New Standard For EU-Compliant Electronic Signatures

An anonymous reader writes "ETSI has published a multi-part standard that will facilitate secure paperless business transactions throughout Europe, in conformance with European legislation. The standard defines a series of profiles for PAdES — Advanced Electronic Signatures for PDF documents — that meet the requirements of the European Directive on a Community framework for electronic signatures (Directive 1999/93/EC)."

Good to see.

[palegray.net]

It's good to see some progress being made in the formalization of standards for accepting electronic signatures. I'm reminded of the issues with conventional legal guidelines surrounding hand-written signatures, and look forward to cryptographically verifiable alternatives.

Re:

[timmarhy]

while i agree, it still boils down to a single point of failure - trust. back in the day the bank teller not only got your signature, she knew your face. by far the most effective security we have ever had, it's all been down hill since personalised service was dumped.

Re:

[CarpetShark]

back in the day the bank teller not only got your signature, she knew your face.

Yes, and maybe even enough of your behaviour to know if you're being coerced into withdrawing all your money, or if you just want to.

Re:

[clickety6]

Yeah, but just like fingerprint detectors that was so easily fooled by using a latex cast of the person's
face over your own... have you never seen Mission Impossible?

Re:

[MrMr]

Unless he's a finger puppet.

Re:

[MartinSchou]

And that falls apart as soon as you aren't visiting your local branch. Like when you're in another city.

And while you could just bring cash with you, that's not always an option, like when you're leaving before pay day and not getting back until after pay day. Are you supposed to starve, should you spend eight hours in a car driving back home just to get money and then drive another eight hours to get back to where you were?

At some point convenience needs to play a role.

And keep in mind that the first banks

Adobe Lobby machine

[Anonymous Coward]

Great to see the Adobe Lobby Machine in action. They are really pushing very hard to convince everyone into using PDF at the Service Directive level. OK, there is the ISO 32000-1 standard. But there's more to it than just an open standard. The biggest issue is the risk of vendor lock-in. The big problem with PDF is that there's basically only one vendor supporting the full specification, being Adobe. If you compare this with OOXML you could even state that Microsoft products are less risky as it comes to ve

Re:Adobe Lobby machine

[cbreak]

There are many ways to create PDFs and read PDFs without relying on Adobe. Mac OS X offers wide support for this format, every application that can print can create a PDF file. PDFs can be opened with Preview and many other applications understand it.
LaTeX can create PDF files either directly or with ghostscript, which creates PDFs out of Postcript files.
Many different libraries exist to create a PDF programmatically.
Not all implementations might be feature complete, but it's far from being as proprietary as Office from Microsoft.

Re:

[Yer Mum]

But unless alternative PDF readers can verify electronic signatures, they'll be useless. And more importantly, unless alternative PDF writers can generate electronic signatures, they'll be useless. That's where the money is.

Re:

[The Cisco Kid]

Exactly. I can read pretty much read any random PDF found on the net or sent to me, with my choice of tools (Adobe, xpdf, evince, etc). Likewise, I can produce postscript (which I can convert to pdf that can be read with the same choice of tools [Adobe, xpdf, evince, etc] ) with anything that can 'print' documents on my Debian system

I have yet to see anything approaching that level of interoperability, BY DEFAULT, using MS formats. And if it ever comes, it will be only after MS has lodged every possible pro

Re:

[RMH101]

What does this have to do with the DRM required for ER/ES?

Re:

[CarpetShark]

Mac OS X offers wide support for this format

I believe Apple licenses Display Postscript and probably other PS stuff from Adobe.

Re:

[TheTurtlesMoves]

I use PDF all the time on linux. I don't use a single adobe product, and I do use a commercial product for annotation. Thats not lock in.

You can download the full PDF spec with a pretty standard agreement. The biggest part of the agreement is that the pdf readers you write with the standard will enforce document "no printing/no copying" settings. You don't need to pay a fee that a lot of other standards require before they give the documentation.

PDF as a format is controlled by adobe, but it is open f

Re:

[TheRaven64]

Yes, I found this a good reason to switch away from Adobe Reader; Apple's Preview (as well as being faster) lets me annotate any PDF. My workflow involves a lot of PDFs and no Adobe products at all. I generate images in PDF format from a variety of tools (GraphVis, OmniOutliner, GNUplot, and so on), incorporate them into documents using pdflatex and send them to my publisher. They annotate them and send them back, whereupon I review the annotations in Preview, make changes to the LaTeX source and then se

Re:

[Anonymous Coward]

PDF is now an ISO standard so theoretically no longer controlled by Adobe. The latest specification no longer includes the text about PDF readers enforcing document security settings in exchange for the permission to use the "copyrighted data structures".

