Cryptography Reference
We can see by the example of fax machines what can happen to an unregulated
development: faxes cannot be used as legal evidence, but still, you can order
merchandise, or make reservations, or whatever by fax. People simply think
that the convenience of using faxes is much greater than the loss due to forged
orders, and the business world bets on an insecure system.
But forged digital signatures can have more fateful consequences than faxes; it
depends on the field of use. A legal framework would, therefore, be welcome.
Unfortunately, the effect of the signature law evaporated. Where are the
certification entities, where are the applications that were to make everyday life
easier? Though the law regulated the practical use, it failed to create spaces
of freedom for it. Digital signatures weren't put on an equal footing with
handwritten signatures. A decision to this effect would have been left up to
the court in specific cases. What's more, the BSI (the German Federal Office
for IT Security, which is part of the BND) published technical specifications
for the methods to be used. Many businesses didn't like this at all,
arguing that 'we're not going to let them tell us what technology to use'. The
requirements on certification entities entitled to generate and certify public
keys were extremely high. The effect was that there are almost no certification
entities.
Eventually, the EU brought this nasty matter back on track. It demanded
uniform and more liberal regulations, which the Germans initially didn't like at
all. But eventually, the House of Parliament passed a new signature law in
February 2001. Digital signatures are now supposed to be applicable across all
states concerned, and there are (almost) no technical provisions. In turn, the
certification entities are responsible for damage incurred.
The new law didn't bring about a decisive breakthrough. Similarly to the sad
story about theory and practice in mail encryption, described in Section 7.2.3,
wish and real world are poles apart. Bruce Schneier once said: 'The economic
barriers to security are far greater than the technical ones.' Except in emails,
I only use digital signatures on my electronic income-tax returns. Apart from
the huge problems in the startup phase, I can't get rid of the impression that it
worked much faster, simpler, and was less erroneous with paper and pen.
8.3 What Next?
Now that you've read this topic you will better understand what was said in
Section 1.2.2: cryptology is only a member in a long security chain, but a