Germany is putting its legislative and industrial muscle behind a new secure email system, dubbed De-mail, that aims to become an alternative to conventional paper documents for legally binding transactions. The service earned a prominent place at the opening of the CeBIT trade show in Hanover at the same time as legislation to …
Having just made a sarky "progress" remark at fancy new digital billboards, this genuinely does strike me as a step forward. Good luck with this, Germans!
Electronic communications were made explicitly legal under the EU legislation that our own slow UK parliament put into law back in 2000 (Electronic Communications Act 2000).
Ability to contract is not usually regulated by medium, but what you can prove in court at a later date, and unless the flashy new revenue generator exercise can prove who wrote what, when and where, then it will still be as enforceable as a verbal contract (and yes those are legal, just usually unenforceable)
It's been 4 years now since I got my Bulgarian digital ID and any document signed with it is as valid as a good old sig. It is standard req for e-banking, tax returns, etc.
The el-cheapo smartcard reader bundled with it is a bit of a nightmare. However even with that taken into account it worked on Linux (intel 32) day one 4 years ago and is working on my home system (amd64) today.
Now why you still cannot use something similar in the UK. Well... No comment... Because no comment is necessary...
...and of course it's completely impossible to spoof a from field in an e-mail.
Colour me stupid...
...but isn't this just like GPG signed mail (that's been around for ages) with an official seal of approval?
The issue has never been technology - it's the legal side of things.
If you write into law that a digital signature has the same validity as a physical one (leaving aside how sane/safe that actually is) you make it an accepted practice. Until such time you can take any digital signature contract and dispute it in court - forcing the signee to prove with science that it's highly likely that this was a valid event. Making it legally accepted foregoes all this.
As an aside, this has been tried before, in many countries. The principal problem remains absolute identification of the end user. I'll sit back and watch the show - I'm sure the Chaos Computer Club will start peeling away at the edges soon..
..except government will have both public and private keys.
"absolute identification of the end user"...
... is a fallacy. As in, it doesn't exist in the real world. Never mind not being needed in the real world.
Why do we keep chasing this? Probably because most of the shmucks doing the "securing" come to the field with a highly corporate mindset. As you believe in this "absoluteness" you're refusing to provide for redress from the inevitable. In a corporate world, you just fire the compromised employee, even if it wasn't his fault; it's now up to him to prove that in court.
In government, you can't easily do that. As an extreme example, biometrics turns the importance relationship in "my card" vs. "myself" around to the point that it's easier to shoot the compromised citizen than replace his abused identity-on-a-card--replacing his faked-by-someone-else fingerprints isn't easy and there's plenty more citizens where he came from, they keep breeding like rabbits anyway. Yes, this is very cold and callous and even the legislators haven't caught on to the fact that this is what they're doing. Analogously with requiring "ID" everywhere, en passant killing privacy. Is that what you want? I certainly don't.
It would be much better to make our digital systems "good enough" and "resilient against abuse" and /then/ make sure that recovery from abuse is doable and not too time and effort consuming, costly and reputation killing.
Which is why it's much better to recognise digital signatures as being sound enough for use and leave the which signature belongs to whom to, say, contract law. We really should recognise that currently analogue signatures aren't registered or anything and that as long as you keep in mind that this is the same for digital signatures, that can work pretty well too.
It's the belief that we somehow need to bind digital signatures "absolutely" to someone or something that we're shooting ourselves in the foot. So it's time we stopped believing that.
Germany good at e-commerce?
"Germany is already well ahead of most countries in the availability of e-commerce" Really? I find Germany trash at websites, availability of online services, gov support, job advertising etc. Maybe because we are better at e-commerce? (UK)
It didn't catch on last time, what's different this time
Trustable email didn't catch on last time when the underlying standard was called (amongst other things) X.400. The dumb-as-(whatever) teletype-era protocols lived on.
What, other than the fact that any smartphone has more compute power than the biggest UNIX box of the mid 1980s X.400 era, is different this time?
Not saying it wouldn't be a good idea, mind.
Need a dinosaur icon, please, for those who have been in the industry long enough to know how useful Microsoft certification really is.
I'll have the ring and watch please...
X400 failed, or at least it declined, primarily because of the excruciating prices charged by the providers. This rate depended on the destination (just like snail mail) and the size of the content. 50c per kB wasn't uncommon, although it was cheaper in bulk -- a few cents per kB.
(I once found an application that pinged a keep alive message via X400 every 5 mins - cost the company $30,000 in a couple of months!)
That and X400's committee-designed email addresses of bewildering complexity.
Choose between that and the basically free Simple Mail Transfer Protocol, it was hardly surprising X400 went the way of the Dodo.
This does sound like son of X400.
The service fails to offer end-to-end encryption
De-mail's failure to provide end-to-end encryption calls for either the FAIL icon or the Black Helicopter, take your pick...
Decrypting en-route to "scan for viruses" makes the entire exercise pointless. Messages can be intercepted and -more importantly- changed at this stage. Waste of time.
Consider me bridled
"For one thing consumers are likely to bridle at the idea of paying to send email. [...] Lastly, supporting the service would involve [...] the use of Outlook plug-ins at the consumer end"
You want me to pay *and* you want me to use Outlook. Er, gosh.
Don't be surprised if this does catch on.
If you know how the Germans like to throw formalistic paperwork at each other, then yes, I can see this getting big at least between businesses, even with the payment --that's something the billing department will take care of anyway-- as long as it's cheaper than recorded delivery. Because it's better than a fax for comparable price.
