
Customer Information Pursuant to Section 6 of the German
Act on Digital Signature [SigG §6]
I THE INFORMATION DOCUMENTATION ................ 1
II LEGAL INFORMATION ................ 1
III SPECIAL FEATURES OF THE MULTIPLE SIGNATURE CARD ................ 2
IV IMPORTANT RULES FOR THE USE OF THE ELECTRONIC SIGNATURE ................ 2
V SIGNATURE GENERATION AND VERIFICATION ................ 4
VI REVOCATION OF CERTIFICATES ................ 5
VII OPTIONS TO RESTRICT THE QUALIFIED CERTIFICATE ................ 6
VIII DATA PROTECTION ................ 7
IX VOLUNTARY ACCREDITATION OF THE CERTIFICATION SERVICE PROVIDER ................ 7
X COMPLAINT AND ARBITRATION PROCEDURE ................ 7
XI INFORMATION ABOUT THE POSTIDENT BASIC AND POSTIDENT SPECIAL PROCESSES ................ 7
XII INFORMATION ABOUT THE NOTARIDENT PROCESS ................ 8
XIII CONTACTS ................ 8
I THE INFORMATION DOCUMENTATION
We want you to know what your electronic signature is and what it can do. The German Act on Digital
Signature also attaches great importance to this. This law provides that you are informed about the
use of the electronic signature and that you confirm that you have received this information.[1]
You have received this information in the form of this text! Please read this document carefully.
II LEGAL INFORMATION
Effect of the electronic signature in legal communications
Using the electronic signature card from D-TRUST GMBH, you can generate a "qualified electronic
signature".[2] This means: When you use your signature card in order to "electronically sign" an
electronic document, this has the same legal effect as if the document of similar contents were to bear
your hand-written signature. Because the "qualified electronic signature" of your signature card has
the same legal effect as your hand-written signature! Any exception to this rule must be explicitly laid
down in law. In court, for example, you will not be able to repudiate that you have signed with your
electronic signature. Whether you attached your signature can be proven beyond any doubt and with
legal effect. Furthermore, it can also be proven in a legally valid manner whether a document was
modified or not after your personal signature was attached.
[1] Section 6 of the German Act on Digital Signature sets forth the information requirement as follows:
(1) Pursuant to section 5, subsection 1, the certification authority is obliged to inform the applicant on measures necessary to contribute towards
the security of qualified electronic signatures and the reliable checking thereof. The certification authority must inform the applicant that data
signed by a qualified electronic signature may have to be re-signed as required before the security value of the existing signature decreases
during the course of time.
(2) The certification authority must inform the applicant that a qualified electronic signature has the same legal effect as a hand-written signature
unless anything to the contrary is provided for by law.
(3) For the purposes of information as contemplated in subsections 1 and 2, the applicant must be given a written information statement. The
applicant must confirm that he or she has read such written statement as a precondition for the issuance of a qualified certificate. In as far as
an applicant has already been informed at an earlier point in time in the meaning of subsections 1 and 2, it is not necessary to repeat such
information.
[2] In this document, we also use the simplified terms "digital signature" or "electronic signature" which in this case refer to the "qualified electronic
signature".
V1.12_PIN 2.1, 2.4, 3.0
June 2012
page 1 of 8
Information Documentation of D-TRUST GMBH as a Certification Authority Pursuant to
Section 6 of the German Act on Digital Signature [SigG § 6]
On the legal effect of the electronic signature
Any declaration of intention which satisfies the customary legal requirements (capacity to perform legal
acts, etc.) and which is not subject to specific formal requirements is legally effective. Within the
framework of the free weighing of evidence, the form in which an intention materialises (for example,
as an e-mail) can be used as evidence in court.
Furthermore, a declaration of intent to which a "qualified electronic signature" pursuant to the
applicable German Act on Digital Signature is attached also satisfies the formal requirement of the
"legally required written form" under certain conditions and can serve as "prima facie evidence" in
court.
Identical effect: Pursuant to sections 126 and following of the German Civil Code [§§ 126 ff BGB],
the legal "qualified electronic signature" has the same effect as a hand-written signature under civil
law if the signed document additionally bears the signatory's name ("electronic form") and if such
electronic form is not explicitly ruled out by law. Such an exclusion at present (September 2001)
concerns the termination and modification of employment contracts (section 623 of the German
Civil Code), the issuing of certificates and references for employees (section 630) as well as
promises of life annuities (section 761), guaranties (section 766), promises (section 780) and
statements of recognition (section 781).
Section 371a of the German Code of Civil Procedure [§ 371a ZPO] Evidence value of electronic
documents
(1) The provisions concerning the evidence value of private instruments are analogously applicable
to private electronic documents which are provided with a qualified electronic signature. The prima
facie evidence of authenticity of a statement available in electronic form which is based on
verification according to the Act on Digital Signature can only be questioned by facts which cast
serious doubt on whether the statement was made by the owner of the signature key.
This means that anybody who can use your signature card, i.e. anybody who has the card and the
PIN, can perform acts which are legally binding upon you because he or she has your "digital
signature"! Any electronic signature generated with your digital signature key is generally attributed to
you if:
• your certificate was valid at the time of generation and
• there are no other facts which disprove the presumption that you deliberately generated the
electronic signature.
III SPECIAL FEATURES OF THE MULTIPLE SIGNATURE CARD
Pursuant to section 17, subsection 2 of the German Act on Digital Signature, measures must be taken
to ensure specifically in the case of automatically generated signatures ("bulk signatures" or "mass
signatures") that signatures cannot be applied for any purpose other than the set purpose (for
example, signatures for payment orders by large-scale users) and solely by applications which were
previously tested and approved. A suitably tested and approved application should be used in order to
apply signatures generated by a multiple signature card in a legally valid framework. Furthermore, the
user (of the signature card) is responsible for protecting the related software and hardware against
misuse. Please also observe the information provided in the document "Operating Conditions for
D-TRUST Multicards" which was sent to you together with the application form.
The D-TRUST Card Assistant must be used in order to initialise the signature card. The D-TRUST
Card Assistant consists of a single executable file.
IV IMPORTANT RULES FOR THE USE OF THE ELECTRONIC SIGNATURE
It is extremely important that you carefully protect your signature card and your PIN against
unauthorised access. Because anybody who is able to use your signature card can perform acts which
are legally binding upon you. Your signature card contains not just your digital ID, but also your
electronic signature!
Below we have compiled some rules for the secure use of the signature card:
The PIN
The PINs are:
• PIN1 (card PIN) for authentication and encryption
• PIN2 (signature PIN) for the signature. PIN2 is protected in its as-supplied condition by
a so-called transport PIN. The transport PIN is a security feature of the card which enables you to
see that your personal signature key has been neither used nor misused. Before you use the
signature key for the first time, you are prompted to change PIN2 (refer to the PIN letter,
signature PIN, 5 digits, numerals only!):
► for D-TRUST card 2.x only: minimum of 8 digits; numbers only!
► for D-TRUST card 3.0 only: minimum of 6 digits; recommended: 8 digits; numbers only!
It is not until you have made this change that you can use the signature key and hence sign. If you
are not prompted to change PIN2 when you are using your signature card for the first time, or if
the PIN2 communicated to you is not accepted, or if your transport PIN has more than 5 digits, this
may mean that your signature card is no longer intact! There is a chance that somebody used
your signature card before you received it. PIN1 (card PIN) is not affected by this.
Our support centre staff will be pleased to assist you if you have any questions concerning the use of
your PINs (for contact details, please see the last page).
The PUK
D-TRUST signature cards (all cards except for D-TRUST multi-sign cards 2.x) are supplied with two
so-called PUKs. These are special PINs which you can use to reset the retry counters of PIN1 (card
PIN) and PIN2 (signature PIN). This means: One of the PINs of the signature card was blocked
because of
► ten incorrect attempts (D-TRUST card 2.x) or
► three incorrect attempts (D-TRUST card 3.0)
to enter the corresponding PIN (card error message: "Card blocked"). You can then enter the corresponding
PUK in order to unblock the card again. It is not possible to change the existing PINs by entering the
PUK. The number of unblocking operations using the PUK is currently limited to
► 60 attempts (D-TRUST card 2.x)
► 10 attempts (D-TRUST card 3.0).
After 10 attempts to enter an incorrect PUK of your D-TRUST card 2.x (this restriction does not apply
to the D-TRUST card 3.0), the card is blocked because an attempt to misuse the card is assumed.
Reactivation of the card is then no longer possible. The only remedy in this case is to apply for a
replacement card – against payment.
Our support centre staff will be pleased to assist you if you have any questions concerning the use of
your PINs and PUKs (for contact details, please see the last page).
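The retry and unblocking limits from "The PIN" and "The PUK" above, worked through as a small state model. This is an added illustration, not D-TRUST software or the card's actual firmware logic: the transport PIN, PUK and PIN values are constructed sample values, PIN1 is not modelled, and the reset of the retry counter after a correct entry is an assumption (usual smart card behaviour, not stated in the document).

```python
from dataclasses import dataclass, field
from typing import Optional

# Limits quoted in "The PIN" and "The PUK" above, per card generation.
PROFILES = {
    "2.x": dict(pin_tries=10, puk_unblocks=60, puk_wrong_limit=10, pin2_min_len=8),
    "3.0": dict(pin_tries=3, puk_unblocks=10, puk_wrong_limit=None, pin2_min_len=6),
}
TRANSPORT_PIN_LEN = 5  # the as-supplied transport PIN has 5 digits


@dataclass
class SignatureCardModel:
    """Simplified model of PIN2 (signature PIN) handling; PIN1 is not modelled."""
    card_type: str
    transport_pin: str          # from the PIN letter (constructed sample values in tests)
    puk: str                    # from the PIN letter
    pin2: Optional[str] = None  # None while the card is still in as-supplied condition
    pin_tries_left: int = field(init=False, default=0)
    puk_unblocks_left: int = field(init=False, default=0)
    puk_wrong: int = field(init=False, default=0)
    dead: bool = field(init=False, default=False)  # misuse assumed, replacement card needed

    def __post_init__(self) -> None:
        p = PROFILES[self.card_type]
        self.pin_tries_left = p["pin_tries"]
        self.puk_unblocks_left = p["puk_unblocks"]

    def first_use(self, transport_pin: str, new_pin2: str) -> str:
        """Mandatory PIN2 change on first use. Anything but 'ok' is a reason to
        stop and contact support: the card may have been used before delivery."""
        if self.dead:
            return "card permanently blocked"
        if self.pin2 is not None:
            return "no PIN2 change prompted: card may have been used already"
        if len(transport_pin) != TRANSPORT_PIN_LEN or transport_pin != self.transport_pin:
            return "transport PIN not accepted: card may not be intact"
        min_len = PROFILES[self.card_type]["pin2_min_len"]
        if not (new_pin2.isdigit() and len(new_pin2) >= min_len):
            return f"PIN2 needs at least {min_len} digits, numerals only"
        self.pin2 = new_pin2
        return "ok"

    def verify_pin2(self, attempt: str) -> str:
        """Signature PIN entry; when the retry counter reaches zero the card reports 'card blocked'."""
        if self.dead:
            return "card permanently blocked"
        if self.pin2 is None:
            return "change PIN2 first"
        if self.pin_tries_left == 0:
            return "card blocked"
        if attempt == self.pin2:
            # Assumption: a correct entry restores the full retry counter.
            self.pin_tries_left = PROFILES[self.card_type]["pin_tries"]
            return "ok"
        self.pin_tries_left -= 1
        if self.pin_tries_left == 0:
            return "card blocked"
        return f"wrong PIN, {self.pin_tries_left} attempt(s) left"

    def unblock_pin2(self, puk: str) -> str:
        """Reset the PIN2 retry counter with the PUK; the PIN itself stays unchanged."""
        p = PROFILES[self.card_type]
        if self.dead:
            return "card permanently blocked"
        if puk != self.puk:
            self.puk_wrong += 1
            if p["puk_wrong_limit"] is not None and self.puk_wrong >= p["puk_wrong_limit"]:
                self.dead = True  # card 2.x: ten wrong PUKs, misuse assumed, no reactivation
                return "card permanently blocked"
            return "wrong PUK"
        if self.puk_unblocks_left == 0:
            return "PUK unblock limit reached"
        self.puk_unblocks_left -= 1
        self.pin_tries_left = p["pin_tries"]
        return "ok"
```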
Personal custody
Always keep your signature card in your personal custody!
The PIN identifies you as the legitimate user of the chip card. Therefore, never disclose your PINs
under any circumstances whatsoever! Make sure that nobody watches you while you are entering
the PINs. If you believe or even only suspect that the PIN has been disclosed to third parties,
change it immediately!
Avoid PINs which are easy to guess (dates of birth, telephone numbers) and do not use the same
PIN for your signature card, your PC access, your online banking functions or your EC card. This
would make it too easy for eavesdroppers.
Do not use the same number string for PIN2 (signature PIN) and PIN1 (card PIN). Use different
PINs. This is particularly important if you also use the signature card in non-secured
environments.
Protecting the technical components for signature checking and signature generation
"Secure signature generation units" must be used to generate electronic signatures. The signature
card of D-TRUST GmbH is such a tested and confirmed, secure signature generation unit.
Make sure to use only tested and confirmed application programs at all times, because these
make it possible to detect forged signatures and manipulated documents. The latest version
of the list of tested and confirmed products can be found on the website of the Federal Network
Agency at http://www.bundesnetzagentur.de.
Do not modify the software programs of your signature application components. This is the only
way to ensure that they are in conformity with the German Act on Digital Signature.
Protect your personal computer against unauthorised access, for example, by boot protection.
Make sure that an effective anti-virus program is installed and make sure prior to signing that your
PC is free from viruses. If the signing software is changed by viruses, the software is no longer in
conformity with the requirements for qualified signatures.
We recommend card readers with an integrated keypad. They warrant a higher security level.
If necessary, you can check whether you have received the correct and non-corrupted software of
the D-TRUST Card Assistant. The hash value of the D-TRUST Card Assistant is displayed in the
download area.[3] You can use a tool offered by the Federal Network Agency (BNetzA) which
generates hash values in order to check whether the hash value of the D-TRUST Card Assistant
displayed on the D-TRUST website matches the hash value of the downloaded application of the
D-TRUST Card Assistant which you have generated. Should you need any assistance in setting
up this tool, our support staff will be glad to assist you.
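The comparison described above, as an added example (not the BNetzA tool and not D-TRUST code): the published value is taken as a hex digest, the algorithm is inferred from its length because the document does not name one (an assumption), and separators that creep in when copying from a web page are tolerated.

```python
import hashlib
import re
from typing import Iterable

# Digest lengths (in hex characters) of the algorithms a published checksum is
# likely to use. Assumption: the document does not name the algorithm.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}


def normalise_published_hash(published: str) -> str:
    """Strip whitespace and colon separators copied along with the published
    value (e.g. 'AB:CD ef' -> 'abcdef') and reject anything that is not hex."""
    cleaned = re.sub(r"[\s:]", "", published).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("published hash is not hexadecimal")
    if len(cleaned) not in _ALGO_BY_HEX_LEN:
        raise ValueError(f"unsupported digest length: {len(cleaned)} hex characters")
    return cleaned


def digest_of_chunks(chunks: Iterable[bytes], algorithm: str) -> str:
    """Hash an iterable of byte chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_bytes(data: bytes, published: str) -> bool:
    """True iff `data` hashes to the published value under the inferred algorithm."""
    expected = normalise_published_hash(published)
    actual = digest_of_chunks([data], _ALGO_BY_HEX_LEN[len(expected)])
    return actual == expected


def verify_file(path: str, published: str, chunk_size: int = 1 << 20) -> bool:
    """Same check for a downloaded file such as the Card Assistant installer."""
    expected = normalise_published_hash(published)
    with open(path, "rb") as f:
        actual = digest_of_chunks(iter(lambda: f.read(chunk_size), b""),
                                  _ALGO_BY_HEX_LEN[len(expected)])
    return actual == expected


if __name__ == "__main__":
    import sys
    # usage: verify_download.py <downloaded file> <hash shown in the download area>
    if verify_file(sys.argv[1], sys.argv[2]):
        print("hash matches the published value")
    else:
        print("HASH MISMATCH: do not install, contact support")
```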
Need to renew signatures
If a document bears an electronic signature over an extended period of time, the authentication of the
signature may become insecure because the signature certificate may have become invalid or
revoked in the meantime. It is therefore necessary to electronically re-sign such data in due time using
the latest signature technology available at that time. This new electronic signature then includes the
previous signature and the current time stamp.
V SIGNATURE GENERATION AND VERIFICATION
Signature generation
Before generating the signature, check the contents of the digital document by means of the viewer
component which is automatically opened when the signature is generated. This viewer component
must be part of a tested and verified software for digital signatures. This is the only way to ensure that
you really see the relevant, i.e. the signed, text. In order to now confirm and sign the contents, enter
PIN2 (the signature PIN) of your signature card. That's it!
Signature application software which has not been tested is not in conformity with the German Act on
Digital Signature and can, in principle, smuggle hidden text into the document, which may then oblige
you to buy the proverbial pig in a poke.
[3] www.bundesnetzagentur.de
Revocation procedure: You have two options for having your certificate revoked:
Either call the hotline of our revocation service: (++49 30) / 25 93 91 - 600 for the registered
operation, or 601 for operation with provider accreditation. This revocation hotline is available
around the clock, as demanded by the German Act on Digital Signature.
Send your written revocation request to our revocation service at the following address:
Bundesdruckerei GmbH c/o D-TRUST GmbH, Kommandantenstraße 15, 10969 Berlin,
Germany.
If you call the hotline in order to have your certificate revoked, you will have to identify yourself as the
authorised owner by stating the revocation password which you have chosen in your application. If you
state the correct revocation password, revocation is then carried out immediately.
If you have your certificate revoked in writing, your right to revoke is checked on the basis of your
personal details and your hand-written signature. The signature on your application form then serves
as a specimen signature. The certificate is then revoked on the day the certification authority of
D-TRUST GmbH receives your letter. You can also choose a date in the future for revocation to come
into effect. Retroactive revocation, in contrast, is not possible, nor does the German Signature Law
permit temporary revocation because a revocation, once made, cannot be reversed.
If the owner of a certificate fails to perform his or her contractual obligations, the certification authority
is also entitled to revoke the certificate.
If your certificate contains further information involving third parties, these are then also authorised to
have your certificate revoked. Suppose that your certificate states that your spouse is authorised to
represent you, he or she is then also authorised under the German Act on Digital Signature to have
your certificate revoked.
A revocation application must contain the following details:
Revocation application by telephone
- Name of the caller
- Name of the certificate owner if the caller is not the owner
- If possible, certificate ID or signature card ID
- Revocation password
Revocation application by letter
- Name of the sender
- Name of the certificate owner if the sender is not the owner
- If possible, certificate ID or signature card ID
- If possible, revocation password
- The signature of the sender
- Revocation time
VII OPTIONS TO RESTRICT THE QUALIFIED CERTIFICATE
The qualified signature certificate can include monetary restrictions, restrictions of type and scope, as
well as additional information. If your certificate includes restrictions in terms of type and scope and if
such restrictions ("monetary restrictions", i.e. financial limits, for example) are relevant for the use of a
document signed by you, you must add your certificate to the document and include it in the electronic
signature.
Monetary restriction
You can define in the certificate that the signature is only valid for contracts representing a value
below a defined amount (monetary restriction).
Restrictions in terms of type and scope
User-defined text that can be added to describe the purposes for which the signature can be used.
Example: This certificate is only valid for signing electronically sent invoices of XY Ltd.
Additional information
User-defined text of up to 2,048 characters, such as academic title (“Diplom Ingenieur”, “Diplom
Volkswirt”).
VIII DATA PROTECTION
D-TRUST like any other certification authority is subject to the applicable data protection laws and
regulations. Retrieval of the data of a certificate from the repository service by the general public is
only permitted if the certificate owner has explicitly agreed thereto in his or her application. Otherwise
only the status of the certificate can be viewed, i.e. "valid", "unknown" or "invalid" ("revoked").
D-TRUST does not collect any data which is not needed for its certification activities. Any data
collected is protected against unauthorised access. The certification authority takes the measures
necessary for this purpose. Personal data is not disclosed unless in response to a court decision.
D-TRUST GmbH does not use any data made available to it for any purposes other than those of its
certification operations. There is no further commercial use whatsoever.
The German Act on Digital Signature (section 10, subsection 2) provides that certificate owners "are
on request to be granted access to inspect and view any data and process steps relating to them".
IX VOLUNTARY ACCREDITATION OF THE CERTIFICATION SERVICE PROVIDER
In addition to the strict requirements which a certification authority must fulfil pursuant to the German
Act on Digital Signature, a certification authority can have its technical components and processes
checked and audited by a licensed body. Following successful completion of such an audit, the
Federal Network Agency can accredit the certification service provider (CSP). D-TRUST GmbH was
awarded the accreditation document in March 2002. D-Trust GmbH offers qualified certificates both
with and without provider accreditation. The key which D-TRUST GmbH in its capacity as CSP uses to
sign its customers’ certificates, for instance, within the scope of its accredited operations is certified by
the Federal Network Agency and hence forms part of the certificate which the Federal Network
Agency has issued to D-TRUST GmbH. In just the same manner in which you can search in D-TRUST
GmbH’s repository service for certificates issued by D-TRUST GmbH, you can also search for
certificates in the Federal Network Agency’s repository service which the Federal Network Agency has
issued to accredited certification service providers, such as D-TRUST GmbH. If you have a certificate
with provider accreditation, your certificate, just like any other qualified certificate, can be certified on
the first stage via the repository service of the CSP, such as D-TRUST, whilst, on the second stage,
the certificate of the CSP can be additionally verified by the repository service of the Federal Network
Agency. This strengthens the trust in your certificate even further. D-TRUST keeps the qualified
certificates issued in a repository for a term that begins with the date of their issuance and ends at the
date of expiration stated in the respective certificate, plus at least another five years after the end of
the year in which the certificate expires. In the case of accredited operation, even for another
corresponding 30 years. In the event that operations are discontinued, the law contains provisions to
ensure that a third party takes over the documentation and certificates.
X COMPLAINT AND ARBITRATION PROCEDURE
Should you have any problems or questions which you cannot settle with our support on an amicable
basis, you can refer the case to the Federal Network Agency as your contact partner for complaints
and arbitration; furthermore, you can also obtain details of such proceedings from the Federal Network
Agency.
XI INFORMATION ABOUT THE POSTIDENT BASIC AND POSTIDENT SPECIAL PROCESSES
Detailed information about the Postident Basic and Postident Special processes can be found on
D-TRUST GmbH's website at https://www.d-trust.net/inernet/files/Postident_info.pdf. If you have no
access to this information, you can request this per e-mail or by telephone by contacting our support
as shown below.
XII INFORMATION ABOUT THE NOTARIDENT PROCESS
Please take the application form, prior to signing, to a notary public, submit your ID document or
passport in order to identify yourself, and sign the application form before the notary public. Have the
notary public certify that you have signed the application form in person (section 20 (1) of the
German Notary Public Code [BNotO §20 (1)]). Then send the authentication statement, together with
the other application documents, to D-TRUST GmbH's address shown below. The costs of this
procedure are laid down in the German Court and Notary Cost Regulations [KostO] and must be paid
by you. D-TRUST GmbH will not pay or refund these costs.
XIII CONTACTS
Important addresses
Your technical support:
D-TRUST GMBH
Tel.: + 49 (0) 30 / 25 93 91 610
Fax: + 49 (0) 30 / 25 93 91 22
Your certification authority:
D-TRUST GMBH
Kommandantenstraße 15
10969 Berlin, Germany
Tel.: + 49 (0) 30 / 25 93 91 – 0
Fax: + 49 (0) 30 / 25 93 91 –22
www.D-TRUST.net
Revocation hotline:
Tel.: + 49 (0) 30 / 25 93 91 – 600 (registered operation)
Tel.: + 49 (0) 30 / 25 93 91 – 601 (operation with provider accreditation)