Bodo,

> Does DIN EN 45011 apply to SigG certification for devices and
> products? If so, what are the SigG Certification Bodies' (<URL:
> http://www.bsi.de/aufgaben/projekte/pbdigsig/main/pub.htm>) "documented
> procedures for withdrawal of licences, certificates and marks of
> conformity" when it comes to violation of functionality specifications
> (violation of the standards for BER, in this case)?

Devices and products conformable with the German signature law have to be evaluated through ITSEC. But, regardless of ITSEC, TeleSec didn't violate any rules relevant to the law. Even if they would have redefined X.509v3 to fit their needs that would have been okay.

To answer your question: no, there are no rules for the withdrawal of CA licences. Strictly speaking, there even are no rules for the licensing of CAs: the federal agency operating the root CA cannot reject a licence if hardware, software and the CA's security concept have been evaluated.

This is bad and the responsible people know about this but...

Cheers,

Stefan.
______________________________________________________________________________
Stefan Kelm
PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30
http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)
Tel: +49 40 428 83-2262 / Fax: -2241