0

Every document that needs to be eIDAS compliant needs to have a qualified timestamp. If we take an email as a document, then the email, based on eIDAS regulations, needs to have an qualified timestamp issued by a qualified CA. As I know, no email client supports to add a qualified timestamp to an email.

Is the email server sent timestamp enough ?

Giulio Ferraiuolo
  • 1
  • *"Is the email server sent timestamp enough ?"* - which server sent timestamp? Do you mean the received header in the mail? This is not part of a S/MIME or PGP signature and outside of any attached signed documents and thus can be easily faked. This means it is not suitable. – Steffen Ullrich Sep 10 '21 at 12:25
  • @SteffenUllrich So based on this, we can say that emails are not suited to even be eIDAS compliant ? – Giulio Ferraiuolo Sep 10 '21 at 12:30
  • @SteffenUllrich Wouldn't it be better to add the option of adding certified timestamps to emails ? Every important email would have bulletproof evidence, that it was created and sent at the time it was really meant to. – Giulio Ferraiuolo Sep 10 '21 at 12:33
  • Most email is not even signed and/or encrypted in the first place. But there are eiDAS compliant mail services like DE-Mail which also add the necessary timestamps. – Steffen Ullrich Sep 10 '21 at 12:41
  • @SteffenUllrich Thank you for your answers. I am trying to understand the whole concept of eIDAS. So for someone that needs to be eIDAS compliant, just signing the documents right should be enough ? – Giulio Ferraiuolo Sep 10 '21 at 12:45
  • *"... to be eIDAS __compliant__, just signing the documents __right__ ..."* - isn't that basically saying that you are doing it right if you are doing it right? – Steffen Ullrich Sep 10 '21 at 13:24
  • @SteffenUllrich I meant - as long as I'm signing my documents right am I going to be eIDAS compliant ? - I don't need to use my qualified sign on emails using the standarts for qualified signing (having a token and using a qualified timestamp) – Giulio Ferraiuolo Sep 10 '21 at 13:44
  • I think it is more complex then that. It's not a simple "eIDAS compliant" or not. See [How to take an electronic signature to court across Europe](https://www.signicat.com/blog/how-to-take-an-electronic-signature-to-court-across-europe) – Steffen Ullrich Sep 10 '21 at 14:03

0 Answers0