My beef, apart from the payment --very cleverly done, deutsche post, to get government backing like that for essentially treating email as a postal delivery-- is the "prove your identity" bit. Not because that's bad in and of itself, but because it's still the entrenched "you only have one legal identity" whereas you in reality may have many daily identities. The very existence of businesses shows that it's often useful to separate that sort of thing out, but then there's pen names and stage names and so on. Why shouldn't I be able to do business under them?
"Recorded delivery" to a physical mailbox involves the post dropping a letter in a box at the indicated address with the indicated name on it. That's it. And yes, that'll stand in court even if you claim you didn't empty that box for a fortnight: That's no defence, and too bad you missed the deadline for appealing. You lose.
Why handing over an address and a gpg public key perhaps at the time of signing a contract wouldn't do but needs waving of ID papers around is a bit beyond me. What does that ID card have to do with it, really? What makes the electronic world so different that they need every excuse they can get to fob more ID cardery on you? Just to lock you down? That's good enough reason to not opt in for me. Now just wait until they take the opting anything choice away.
Recorded Delivery, ...
at least with Royal Mail in the UK, requires that the item be signed for, not just dropped in the box. The signature doesn't have to be that of the addressee though.
In Germany there are actually four variants.
Einschreiben: Proof you gave it to the postman.
Einschreiben einwurf: Proof they dropped it in a post box.
Einschreiben eigenhaendig: Proof someone from a list of acceptable signers signed for it.
Einschreiben rueckschein: You get a lila card back with a signature.
That einschreiben einwurf is "good enough" for a bunch of things like the /Mahnverfahren/, a fast-tracked small claims court type of thing. So in the real world there's a bunch of choice, and a lot looser legal requirements that appear to be enough there, that you're not getting with this system.
Any contract can be verbal, in email, fax, paper, or whatever, and any of them can be disputed.
The idea that email cannot be used to enter into binding contracts is idiotic. It can be and is.
What matters is what the court thinks is the truth, on the balance of probabilities. Email fits in there quite solidly alongside fax, and wet signature. That's especially true of low-value transactions.
The idea posted by others above that emailed contracts are unenforcible is wrong. You just turn up with a printout of the email - that's your evidence. It only has to be proved "on the balance of probabilities" so that's fine, unless the other party is prepared to commit fraud and/or lie on oath, which would be idiotic since that carries a prison sentence.
Whereas the "wet signature" - well that's just as deniable as email. Just say "I didn't sign that, someone has forged the document" and you are back to square one.
(Yes I know there is an exception for property contracts. If you think I would trust my house to a digital signature though you are mad.)
Folks consider this announcement more closely
As .de for Germany.
That is a German *joke*.
You can bet they were rolling in the aisles at Deutsche Telekom at that one.
Personally I don't *want* some centralised system to know who I am. I *do* want me to be confirmed as the person who signed a document (or not as the case may be).
This has got to happen in one form or another
Otherwise email in formal circles is merely a memo, an informal note with no importance.
Better it becomes a standard so the various email programs can dovetail in and up to that standard.
DE Mail requires new email address and does not offer end to end encryption
Secure email and legally binding documents should be taken on as a whole by the EU, any solution that is implemented should be usable across all the EU states without modification to recipient desktop environment nor should they require a new email address to use it.
A qualified advanced signature is required within the EU to sign legally binding documents, this is defined in ETSI TS 456 101 of how Certificate Authorities are to issue such signatures, DE-Mail does not appear to incorporate this into their system. How exactly DE-Mail addresses this requirement is unknown.
This appears to be a closed circuit mail system, that requires another email address (just what everyone needs). The encryption is only Point to Point (TLS), and does not encrypt the actual data at rest.
Maybe they should look at using SSLPost or something similar, which already provides Secure Email, without the need to change your email address, does not require recipient to install anything, and conforms to EU legislation on signing documents.
I guess that's one way round the extensive use of AdBlock here, well done. Direct cut 'n paste from the corporate puffery there or did you change the odd word?
I'll just look this up.......oh looky a paid-for email service, how quaint. Still, feel free to explain how this is in any way comparable to an open standard usable by all, as the connection escapes me entirely.
"Cryptoexpress has reduced Internet Spam to almost zero.". Bollocks, bollocks and thrice bollocks. It may well be that Cryptoexpress users don't get much spam, but I suspect that the reduction this causes when considered against total Internet email volumes is infinitesimal if detectable at all. Looks like it might have a connection to an *increase* in comment spam too, so it's probably a zero-sum game.
Electronic Data Interchange is what the legal eagles use in this country: a tamperproof, secure, repudiateable (able to tell whether that person really sent it) transmission system. Email is insecure, buggy, open to interception and fakeable. Nice try.
German Proof of Identity?
Most of the benefit from this sort of EDI comes if you oblige your suppliers to use it. That appears to discriminate -- illegally in at least some cases -- against non-German EU suppliers who won't have proved Demail accounts.
You certainly couldn't oblige vendors to reply to an RFP using Demail for example.
Italy already use it
In Italy "PEC - Posta Elettronica Certificata" (Certified Electronic Mail) is already in use. It relies on some certified providers to open you a mailbox and keep records of what was sent by whom and to whom in a non-repudiable way. You have to pay for it, but it can be read and sent with any mail client because it uses standard certificates (mail servers have specific requirements to store data). The German solution looks a bit lame and late, especially if it has specific client requirements.