
New Standard For EU-Compliant Electronic Signatures

timothy posted more than 4 years ago | from the ja-das-war-ich dept.

Security 42

An anonymous reader writes "ETSI has published a multi-part standard that will facilitate secure paperless business transactions throughout Europe, in conformance with European legislation. The standard defines a series of profiles for PAdES — Advanced Electronic Signatures for PDF documents — that meet the requirements of the European Directive on a Community framework for electronic signatures (Directive 1999/93/EC)."


Good to see. (2, Insightful)

palegray.net (1195047) | more than 4 years ago | (#29410495)

It's good to see some progress being made in the formalization of standards for accepting electronic signatures. I'm reminded of the issues with conventional legal guidelines surrounding hand-written signatures, and look forward to cryptographically verifiable alternatives.

Re:Good to see. (2, Insightful)

timmarhy (659436) | more than 4 years ago | (#29410553)

While I agree, it still boils down to a single point of failure - trust. Back in the day the bank teller not only got your signature, she knew your face. By far the most effective security we have ever had, it's all been downhill since personalised service was dumped.


Re:Good to see. (1)

CarpetShark (865376) | more than 4 years ago | (#29411325)

back in the day the bank teller not only got your signature, she knew your face.

Yes, and maybe even enough of your behaviour to know if you're being coerced into withdrawing all your money, or if you just want to.

Re:Good to see. (1)

clickety6 (141178) | more than 4 years ago | (#29411447)

Yeah, but just like fingerprint detectors that was so easily fooled by using a latex cast of the person's face over your own... have you never seen Mission Impossible?

Re:Good to see. (0)

Anonymous Coward | more than 4 years ago | (#29412227)

A fingerprint detector that is fooled by a cast of the person's face.... Somehow I think you messed that one up

Re:Good to see. (1)

MrMr (219533) | more than 4 years ago | (#29412313)

Unless he's a finger puppet.

Re:Good to see. (1)

MartinSchou (1360093) | more than 4 years ago | (#29412079)

And that falls apart as soon as you aren't visiting your local branch. Like when you're in another city.

And while you could just bring cash with you, that's not always an option, like when you're leaving before pay day and not getting back until after pay day. Are you supposed to starve, should you spend eight hours in a car driving back home just to get money and then drive another eight hours to get back to where you were?

At some point convenience needs to play a role.

And keep in mind that the first banks weren't about meeting your local teller. It was about giving your money to a local banker who would then, for a fee of course, give you a writ explaining to his partners at your destination that you were entitled to a certain amount of money. This writ could easily be hidden on your body, allowing you to bring a large fortune with you without needing a large entourage to guard it.


Adobe Lobby machine (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29410613)

Great to see the Adobe Lobby Machine in action. They are really pushing very hard to convince everyone into using PDF at the Service Directive level. OK, there is the ISO 32000-1 standard. But there's more to it than just an open standard. The biggest issue is the risk of vendor lock-in. The big problem with PDF is that there's basically only one vendor supporting the full specification, being Adobe. If you compare this with OOXML you could even state that Microsoft products are less risky as it comes to vendor locking. You can at least open an OOXML or ODF file with some unzipper and have a look at the XML files in case the specification documents are incomplete. This is something you can totally forget when using the PDF standard.

The same applies to the signature extensions. XMLDSig and XAdES come with very good specifications. And even if a product (like OpenOffice.org or Office 2007) has some specific signature implementation/requirement, you can still investigate the plain XML files and find the details. This is absolutely not the case for Adobe PDF signatures... trying to find out what the hell they're doing inside the CMS signature is very hard.

I hope one day people will realize the major risk that vendor lock-in triggers. Having some open standard is not sufficient, you also need an accessible file format to avoid risk of complete vendor lock-in.

Re:Adobe Lobby machine (4, Informative)

cbreak (1575875) | more than 4 years ago | (#29410863)

There are many ways to create PDFs and read PDFs without relying on Adobe. Mac OS X offers wide support for this format, every application that can print can create a PDF file. PDFs can be opened with Preview and many other applications understand it.
LaTeX can create PDF files either directly or with ghostscript, which creates PDFs out of PostScript files.
Many different libraries exist to create a PDF programmatically.
Not all implementations might be feature complete, but it's far from being as proprietary as Office from Microsoft.

Re:Adobe Lobby machine (2, Interesting)

Yer Mum (570034) | more than 4 years ago | (#29411003)

But unless alternative PDF readers can verify electronic signatures, they'll be useless. And more importantly, unless alternative PDF writers can generate electronic signatures, they'll be useless. That's where the money is.

Re:Adobe Lobby machine (2, Insightful)

The Cisco Kid (31490) | more than 4 years ago | (#29411019)

Exactly. I can pretty much read any random PDF found on the net or sent to me, with my choice of tools (Adobe, xpdf, evince, etc). Likewise, I can produce postscript (which I can convert to pdf that can be read with the same choice of tools [Adobe, xpdf, evince, etc]) with anything that can 'print' documents on my Debian system.

I have yet to see anything approaching that level of interoperability, BY DEFAULT, using MS formats. And if it ever comes, it will be only after MS has lodged every possible protest and done everything else possible to prevent it.

Re:Adobe Lobby machine (0)

Anonymous Coward | more than 4 years ago | (#29411127)

And even then, it will probably require violating a dozen MS patents.

Re:Adobe Lobby machine (1)

RMH101 (636144) | more than 4 years ago | (#29413001)

What does this have to do with the DRM required for ER/ES?

Re:Adobe Lobby machine (1)

CarpetShark (865376) | more than 4 years ago | (#29412477)

Mac OS X offers wide support for this format

I believe Apple licenses Display Postscript and probably other PS stuff from Adobe.

Re:Adobe Lobby machine (2, Informative)

TheTurtlesMoves (1442727) | more than 4 years ago | (#29411029)

I use PDF all the time on Linux. I don't use a single Adobe product, and I do use a commercial product for annotation. That's not lock-in.

You can download the full PDF spec with a pretty standard agreement. The biggest part of the agreement is that the pdf readers you write with the standard will enforce document "no printing/no copying" settings. You don't need to pay a fee that a lot of other standards require before they give the documentation.

PDF as a format is controlled by Adobe, but it is an open format in that everyone can implement readers and writers without restriction.

Re:Adobe Lobby machine (0)

Anonymous Coward | more than 4 years ago | (#29411339)

However, the most common reader (i.e. Adobe's) allows adding comments to a PDF only if the document has been cryptographically signed by Adobe Acrobat Professional. That's quite a clever racket indeed, if your business partners expect to be able to use the commenting feature. Mine do, so I pay for an Adobe license for that single feature.

Re:Adobe Lobby machine (0)

Anonymous Coward | more than 4 years ago | (#29411461)

I can add comments to mac created pdfs just fine.

Re:Adobe Lobby machine (0)

Anonymous Coward | more than 4 years ago | (#29411635)

Interesting. Do you add them in Preview on a mac, or in Acrobat Reader?

Re:Adobe Lobby machine (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#29411729)

Yes, I found this a good reason to switch away from Adobe Reader; Apple's Preview (as well as being faster) lets me annotate any PDF. My workflow involves a lot of PDFs and no Adobe products at all. I generate images in PDF format from a variety of tools (GraphVis, OmniOutliner, GNUplot, and so on), incorporate them into documents using pdflatex and send them to my publisher. They annotate them and send them back, whereupon I review the annotations in Preview, make changes to the LaTeX source and then send them the final result for publication.

Re:Adobe Lobby machine (1, Informative)

Anonymous Coward | more than 4 years ago | (#29411625)

PDF is now an ISO standard so theoretically no longer controlled by Adobe. The latest specification no longer includes the text about PDF readers enforcing document security settings in exchange for the permission to use the "copyrighted data structures".

Re:Adobe Lobby machine (1)

elsJake (1129889) | more than 4 years ago | (#29412487)

I haven't read the specification but I certainly like the "Obey DRM limitations" check box in the Kpdf settings menu.

Re:Adobe Lobby machine (1)

jimking (1641823) | more than 4 years ago | (#29504193)

OK, as an Adobe employee and the designated Adobe PDF Platform Architect let me put forward some facts.
o PDF has been an ISO standard for over a year (ISO 32000-1). (A free copy can be obtained here: http://www.adobe.com/devnet/pdf/pdf_reference.html (bottom of the page).)
o There are no legal restrictions imposed by Adobe to develop software to process PDF. No money, no hassle, never was.
o There are thousands of applications created by hundreds of vendors that process PDF files in some way. (Do a Google search on PDF Software.)
o There are many of those that can create and verify PDF digital signatures. (Do a Google search on PDF Signatures.)
o People who are not developers have no desire to decipher the innards of the files that are on their computers, XML, binary or whatever.
o People in Europe use PDF files widely and they want a digital signature capability that meets the European Commission (EC) requirements. The new ETSI/ESI standard (TS 102 778), that was the subject of this press release, provides that. It is nicknamed PAdES (PDF based) and joins two previous ETSI signature standards CAdES (CMS Based) and XAdES (XML based) to support the EC's Advanced Electronic Signature (AdES) requirements. Europeans want these standards and the solutions they support!
o Security does not reside in a passive file. It resides in the software that processes that file.

Secure Paperless Business Transactions? (-1)

Anonymous Coward | more than 4 years ago | (#29410689)

S.P.B.T.? They may as well be trading grains of denim lint like the US'ians.

This is what I think of EU and its sister Union of North America: [youtube.com] more straying from the original exclusive jurisdictions and pulled into a slaughterhouse that only a quasi psychiatrist-conspiracytheorist historian could navigate through pro-per.

That's what you call it when you interact with corporations: constant regulation and re-definitions. What was once a simple trade using lawful money of a man to a man, has now been obfuscated. People get angrier, because they don't know how to Pen a contract payable in said gold or silver specie, and so it all washes down in the annals of history as another necessary compromise to condition money into corporate units of "currency" that doesn't float around in its own value like a numismatic token from Lakota Nationals or through NorFed.

PAdES? P.A.d.E.S.? What's with the bullshit generator today? Couldn't they just name it something fluffy like PayPal?

Re:Secure Paperless Business Transactions? (0)

Anonymous Coward | more than 4 years ago | (#29410761)

Mod parent -1: Not-sharpest-tool-in-shed

Re:Secure Paperless Business Transactions? (2, Informative)

Cheesetrap (1597399) | more than 4 years ago | (#29410853)

Are you claiming to be a better tool?

OS Implementation? (2, Interesting)

CarpetShark (865376) | more than 4 years ago | (#29411363)

Anyone know if this will be implementable in free software? Are there patent/copyright issues?

Re:OS Implementation? (1)

RiotingPacifist (1228016) | more than 4 years ago | (#29411995)

No software patent issues in Europe, so while you could patent the entire process with a business patent or something, no patent can prevent you from implementing the software parts.

Reference or Link to Standard (1)

omb (759389) | more than 4 years ago | (#29411367)

It would be helpful if someone posted a link to the standard.

TS 102 778-x (5, Informative)

mrt_2394871 (1174545) | more than 4 years ago | (#29411429)

The European Telecommunications Standards Institute's search page is at:
http://pda.etsi.org/pda/queryform.asp
Search for "pades" in the title will get you the five parts of the standard (well, Technical Specification).

ETSI TS 102 778-x

And thank goodness it's ETSI doing this, since they publish their standards without charge.

What is secure about signatures? (1)

dhammabum (190105) | more than 4 years ago | (#29411881)

I've just had a quick look at the standard - the problem here isn't the mechanism of the signature, but the security of the signature itself. Should the computer on which the signature resides be compromised, the attacker can create and sign documents at will. Also as the standard allows for "serial signatures" which means multiple related signatures for serial authorisation/authentication, it also presents the potential of a man-in-the-middle attack. Why should a company actually trust such a system? I can't see this replacing binding contracts between the parties.

Re:What is secure about signatures? (1)

nOw2 (1531357) | more than 4 years ago | (#29412049)

I can't see this replacing binding contracts between the parties.

If you wish to issue invoices electronically in the EU, they can only be legal (for VAT etc.) if signed correctly.

This varies country by country; sometimes it just needs to be signed by any old self-signed cert, sometimes you need a cert issued by a central tax authority, sometimes a cert issued by a bank, and some countries don't bother at all and you can invoice by plain text if you like.

But anyway; for invoicing at least, signed PDFs can be legally binding contracts.

Re:What is secure about signatures? (1)

jonbryce (703250) | more than 4 years ago | (#29414343)

Britain follows the "you can invoice by plain text if you like" approach. Dead tree invoices don't need to be signed either, and they usually are not.

Re:What is secure about signatures? (1)

CXI (46706) | more than 4 years ago | (#29413445)

The real problem is that electronic signatures are trying to make an inherently non-secure or verifiable process into something that is secure and verifiable. In truth, written signatures are meaningless, constantly forged and not reliable at all. It's a huge effort to take the office business processes currently in place and actually make them secure enough that a digital signature can work. Take the most basic example where a secretary signs the boss's name. Multiply that by a hundred other exceptions that happen all day, every day in an office. You have to completely undo all the bad habits and/or create complex delegation systems in order to avoid having to change how entire departments work.

Cool...now we have cemented Adobe in place! (1)

hesaigo999ca (786966) | more than 4 years ago | (#29412407)

The biggest vulnerability is Adobe PDF reader. Everyone accounts for 99% of PCs use Adobe Reader (with all its vulnerabilities) and this now has just put the icing on the cake. I hope that most people know to use a different reader than Adobe to load the content...
unless of course this new format will only be available by adobe and not allowed by other pdf readers...

They have cemented a known bad file system in place for digital exchange ...great!

Could Be Big (1)

twmcneil (942300) | more than 4 years ago | (#29412591)

Judging from the low number of comments posted in reply to this story, it looks like a lot of people are going "So What?"

This could be big though. Here we have a well known and well defined format (PDF) moving in and occupying this space first before Microsoft. This gives PDF (and Adobe if you wish) a big head start in defining the market for products based upon this standard.

Next, some people in Redmond will try to figure out how to displace this spec with their own. I think they will find it harder to discredit ETSI than it was for them to discredit Peter Quinn. And I hope they find it harder to buy ETSI than it was for them to buy ISO.

Why do we need a new standard? (1)

grahamm (8844) | more than 4 years ago | (#29414179)

Why are the EU re-inventing the wheel? What is wrong with using existing digital signature specifications such as those defined in RFCs 3851 and 4880?

Re:Why do we need a new standard? (1)

jimking (1641823) | more than 4 years ago | (#29498431)

ISO 32000-1 (aka PDF 1.7 specification) makes use of many appropriate RFCs. There was no re-inventing here, just an application of standard technology to a widely used document format.

Why PDF? (1)

jgrahn (181062) | more than 4 years ago | (#29416615)

And they tie it to the PDF file format *why* exactly? PGP/OpenPGP/GnuPG have supported signing *any* kind of file since ... well, forever. But I suppose it could have been worse -- they could have spent a few years to design a standard for signing Commodore 64 binaries or something.

Maybe the big thing is really how they plan trust to work -- the article doesn't say and I'm too lazy to check.

Re:Why PDF? (0)

Anonymous Coward | more than 4 years ago | (#29432689)

Note that PGP / etc create a signature envelope around the document. The signature format described in the standard embeds the signature into the document itself, where it can be viewed just like a more typical wet ink signature. Also means only one app is required to both view and verify the signed doc.
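
The embedded layout described in the comment above, as an added example (not from the thread or from the ETSI text): a PDF signature dictionary carries a /ByteRange naming the bytes that are hashed, with a gap left for the /Contents value that holds the signature itself, so a verifier can check how much of the file the signature actually covers. The sample bytes are constructed and are neither a valid PDF nor a real CMS signature; the function names are hypothetical, and no CMS validation is performed.

```python
import hashlib
import re

# /ByteRange [a b c d]: bytes a..a+b and c..c+d are hashed; the gap holds /Contents.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample_pdf() -> bytes:
    """Constructed sample bytes with one signature dictionary (not a valid PDF)."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached "
    contents = b"<" + b"00" * 32 + b">"  # stand-in for the hex-encoded CMS blob
    tail = b" >>\nendobj\n%%EOF\n"
    field_len = len(b"/ByteRange [%010d %010d %010d %010d] " % (0, 0, 0, 0))
    hole_start = len(head) + field_len + len(b"/Contents ")
    hole_end = hole_start + len(contents)
    byte_range = b"/ByteRange [%010d %010d %010d %010d] " % (
        0, hole_start, hole_end, len(tail))
    return head + byte_range + b"/Contents " + contents + tail


def signed_ranges(pdf: bytes):
    """Return ((offset1, length1), (offset2, length2)) from the first /ByteRange."""
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b), (c, d)


def signed_digest(pdf: bytes) -> str:
    """SHA-256 over the two signed ranges, i.e. everything except the gap."""
    (a, b), (c, d) = signed_ranges(pdf)
    return hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).hexdigest()


def check_coverage(pdf: bytes) -> list:
    """Return a list of problems; an empty list means the whole file is covered."""
    (a, b), (c, d) = signed_ranges(pdf)
    problems = []
    if a != 0:
        problems.append("signed data does not start at byte 0")
    hole = pdf[a + b:c]
    if not (hole.startswith(b"<") and hole.endswith(b">")):
        problems.append("gap between ranges is not exactly the /Contents hex string")
    if c + d != len(pdf):
        problems.append("signed range ends at byte %d but file length is %d"
                        % (c + d, len(pdf)))
    return problems


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("original :", check_coverage(pdf) or "fully covered")
    # Bytes appended after signing (an incremental update) are outside the digest.
    appended = pdf + b"2 0 obj\n<< >>\nendobj\n%%EOF\n"
    print("appended :", check_coverage(appended))
    print("digest unchanged by append:", signed_digest(appended) == signed_digest(pdf))
    # Any change inside the signed ranges changes the digest the signature binds.
    tampered = pdf.replace(b"%PDF-1.7", b"%PDF-1.6")
    print("digest changed by edit    :", signed_digest(tampered) != signed_digest(pdf))
```

With the serial signatures mentioned earlier in the thread, each earlier signature covers only the file as it stood when it was applied, so the end-of-file coverage check applies to the most recent signature.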
