Translation and Commentary by Christopher Kuner
Translation copyright 1998 Christopher Kuner. Reproduction is permitted, provided that this translator's note, including the above copyright notice, is retained in its entirety.
Commentary: The following announcement sets forth the firms certified by the German government to perform certifications of technical components and security plans under the Digital Signature Law and Digital Signature Ordinance. The BSI, a government computer-security agency which is also involved in law enforcement, was originally to be designated as the sole such certification agency, and designation of other, private firms to perform such certifications is regarded as a victory for those in the government favoring a more flexible approach to application of the German digital signature legislation.
The original German version of the announcement is available on the Internet.
Announcement of February 9, 1998 on digital signatures under the Digital Signature Law and Digital Signature Ordinance
The Regulatory Authority for Telecommunications and Post (RegTP) as the Authority under § 3 of the Digital Signature Law (SigG) of July 22, 1997 (BGBl. I S. 1872) publishes the following for the practical implementation of the Digital Signature Law and the Digital Signature Ordinance (SigV) of October 22, 1997 (BGBl. I S. 2498):
1. Publication under § 17 paragraph 4 SigV of recognised instances for the certification of technical components under § 14 paragraph 4 SigG:
- 1.1 The following is recognised:
Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
- 1.2 The following are temporarily recognised:
1.2.1
debis Systemhaus Information Security Services GmbH
-Zertifizierungsstelle-
Rabinstr. 8
53111 Bonn
1.2.2
TÜV Informationstechnik GmbH
Prüfstelle für IT-Sicherheit
Im Teelbruch 122
45129 Essen
1.2.3
TÜV PRODUCT SERVICE GmbH
IQSE-Prüfstelle für IT-Systeme
Ridlerstraße 31
80339 München
The temporary recognition of the instances named under 1.2 will be converted into permanent recognition when the Regulatory Authority for Telecommunications and Post receives a confirmation by the Federal Office for Information Security (BSI) that the security certificates issued by this instance under § 4 paragraph 4 of the Law Establishing the BSI demonstrate comparable security to those issued by the BSI.
2. Publication of recognised instances for the examination and certification of the implementation of security plans under § 4 paragraph 3 sentence 3 SigG:
- 2.1 The following is recognised:
Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
- 2.2 The following are temporarily recognised:
2.2.1
debis Systemhaus Information Security Services GmbH
-Zertifizierungsstelle-
Rabinstraße 8
53111 Bonn
2.2.2
TÜV Informationstechnik GmbH
Prüfstelle für IT-Sicherheit
Im Teelbruch 122
45129 Essen
2.2.3
TÜV PRODUCT SERVICE GmbH
IQSE-Prüfstelle für IT-Systeme
Ridlerstraße 31
80339 München
The temporary recognition of those instances named under 2.2 will be converted into permanent recognition when their general expertise has been proved based on practical experience in the area of administrative and technical security plans (presentation of references) and specific expertise relating to digital signatures under the Digital Signature Law and Digital Signature Ordinance by carrying out a successful examination of a security plan under § 4 paragraph 3 sentence 3 SigG under the control of the Regulatory Authority for Telecommunications and Post (together with the BSI).
3. Recognition of further instances within the meaning of number 1 and number 2 by the Regulatory Authority for Telecommunications and Post is possible when the appropriate conditions have been met.
4. At the moment, to the knowledge of the Regulatory Authority for Telecommunications and Post, the following instances are able to conduct examinations of the security of technical components under § 14 paragraph 4 SigG together with § 17 paragraph 1 SigV:
IABG
Abteilung ITE
Einsteinstraße 20
85521 Ottobrunn
Tele-Consulting GmbH
Prüflabor für IT-Sicherheit
Siedlerstraße 22-24
71126 Gäufelden
debis Systemhaus Information Security Services GmbH
- Zertifizierungsstelle -
Rabinstraße 8
53111 Bonn
TÜV PRODUCT SERVICE GmbH
IQSE-Prüfstelle für IT-Systeme
Ridlerstraße 31
80339 München
TÜV Informationstechnik GmbH
Prüfstelle für IT-Sicherheit
Im Teelbruch 122
45129 Essen
Competence Center Informatik GmbH
Prüfstelle IT-Sicherheit
Lohberg 10
49716 Meppen
VST Vossloh System-Technik GmbH
Prüfstelle für IT-Sicherheit
Edisonstraße 3
24145 Kiel
TÜV Nord e.V.
Software & Elektronik Labor
Große Bahnstraße 31
22525 Hamburg
Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
5. Under § 17 paragraph 2 sentence 1 SigV, the Regulatory Authority for Telecommunications and Post hereby publishes in the appendix an overview of the algorithms and appropriate parameters deemed appropriate for the creation of signature keys, for hashing data to be signed or creating and checking digital signatures, as well as the time during which such appropriateness lasts.
6. In order to establish a uniform practice of examination and confirmation, a working group is to be formed for information exchange and for substantive questions.
The recognised certification centres under number 1 and number 2 will be members; the Regulatory Authority for Telecommunications and Post will be the chairman.
It is intended that the working group meet bi-annually at fixed dates, and otherwise as needed.
7. Although drafting of the technical catalogues under § 12 paragraph 2 and § 16 paragraph 6 SigV is not yet completed, this should not hinder the named instances from beginning their work.
Mainz, February 9, 1998
Z 32, Regulatory Authority for Telecommunications and Post (RegTP)
pp.
Schwemmer