHNICAL COMPONENTS

(1) The technical components necessary for the creation of signature keys shall be designed in such a way that, with near-absolute certainty, a key only occurs once and the private key may not be calculated from the public key. The confidentiality of the private key must be assured, and it may not be copied. Any changes to the technical components with regard to technical security must be perceptible to the user.

(2) The technical components necessary for the creation or examination of digital signatures must be designed so that the private signature key may not be calculated from the signature, and so that the signature may not be falsified in any other way. The private signature key should be able to be used only after identification of the owner by possession and knowledge, and should not be revealed during use. Further characteristics, such as biometrics, may be used for identification of the signature key owner. The technical components necessary to collect identification data must be designed so that such data is not revealed and is stored only in the storage medium containing the private signature key. Any changes to the technical components with regard to technical security must be perceptible to the user.

(3) The data to be signed for representation and the technical components necessary for use of technical components under para. (2) shall be designed so that such person can sufficiently perceive the creation of a digital signature and the contents of the data which the signature covers. The technical components necessary for the examination of a digital signature must be designed so that the contents of the data which the digital signature covers are sufficiently perceptible and an accurate confirmation of correctness can be guaranteed. If technical components under sentences 1 or 2 are offered to third parties for use in the course of business, then they must be automatically checked upon use for authenticity and for any changes relevant to technical security, and any such changes must be perceptible to the user.

(4) The technical components by which certificates are to be verifiably maintained or accessed under 5, para. (1), sentence 2 of the Digital Signature Law must be designed so that only authorized persons can make entries and changes, the blocking of a certificate cannot be revoked in a way which goes unnoticed, and information can be checked for authenticity. Only certificates which are verifiably maintained need not be publicly accessible. Any changes to the technical components with regard to technical security must be perceptible to the operator.

(5) The Authority shall maintain a catalogue of appropriate security measures, to be published in the Federal Gazette, which measures should be taken into consideration regarding the technical components. The catalogue shall be drawn up based on data from the Federal Office for Security in Information Technology in consultation with business and scientific experts.

17 CHECKING OF TECHNICAL COMPONENTS

(1) The technical components must be checked for fulfillment of the requirements of the "Criteria for the Evaluation of the Security of Information Technology Systems" (GMBl. of August 8, 1992, p. 545 et seq.), as follows:

1. For technical components for the creation, loading, or storage of private signature keys, or for the creation and checking of digital signatures, at least level "E 4", with a valuation of security mechanisms of "high".

2. For technical components for the representation of data to be signed or signed data to be checked, for the use of technical components under 16, para. (2), or for the collection of identification data, at least level "E 2", with a valuation of security mechanisms of at least "medium". If such items are offered to third parties for use in the course of business, then at least level "E 4" and a valuation of security mechanisms of "high" are necessary.

3. For technical components with which certificates are to be verifiably maintained or made accessible under 5, para. (1), sentence 2 of the Digital Signature Law, at least level "E 4", with a valuation of security mechanisms of "high".

(2) Confirmation of fulfillment of the requirements for technical components under para. (1) no. 1 is limited to five years, but may be extended repeatedly for up to five years, insofar as a renewed security evaluation allows this.

(3) The Authority shall publish in the Federal Gazette the recognized instances under 14, para. (4) of the Digital Signature Law as well as the technical components which have received confirmation from such instances, and shall notify them directly to the certifiers. The time period for which confirmation of technical components applies shall also be given.

18 RENEWED DIGITAL SIGNATURES AFTER A CERTAIN TIME PERIOD

(1) If data is needed in signed form for a long time, then it should contain the date of issuance and should be re-signed with a digital signature containing a time stamp after five years at the latest. Insofar as earlier digital signatures have retained their security value, the new signature must include these.

(2) If the security confirmation of the technical components used for the creation of digital signatures is extended under 17, para. 2, then the time period mentioned in para. (1) is extended correspondingly.

19 ENTRY INTO FORCE

This Legal Ordinance enters into force as of [ ].

The content of this article is intended to provide a general guide to the subject matter. It is therefore recommended that specific professional advice is sought before any action is taken.

For further information please contact Stefan Volker, Gleiss Lutz Hootz Hirsch & Partners, Maybachstraße 6, D-70469 Stuttgart, Germany, Tel.: +49/711/8997-0, Fax: +49/711/855096, e-mail: 100775.126@compuserve.com
