Glossary
Have you come across an expression which you don't fully understand?
This glossary explains the key terms relating to electronic signatures and encryption.
Duties
Duties of the party sending the invoice
Use the qualified electronic signature
Electronic archiving: in compliance with legal requirements for a period of at least 10 years
Legal principles of the duty of storage
GDPdU (principles of data access and auditability of digital documents)
GoBS (principles of proper IT-based accounting systems)
Section 147 of the German Fiscal Code (AO)
Provide data for the financial authorities
Duties of the invoice recipient
Check the electronic signature and document the check
Electronic archiving: in compliance with legal requirements for a period of at least 10 years
Simple electronic signature
There are different types of simple electronic signature. What they have in common is that a simple signature allows no guaranteed, verifiable inference about the identity of the creator or about the integrity of the message: one cannot determine whether the message is still in its original state or who originally created it. Nor is the simple electronic signature backed by a PKI (Public Key Infrastructure), the system through which digital certificates are issued. Nevertheless, this method of signing now suffices in many cases of electronic communication with official agencies and companies.
Examples of a simple signature:
A scanned signature
Contact information at the bottom of an e-mail with details of an individual, a company, etc.
RSA signature without a certificate
Chip card
See signature card.
Electronic signature
An electronic signature is the hash value of the message, encrypted with the signatory's private key. Only the hash value, not the entire message, is encrypted: encrypting the whole message would be very time-consuming and would improve security only slightly. The integrity and authenticity of the message are verified with the signatory's public key: the recipient decrypts the signature and compares the result with a freshly computed hash value of the original document.
Advanced electronic signature
The advanced electronic signature already makes it possible to identify the signature key owner or an e-mail address and to draw inferences about the integrity of the message. This signature is generated using cryptographic tools; biometric features, e.g. a handwritten signature or a fingerprint, can also be used.
The identity of the signature key owner or e-mail address is either self-certified or certified by a third party (e.g. a trust centre) in a certificate. Any change made to the signed document can be detected: any manipulation renders the signature invalid.
This signature is usually generated locally on the computer using a private key. The private key and the public key are stored on the hard disk or on some other readable medium, e.g. a floppy disk.
E-mails can generally only be signed with an advanced electronic method, e.g. with a signature card or with the widely used PGP (Pretty Good Privacy) signature software.
Examples of an advanced electronic signature:
E-mail signature
Signature generated with a software-based key pair and certificate
Signature based on biometric features (fingerprint, handwritten signature, etc.)
EU signature directive
The EU Signature Directive, agreed late in 1999 and in force since January 2000, regulates the general legal terms for electronic signatures (it distinguishes different forms of electronic signature) and for certain certification services within the European Union. The Directive was transposed into the national law of the EU member states. The German federal government adapted the Signature Act to the Directive; the Signature Act (Act on the General Terms for Electronic Signatures and for Changing Other Regulations, SigG) came into effect in May 2001 after publication in the German Federal Bulletin.
Hash value
A hash value is a practically unique checksum of fixed length (e.g. 128 bits). As long as a document's content is unchanged, the hash algorithm (a mathematical function) produces exactly the same value, however often it is run. Just as a fingerprint almost uniquely identifies a person, a hash value almost uniquely identifies a set of electronic data; the slightest change to the electronic document results in a different hash value.
Hash function
The hash function is needed to generate electronic signatures and to verify the integrity of an electronically signed file. This mathematical function computes a digest of fixed length from a binary file of any size. The document cannot be reconstructed from this checksum, and it is extremely unlikely that a different document yields the same checksum. The hash value is computed by a hash algorithm.
Act on the General Terms for Electronic Signatures and for Changing Other Regulations (SigG)
The updated Signature Act, the Act on the General Terms for Electronic Signatures and for Changing Other Regulations (SigG), which came into effect on May 22, 2001 after publication in the German Federal Bulletin, specifies the general terms under which an electronic signature can be regarded as secure in Germany. It also regulates trust centre liability. The first Signature Act, on which the Act now in force is based, was agreed back in 1997.
Cryptography
As it may be gathered from the name ("crypto" = "I hide" and "graph" = "the writing"), cryptography deals with the encryption of messages.
Multiple signature card
The multiple signature card enables large volumes of electronic data to be signed with a single PIN entry. On the software side, before the signature card is activated (PIN confirmed), the maximum number of signatures that may be generated and/or the maximum period of time during which signatures may be generated must be defined. When either of these two limits is reached, the signature software terminates communication with the signature card.
OCSP (Online Certificate Status Protocol)
The Online Certificate Status Protocol (OCSP) is an Internet protocol for querying the status of X.509 certificates. This is required, for example, when verifying digital signatures, because certificates with which communication partners identify themselves to each other can be revoked (blocked) before their validity period expires. If a certificate is used in a security-critical application, it must be ascertained that it was not blocked at the time the signature was created. OCSP is used to obtain a certificate's current status at any time by querying an information service, the so-called OCSP responder. This service is usually operated by the certificate issuer and states whether a given certificate was issued at all and, if so, whether it carries a lock entry and, if it does, when the lock was imposed. An OCSP response is itself always signed by the trust centre to protect it from manipulation.
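The following is an added example, not code from the glossary's author or from any OCSP responder. It shows the decision the entry describes: given what a responder reports (was the certificate issued at all, does it carry a lock entry, and from when), was the certificate usable at the moment the signature was created? The responder's answer is modelled as a constructed JSON document; real OCSP responses are DER-encoded and signed by the trust centre, and that signature must be verified before the status inside is trusted.

```python
"""Status of a signing certificate at signing time, from an OCSP-style answer.

Added example. The JSON layout, field names and sample dates are constructed
for this illustration and are not part of the OCSP standard.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; 'Z' means UTC, naive values are taken as UTC."""
    if value is None:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


@dataclass
class CertificateStatus:
    issued: bool                              # False: responder does not know this certificate
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    revoked_at: Optional[datetime] = None     # None: no lock entry


def parse_response(text: str) -> CertificateStatus:
    """Read the constructed JSON stand-in for a responder answer."""
    data = json.loads(text)
    if data.get("status") == "unknown":
        return CertificateStatus(issued=False)
    return CertificateStatus(
        issued=True,
        not_before=_ts(data.get("not_before")),
        not_after=_ts(data.get("not_after")),
        revoked_at=_ts(data.get("revoked_at")),
    )


def status_at(status: CertificateStatus, signing_time: datetime) -> str:
    """Return 'good', 'revoked', 'expired', 'not-yet-valid' or 'unknown'.

    The comparison is made against the signing time, not against now: a lock
    imposed after the signature was created does not invalidate that signature,
    whereas a lock imposed before it does."""
    if not status.issued:
        return "unknown"
    if status.not_before is not None and signing_time < status.not_before:
        return "not-yet-valid"
    if status.not_after is not None and signing_time > status.not_after:
        return "expired"
    if status.revoked_at is not None and signing_time >= status.revoked_at:
        return "revoked"
    return "good"


def check(response_text: str, signing_time_iso: str) -> str:
    """Convenience wrapper: responder JSON plus ISO signing time -> status string."""
    return status_at(parse_response(response_text), _ts(signing_time_iso))


# Constructed sample responder answers (not real certificate data).
GOOD = ('{"status": "good", "not_before": "2024-01-01T00:00:00Z", '
        '"not_after": "2026-12-31T23:59:59Z"}')
REVOKED = ('{"status": "revoked", "not_before": "2024-01-01T00:00:00Z", '
           '"not_after": "2026-12-31T23:59:59Z", "revoked_at": "2025-06-01T12:00:00Z"}')
UNKNOWN = '{"status": "unknown"}'

if __name__ == "__main__":
    for name, resp in (("good", GOOD), ("revoked", REVOKED), ("unknown", UNKNOWN)):
        print(name, check(resp, "2025-03-01T10:00:00Z"), check(resp, "2025-07-01T10:00:00Z"))
```

Only the answer "good" should lead to the signature being accepted; "unknown" is a rejection, not a shrug. Note that the comparison is only as good as the signing time fed into it: if that time comes from the signer's own clock it can be backdated, which is why a trust centre's timestamp service (see Certification service providers) is used to fix the signing moment.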
Qualified electronic signature
nexMart provides only the superior, qualified electronic signature. Unlike the simple and advanced signatures, this signature is generated not on the computer but on a signature card. In legal transactions the qualified electronic signature has the same binding legal effect as a handwritten signature, unless the law provides otherwise. As with the advanced electronic signature, any manipulation renders the signature invalid. The PKI, however, is always guaranteed by the trust centre that confirms the certificates issued.
With the qualified electronic signature, the qualified certificate serves two purposes: it is uniquely associated with the signature key owner, and it allows the certificate's validity to be verified. Strictly speaking, then, this method should be called the "electronic signature with qualified certificate"; for the sake of simplicity, however, one refers to a "qualified electronic signature" or "qualified signature".
The qualified certificate holds the public key belonging to the certificate owner (the signatory) and other details such as the certificate owner's name and the key pair's validity period. The so-called user certificate is signed by a certification service provider, a trust centre. The trust centre itself also possesses a certificate, the so-called root certificate. This is signed by the trust centre itself and, in turn, it is used to verify the integrity of the user certificate.
The future owner of a key pair for generating qualified signatures is given the key pair when they apply to a trust centre. Qualified certificates are only issued to individuals, not to legal entities. The trust centre needs to run an extensive applicant identification process.
When submitting the application, the applicant can restrict the legal effects of the certificate. For example, the applicant may specify that the certificate is to be used only for signing outgoing invoices, so that invoices signed with it later on carry legal effect, but contracts, for example, do not.
Once the application has been successful, the signature key pair is generated using technical components that ensure that the keys occur only once and are only saved in the secure signature generation unit. This is the signature card, and there is no way the private key can be read from it. The trust centre ensures that the validity of the certificate can be accessed online and that it is kept verifiable.
PKI (Public Key Infrastructure)
A Public Key Infrastructure is an "organisational/technical" environment in which certificates are administered by certification service providers. The "organisational/technical" environment is characterised by certain technologies, standards and defined security requirements.
Qualified electronic signature with provider accreditation
The qualified electronic signature with provider accreditation differs technically from the qualified electronic signature in the root certificate. With provider accreditation, the root certificate is always issued by the German Federal Network Agency (BNetzA), which thus forms the top-most instance in the certificate chain.
Certification service providers that wish to undergo provider accreditation must provide evidence of their security as a trust centre before they commence business, and they are also audited in this respect; one therefore speaks of 'verified security'. The Federal Network Agency certifies this with a special trust mark. Trust centres that merely issue qualified certificates, by contrast, must be able to provide evidence of their security before they commence business, but they are only audited after they have commenced business.
A further difference between a qualified certificate and a qualified certificate with provider accreditation lies in how long the certificates a trust centre issues must legally remain verifiable. The validity of qualified certificates must be kept verifiable for audit purposes for a further five years after the certificate has expired; for qualified certificates with provider accreditation, for 30 years after expiry. Moreover, if a trust centre with provider accreditation ceases business, the Federal Network Agency takes over responsibility for verifying the validity of its certificates for the legally prescribed period.
Signature Ordinance (SigV)
The Signature Ordinance regulates the procedures and the technical requirements for electronic signatures under the Signature Act.
Signature card
A signature card contains a crypto chip. It stores the private signature key, and the private encryption and authentication keys, in a form that cannot be read out. A signature card for generating electronic signatures with a qualified certificate (a qualified signature) can only be applied for by an individual and belongs only to that individual. Signature cards for generating qualified signatures are issued by certification service providers (CSPs), the so-called trust centres.
Registration agencies
Registration agencies act as intermediaries between individuals who wish to have a signature key pair and the trust centre that issues them. The registration agency checks the applicant's identity, passes it to the trust centre, and later passes the signature key pair to the applicant, e.g. on a signature card.
Software-based certificate
A software-based certificate is a PKCS #12 file (file extensions .p12 and .pfx) which holds the signature certificate and the private key. In contrast to the signature card, software-based certificates can be duplicated any number of times and stored on different media (e.g. USB stick, hard disk). Access to the PKCS #12 file is password-protected.
SSL (Secure Sockets Layer)
SSL is a widely used protocol for encrypting data in transit. It was developed by Netscape and is meant to ensure secure data traffic over the Internet.
Batch signature
A batch signature enables multiple files to be signed in a single batch while entering the PIN only once. A prerequisite is, e.g., the use of a signature card that permits multiple signatures to be generated after a single PIN confirmation (a multiple signature card).
Trust centre
See certification service provider.
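The following is an added example, not nexMart's or any card vendor's software, covering the multiple signature card and the batch signature entries above. The card is modelled by a small class whose non-readable private key is an HMAC secret (a stand-in; a real card holds an RSA or ECC key inside the crypto chip). The software side fixes the two limits before the PIN is confirmed and terminates communication with the card as soon as either limit is reached; a fake clock makes the time limit testable offline.

```python
"""Batch signing with a multiple signature card: one PIN entry, then signing
bounded by a maximum signature count and a maximum time window.

Added example. Card, PIN, secret and invoice names are constructed stand-ins.
"""
import hashlib
import hmac
import time


class CardLockedError(Exception):
    """The session is closed; the card must be activated again with the PIN."""


class MultipleSignatureCard:
    """Stand-in for the signature card (constructed for this example)."""

    def __init__(self, pin: str, secret: bytes):
        self._pin = pin.encode()
        self._secret = secret          # plays the role of the non-readable private key
        self._active = False

    def activate(self, pin: str) -> None:
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("wrong PIN")
        self._active = True

    def deactivate(self) -> None:
        self._active = False

    def sign(self, document: bytes) -> str:
        if not self._active:
            raise CardLockedError("card is not activated")
        digest = hashlib.sha256(document).digest()      # hash first, then sign the hash
        return hmac.new(self._secret, digest, "sha256").hexdigest()


class FakeClock:
    """Deterministic clock so the time limit can be exercised offline."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class BatchSigner:
    """Software side: limits are fixed before the PIN is confirmed, and the
    session is terminated as soon as either limit is reached."""

    def __init__(self, card, max_signatures: int, max_seconds: float,
                 clock=time.monotonic):
        if max_signatures < 1 or max_seconds <= 0:
            raise ValueError("both limits must be defined before activating the card")
        self.card = card
        self.max_signatures = max_signatures
        self.max_seconds = max_seconds
        self._clock = clock
        self._count = 0
        self._started = None

    @property
    def active(self) -> bool:
        return self._started is not None

    def start(self, pin: str) -> None:
        """The single PIN entry for the whole batch."""
        self.card.activate(pin)
        self._count = 0
        self._started = self._clock()

    def _within_limits(self) -> bool:
        return (self.active
                and self._count < self.max_signatures
                and self._clock() - self._started < self.max_seconds)

    def finish(self) -> None:
        """Terminate communication with the card."""
        self.card.deactivate()
        self._started = None

    def sign_batch(self, documents):
        """Sign as many documents as the limits allow; stop and lock the card at
        the first limit hit. Returns only the signatures actually produced."""
        signatures = []
        for doc in documents:
            if not self._within_limits():
                self.finish()
                break
            signatures.append(self.card.sign(doc))
            self._count += 1
        return signatures


def demo():
    clock = FakeClock()
    card = MultipleSignatureCard(pin="1234", secret=b"constructed-toy-secret")
    signer = BatchSigner(card, max_signatures=3, max_seconds=60, clock=clock)
    signer.start("1234")                      # one PIN entry for the batch
    first = signer.sign_batch([b"invoice-1", b"invoice-2", b"invoice-3", b"invoice-4"])
    locked_by_count = not signer.active       # 4th file hit the count limit
    signer.start("1234")                      # new PIN entry, new session
    clock.advance(61)                         # window elapsed before the next file
    second = signer.sign_batch([b"invoice-5"])
    locked_by_time = not signer.active
    return len(first), locked_by_count, len(second), locked_by_time
```

The caller has to inspect how many signatures came back rather than assume the whole batch was signed; the files left over need a fresh PIN entry, which is exactly the control the limits are there to enforce.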
Symmetric encryption procedure
With symmetric encryption, the same key is used both to encrypt and to decrypt. Its benefit is speed: symmetric encryption and decryption are extremely fast. Since anyone holding the key can decrypt, the key must be kept secret, and it is recommended that it be changed frequently.
Encryption
Encryption refers to the use of a cryptographic algorithm (a mathematical function) together with a special key for enciphering. Information is converted into data that can no longer be read or understood, which keeps it secret from third parties. The simplest example is the Caesar cipher, in which every letter is moved 4 places down the alphabet, so that the word "Billy" becomes the word "Xmppc". Here the secret key would be: "Move the letters 4 places down."
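The following is an added example, not from the glossary's author, covering the symmetric encryption and encryption entries above. The key is the shift amount; decryption is the same function with the shift reversed, which is what makes the procedure symmetric. One detail to be aware of: a uniform shift of 4 forward turns "Billy" into "Fmppc", and 4 backward into "Xehhu"; the entry's "Xmppc" shifts the capital B one way and the remaining letters the other.

```python
"""Caesar shift as the simplest symmetric cipher: one secret key for both directions.

Added example; the sample words are the glossary's own and the functions are constructed here.
"""


def caesar(text: str, key: int) -> str:
    """Move each ASCII letter `key` places along the alphabet, wrapping around.
    Case is preserved; digits, spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar(ciphertext, -key)      # same key, opposite direction


def all_candidates(ciphertext: str) -> dict:
    """Why this cipher keeps nothing secret: the key space has only 26 members,
    so every possible plaintext can be listed without knowing the key."""
    return {k: decrypt(ciphertext, k) for k in range(26)}


if __name__ == "__main__":
    ct = encrypt("Billy", 4)
    print(ct, decrypt(ct, 4))
    print(all_candidates(ct)[4])
```

The `all_candidates` function is the reason the entry's closing advice matters: when the key space is this small, secrecy rests entirely on the key being unguessable, which a 26-way choice never is. Modern symmetric ciphers have key spaces of 2^128 or more precisely so that this enumeration is impossible.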
Certification service providers (CSPs)
Certification service providers (CSPs), also known as trust centres, ensure the overall security of the Public Key Infrastructure (PKI). They are the principal trust institutions, because they reliably bind a key pair to an individual. The trust centre issues the public and private keys (the signature key pair) to the participants and verifies the applicants' identity for this purpose. The assignment of an individual to a public key is thus established by the trust centre and attested by a certificate that includes, e.g., the public key and details of the individual. A trust centre provides further services such as the directory service, the blocking service and the timestamp service. Trust centre operators include, e.g., D-TRUST GmbH (a fully-owned subsidiary of the German Federal Printing Agency), S-TRUST (Deutscher Sparkassen Verlag GmbH), Signtrust (Deutsche Post AG) and Telesec (Deutsche Telekom AG). In Germany there is the option of voluntary accreditation through the Federal Network Agency (www.BNetzA.de), which then acts as the root certification agency and, in turn, issues signature key pairs and the associated certificates to the trust centres.
Certificate
A certificate is a public key together with details such as the owner, the issuer, the key usage and the validity period. A certificate is usually signed by the certification service provider. With signed messages, the signatory's certificate is usually sent along with the message. Most certificates are in the X.509 or PGP format.
Federal Network Agency (BNetzA)
The German Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways (BNetzA) regulates the telecommunications and postal markets. Under the Signature Act, the BNetzA is the responsible body: after running a check, it generates signature key pairs for certification service providers that undergo voluntary accreditation and issues the relevant certificates and a trust mark. In this respect the agency acts as the root instance. Companies producing signature software must show the BNetzA that they comply with the Signature Act by providing a producer declaration. The BNetzA comes under the Federal Ministry of Economics and is based in Bonn. www.BNetzA.de
Asymmetric encryption procedure
The asymmetric encryption procedure works with two different keys: the secret private key and the generally accessible public key. The two belong together, but the private key cannot be derived from the public key. The keys are chosen so that a message encrypted with the public key can only be deciphered with the private key and, conversely, a message encrypted with the private key can only be decoded with the public key. Asymmetric encryption is used, e.g., when generating and verifying electronic signatures.
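The following is an added example, not nexMart's or any trust centre's code, covering the entries Electronic signature, Hash value, Hash function and Asymmetric encryption procedure. It builds a deliberately tiny textbook RSA key pair from two known Mersenne primes so that it runs offline and deterministically; it has no padding, no random primes and no real security, and serves only to show the mechanics: hash the document (SHA-256 here, so 256 bits rather than the entry's 128-bit example), transform the hash with the private key, check it with the public key, and observe that a one-character edit breaks verification. The same key pair then encrypts in the other direction.

```python
"""Hash-then-sign and public-key encryption with a toy textbook RSA.

Added example. The key pair below is constructed for illustration only
(Mersenne primes, no padding); never use anything like it in practice.
"""
import hashlib

P = 2**521 - 1          # Mersenne prime M521 (toy key, assumption for this example)
Q = 2**127 - 1          # Mersenne prime M127
N = P * Q               # modulus, far larger than any 256-bit hash value
E = 65537               # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def hash_value(document: bytes) -> int:
    """Fixed-length checksum of the document (SHA-256), as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Electronic signature: the hash value, not the document, is transformed
    with the private key."""
    n, d = private_key
    return pow(hash_value(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Undo the private-key step with the public key and compare the result
    with a freshly computed hash of the document presented."""
    n, e = public_key
    return pow(signature, e, n) == hash_value(document)


def encrypt(message: bytes, public_key) -> int:
    """Asymmetric encryption in the other direction: public key encrypts,
    only the private key can decrypt. Message must fit below the modulus."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Leading zero bytes of the original message are not recoverable here;
    real schemes use padding (OAEP) to fix the length."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    invoice = b"Invoice 4711: 1,000.00 EUR"          # constructed sample document
    sig = sign(invoice, PRIVATE_KEY)
    genuine = verify(invoice, sig, PUBLIC_KEY)
    tampered = verify(b"Invoice 4711: 9,000.00 EUR", sig, PUBLIC_KEY)
    # the hash value changes completely on the smallest edit
    avalanche = hashlib.sha256(invoice).hexdigest() != hashlib.sha256(invoice + b" ").hexdigest()
    secret = decrypt(encrypt(b"PIN 1234", PUBLIC_KEY), PRIVATE_KEY)
    return genuine, tampered, avalanche, secret


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: the verifier never needs the private key, only the certificate holding the public key, and the signature is bound to the exact bytes hashed, so an attacker who changes the amount must also produce a new signature, which requires the private key kept on the signature card.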
