Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ptx 3 hours ago

What does "electronic signing documents" mean? Keys used for signing? Or merely some documents that were signed with electronic signing?

einr 2 hours ago | parent | next [-]

To the best of my understanding it means that a system made by CGI for digital signing of documents (as in: you get something like a PDF from a government agency and need to digitally sign it and send it back) has had its source code and/or some data belonging to it leaked.

Skatteverket, the Swedish tax authority, has been quoted in media as confirming that they use CGI's system for digital document signing but that none of their data nor that of any citizens has been leaked.

https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...

"One of the government agencies that uses CGI’s services is the Swedish Tax Agency, which was notified of the incident by the company. However, according to the Swedish Tax Agency, its users have nothing to worry about.

“Neither our data nor our users’ data has been leaked. It is a service we use for e-signatures that has been affected, but there is no data from us or our users there,” says Peder Sjölander, IT Director at the Swedish Tax Agency."

ptx 31 minutes ago | parent [-]

So if no data was leaked from the tax agency or from the users, then the leaked "digital signing documents" must have belonged to the only remaining party, which is CGI, so perhaps they were just some marketing documents about the benefits of their digital signing service?

einr 22 minutes ago | parent [-]

The original phrasing from the attacker, from the website that put the data up for download/sale, was ”documents (for electronic signing)” which implies that they’re documents that would be signed in said system. I would take all of this with a large helping of salt though. CGI claims it’s not real production data anyway; maybe it is and maybe it’s not.

The best case scenario is in line with what CGI claims: these are lorem ipsum fake docs from an old git repo for a test instance of the system.

nunobrito 3 hours ago | parent | prev [-]

If that is case, then it would have been wrong from the beginning for any government to keep hold of the private keys for the signature on my citizen card.

Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.

ptx 2 hours ago | parent | next [-]

I apparently didn't phrase that very well. If what is the case? I was trying to ask which case was the case, not trying to claim that something specific was the case.

I'm familiar with electronic signatures, and I know what documents are, but I have never heard the phrase "electronic signing documents" and don't know what that is supposed to mean. What kind of documents? Documents about signing, documents that were signed, documents in the sense that files containing keys could be considered documents, or what?

nunobrito 2 hours ago | parent [-]

In Portugal we were early adopters for digital signatures on citizen cards.

You use the card reader, insert your gov-issued identification and can sign PDF papers which have legal validity since the private key from the citizen card was used.

Now imagine someone signing random legal documents with your ID for things like debts, opening companies or subscritions to whatever.

whizzter an hour ago | parent | prev [-]

We might've lucked out here, there is some signature data on ID cards today and official _plans_ to make a government backed signing service, but practically _nobody_ uses them in practice to just revoking all those keys will be a minor issue.

Currently most Swede's use a private bank consortisum controlled ID solution for most logins and signatures.