De-Mail

De-Mail (pronounced "deh-ee-mail") is the name of a means of communication that is based on e-mail technology but technically separate from it, intended for "secure, confidential and verifiable" communication on the Internet. The De-Mail law goes back to a project initiated by the German Federal Ministry of the Interior that initially ran under the name "citizen portals" (Bürgerportale). De-Mail is generally implemented and operated by private companies, the De-Mail service providers (colloquially also: De-Mail providers).


Background

The main objective of De-Mail is the confidential, secure and verifiable sending and receiving of messages and documents over the Internet, establishing an electronic counterpart to today's postal mail. The citizen portals project, later De-Mail, also responded to the lack of acceptance of the so-called electronic court and administration mailbox (EGVP). Back in 2006, Raoul Fair criticised that the alleged security benefits of the EGVP system, which is based on the internationally completely unknown OSCI protocol, are just as achievable with the e-mail specifications (SMTP, S/MIME), so that there is no need for government-mandated compulsory communication via the EGVP system and its proprietary OSCI standard. De-Mail partly takes up this criticism and intends to allow private providers to offer secure and legally binding e-mail communication based on international standards. According to the Technical Guideline, end-to-end encryption is an additional option. The state does not provide the De-Mail service itself; rather, certified providers are entrusted with it. These providers are "Beliehene" (private entities entrusted with sovereign tasks) and thus act in a sovereign capacity insofar as they carry out official deliveries.

The German Federal Government considers itself obliged to introduce De-Mail by the transposition of the EU Services Directive into national law. The Directive requires public bodies to accept electronic communication as a binding medium by the end of 2009.

Scope of services

The De-Mail mailbox and dispatch service is the central service for reliable and confidential communication. De-Mail is complemented by trusted document storage (De-Safe) and reliable proof of identity (De-Ident).

De-Mail mailbox and dispatch service

Via the central De-Mail service, citizens, businesses and administrations can communicate electronically in a reliable, confidential and cost-effective manner. Secure communication relies mainly on TLS-secured communication channels (transport encryption).

De-Mail offers different dispatch methods that can be used independently of each other:

In addition, a sender can choose the following options before sending a De-Mail:

Furthermore, the sender can additionally sign (with a qualified signature) or end-to-end encrypt the message components using his own existing means. De-Mail providers are obliged to provide a directory service in which users can store, among other things, encryption certificates under their De-Mail addresses.

The dispatch methods and options are listed as headers in the final document.

De-Mail user accounts and addresses

De-Mail can be used both by natural persons, i.e. citizens, and by legal persons such as companies, partnerships or public bodies, i.e. authorities and ministries. To open a De-Mail account, users must first register once with their provider and be identified. A new registration is required for each address and whenever the name changes. For natural persons, all passport data such as first and last name, registered address and date of birth are recorded at registration, in accordance with the Money Laundering Act. For identification they present, for example, their identity card to the provider. For legal persons (for example companies, organisations or public bodies) the data of the authorised natural persons is recorded in addition to the information on the legal person itself. For identification, a duly authorised person such as the managing director or an authorised representative presents an extract from the commercial register to the provider.

Since reliable initial registration is the basis for the required identification of the communication partner, only methods that meet high security requirements are accepted, for example identification via the electronic identity card or by another form of identity verification. These security requirements are comparable to those for opening a bank account.

Each De-Mail account is assigned at least one De-Mail address in the form of an e-mail address. The addresses of a legal person must contain its name, i.e. the company name. Natural persons may additionally maintain addresses under a pseudonym, but the pseudonym must be recognisable as such.

The address of a natural person is expected to follow the pattern <name>@<provider>.de-mail.de, as in the example erika.mustermann@provider-XYZ.de-mail.de. If a name occurs several times at the same De-Mail provider, a dot and a number are appended to the address. Pseudonymous addresses are to be marked by the prefix PN_ before the name. Legal persons are to receive their own domain of the form <name>.de-mail.de as the namespace for their De-Mail addresses. This allows the legal person to set up various sub-accounts, for example under the names of individual employees or departments.

De-Ident

As part of the De-Mail services there is an easy way to prove one's identity. At the user's request, the De-Mail provider creates an ident confirmation, which is then sent by De-Mail to the recipient's De-Mail address. This is intended, for example, to allow citizens to prove that they are over 18 when registering at online shops. The De-Mail provider signs this content with a qualified signature to confirm the correctness of the transmitted data. The procedure is set out in a further technical guideline.

De-Safe

A common requirement is to store important documents securely in electronic form. For this purpose, De-Mail providers are to offer document safes that allow long-term storage and protect against loss and falsification. Here too, all documents handed over to the safe are encrypted and integrity-protected immediately on receipt. The procedure is set out in a further technical guideline. Statutory requirements for the archiving or retention of documents, for example under § 147 of the Tax Code (AO), are not met by this service.

Login to the De-Mail account

The basis for using the De-Mail services is logging in to the user's De-Mail account. The De-Mail law distinguishes two security levels:

The sender of a De-Mail may require that the recipient be securely logged in, in the above sense, before receiving the message (§ 5 para. 4 De-Mail-G); likewise he may require his provider to make clear to the recipient that he (the sender) was securely logged in (§ 5 para. 5 De-Mail-G). A secure login is required to set up automatic forwarding to another De-Mail address (§ 5 para. 11 De-Mail-G). When using the document safe, the user can specify for each individual file whether it may be used only after a secure login or also without this requirement (§ 8 para. 3 De-Mail-G).

Accredited service provider

Accreditation process

§ 17 De-Mail-G provides that, as part of accreditation by the Federal Office for Information Security (BSI), De-Mail providers must prove the implementation of technical and organisational measures, for example measures that prevent internal or external access to the data by unauthorised persons.

These include, on the one hand, proof of functionality, interoperability and security and, on the other, proof of data protection. The requirements to be met for functionality and interoperability are defined in BSI Technical Guideline TR-01201 [TR-DM], which covers the following areas: IT basic infrastructure, account management, mailbox and dispatch service, identification service (light), document safe (light), and security. An auditor's report is prepared for the examination of these requirements and reviewed by the BSI. On successful examination, a certificate is issued and, at the provider's request, published on the BSI website.

To meet the security requirements, an ISO 27001 certification based on IT-Grundschutz (IT baseline protection), supplemented by De-Mail-specific requirements, must be carried out. For this the auditor prepares an audit report, which is examined by the BSI. Again, on successful examination a certificate is issued, which is published on request.

For accreditation, the De-Mail provider must also demonstrate that it meets the data protection requirements. This proof must be provided by a certificate from the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For this, the De-Mail provider must submit an expert opinion to the BfDI. The BfDI's criteria form the basis for the evaluation.

Accreditation as a De-Mail service provider is not mandatory; however, it offers the service provider the advantage of a quality mark that indicates its accreditation to users. Moreover, messages are usually exchanged only between accredited De-Mail providers. For this, providers must also demonstrate that they offer the De-Mail services interoperably (i.e. that they work together seamlessly at the technical level with the other De-Mail providers).

Detailed and current information on the certification and accreditation procedures is published on the BSI website, as are the technical specifications.

Approved auditors and inspection bodies

The BSI has published on its website the auditors for the audit of IT security, interoperability and functionality. For the data protection audit, which is required in addition to the technical examination, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) takes a different approach: the reviewers for the data protection audit are expert bodies for data protection that are recognised by the federal government or a state, or publicly appointed or sworn. They must be qualified in both legal and technical matters. Currently, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD) is one such approved body.

Providers in the accreditation process

At CeBIT 2012, two companies, Mentana-Claimsoft GmbH (a subsidiary of Francotyp-Postalia) and Deutsche Telekom AG, were accredited by the Federal Office for Information Security (BSI) as De-Mail service providers. In March 2013, United Internet AG followed; under the name 1&1 De-Mail GmbH it offers De-Mail products for GMX and WEB.DE as well as a business solution from 1&1.

Access opening and use

Use of the service by citizens is to be voluntary. The transfer of electronic documents from business and government to consumers is permissible only if the recipient has opened access for this (so-called access opening, Zugangseröffnung). § 7 para. 3 of the De-Mail law defines that "the publication of the De-Mail address in the directory service at the request of a user who is a consumer ... alone ... does not constitute a grant of access within the meaning of § 3 paragraph 1 of the Administrative Procedure Act, § 36a paragraph 1 of the First Book of the Social Code or § 87a paragraph 1 sentence 1 of the Tax Code". The consumer must explicitly declare consent to delivery. The following paths are open to him:

1. The consumer contacts the company or institution by De-Mail. It can then reply to his request by the same route.

2. The consumer declares in another way that companies and authorities may reach him at his De-Mail address. This declaration could, for example, be made via a web platform that helps consumers manage the access openings they have granted.

Access openings can also be withdrawn.

Both the establishment of a mailbox and the sending of messages and dispatch notifications may be subject to a fee. A prerequisite for the introduction of the service is the conclusion of the legislative process for the De-Mail law with the consent of the federal states.

Security

De-Mail differs from unencrypted e-mail in that messages are sent encrypted section by section (hop by hop).

However, the existing technical standards are not to be extended for the operation of De-Mail; rather, the additional security is to be built from the mandatory use of standard functions that are actually considered optional and are rarely used in full in practice:

  • An integral part of De-Mail is mandatory authentication, so that the systems of sender and recipient can be sure of the identity of the other side. One possibility for this is the use of digital certificates.
  • Section-wise encryption of the transmission paths is to provide security against access by unauthorised persons.

For particularly high demands on the confidentiality of messages, De-Mail users can, as with conventional e-mail, additionally encrypt the content transmitted with De-Mail themselves (so-called "end-to-end encryption"). In this case encryption is performed on the sender's computer and the content is decrypted only on the recipient's machine. This may require the installation of additional software that performs the encryption and decryption. The directory service, which De-Mail service providers must offer, supports users by making their public keys available to other users. It should thus be possible to find the public keys of the people one wishes to communicate with at a central location and with confidence. Until now this has been very difficult and is the essential "stumbling block" for the spread of end-to-end encryption methods ("Where do I find the valid encryption key of my communication partner?"). In this way De-Mail is intended to support and encourage the use of end-to-end encryption.

Users can also use S/MIME or OpenPGP to implement end-to-end security. The main security functions are summarised in a document of the Federal Ministry of the Interior (BMI).

Criticism

In 2011 there was criticism of the system: the Chaos Computer Club and other experts gave De-Mail a devastating assessment in terms of security. The central point of criticism is the lack of end-to-end encryption, which grants the De-Mail providers, police, intelligence services and potential attackers access to the unencrypted communication data. The proposed softening of administrative laws, intended to make the use of De-Mail in e-government legally possible in future despite this defect, would henceforth expose sensitive data of citizens to an unacceptable risk.

Linus Neumann, who in 2013 was commissioned as an IT expert on the De-Mail topic in the Bundestag, presented a comprehensive analysis of De-Mail at the 30th Chaos Communication Congress (30C3). In his talk titled "Bullshit made in Germany" he found clear words: De-Mail is deliberately built insecure to allow German intelligence services to spy on German citizens. On the sender and recipient sides, and in between on the servers of the De-Mail providers, providers or hackers could theoretically read the messages. Many features such as the automatic virus scan are, on closer inspection, no argument for use, but rather the opposite: because of the few servers holding sensitive data, the attractiveness of an attack from a hacker's point of view even increases.

Technical concept

The technical concept is described within the technical guidelines that are published on the BSI website.

Standard transport security

Both the communication of De-Mail users with their De-Mail provider and the communication of De-Mail providers with each other always run over TLS-secured communication channels. If the level of security thereby achieved is not sufficient for a user, he can additionally end-to-end encrypt his messages or documents and/or sign the content (with a qualified signature).

Sending the message from the sender to the De -Mail provider

The message is transmitted from the user's web or messaging client to the provider's mailbox service.

Checking and completing the metadata

Immediately after receiving the message from the sender, the De-Mail provider checks the metadata transmitted with the message. Among other things, the De-Mail address given as the sender address in the message must be assigned to the De-Mail account from which the message was sent. Also, the sender's authentication level must be at least "high" if he has selected the De-Mail-specific dispatch option "sender confirmed". After the metadata has been checked, the message content is checked for malware. The sender's De-Mail provider then adds further metadata, including the current time.

Integrity protection and encryption

To secure integrity, the sender's De-Mail provider adds a hash value to the message, including its metadata. A hash value alone, however, is no integrity protection in the sense of a message authentication code. For messages sent with the dispatch option "sender confirmed", the hash value is additionally signed by the provider with a qualified electronic signature, and the signature is stored in the message's metadata (header).

The De-Mail provider then encrypts the message content both for itself and for the recipient's De-Mail provider.

Dispatch confirmation

Immediately before the message is transferred to the recipient(s), the sender's De-Mail provider issues, if requested by the sender, a dispatch confirmation signed with a qualified signature. The dispatch confirmation is sent to the sender as an attachment to a De-Mail.

The dispatch confirmation contains, among other things, the hash value of the original message and the time of dispatch. This allows the sender to prove to third parties that he sent the referenced message at a given time.

Transmission of the message to the recipient's De-Mail provider

The De-Mail is transferred from the sender's De-Mail provider to the recipient's De-Mail provider using SMTP over TLS. After accepting the message, the recipient's provider temporarily decrypts a copy of the message and checks the message integrity. Any forwarding that has been set up is processed. The recipient's provider then stores the encrypted message in the recipient's mailbox and discards the decrypted copy.

Confirmation of receipt

Immediately after filing the message in the recipient's mailbox, the recipient's De-Mail provider issues a confirmation of receipt to the sender of the message, if the sender has requested it. In its technical guideline the BSI also calls this confirmation an acknowledgement of receipt. The De-Mail provider signs the acknowledgement with a qualified signature and sends it back to the sender as an attachment to a De-Mail. The confirmation contains, among other things, the hash value of the original message and the time at which the message was filed in the recipient's mailbox. With the confirmation of receipt, the sender of the original message can prove to third parties that the recipient had access to a particular message at a particular time.
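The provider-side steps described above (metadata check, timestamp and hash, signature on the hash for "sender confirmed" messages, dispatch confirmation, confirmation of receipt) can be followed in a small model. The following is an added illustration written for this article; it is not De-Mail software and not the BSI guideline. It assumes that an HMAC under a provider key stands in for the provider's qualified electronic signature (real providers use certificate-based qualified signatures), and all accounts, keys, addresses and messages in it are constructed. It also makes concrete the remark that a bare hash is no integrity protection: whoever changes the content can recompute the hash, but cannot produce a matching signature.

```python
"""Model of the provider-side processing steps in the De-Mail technical
concept. Added illustration, not De-Mail code. Assumption: HMAC-SHA256 under
a provider key stands in for the qualified electronic signature."""
import hashlib
import hmac


def content_hash(content: bytes) -> str:
    """Hash value the sender's provider adds to the message."""
    return hashlib.sha256(content).hexdigest()


def provider_sign(key: bytes, *fields: str) -> str:
    """Stand-in for a provider's qualified signature (assumption: HMAC-SHA256)."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def check_metadata(message: dict, session: dict, accounts: dict) -> list:
    """Checks run immediately after the message arrives from the sender.
    Returns a list of violations; an empty list means the message passes."""
    problems = []
    if accounts.get(message["from"]) != session["account"]:
        problems.append("sender address is not assigned to the logged-in account")
    if "sender_confirmed" in message["options"] and session["auth_level"] != "high":
        problems.append("option 'sender confirmed' requires authentication level 'high'")
    return problems


def accept_message(message: dict, session: dict, accounts: dict,
                   provider_key: bytes, now: str) -> dict:
    """Sender's provider: check metadata, add timestamp and hash, and sign the
    hash for 'sender confirmed' messages. The malware scan that sits between
    the metadata check and the hashing step is not modelled."""
    problems = check_metadata(message, session, accounts)
    if problems:
        raise ValueError("; ".join(problems))
    meta = {"submitted_at": now, "hash": content_hash(message["content"])}
    if "sender_confirmed" in message["options"]:
        meta["signature"] = provider_sign(provider_key, meta["hash"],
                                          meta["submitted_at"], message["from"])
    return {**message, "meta": meta}


def hash_matches(message: dict) -> bool:
    """Bare hash check: detects accidental corruption only, because anyone who
    changes the content can recompute the hash (no MAC, no signature)."""
    return content_hash(message["content"]) == message["meta"]["hash"]


def signature_matches(message: dict, provider_key: bytes) -> bool:
    """Signed-hash check: changed content no longer fits the stored signature."""
    meta = message["meta"]
    expected = provider_sign(provider_key, content_hash(message["content"]),
                             meta["submitted_at"], message["from"])
    return hmac.compare_digest(expected, meta.get("signature", ""))


CONF_FIELDS = ("kind", "hash", "from", "to", "time")


def confirmation(kind: str, message: dict, provider_key: bytes, time: str) -> dict:
    """Dispatch confirmation (kind='dispatch', issued by the sender's provider
    just before transfer) or confirmation of receipt (kind='receipt', issued by
    the recipient's provider after filing): hash of the original message,
    addresses and time, signed by the issuing provider."""
    conf = {"kind": kind, "hash": message["meta"]["hash"],
            "from": message["from"], "to": message["to"], "time": time}
    conf["signature"] = provider_sign(provider_key, *(conf[k] for k in CONF_FIELDS))
    return conf


def confirmation_valid(conf: dict, provider_key: bytes) -> bool:
    """What a third party holding the provider's verification key checks."""
    expected = provider_sign(provider_key, *(conf[k] for k in CONF_FIELDS))
    return hmac.compare_digest(expected, conf["signature"])


if __name__ == "__main__":
    # Constructed sample data: one account at the sender's provider.
    accounts = {"erika.mustermann@provider-xyz.de-mail.de": "acc-001"}
    session = {"account": "acc-001", "auth_level": "high"}
    key = b"provider-xyz-signing-key"  # constructed
    message = {"from": "erika.mustermann@provider-xyz.de-mail.de",
               "to": "max.mustermann@provider-abc.de-mail.de",
               "options": ["sender_confirmed"], "content": b"Kuendigung zum 31.12."}
    accepted = accept_message(message, session, accounts, key, "2012-09-01T12:00:00Z")
    dispatch = confirmation("dispatch", accepted, key, "2012-09-01T12:00:05Z")
    print("dispatch confirmation valid:", confirmation_valid(dispatch, key))
    # Content altered in transit and the hash recomputed: the bare hash still
    # matches, the signed hash does not.
    altered_content = b"Kuendigung zum 30.06."
    altered = {**accepted, "content": altered_content,
               "meta": {**accepted["meta"], "hash": content_hash(altered_content)}}
    print("hash matches:", hash_matches(altered),
          "signature matches:", signature_matches(altered, key))
```

The confirmations deliberately carry only the hash of the message, not the message itself, which is what lets the sender show a third party "this message at this time" later without the confirming provider having to keep the content.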

Protocols and data formats of De-Mail

For De-Mail communication, two communication routes are relevant: firstly the route between the user and his De-Mail provider, and secondly the "internal" route between two De-Mail providers.

For the communication channel between user and provider, the security requirement is that communication must take place over a mutually authenticated and confidential channel such as SSL/TLS. This can also be realised via OSCI-Transport. The technical implementation, and thus the choice of transport protocol and data formats, may be agreed individually between De-Mail providers and users. In principle, different protocols and data formats, and thus different client applications, may be used on the sender and recipient sides. De-Mail providers must support at least web browsers with HTTPS as client applications. In addition, e-mail clients using SMTP for sending and POP3 or IMAP for receiving messages, each over a secured communication channel, are also possible.

In contrast to the channel between user and De-Mail provider, the protocols and data formats between two De-Mail providers are specified exactly, so that all providers can communicate with each other uniformly (interoperably). SSL/TLS is always used to secure the communication between two De-Mail providers. Over this encrypted channel, SMTP is used to deliver messages, and the standard e-mail format (Internet Message Format) is used as the data format.

Status

The "Citizen Portal" project is being implemented by the German federal government together with private-sector partners. The project was first presented publicly at the IT summit in Darmstadt in November 2008. On 4 February 2009 the federal government adopted a bill.

Instead of the previous bill on the regulation of citizen portals, a new bill entitled "Draft law on the regulation of De-Mail services and amending other provisions (De-Mail law)" was then circulated to federations and associations for comment.

In September 2009 the Financial Times Deutschland reported that Deutsche Post AG was delaying the legislative process in order to give its own e-mail letter service a head start.

A De-Mail pilot project in the Friedrichshafen area ran for half a year (October 2009 to March 2010). The pilot systems remain available to the previous users.

In the following year, the De-Mail law (Law on the regulation of De-Mail services and amending other provisions of 28 April 2011) was adopted and entered into force on 3 May 2011.

The introduction of De-Mail was originally planned for spring/summer 2011 but was delayed. The BSI justified this with the lengthy certification process for the services submitted for testing by the future De-Mail providers.

In December 2011 the BSI announced by press release that it had "granted Mentana-Claimsoft AG an ISO 27001 certificate based on IT-Grundschutz". The certificate covers additional aspects of Technical Guideline TR 01201 De-Mail. The company is the first to meet the security requirements necessary for accreditation. On 3 February 2012 Peter Schaar, the BfDI (Federal Commissioner for Data Protection and Freedom of Information), announced by press release that he had also issued this company a data protection certificate for the De-Mail service planned there.

Deutsche Telekom announced in March 2012 that it would start the service for large companies in the same month. Small and medium-sized businesses and private customers have been able to use it since 31 August 2012. After Deutsche Post could not prevail with the legislator with its e-mail letter as the default, it also wanted to offer De-Mail from December 2012. In April 2013 Deutsche Post backed down and abandoned its De-Mail plans.

The internet provider 1&1 also wanted to offer a service for business customers after successful BSI accreditation in the second half of 2012 [outdated].

In 2012 the services GMX and WEB.DE (both United Internet AG) announced that they would offer De-Mail, but would have to wait for successful accreditation, which was then granted to them in March 2013.

Criticism

Technical concept

De-Mail uses mutually authenticated and encrypted communication channels to secure communication both between users and providers and between two providers. During dispatch, the message content is therefore integrity-protected and encrypted for the recipient's provider only at the provider's side. Furthermore, the recipient's provider must decrypt, verify and re-encrypt the message content before transmitting it to the recipient. This is therefore not so-called end-to-end encryption.

However, the user can also sign and end-to-end encrypt De-Mail messages himself. De-Mail supports this, among other things, through a directory service in which users can publish their own encryption certificates. A verification service for qualified electronic signatures is intended to help users easily verify electronic signatures.

If a message is not encrypted by the user, it is in principle possible for the provider's employees to read or alter the messages. This risk is to be addressed by technical and organisational measures that are checked in the certification process. Thus the provider must demonstrate, inter alia, through the implementation of a suitable role concept and other technical measures, that individual employees of a provider cannot access users' messages.
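The difference between the section-wise (transport) encryption described in the "Security" section and the optional end-to-end layer discussed here comes down to who holds which key. The following added illustration, written for this article and not part of De-Mail or any provider's software, carries one message over the three sections (user to sender's provider, provider to provider, recipient's provider to user) and records what each provider can see after removing its own transport layer. It assumes a toy XOR keystream cipher in place of both TLS and the user's S/MIME or OpenPGP layer, and a symmetric stand-in for the recipient's published encryption certificate in the directory service; link keys, the directory entry and the message are constructed.

```python
"""Transport-only versus end-to-end confidentiality over De-Mail's three
sections. Added illustration, not De-Mail code. Assumption: a toy XOR
keystream cipher stands in for TLS and for the user's own encryption."""
import hashlib


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (assumption: illustration only,
    not a real cipher). Applying it twice with the same key restores the data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


# Constructed directory-service entry: the recipient's published encryption key.
# Assumption: a symmetric key stands in for the recipient's public certificate.
DIRECTORY = {"max.mustermann@provider-abc.de-mail.de": b"max-e2e-key"}


def carry(payload: bytes, links: dict) -> dict:
    """Move a payload over the three sections. Each section is encrypted with
    its own link key; the party at the end of a section removes that layer and
    therefore holds the payload exactly as it was handed in."""
    views = {}
    on_wire = toy_cipher(links["user_to_sender_provider"], payload)
    views["sender_provider"] = toy_cipher(links["user_to_sender_provider"], on_wire)
    on_wire = toy_cipher(links["provider_to_provider"], views["sender_provider"])
    views["recipient_provider"] = toy_cipher(links["provider_to_provider"], on_wire)
    # The recipient's provider can still run its integrity check on what it holds,
    # whether that is plaintext or the user's ciphertext.
    views["integrity_hash"] = hashlib.sha256(views["recipient_provider"]).hexdigest()
    on_wire = toy_cipher(links["recipient_provider_to_user"], views["recipient_provider"])
    views["recipient"] = toy_cipher(links["recipient_provider_to_user"], on_wire)
    return views


def send_transport_only(plaintext: bytes, links: dict) -> dict:
    """Default De-Mail: both providers hold the plaintext between sections."""
    return carry(plaintext, links)


def send_end_to_end(plaintext: bytes, recipient: str, links: dict,
                    directory: dict = DIRECTORY) -> dict:
    """Optional layer: the sender encrypts for the recipient with the key
    published in the directory service, so the providers only ever hold
    ciphertext and the content is decrypted on the recipient's own machine."""
    key = directory[recipient]
    views = carry(toy_cipher(key, plaintext), links)
    views["recipient_plaintext"] = toy_cipher(key, views["recipient"])
    return views


if __name__ == "__main__":
    links = {"user_to_sender_provider": b"tls-session-1",
             "provider_to_provider": b"tls-session-2",
             "recipient_provider_to_user": b"tls-session-3"}  # constructed
    text = b"Vertraulich: Befund vom 12.03."  # constructed
    t = send_transport_only(text, links)
    e = send_end_to_end(text, "max.mustermann@provider-abc.de-mail.de", links)
    print("transport only, recipient's provider holds:", t["recipient_provider"])
    print("end-to-end, recipient's provider holds:", e["recipient_provider"])
    print("end-to-end, recipient reads:", e["recipient_plaintext"])
```

The role concept and other organisational measures mentioned above limit which employees may act as "the provider" in this model; they do not change the fact that the provider's systems hold the plaintext in the transport-only case, which is why the criticism focuses on the missing end-to-end layer rather than on the TLS sections.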

De-Mail is not technically compatible with the established electronic court and administration mailbox (EGVP), through which electronic communication with courts and administrations is realised today. An interface is planned, however. Communication between De-Mail and regular e-mail addresses will not be possible.

Privacy Policy

Before a De-Mail mailbox can be set up, one must identify oneself, which is required neither for a normal mailbox nor for the delivery of letters. Because of the architecture of De-Mail, all data and contacts flow together in one place and are traceable to the person; the use of multiple unconnected identities is not possible.

The stored personal data of users can be requested without a court order by a variety of security and intelligence agencies (§ 113 TKG); the identity behind a De-Mail address is available in an online procedure to about 250 authorities registered with the Federal Network Agency (§ 112 TKG); every day almost 100,000 queries of customer data take place at the approximately 140 telecommunications providers. According to § 16 of the De-Mail law, private parties may also obtain information about the name and address of a user in certain cases. This requires, among other things, that the third party needs the data to pursue a legal claim against the user that arose from the use of De-Mail.

The bill does not clearly rule out retention of all De-Mail correspondence (see § 100 TKG).

User ID and password for a De-Mail mailbox must be handed over without a court order at the request of a law enforcement authority, a police authority, the Federal Office for the Protection of the Constitution, the Federal Intelligence Service or the military (§ 113 TKG). Documents and information in the De-Mail mailbox are thus not as protected as paper documents or letters in one's own home. Although the right to demand passwords applies to all e-mail accounts, there one can protect oneself from access with anonymous mailboxes, multiple identities and foreign accounts, which is not possible with De-Mail.

Although applying for a De-Mail address is supposed to be voluntary, it is feared that government agencies and companies that have so far offered their services anonymously or without checking customer details will in fact gradually make a single, personal, identity-verified e-mail address a requirement for their services. Indeed, according to the Ministry of the Interior, the aim of the project is to make "non-anonymous and secure electronic communication the norm". Unique identification on the Internet can be used, for example, to exclude certain groups of customers, such as for alleged lack of creditworthiness or simply for being disliked or for criticising the company.

The Working Group on Data Retention concludes that the use of De-Mail "can only be discouraged". To prevent a de facto compulsion to use De-Mail, the service must be boycotted so that it does not become established.

Implementation

With Deutsche Telekom, a former state-owned enterprise is involved in the implementation of the service. Strato AG criticised the approval practice after it had, by its own account, been excluded from participation.

Nevertheless, the legally required proof of a data protection framework is expected to increase the trustworthiness of De-Mail providers compared to other e-mail providers.

Legal Aspects

The consequences of using De-Mail depend mainly on what probative value is attributed to De-Mail. This is still unclear.

Lawyers such as Wolfgang Steppling, Vice President of the Administrative Court of Rhineland-Palatinate, criticise the possibility provided by the law of delivering official notices electronically without acknowledgement of receipt. This would allow decisions to become final without the person concerned ever knowing. For unlike a conventional letterbox, ongoing monitoring of the electronic mailbox would require technical and financial conditions whose creation and maintenance cannot simply be demanded of citizens.

No statements are made on changing the fiction of delivery (Zustellfiktion), whose date, unlike for paper mail, could fall on Sundays and public holidays.

Furthermore, De-Mail, like e-mail, offers no functionality to meet the so-called written form requirement (§ 126 BGB). If documents that require it are sent by De-Mail, the user must create a digital signature, because according to § 2 No. 2 of the Signature Act a document signed with a qualified electronic signature has the same legal status. The user must, however, create the digital signature himself with a separate program. Replacing the need for a signature with a simple De-Mail is currently envisaged by the eGovernment law planned for 2013.

It is unclear who should bear the burden of proof in case of abuse. The Chaos Computer Club fears that the burden of proof, as with the misuse of debit cards, could fall on the consumer (user). Because identification is now carried out in Telekom shops and Hermes parcel shops, it can hardly be ensured that identity has been verified securely.

Financing

The De-Mail service is financed through monthly fees and electronic postage ("E-Porto"). In March 2014 free rates for private customers were introduced.

Distinction from other offerings

E-mail letter

Observers expect that traditional letter mail will be substituted by De-Mail offerings. According to Christian Schlesiger, the expected decline of traditional mail will dramatically change the business model of Deutsche Post, not least because the company has launched a competing product with similar security features: the e-mail letter, which started operation on 14 July 2010. The difference between the e-mail letter and De-Mail was sometimes not perceived by the public.

However, since only the De-Mail solution has been defined as legally binding by policy, authorities can conduct legally binding communication only with products that meet the De-Mail standard. At the legislative level, De-Mail has therefore prevailed over the e-mail letter in this area.

In April 2013 Deutsche Post AG made an attempt to have its existing e-mail letter service accredited as a De-Mail offering. The attempt failed because of data protection requirements on data minimisation when PostIdent is used.

Comparable services in Europe

Finland

Netposti

Italy

Posta elettronica certificata (PEC )

Austria

Electronic Delivery

Czechia

Datové schránky
