Questions and answers
- Why do we need digital signatures?
Digital media are playing an increasingly significant part in our business and private lives, and data communications are a key aspect of this development. Data communications often give rise to a situation where we communicate and do business with people we do not know.
We cannot be sure the people we communicate with are who they claim to be, and that the data we send and receive will arrive intact. Electronic transactions can never have true legal force and effect if we have no confidence in the person we are communicating with and the content of the communication.
Digital signatures can provide solutions to these two crucial issues - by verifying the identity of the counterpart and the integrity of the content. They allow us to identify the sender of a message beyond all doubt and to establish whether communicated data are intact or have been modified in transit. Digital signatures thus open the way for fully legally binding electronic commerce: the sender of a message can be identified in the eyes of the law and the content of a message can be proven beyond doubt.
- How do digital signatures work?
A digital signature system is based on the use of two different digital keys known as a key pair. Each key pair is made up of a private key and a public key. The two belong together in that anything encrypted with the private key can only be decrypted with the public key.
The private key must always be kept secret, while the public key can be known to anyone, because the algorithm used to generate the key pair works in such a way that it is computationally infeasible to derive the private key from the public key. A cryptographic system based on the use of a secret private key and a freely available public key is termed "asymmetric".
Signtrust uses an asymmetric cryptographic system known as RSA (after its inventors' initials: Rivest, Shamir and Adleman). A cryptographic system used for data communications in computer networks where the parties involved are unknown to each other needs to be asymmetric, since this is the only kind of system that allows all users who have access to each other's public keys to verify both the identity of the people they communicate with and the integrity of the communicated data.
- How do I digitally sign data or a message?
Let's assume you want to digitally sign an e-mail message, say to order something in a legally binding online transaction or to submit an official application. Write your e-mail as usual in your e-mail application. Depending on the signature application component (the name given to programs that can add digital signatures) installed on your computer, you can sign and encrypt the e-mail from within the e-mail application. Please refer to the manual of the relevant program (signature application component) for details of the process.
- How do I verify a digital signature?
The signature application component (the software you use to sign and encrypt e-mails) installed on your computer will generally include a module for verifying digital signatures. Please refer to the relevant manual for details.
- What does a trust centre do?
Trust centres (certification authorities) perform various tasks in a digital signature system.
- Key generation
- Certification of public keys
- Compliant attribute certificates
- Certificate lookup (directory service)
- Certificate revocation (revocation service)
- Official time data (time stamp service)
(See our PKI Glossary for explanations of the above terms.)
- What infrastructure do digital signatures need?
The German Digital Signature Act (Section 15 onwards) provides for the establishment of a public key infrastructure (PKI) for voluntarily accredited certification authorities operating at the highest security level.
The top-level node in this infrastructure is the German Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA), which acts as a "root" certification authority. BNetzA generates public and private keys for lower-level certification authorities and issues certificates affirming the authorities' ownership of public keys, just as the trust centre operated by Deutsche Post Com, Signtrust Business Division, issues certificates for its customers. The lower-level certification authorities are trust centres like the one operated by Deutsche Post Com GmbH.
The system of digital signatures cannot function without these certification authorities or trust centres. The system requires an authority that generates the key pair for the signature card in a secure environment. Specifically, this involves assigning an individual to a key pair, and certifying this fact to other parties. These services are performed by a trust centre (see "What does a trust centre do?").
The system of digital signatures relies on the existence of authorities that can perform the mandatory assignment of a key pair to an individual. Without the added security of such a system, users of electronic communications lack mutual trust and can never be sure of a given third party's identity or of the integrity of the data they receive. In a system based on digital signatures, the job of creating trust between the parties to electronic communications falls to the trust centres (certification authorities).
In addition to certification authorities, there are also evaluation and certification bodies who have the important task of ensuring on behalf of the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA) that equipment sold to generate and verify digital signatures complies with the German Digital Signature Act and Digital Signature Ordinance. BNetzA publishes lists of compliant equipment in the German Federal Gazette.
- What happens in technical terms when I digitally sign something?
When you create a digital signature, a special algorithm is used to compute a hash value (a short form of an e-mail or file). It is similar to a fingerprint in that each message has a different hash value.
The tiniest change in an e-mail or file (even an added space or a change in punctuation) changes the hash value. The hash value is thus a unique digest of the e-mail or file being signed: not a digest in the sense of a human-readable summary, but a numeric code.
This unique hash value is then passed on to the Signtrust signature card for generation of a digital signature. The card uses the private key stored on it to encrypt the hash value and passes the encrypted value back to the program creating the signature. The encrypted hash value of the e-mail or file is the actual digital signature. As any modification to the e-mail or file would result in a different hash value, the recipient can verify that an e-mail or file has not been altered in transit by computing a new hash value from the received e-mail or file and comparing it with the one that came with it, which is recovered by decrypting the signature with the sender's public key. The certificate contains the sender's public key. In other words, the key needed for verifying the digital signature comes with the message. Since each key pair is unique, any digitally signed message can be traced to a unique sender (and owner of a private key).
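The hash-then-sign process described above, as an added example in Python (not Signtrust's software): the host computes the hash, a stand-in for the card applies the RSA private key to it, and the recipient recomputes the hash and compares. The key is a constructed, insecure demo key; SHA-256, the PKCS#1 v1.5 encoding and all function names are assumptions, since the page names only RSA.

```python
import hashlib
import hmac

# Constructed demo key, NOT secure: both primes are well-known Mersenne primes,
# used only so the example needs no key generation and no third-party library.
P = 2**521 - 1
Q = 2**607 - 1
N, E = P * Q, 65537                  # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (on a real card it never leaves the chip)
K = (N.bit_length() + 7) // 8        # signature length in bytes

# DER header that identifies SHA-256 inside a PKCS#1 v1.5 signature block
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_digest(digest: bytes) -> bytes:
    """Build the block 00 01 FF..FF 00 || header || digest that RSA is applied to."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def card_sign(digest: bytes) -> bytes:
    """Stand-in for the signature card: it only ever receives the hash value."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    m = int.from_bytes(encode_digest(digest), "big")
    return pow(m, D, N).to_bytes(K, "big")


def sign(message: bytes) -> bytes:
    """Host side: hash the message, hand only the hash to the card."""
    return card_sign(hashlib.sha256(message).digest())


def verify(message: bytes, signature: bytes) -> bool:
    """Recipient side: recompute the hash and compare it with the signed one."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")      # apply the public key
    expected = encode_digest(hashlib.sha256(message).digest())
    # Compare the whole encoded block rather than parsing the recovered one:
    # lenient parsing of this block is a classic source of forgery bugs.
    return hmac.compare_digest(recovered, expected)


def demo():
    order = b"Please deliver 10 units. Regards, A. Sample"  # constructed message
    sig = sign(order)
    # Second check: one added space changes the hash, so verification fails.
    return verify(order, sig), verify(order + b" ", sig)


if __name__ == "__main__":
    print(demo())
```

Because the card sees only the hash, it cannot show what is being signed, which is why checking the document in the signing software's viewer matters.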
- What do I need to know about digitally signing data and messages?
The Signtrust signature card is a secure tool for digitally signing and encrypting data and messages. However, certain rules need to be observed when using it to prevent its inherent security from being compromised. The rules that apply to you as a signature card user are as follows:
- Check what you are signing before you sign it. Use the viewer that is integrated into the signature application component you are using to be sure you know exactly what you are signing.
- You always have the option to check your own digital signatures to verify the correctness of your digitally signed data.
- Make certain that all devices, equipment and programs you need for generating digital signatures are in proper working order. Take appropriate steps to prevent unauthorized access to these components.
- Only use devices, equipment and programs that are certified compliant with the German Digital Signature Act (see next section).
- Make certain that all devices, equipment and programs you use to generate digital signatures have been properly installed in a trustworthy manner and only use them in accordance with their specifications and user manuals.
- Make certain that the computer you use at your workplace has been installed and is administered in a trustworthy manner and that only trustworthy software is used on it.
- Use security products such as virus scanners and firewalls to safeguard the integrity of the systems you use to generate digital signatures.
- Observe these rules to prevent the legal force and effect of your digital signatures from being compromised.
- What requirements must technical components for generating digital signatures satisfy under the German Digital Signature Act?
Under the German Digital Signature Act (Section 15 onwards), the security of digital signatures provided by voluntarily accredited certification authorities is assured by close vetting of all trust centre equipment, software and even personnel. The equipment and software provided to holders of cards used for generating digital signatures must likewise satisfy the stringent requirements of the Act.
Equipment and software is deemed secure if it has been evaluated and certified as compliant with the Act by a recognized evaluation and certification body (see "What infrastructure do digital signatures need?"). All products that have been tested and deemed secure are listed in the German Federal Gazette. The Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA) publishes a list of all certified components on its web site (www.bundesnetzagentur.de).
Please check there that the equipment and software you are using meet the requirements.
You should protect the products and programs (signature application components) you use to generate digital signatures and only use them in secure surroundings. Always keep the computer you use to generate digital signatures free of viruses and other malevolent programs such as Trojan horses and worms, as these can compromise the security of your digital signatures.
The list on the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA) web site shows the applications and operating systems for which genuine Signtrust devices and programs have been evaluated.
- What do I need to know about verifying digital signatures?
If you digitally sign data and messages yourself, you will probably receive digitally signed data and messages from others as well. You will then want to make certain that the sender's details in such messages and data are correct and that nothing has been modified in transit.
As signature and attribute certificates can expire or be revoked, you need to verify that all relevant certificates were valid at the time of signing. You can do this by using the directory service provided by Deutsche Post Com, Signtrust Business Division. The Deutsche Post Com certification authority is required always to use unrevoked certificates when signing.
If you are in any doubt, you can verify its certificates with the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA). The RegTP Directory Service is available online. It also allows you to verify that the BNetzA certificate is still valid. You should also check whether a certificate contains any restrictions. If it does, check that the relevant signature key certificate or attribute certificate is attached to the data and has been incorporated in the digital signature. You should also make certain that data have a timestamp if this is relevant.
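The "valid at the time of signing" check described above, as an added example in Python (not part of any Signtrust tool): every certificate from the signer up to the root is tested against the signing time for validity period and revocation. The certificate names, dates and the `Cert` structure are constructed for illustration; in practice the revocation time comes from the directory service and the signing time from a timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # as reported by the revocation service


def problems_at(cert: Cert, signing_time: datetime) -> List[str]:
    """Reasons why this certificate was not valid at the moment of signing."""
    found = []
    if signing_time < cert.not_before:
        found.append(f"{cert.subject}: not yet valid at signing time")
    if signing_time > cert.not_after:
        found.append(f"{cert.subject}: expired before signing time")
    # A revocation that happened after signing does not invalidate the signature.
    if cert.revoked_at is not None and cert.revoked_at <= signing_time:
        found.append(f"{cert.subject}: revoked before signing time")
    return found


def check_chain(chain: List[Cert], signing_time: datetime) -> List[str]:
    """chain[0] is the signer, chain[-1] the root. An empty list means acceptable."""
    if not chain:
        return ["empty chain"]
    found = []
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            found.append(f"{cert.subject}: issuer {cert.issuer!r} is not next in chain")
    if chain[-1].issuer != chain[-1].subject:
        found.append("chain does not end in a self-issued root")
    for cert in chain:
        found.extend(problems_at(cert, signing_time))
    return found


def sample_chain(holder_revoked_at: Optional[datetime] = None) -> List[Cert]:
    """Constructed three-level chain: card holder, trust centre, root authority."""
    return [
        Cert("Holder (constructed)", "Trust centre CA (constructed)",
             utc(2010, 1, 1), utc(2014, 12, 31), holder_revoked_at),
        Cert("Trust centre CA (constructed)", "Root CA (constructed)",
             utc(2008, 1, 1), utc(2018, 1, 1)),
        Cert("Root CA (constructed)", "Root CA (constructed)",
             utc(2005, 1, 1), utc(2020, 1, 1)),
    ]


if __name__ == "__main__":
    lost_card = sample_chain(holder_revoked_at=utc(2012, 3, 1))
    print(check_chain(lost_card, utc(2012, 2, 1)))  # signed before revocation
    print(check_chain(lost_card, utc(2012, 6, 1)))  # signed after revocation
```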
- How long does a digital signature remain valid?
Electronics and software are advancing all the time. Because of this, the routines and parameters used to generate digital signatures are only deemed effective for a certain period of time, after which they are reassessed and if necessary modified to account for technological change.
If you need to keep digitally signed data longer than the period of time for which the routines and parameters used to generate it are deemed effective, you will need to re-sign your data using new routines and parameters, incorporating the old signature into the new one. The data must also be time-stamped when you add the new signature. The Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA) publishes a list of suitable algorithms together with the length of time they are deemed to remain effective. A certificate can be valid for a maximum of five years.
- What do I need to know about using the Signtrust signature card?
You use your Signtrust signature card to generate digital signatures. There are certain rules you should observe in connection with your card:
- Always keep your Signtrust signature card in your personal possession and safe from theft, and never entrust it to another person.
- If you ever lose your Signtrust signature card, have the certificate that belongs to it revoked immediately. To do this by telephone, call this number:
(0800) 1 00 82 63
or write to this address:
Deutsche Post Com GmbH,
Signtrust Business Division,
PO Box 10 01 13,
Under the German Digital Signature Act, when a digital signature key certificate is revoked, all attribute certificates that are associated with it must likewise be revoked.
- Only use your Signtrust signature card with devices and equipment that you are familiar with and know to be reliable. Observe all instructions regarding security and use all devices, equipment and programs in accordance with their specifications and user manual.
- Wherever possible, only use your Signtrust signature card with components that have been certified for the purpose. You can find out which components are certified on the BNetzA web site.
- If your Signtrust signature card is damaged, it may be that someone has tried to tamper with it. If you do not know how the damage arose, you are best advised to revoke your signature key certificate.
- What do I need to know about my six-digit PIN?
Before you can digitally sign anything, you need to enter your six-digit PIN. Anyone who has this PIN can sign in your name, so always keep your PIN absolutely secret. Make certain that nobody can gain knowledge of your PIN, and be especially careful that nobody is watching when you type it in. Change your PIN immediately if you know or suspect that someone else has gained knowledge of it.
When deciding what number to use as your PIN, be sure to choose one that nobody can guess based on other things they know about you. Avoid numbers based on your date of birth, telephone numbers and the like. Avoid using the same PIN for different applications, cards and authentication procedures. To comply with the strict requirements of the German Digital Signature Act, Signtrust does not keep a copy of your PIN. For added security, you receive the PIN for your Signtrust signature card in two separate parts.
If a wrong PIN is entered three times in succession, your signature card permanently blocks access to your private key and it can no longer be used for digital signing. Because of this, be careful to enter the right PIN at all times.
- How do I look after my six-digit PIN?
Digital signatures use encryption to verify the integrity of data and the sender's identity. When a message is digitally signed, however, only the digital signature (the encrypted hash value of the data) and the certificate are sent in encrypted form. The message body is left unencrypted. On its own, then, digital signing does not keep your data confidential.
Besides a key pair for digitally signing messages and data, however, the Signtrust signature card also contains two additional asymmetric key pairs. One of these is for securely encrypting your messages and data. You can use encryption either together with a digital signature or on its own. The third key pair on the Signtrust signature card is for authentication.
All keys on the Signtrust signature card are generated to the same strict security requirements. The certificates belonging to the encryption and the authentication key pair are listed along with your digital signature certificate in the directory service of Deutsche Post Com, Signtrust Business Division.
- What do I need to know about attribute certificates?
If you have an attribute certificate that contains limitations on use or states that you hold a power of attorney or professional or other authorisations, and if this is materially relevant to digitally signed data, the attribute certificate should be attached to the data and digitally signed as well.
Attributes in an attribute certificate have no effect unless you include them with your messages so that your opposite number is aware of them.
- What is the effect of having a pseudonym in a certificate?
If you decide to have a pseudonym in your certificate, the certificate will contain only the pseudonym and no other personal data. Pseudonyms are identified by the entry ":PN,1,de" in the certificate.
Pseudonyms can only be assigned once in the customer base of Deutsche Post Com, Signtrust Business Division. If more than one user applies for the same pseudonym, they are numbered, e.g. "Pseudonym:PN,1,de", "Pseudonym:PN,2,de", etc. Under the German Digital Signature Act, Signtrust must disclose the identity of any customer who uses a pseudonym to law enforcement agencies on request if disclosure is deemed necessary to investigate criminal or administrative offences, to avoid risk to public security or to fulfil the tasks legally required of the constitutional protection agencies at national and regional level, the Federal Intelligence Service, military counterintelligence or the customs investigation authorities.
Signtrust must keep a record of any such disclosure. The requesting agency must notify the customer that the pseudonym has been revealed when there is no longer any risk of such notification obstructing the agency in its statutory duties or where any such risk is outweighed by the customer's interests.
- What conditions must be satisfied for my digital signature to be recognized as mine in commercial and legal transactions?
Every digital signature generated with your private key will be recognized as yours if your certificate is valid when you generate the signature. Because signing involves entering a PIN that you are required to keep secret, all digital signatures based on your certificate are assumed to have been created of your own volition.
The only time a digital signature is not recognized as having been generated by the holder of the corresponding private key is when this assumption is refuted by established facts. A compliant digital signature of the kind you generate using a Signtrust signature card and software has the same legal force and effect as a handwritten signature wherever the law so provides.
- How do I obtain a Signtrust signature card?
In addition to your application, which you would normally complete and print out online at www.signtrust.de, Signtrust needs a photocopy of your official identity card or passport. If you have an official identity card, photocopy both sides. If you have a passport, photocopy the pages of your passport that contain your personal details. In either case, sign the copy so that your signature goes across your photograph. Note that if you use a passport or a foreign identity card, Signtrust will also need an original certificate of domicile issued within the last three months.
Your signature across the photograph should match the one on your card or passport so that we can compare the two. If you are unable to complete the application online, call our support line and we will send you a set of application documents by e-mail or post for you to complete and return to us. Some time later, you will receive your online application for you to sign and add details such as your account number and revocation password. The online application includes a coupon that you take to a Deutsche Post retail outlet to show your identity.
Please take your online application, your identity card or passport together with copies, and your PostIdent coupon to a Deutsche Post retail outlet, where the counter staff will confirm your identity and send your completed documents to Signtrust. Please make sure you have all the completed application documents, and present them loose (not in an envelope) to the counter staff so that they can be sent in a special internal Deutsche Post envelope together with the staff's official identification. Your Signtrust signature card will be sent to you a few days later.
There are two mailing options:
- With confirmation of receipt. The signature card and the first part of your PIN are sent to your registered domicile, or to an alternative address of your choice such as your place of work. The signature card comes with a reply coupon, which you cut or tear off, complete, sign and return to Signtrust. Only then is the certificate set up in the directory service and you will receive the transport PINs to activate and use the signature card.
- Personal delivery subject to verification of addressee's identity. A mail carrier will deliver your signature card to you in person after verifying your identity using the same means of identification as you presented at the retail outlet when you sent your application. This option is even more secure than the first, but only permits delivery to your registered domicile. If you are out when the mail carrier calls, you will be left a note to pick up your signature card at a specified retail outlet.
Whichever option you choose, make certain that the envelope actually contains your card before you place your first signature on the accompanying letter of confirmation. Your second signature confirms that you have read the information leaflet.
The identification procedures used by Signtrust are highly secure and fully satisfy the requirements of the German Digital Signature Act. This is in your own interest.
If the security procedure has been compromised in any way or you have not received your signature card within 14 days of your identification being verified at the retail outlet, please call Signtrust:
or (0700) 7 44 68 78 78
(12.4 cents per minute or part thereof)
- What is the legal background to digital signatures?
The statutory foundation for digital signatures in Germany is the Digital Signature Act ("Gesetz über Rahmenbedingungen für elektronische Signaturen"). This is the result of May 2001 amendments to the original Digital Signature Act, which came onto the statute books on August 1, 1997. The Act provides for the establishment of a public key infrastructure (PKI) for digital signatures in Germany. On the basis of the Act, secondary legislation was enacted in 1997 in the form of the Digital Signature Ordinance ("Signaturverordnung") and two lists of measures detailing technical requirements.
- Where can I find information on technical or legal issues?
One place to obtain information about digital signatures is the Internet. Legal and technical background information is available on the web site of the German Federal Office for Information Security (BSI - www.bsi.de, in German). The German Federal Ministry of Economics and Technology (BMWi) runs a site focusing on the German Information and Communication Services Act (www.iukdg.de).
The Bundesnetzagentur (Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, BNetzA) issues key pairs and certificates for all trust centres in Germany and also provides various information on its web site. The TÜV IT web site (www.tuevit.de) contains information on certified components.
Further information is available from the Signtrust support line:
or (0700) 7 44 68 78 78
(12.4 cents per minute or part thereof)
- What happens to my personal data?
The trust centre of Deutsche Post Com, Signtrust Business Division, fully complies with the law on data privacy in all dealings with customer data. The data that certificate holders choose to include in their certificates are - subject to holder approval - available for public viewing in the Signtrust directory service. Deutsche Post Com, Signtrust Business Division, does not collect, process or use any personal data other than that which it must collect, process and use in order to operate a certification authority.
Signtrust takes all steps necessary to protect its customers' personal data from unauthorized access. Nothing is passed on to any third party except by court order. Signtrust uses the data provided by its customers solely within its trust centre operations and does not put them to any commercial use.
- Where can I look up certificates online and where can I find information on Signtrust digital signatures?
The directory service of Deutsche Post Com, Signtrust Business Division, can be accessed on the Signtrust web site (www.signtrust.de).
You can also use this service to look up Signtrust certificates whose holders allow their certificates to be viewed. The web site also contains a large amount of information about Signtrust digital signatures.
- Can I apply offline?
Yes, this is possible. The application will be made on paper. Please call our hotline.
Unfortunately, we will have to charge you for the additional costs associated with paper applications.
Signtrust support hotline:
or (0700) 7 44 68 78 78
(12.4 cents per minute or part thereof)