Dr. Woitass, why was the Spanish pilot project successful, and how do you evaluate the future of digital signatures?
Woitass: The pilot project at the Spanish Ministry of Defense not only involved the development of a PKI, but also the evaluation of several IT security applications that made the use of a PKI worthwhile. The project implemented a certificate-based logon to Windows and encrypted and signed e-mails and PDF documents. The digital signature is actually one of the difficult points in the project. But in a ministry as large as this one, digital signatures will enable fully electronic processing of a variety of administrative procedures that still require printouts and manual signatures today.
Because the legal framework for the use of digital signatures already exists and the technology has already been developed, we now for the first time have excellent opportunities to realize business processes with purely electronic processing. Public agencies are currently the forerunners in this development. The arguments of process optimization and cost reduction will ultimately also convince companies of the benefit of using digital signatures. Manual document processing involves a great deal of time and cost, and it leads to media breaks. Comprehensive electronic processing, however, reduces process costs through automation.
How do employees at the Ministry of Defense produce a signature, and how are the employees authenticated?
Woitass: Employees authenticate themselves at their workplace computers with a special certificate that also helps encrypt and sign e-mails. To meet the highest security requirements, user-specific certificates and private keys are stored on a smart card – in this case, a Ceres card issued by the Spanish mint (Fábrica Nacional de Moneda y Timbre: FNMT). In the future, this card will be used at a transregional level in public agencies. The actual signature certificate creates the legally binding, electronic signature. The authentication certificate, however, guarantees only the identity of the user and the integrity of the e-mails.
How have you resolved the conflict between a high security standard and a user-friendly and simple procedure?
Woitass: Our plug-in is completely integrated with the e-mail application and the PKI of the Ministry of Defense. It checks the list of certificates and includes certification. Integration is transparent to users. When sending an e-mail, users simply indicate that the e-mail should be encrypted. The security functions are then executed automatically.
Does it make sense to connect only one, isolated agency to a security infrastructure, the PKI? Don’t external mail partners have to authenticate themselves as well?
Woitass: Above all, this project involved encryption of internal mail traffic. The size of the ministry meant that the project affected several tens of thousands of employees. You can certainly assume that a later phase will include additional ministries. The PKIs of individual ministries would then exist beneath a superordinate root PKI for the government to make all security functions available to all the ministries. Citizens or other institutions could also be integrated. Doing so would enable the creation of an individual certificate for each citizen, based upon data from the citizen’s Spanish ID card and tax number. The user-specific certificate could then be used with electronic tax returns, which are already being used.
Acceptance of payment by electronic signature would mean creation of nationwide PKIs. How can the setup costs for the PKIs be justified so that governments can afford them?
Woitass: The governmental issuing office functions as a trust center and administers the nationwide, root PKI. The customers of the trust center do not need a great deal of investment to set up and operate the PKI: costs are settled by usage, say for each certificate issued. The trust center finances itself based upon the enormous number of potential customers, which can be governmental agencies, companies, and even private persons.
Would it be less expensive for an agency or company to use a digital signature by purchasing an SAP solution with built-in user authentication?
Woitass: SAP AG offers a series of standard solutions, such as electronic files for e-government. Agencies can use these solutions to map their paper-based processes in IT-supported processes. An important reason for the use of paper is for a signature on documents and instruments. An electronic equivalent must map the manual signature. Legislators have since created the legal basis for a digital signature. With its SECUDE securedoc product, SECUDE offers a plug-in for the SAP solutions so that digital signatures can be easily and cost-effectively integrated into SAP solutions.
In which SAP solutions are authentication solutions from SECUDE integrated?
Woitass: Strong user authentication based upon digital certificates was integrated into the Basis technology of SAP as part of a development partnership between SECUDE GmbH and SAP AG. It’s available for almost all SAP solutions. In addition to internal, password-based logon, SAP solutions offer an additional, external, and parallel mechanism. The SECUDE solution implements this kind of external authentication. In the context of an additional joint project, the option to use digital signatures on documents directly in SAP applications was integrated. SECUDE supplies the required cryptographic procedure and integration with the appropriate signature tokens. SECUDE and SAP are also implementing a document management system for the German Federal Supreme Court that enables judges and officials to sign documents digitally. External paper documents – like those from lawyers – can be verified with the system. Compliance with the German law on signatures is guaranteed.
How much of an international standard exists for digital signatures – arising from the efforts of the United Nations Commission on International Trade Law (UNCITRAL), for example?
Woitass: In 1997, UNCITRAL issued a Model Law on Electronic Commerce with Guide to Enactment. All countries are free to orient their own efforts to the model law. But it unfortunately does not create international standardization or recognition. Several attempts at standardization are underway, but at the European level rather than an international level. In Germany, a tendency toward specifically German standards exists. The German law on signatures is such a (legal) standard. The problem doesn’t really primarily involve a new definition of standards. Rather, it involves the practical realization and pragmatic adjustment to meet the existing framework of economic use.