The legal basis for the "Algorithm Catalogue", which provides an overview of which algorithms are suitable for qualified electronic signatures according to the Digital Signature Act, is Annex 1, Section I 2 of the Signature Regulation (SigV) of 22 November 2001:

"In the Federal Gazette, the competent public authority publishes an overview of the algorithms and associated parameters that are to be considered suitable for generating signature keys, hashing data to be signed, or generating and examining qualified electronic signatures, along with a point in time until which that suitability remains valid in each case. This point in time should be at least six years after the assessment and publication. Suitability must be re-determined annually and as required. Suitability is guaranteed if, given the current state of the art in science and technology, the possibility of an unidentifiable forgery of electronic signatures or falsification of signed data can almost certainly be excluded during the specified period. Suitability is determined according to information from the Federal Office for Information Security, taking international standards into account. Industry and science experts must be consulted."

Algorithm Catalogue 2017

The BSI's draft Algorithm Catalogue 2017 is currently in the comments stage. Here you can find a letter, which gives a brief summary of the changes, and a version of the draft in fair copy and with mark-ups of the changes made to the previous version. Please send your comments on the draft to the addresses given in the letter by 6 December 2016.

Update (18 November 2016): A hearing of experts on the Algorithm Catalogue will be held this year on 7 December 2016 at the Federal Network Agency (Mainz building, Canisiusstr. 21, 55122 Mainz, Germany, Room 1083, meeting starts at 10:30 a.m.). We would be delighted to welcome you to this event.

If you wish to attend, please register your interest by 2 December 2016. An informal e-mail sent to either
algokat@bsi.bund.de or qes@bnetza.de will suffice.

Trusted list

Article 22 (1) of the eIDAS Regulation requires every Member State to establish, maintain and publish trusted lists containing information on qualified trust service providers (for which the State in question is responsible), together with information on the trust services they provide. They must be published securely in an electronically signed or sealed format suitable for automatic processing (see Article 22 (2) of the eIDAS Regulation). Information on the national bodies responsible for drawing up the lists is provided to the Commission according to Article 22 (3) of the eIDAS Regulation. For its part, the Commission publishes a trusted list of the information provided on the individual national bodies containing, at a minimum, details of where their lists are published and which certificates are used to sign or seal them (see Article 22 (4) of the eIDAS Regulation).

In Germany, the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (BNetzA) is the competent authority for publishing this trusted list. The corresponding trusted list of the Commission is available here.

According to Article 22 (5) of the eIDAS Regulation, the Commission has, by means of the Implementing Decision (EU) 2015/1505 of 8 September 2015, technical specifications and formats relating to trusted lists, which are based, with few exceptions, on the specifications defined in ETSI TS 119 612 Version 2.1.1.

Additional Technical Guidelines

As part of its competence for security in information technology, and especially for basic cryptographic knowledge in the context of qualified signatures, the BSI has produced, in addition to the Algorithm Catalogue, the following Technical Guidelines containing information, recommendations and specifications on electronic signature methods. They will be revised, where applicable, with regard to the eIDAS Regulation and the Trust Services Act.

• BSI TR-02102-1 (Cryptographic Mechanisms: Recommendations and Key Lengths) contains general cryptographic recommendations based on assessments of selected cryptographic mechanisms.
• BSI TR-03114 (Batch Signatures with the Health Professional Card) describes technical and organisational security measures for generating a limited number of qualified electronic signatures at the same time after a one-time authentication of the signature key owner against the signature creation device (Health Professional Card -- HPC) in a secure operational environment (batch signatures).
• BSI TR-03115 (Convenience Signatures with the Health Professional Card) describes technical and organisational security measures for (conveniently) initiating and generating a limited number of qualified electronic signatures within a period of time controlled by the user and the signature application component.
• BSI TR-03117 (eCards with Contactless Interface as a Signature Creation Device) describes the technical implementation of the eCard strategy for public sector documents on contactless chip cards for initialisation and issue as a prepared secure signature creation device (SSCD) for generating qualified electronic signatures, for personalisation to allow for use as a SSCD for the person using the card, and for generating electronic signatures via the contactless interface.