The European Union is demanding digitally signed invoices.

http://www.bundesfinanzministerium.de/Anlage22461/BMF-Schreiben-vom-28.-Januar-24-Adobe-Acrobat-5.0.pdf

http://www.fm.nrw.de/cgi-bin/fm/custom/pub/content.cgi?lang=1&ticket=guest&oid=871

I don't know what CAcert can do about this. AFAIK there is a legal obligation to use a "qualified digital signature" (qualifizierte digitale Signatur) and there are some restrictions that cannot be fulfilled by CAcert.

fs

Which restrictions cannot be fulfilled by CAcert?

Is there an English translation of that? What does it mean to "demand" digitally signed invoices?

"demand": If you are writing invoices and send them electronically, at least the German tax office will not accept any invoice that is not digitally signed. And there are some very detailed requirements about who may sign these certificates. If an invoice is not accepted, that means that you will get into serious trouble if you're running a business because your accounting is considered flawed.


07.06.2005 (fs):

I try to explain a little bit further why CAcert certs must not be used for signing digital invoices. All my comments are only valid for German law - there may be other countries (even in the European Union) where the situation is different! Standard disclaimer: IANAL.

Sorry if I have to refer to several articles written in German, but most German laws were not translated into English... As I'm only referring to the German situation this may be a bit less of a problem (although I think this is the same in the whole EU).

Every digital invoice must be signed with a qualified digital signature ("qualifizierte elektronische Signatur"). More details in http://www.heise.de/ix/artikel/2005/04/086/

The term "qualified digital signature" has a special meaning in law speak. It means you have to use a certificate which is issued by a CA which is authorized to produce those qualified certificates. It also requires the certificates to be stored on a chip card or HSM (on certified hardware) in a way the owner can not read/disclose it. The software to produce and verify the signatures also must be certified and validated.

You can find more detailed descriptions of the requirements for getting certified in the Signaturverordnung (http://www.bsi.bund.de/esig/basics/legalbas/sigv2001.pdf).

The whole process is so costly that there are only three trust centers in Germany that may issue these certificates and they will charge for it. One thing you have to know is that a document signed by your "qualified digital signature" is treated as if you had signed it by hand. You may buy cars with that signature and sign legally binding contracts for loans!

I hope that it is now clear to everybody that CAcert will not (read: "is not able to") offer any certificates that will allow you to sign your digital invoices in Germany so that the tax office will accept these invoices.

Other countries have less strict signature requirements for "dematerialized" or "legal" invoicing. Some require only "advanced" instead of "qualified" certificates, and those could come from CAcert (however I think the CA has to have an insurance covering a certain amount of money in case of failure).

See this English text on the definition made in the directive of the EU on digital signatures: http://www.securityfocus.com/infocus/1756

DigitalInvoice (last edited 2009-08-25 19:55:37 by BerndEckenfels)