by johnfonesca 965 days ago
>it makes it easy to switch document signer provider etc since they all are forced to implement the same interface.

eIDAS was introduced in 2016. Now, 7 years later, there still isn't an API specification for interoperability (there are drawings, though: https://blog.eid.as/new-apis-for-the-eidas-ecosystem/ )

In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".

3 comments

>In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".

Article 25(1) of eIDAS: "An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures."

> Now 7 years later there still isn't a API specification for interoperability

The standard existed in 2016; I did a short stint for a company that was implementing eIDAS back then.

They even have a test suite you can use to check how well you comply with the standard: https://ec.europa.eu/digital-building-blocks/wikis/display/D...

It is very archaic to work with though, but at least they try to have a standard.

The ETSI checker you have linked doesn't have anything to do with CA API interoperability or "switch document signer provider". That's just a basic tool which validates whether a signature is PAdES/ETSI compliant or not.

The real value in eIDAS would be "unlocked" if they would release a proper API specification with which a digital signature application could integrate with any eIDAS CA to emit/sign certificates. And then enforce that any eIDAS-compliant CA implements this API.

In practice that means any company/digital signature product could do an integration with this API once and then be able to use ANY certification authority they want/need/that offers the best prices for certificates.

Without this API, eIDAS is just a marketing moniker because the power belongs to the selected Certification Authorities. They set the prices, they choose WHO can integrate with them to issue certificates, and there is NO interoperability between them. This doesn't allow for an open market and makes the top players control everything while shouting "standards" and "eIDAS"...

Why is that website using a domain hack (with a non-EU ccTLD) rather than a proper .eu domain? Doesn't exactly inspire confidence that these people should have anything to do with security standards.