Re: crypto component services - is there a market?
Stefan Kelm wrote:
> Nicholas,
> ..
> There's another EU Directive on simplifying, modernising and harmonising the conditions laid down for invoicing in respect of value added tax.
>
>   Invoices sent by electronic means shall be accepted by Member States provided that the authenticity of the origin and integrity of the contents are guaranteed:
>   - by means of an advanced electronic signature within the meaning of Article 2(2) of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures; Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure-signature-creation device, within the meaning of Article 2(6) and (10) of the aforementioned Directive;
>
> That's the one I was talking about earlier. eInvoicing slowly seems to take off in a few European countries. I have no idea as to how this Directive has been transposed into UK law, though.

I too do not know how the UK has dealt with implementation - the Directive seems to require Member States to accept electronic invoices under the prescribed conditions, but does not prevent them from accepting electronic invoices even without such conditions. My impression, from practical experience of advice given by the UK VAT authorities, is that electronic invoicing in the UK does not require any special guarantees of authenticity or integrity.

Nicholas
--
Salkyns, Great Canfield, Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 870285 (+44 1279 870285)  Mobile 07715 419728 (+44 7715 419728)
PGP public key ID: 0x899DD7FF. Fingerprint: 5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: crypto component services - is there a market?
Ian,

> Stefan is talking about Germany which has issued a plethora of recommendations, laws and what-not to cause ecommerce to leap into life. Unfortunately, they did not understand, and electronic documents are much much harder to do in these environments, with no general added benefit and lots of downside. Moreover, some other countries blindly copied what the Germans did, thinking that would be a good idea.

The Austrians made some of the exact same mistakes but seem to have learned faster than the Germans.

> The German rules have defied, there is no easy way to get into them ... at least, the Germans have sworn to me it is impossible...

Sad but true. This year'll mark the 10th anniversary of our signature law. I reckon nobody will be celebrating that event...

> Qualified certificates are defined in the European Digital Signature Directive, which is an over-arching design for all the EU countries to pass into local law.

Yes, this has already happened and has even been evaluated by the European Commission in 2003:

http://www.law.kuleuven.ac.be/icri/itl/elsig.php
http://www.secorvo.de/publikationen/electronic-sig-report.pdf

> It's only under the German code where they try and define it all, as far as I can see. We are talking about a country where they tried to tax servers so as to pay for their TV...

Yeah, bloody Germans... :-)

Cheers,

Stefan.

T.I.S.P. - Have your qualification certified, 25-30 June 2007 - http://www.secorvo.de/college/tisp/

Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
Mannheim HRB 108319, Managing Director: Dirk Fox
Re: crypto component services - is there a market?
Nicholas,

>> Stefan is talking about Germany
>
> I realise that, but he said Europe, so I felt a UK counter-example was in order!

Point taken. :) However, there are other countries w/ similar rules.

>> Qualified certificates are defined in the European Digital Signature Directive, which is an over-arching design for all the EU countries to pass into local law. Basically, they are personal smart cards operating under (harsh and uneconomic) secure conditions, because they really tried hard to make the results like human signatures.
>
> As I read it, the cards are the so-called secure signature creation devices, while the certificates are, well, just certificates.

Yep.

>>> I received and continue to receive electronic invoices from time to time, but none appear to be digitally signed, nor have I seen evidence of time-stamping in operation.
>>
>> UK probably ignored the whole thing. More power to them. Under Anglo common law this is not an issue, as long as there is a lightweight digsig model shall not be denied legal standing solely on the basis that it is a digsig.
>
> Well, we implemented the Directive, which didn't require much change to the law, as you note. But there has been little take-up for a solution in search of a problem.

There's another EU Directive on simplifying, modernising and harmonising the conditions laid down for invoicing in respect of value added tax.

  Invoices sent by electronic means shall be accepted by Member States provided that the authenticity of the origin and integrity of the contents are guaranteed:
  - by means of an advanced electronic signature within the meaning of Article 2(2) of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures; Member States may however ask for the advanced electronic signature to be based on a qualified certificate and created by a secure-signature-creation device, within the meaning of Article 2(6) and (10) of the aforementioned Directive;

That's the one I was talking about earlier. eInvoicing slowly seems to take off in a few European countries. I have no idea as to how this Directive has been transposed into UK law, though.

Cheers,

Stefan.
Re: crypto component services - is there a market?
Ian,

> Hmmm... last I heard, qualified certificates can only be issued to individuals, and invoicing (of the e-form that the regulations speak) can only be done by VAT-registered companies.

True.

> Is that not the case? How is Germany resolving the contradictions?

By using pseudonyms within the certificate's common name. This is not only done in Germany but in other countries as well. Even CAs (and, at least in Germany, the root CA) are being issued qualified certificates, thus they need to use pseudonyms. The timestamping service by Deutsche Post, e.g., has a qualified certificate with the following DN:

  Subject DN :
    CN = TSS DP Com 31:PN
    OU = Signtrust
    O  = Deutsche Post Com GmbH
    C  = DE

>> Since electronic invoices need to be archived in most countries some vendors apply time-stamps and recommend to re-apply time-stamps from time to time.
>
> Easier to invoice with paper!

potentially much more expensive, though.

Cheers,

Stefan.
Re: crypto component services - is there a market?
Stefan Kelm wrote:
>> Same with digital timestamping.
>
> Here in Europe, e-invoicing very slowly seems to be becoming a (or should I say the?) long-awaited application for (qualified) electronic signatures.
>
> Since electronic invoices need to be archived in most countries some vendors apply time-stamps and recommend to re-apply time-stamps from time to time.

When I was in business in the UK (until last year) (as a VAT-registered individual) I issued electronic invoices when convenient to my clients. I found no general requirement for any signature, let alone a qualified electronic one; I had a professional obligation to sign invoices, which I met by the inclusion of a graphic of a handwritten signature. Invoices were dated and copies kept, but there was no requirement for time-stamping or any particular evidence of date of delivery. I received and continue to receive electronic invoices from time to time, but none appear to be digitally signed, nor have I seen evidence of time-stamping in operation.

Nicholas
Re: crypto component services - is there a market?
re:
http://www.garlic.com/~lynn/aadsm26.htm#60 crypto component services - is there a market

slightly related discussion of x9.59 financial standard protocol
http://www.garlic.com/~lynn/x959.html#x959

supporting hash of invoice in any dispute resolution ... thread from a couple weeks ago
http://www.garlic.com/~lynn/aadsm26.htm#44 Governance of anonymous financial services
http://www.garlic.com/~lynn/aadsm26.htm#48 Governance of anonymous financial services

where the x9.59 transaction is digitally signed (and presumably logged/archived as part of various financial regulations). In dispute, both parties can produce their version of any invoice (bill of materials, etc) and differences can be resolved by the hash included in the signed payment transaction.

In the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for ALL retail payments. It faced a couple issues

1) It was starting to dawn that x.509 identity certificates from the early 90s, frequently overloaded with personal information, represented significant privacy and liability issues. As a result there was a move to digital certificates that contained some sort of indirect (and/or obfuscated) lookup value ... and were frequently referred to as relying-party-only certificates
http://www.garlic.com/~lynn/subpubkey.html#rpo
however, it was trivial to show that in any situation where the indirection had to be used for some sort of lookup ... that the public key could be obtained in the same operation ... making the digital certificate redundant and superfluous

2) Some of the other digitally signed work for financial transactions in the period ... the appending of a digital certificate to such a transaction was resulting in two orders of magnitude payload and processing bloat (for something that was redundant and superfluous)
http://www.garlic.com/~lynn/subpubkey.html#bloat

3) The appending of the digital certificate is basically a paradigm operation that supports distribution of trusted information for offline operation (the electronic analog of physical credential, certificate, license, and/or letters of credit/introduction from sailing ship days and earlier). At the time we were working on x9.59 ... there were several claiming that the appending of digital certificates (to financial transactions) was needed to bring financial processing into the modern age. Our reply was that moving from a fundamentally online infrastructure to an offline paradigm actually represented a regression of several decades. It was somewhat after that you started to see work on the rube goldberg OCSP standard.

In some respect ... trusted time-stamping is attempting to take the online financial transaction model where there are frequently strict regulations about archiving/auditing and extend it to other types of operations. In the x9.59 financial standard scenario ... the financial archiving/auditing infrastructure was extended to cover invoice, bill-of-materials, etc ... by simply adding their hash to the digitally signed financial transaction (and at the same time avoiding the enormous payload and processing bloat seen in various other strategies).
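As an added illustration of the dispute-resolution idea in the post above (the invoice hash travels inside the signed payment transaction, and no certificate is attached because the bank already holds the payer's key), the Go program below is example code written for this page; it is not x9.59 itself and not Lynn's code. The transaction layout, the field names, Ed25519 as the signature scheme, the `DemoKeyPair` seed and the invoice strings are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Transaction is a hypothetical, simplified payment message: the payer signs
// the payment fields together with the hash of the invoice being paid.
// No certificate is carried; the relying party (the bank) verifies with the
// public key registered for the account.
type Transaction struct {
	PayerAccount string
	PayeeAccount string
	AmountCents  uint64
	InvoiceHash  [32]byte // SHA-256 of the invoice bytes (assumed field)
	Signature    []byte   // Ed25519 signature over Canonical()
}

// Canonical returns an unambiguous, length-prefixed serialisation of the
// signed fields so that signer and verifier hash exactly the same bytes.
func (t Transaction) Canonical() []byte {
	buf := make([]byte, 0, 128)
	for _, s := range []string{t.PayerAccount, t.PayeeAccount} {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(s)))
		buf = append(buf, n[:]...)
		buf = append(buf, s...)
	}
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], t.AmountCents)
	buf = append(buf, amt[:]...)
	return append(buf, t.InvoiceHash[:]...)
}

// DemoKeyPair derives a deterministic Ed25519 key pair from a constructed seed.
// It stands in for the key the payer registered with the bank; it is not a real key.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed demo seed
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// InvoiceHash is the commitment to the invoice that the transaction carries.
func InvoiceHash(invoice []byte) [32]byte { return sha256.Sum256(invoice) }

// SignTransaction builds and signs a payment that commits to the given invoice.
func SignTransaction(priv ed25519.PrivateKey, payer, payee string, amountCents uint64, invoice []byte) Transaction {
	tx := Transaction{PayerAccount: payer, PayeeAccount: payee, AmountCents: amountCents, InvoiceHash: InvoiceHash(invoice)}
	tx.Signature = ed25519.Sign(priv, tx.Canonical())
	return tx
}

// VerifyTransaction is the bank's check using the public key already on file
// for the account; no certificate lookup is involved.
func VerifyTransaction(pub ed25519.PublicKey, tx Transaction) bool {
	return ed25519.Verify(pub, tx.Canonical(), tx.Signature)
}

// ResolveDispute compares each party's copy of the invoice against the hash
// committed in the archived signed transaction and names the copies that match.
func ResolveDispute(tx Transaction, copies map[string][]byte) []string {
	var matching []string
	for name, inv := range copies {
		if InvoiceHash(inv) == tx.InvoiceHash {
			matching = append(matching, name)
		}
	}
	sort.Strings(matching) // map iteration order is random; return a stable answer
	return matching
}

func main() {
	pub, priv := DemoKeyPair()
	invoice := []byte("Invoice 1001: 10 widgets @ 1.00 = 10.00") // constructed sample
	tx := SignTransaction(priv, "payer-acct-1", "payee-acct-9", 1000, invoice)
	fmt.Println("bank verifies signature:", VerifyTransaction(pub, tx))

	// Later dispute: the payee presents a different version of the same invoice.
	altered := []byte("Invoice 1001: 10 widgets @ 1.50 = 15.00") // constructed disputed copy
	fmt.Println("copies matching the signed hash:",
		ResolveDispute(tx, map[string][]byte{"payer": invoice, "payee": altered}))
}
```

The archived transaction is what settles the dispute: whichever copy hashes to the committed value is the one the payer actually signed for, and the message stays a few hundred bytes because only a 32-byte hash, not the invoice or a certificate chain, is carried.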
Re: crypto component services - is there a market?
> Same with digital timestamping.

Here in Europe, e-invoicing very slowly seems to be becoming a (or should I say the?) long-awaited application for (qualified) electronic signatures.

Since electronic invoices need to be archived in most countries some vendors apply time-stamps and recommend to re-apply time-stamps from time to time.

Cheers,

Stefan.
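To make concrete why the vendors Stefan mentions above (and in the replies quoting him) recommend re-applying time-stamps, here is an added Go example of a minimal renewal chain; it is not Stefan's, Secorvo's or any real TSA product's code. Each new token signs the document hash plus a hash of the previous token, and verification accepts the chain only if every renewal was issued while the previous TSA key was still trusted. The token format, Ed25519 signing, the `KeyID`/expiry map and the constructed seeds, times and invoice text are all assumptions made for this example; real deployments use RFC 3161 tokens and richer evidence records, but the reasoning is the same.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Timestamp is a hypothetical, simplified time-stamp token: the TSA signs the
// document hash, a link to the previous token (for renewals) and the issue time.
type Timestamp struct {
	DocHash   [32]byte
	PrevLink  [32]byte // hash of the previous token in the chain; all zero for the first
	IssuedAt  int64    // Unix seconds (constructed values in the demo)
	Issuer    ed25519.PublicKey
	Signature []byte
}

// Payload is the byte string the TSA actually signs.
func (ts Timestamp) Payload() []byte {
	b := make([]byte, 0, 72)
	b = append(b, ts.DocHash[:]...)
	b = append(b, ts.PrevLink[:]...)
	var when [8]byte
	binary.BigEndian.PutUint64(when[:], uint64(ts.IssuedAt))
	return append(b, when[:]...)
}

// Link is what the next renewal commits to: the whole signed token.
func (ts Timestamp) Link() [32]byte {
	return sha256.Sum256(append(ts.Payload(), ts.Signature...))
}

// KeyID is the map key used for the trust/expiry table.
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

// DemoTSAKey derives a deterministic TSA key pair from a constructed seed byte (not a real key).
func DemoTSAKey(seedByte byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seedByte}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// IssueTimestamp is the TSA side. With prev == nil it stamps the document for the
// first time; with prev set it re-applies a stamp, binding the new token to the old one.
func IssueTimestamp(tsaPriv ed25519.PrivateKey, doc []byte, prev *Timestamp, issuedAt int64) Timestamp {
	ts := Timestamp{DocHash: sha256.Sum256(doc), IssuedAt: issuedAt,
		Issuer: tsaPriv.Public().(ed25519.PublicKey)}
	if prev != nil {
		ts.PrevLink = prev.Link()
	}
	ts.Signature = ed25519.Sign(tsaPriv, ts.Payload())
	return ts
}

// VerifyChain checks an archived document against its renewal chain. keyExpiry maps
// KeyID(pub) to the last time that TSA key is trusted. Every renewal must have been
// issued before the previous issuer's key expired, and the latest issuer must still
// be trusted at `now`. On success it returns the earliest proven existence time.
func VerifyChain(chain []Timestamp, doc []byte, keyExpiry map[string]int64, now int64) (int64, error) {
	if len(chain) == 0 {
		return 0, errors.New("empty chain")
	}
	docHash := sha256.Sum256(doc)
	var prevLink [32]byte
	for i, ts := range chain {
		if ts.DocHash != docHash {
			return 0, fmt.Errorf("token %d: document hash mismatch", i)
		}
		if ts.PrevLink != prevLink {
			return 0, fmt.Errorf("token %d: not linked to the previous token", i)
		}
		if !ed25519.Verify(ts.Issuer, ts.Payload(), ts.Signature) {
			return 0, fmt.Errorf("token %d: bad TSA signature", i)
		}
		if i > 0 {
			exp, ok := keyExpiry[KeyID(chain[i-1].Issuer)]
			if !ok || ts.IssuedAt > exp {
				return 0, fmt.Errorf("token %d: renewal issued after the previous TSA key expired", i)
			}
		}
		prevLink = ts.Link()
	}
	if exp, ok := keyExpiry[KeyID(chain[len(chain)-1].Issuer)]; !ok || now > exp {
		return 0, errors.New("latest TSA key is no longer trusted; the chain needs another renewal")
	}
	return chain[0].IssuedAt, nil
}

func main() {
	pubA, privA := DemoTSAKey(0x01)
	pubB, privB := DemoTSAKey(0x02)
	expiry := map[string]int64{KeyID(pubA): 2000, KeyID(pubB): 5000} // constructed trust windows
	doc := []byte("Invoice 1001 (constructed archived invoice)")
	first := IssueTimestamp(privA, doc, nil, 1000)
	renewal := IssueTimestamp(privB, doc, &first, 1900) // re-applied before TSA A's key expires
	fmt.Println(VerifyChain([]Timestamp{first, renewal}, doc, expiry, 3000))
	fmt.Println(VerifyChain([]Timestamp{first}, doc, expiry, 3000)) // no renewal: key A expired
}
```

The point the chain makes is that a renewal is only worth anything if it is applied while the earlier evidence can still be checked; a stamp re-applied after the previous key has expired proves nothing about the original date, which is why the recommendation is "from time to time" rather than "once it breaks".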
Re: crypto component services - is there a market?
Stefan Kelm wrote:
>> Same with digital timestamping.
>
> Here in Europe, e-invoicing very slowly seems to be becoming a (or should I say the?) long-awaited application for (qualified) electronic signatures.

Hmmm... last I heard, qualified certificates can only be issued to individuals, and invoicing (of the e-form that the regulations speak) can only be done by VAT-registered companies. Is that not the case? How is Germany resolving the contradictions?

> Since electronic invoices need to be archived in most countries some vendors apply time-stamps and recommend to re-apply time-stamps from time to time.

Easier to invoice with paper!

iang
Re: crypto component services - is there a market?
Stefan Kelm wrote:
> Here in Europe, e-invoicing very slowly seems to be becoming a (or should I say the?) long-awaited application for (qualified) electronic signatures.
>
> Since electronic invoices need to be archived in most countries some vendors apply time-stamps and recommend to re-apply time-stamps from time to time.

recent post/thread with some discussion of the business of digital certificates ... as distinct from either digital and/or electronic signatures.
http://www.garlic.com/~lynn/2007h.html#28 sizeof() was: The Perfect Computer - 36 bits?

one of the exploits for the changing the burden of proof scenario (mentioned in the above post) ... since the incentive is significant ... is where the merchant produces a digital signature plus corresponding digital certificate purported to be from the other party.

the underlying digital signature stuff was designed for providing authentication and integrity for the transaction. there was never any provisions for it to ever provide intent and/or handle the situation of establishing the inverse ... i.e. in traditional digital signature digital certificate paradigm ... there is no way of proving what, if any, digital signature and digital certificate were originally appended to the transaction/invoice.

this somewhat gets into the area of non-repudiation services (where some of the trusted time-stamping have periodically wandered into) ... i.e. for individuals, digital signature isn't representative of a human signature and intent ... it purely does (what digital signatures were originally designed for) authentication and integrity.

other parts of the same thread related to digital signatures
http://www.garlic.com/~lynn/2007h.html#20 sizeof() was: The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007h.html#22 sizeof() was: The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007h.html#26 sizeof() was: The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007h.html#27 sizeof() was: The Perfect Computer - 36 bits?

possibly being able to force changing of burden of proof ... is analogous to some past discussions about dual-use attack ... again where there was possibility of allowing digital signatures to wander into the arena of human signatures and intent ... a thread that started in this mailing list
http://www.garlic.com/~lynn/aadsm17.htm#57 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm17.htm#59 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#1 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#2 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#3 dual-use digital signature vulnerability
http://www.garlic.com/~lynn/aadsm18.htm#56 two-factor authentication problems
http://www.garlic.com/~lynn/aadsm19.htm#27 Citibank discloses private information to improve security
http://www.garlic.com/~lynn/aadsm19.htm#41 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm19.htm#43 massive data theft at MasterCard processor
http://www.garlic.com/~lynn/aadsm20.htm#0 the limits of crypto and authentication
http://www.garlic.com/~lynn/aadsm21.htm#5 Is there any future for smartcards?
http://www.garlic.com/~lynn/aadsm21.htm#13 Contactless payments and the security challenges
http://www.garlic.com/~lynn/aadsm23.htm#13 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
Re: crypto component services - is there a market?
i am not sure what you mean by crypto component services. Can you please elaborate?

saqib
http://www.full-disk-encryption.net

On 4/16/07, Travis H. [EMAIL PROTECTED] wrote:
> So back when I was reading about secure logging I thought it'd be a fun service to offer, but it doesn't seem like a product that the average business would be interested in; it seems more like something that would be a component of a larger system, or used by other systems. Same with digital timestamping. Does anyone think there is a market for these point solutions?
> --
> Kill dash nine, and it's no more CPU time,
> kill dash nine, and that process is mine. -- URL:http://www.subspacefield.org/~travis/
> For a good time on my UBE blacklist, email [EMAIL PROTECTED]

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net