Re:

[elsJake]

I haven't read the specification but i certainly like the "Obey DRM limitations" check box in the Kpdf settings menu.

Re:

[jimking]

OK, as an Adobe employee and the designated Adobe PDF Platform Architect let me put forward some facts.
o PDF has been an ISO standard for over a year (ISO 32000-1). (A free copy can be obtained here: http://www.adobe.com/devnet/pdf/pdf_reference.html [adobe.com] (bottom of the page).)
o There are no legal restrictions imposed by Adobe to develop software to process PDF. No money, no hassle, never was.
o There are thousands of applications created by hundreds of vendors that process PDF files in some way. (Do a Goog

Re:

[Cheesetrap]

Are you claiming to be a better tool?

Acronym

[mac1235]

ETSI = European Telecommunications Standards Institute. (It's not obvious from the article.) http://en.wikipedia.org/wiki/European_Telecommunications_Standards_Institute [wikipedia.org]

OS Implementation?

[CarpetShark]

Anyone know if this will be implementable in free software? Are there patent/copyright issues?

Re:

[RiotingPacifist]

No software patent issues in Europe, so while you could patent the entire process with a business patent or something, no patent can prevent you from implementing the software parts.

Reference or Link to Standard

[omb]

It would be helpful if someone posted a link to the standard.

TS 102 778-x

[mrt_2394871]

The European Telecommunications Standards Institute's search page is at:
http://pda.etsi.org/pda/queryform.asp [etsi.org]
Search for "pades" in the title will get you the five parts of the standard (well, Technical Specification).

ETSI TS 102 778-x

And thank goodness it's ETSI doing this, since they publish their standards without charge.

What is secure about signatures?

[dhammabum]

I've just had a quick look at the standard - the problem here isn't the mechanism of the signature, but the security of the signature itself. Should the computer on which the signature resides be compromised, the attacker can create and sign documents at will. Also as the standard allows for "serial signatures" which means multiple related signatures for serial authorisation/authentication, it also presents the potential of a man-in-the-middle attack. Why should a company actually trust such a system? I can

Re:

[nOw2]

I can't see this replacing binding contracts between the parties.

If you wish to issue invoices electronically in the EU, they can only be legal (for VAT etc.) if signed correctly.

This varies country by country; sometimes it just needs to be signed by any old self-signed cert, sometimes you need a cert issued by a central tax authority, sometimes a cert issued by a bank, and some countries don't bother at all and you can invoice by plain text if you like.

But anyway; for invoicing at least, signed PDFs can be legally binding contracts.

Re:

[jonbryce]

Britain follows the you can invoice by plain text if you like approach. Dead tree invoices don't need to be signed either, and they usually are not.

Re:

[CXI]

The real problem is that electronic signatures are trying to make an inherently non-secure or verifiable process into something that is secure are verifiable. In truth, written signatures are meaningless, constantly forged and not reliable at all. It's a huge effort to take the office business processes currently in place and actually make them secure enough that a digital signature can work. Take the most basic example where a secretary signs the boss's name. Multiply that by a hundred other exceptions tha

Cool...now we have cementd adobe in place!

[hesaigo999ca]

The biggest vulnerability is adobe pdf reader. Everyone accounts for 99% of pcs use adobe reader (with all its vulnerabilities) and this now has just put the icing on the cake. I hope that most people know to use a different reader then adobe to load the content...
unless of course this new format will only be available by adobe and not allowed by other pdf readers...

They have cemented a known bad file system in place for digital exchange ...great!

Could Be Big

[twmcneil]

Judging from the low number of comments posted in reply to this story, it looks like a lot of people are going "So What?"

This could be big though. Here we have a well known and well defined format (pdf) moving in and occupying this space first before Microsoft. This gives pdf (and Adobe if you wish) a big headstart in defining the market for products based upon this standard.

Next, some people in Redmond will try to figure out how to displace this spec with their own. I think they will find it harder to d

Why do we need a new standard?

[grahamm]

Why are the EU re-inventing the wheel? What is wrong with using existing digital signature specifications such as those defined in RFCs 3851 and 4880?

Re:

[jimking]

ISO 32000-1 (aka PDF 1.7 specification) makes use of many appropriate RFCs. There was no re-inventing here, just an application of standard technology to a widely used document format.

Why PDF?

[jgrahn]

And they tie it to the PDF file format *why* exactly? PGP/OpenPGP/GnuPG have supported signing *any* kind of file since ... well, forever. But I suppose it could have been worse -- they could have spent a few years to design a standard for signing Commodore 64 binaries or something.

Maybe the big thing is really how they plan trust to work -- the article doesn't say and I'm too lazy to check.