Kantega Secure Identity Witnessed Signed Document Format. Document version 1.0

Size: px

Start display at page:

Download "Kantega Secure Identity Witnessed Signed Document Format. Document version 1.0"

Pauline Stewart
8 years ago
Views:

1 Kantega Secure Identity Witnessed Signed Document Format Document version 1.0

2 Introduction Purpose This document describes the KSI Witnessed Signed Document Format. The format is the one used by id.kantega for storing documents signed by end-users using the witnessed digital signature function. Format Version 1.0 References Short name SAML 2 Core SAML 2 AC Document saml-core-2.0-os saml-authn-context-2.0-os History Version Date Change Author Draft Created Harald Stendal Introduced 'type' attribute on AuthenticationData element Harald Stendal Page 0

0 References Short name SAML 2 Core SAML 2 AC Document saml-core-2.0-os http://www.oasis-open.

3 Page 1

4 Consepts Witnessed Signed Document When the end-user signs a document using the witnessed digital signature function, the outcome is a Ksi Witnessed Signed Document. The document proves that the user has signed the document in the given context. It contains the following information: 1. The user's identity 2. The document which was signed 3. Authentication data which provides for authentication traceablity 4. The signing instant 5. Context information, including the precise version of software used on id.kantega, details about the authentication of the user, and a transaction log showing detailed information about the communication between the involved actors. 6. The document is signed by id.kantega, which acts as as a witness confirming that the end-user has signed the document in the given context. Actors 1. The user - this is the end user which signs the document 2. id.kantega - the entity which provides the digital signature service, and whcih acts as a "witness" 3. Any authenticating authority, if the authentication method involves such Page 2

Authentication data which provides for authentication traceablity 4. The signing instant 5. Context information, including the precise version of software used on id.

5 Format description WitnessedSignedDocument The root element <WitnessedSignedDocument> contains the end-user signed document witnessed by KSI. It consists of the elements <Signer>, <SigningInstant>, <Document>, <Context> and <Witness> Signer The <Signer> element identifies the user which has signed the document. It consists of a single <NameID> element, which uses the same format as the NameID element in SAML 2 (see [SAML 2 Core]). SigningInstant The <SigningInstant> element shows when the Signer signed the Document. Document The <Document> element contains the document which is signed by the end-user. It consists of the following elements Element <MineType> <Description> <Encodings> <Encoding> <Data> Description Mime type of the signed document Short description of the signed document Ordered list of <Encoding> elemenets, describing the encodings applied to the clear-text document to obtain the contents of the <Data> element, for example UTF-8 + Base64 An encoding applied to the document The signed document, after applying the encodings Context The <Context> element describes the context in which the user has signed the document, including detailed description of the authentication of the signer. It consists of the following elements: Element <AuthenticationInstant> Description When the user was authenticated in id.kantega <AuthenticationContext> The authentication context, as defined by SAML 2 (see [SAML 2 AC]) <AuthenticationData> Data which contains details about or proves the authentication, and typically can be used to trace the authentication. The type of data, indicated by Page 3

It consists of a single <NameID> element, which uses the same format as the NameID element in SAML 2 (see [SAML 2 Core]).

6 <TransactionLog> <Software> the 'type' attribute, depends on the authentication method used. Examples include signed or encrypted assertions from an authenticating authority, a challenge signed by the end-users certificate or a signed OCSP Response. The <TransactionLog> element contains detalied information about the communication beween id.kantega and the other actors during signing transaction including the establishment of the authentication context. Description of the the precise version of software components used on id.kantega for the signing transaction. Witness The <Witness> element contains the identity and PKI digital signature of the witnessing entity, which will be Kantega Secure Identity AS. It consists of the following elements: Element Description < NameID > Identifies the witness enitty. Uses the same format as the NameID element in SAML 2 (see [SAML 2 Core]). < Signature > The witness' digital signature of this document. Uses standard XML Digital Signature format. Time Values All time values uses the type datetime in and is expressed in UTC form, with no time zone component. Page 4

The <TransactionLog> element contains detalied information about the communication beween id.

7 Example The following XML structure is an example of the a Witnessed Signed Document, using Tupas as authentication mechanism. Note: Some of the fields are truncated fro brevity. The complete XML is available as a separate document. <?xml version="1.0" encoding="utf-8"?> <WitnessedSignedDocument Id="DocumentRoot"> <Signer> <NameID Format="urn:kantega:ksi:3.0:nameid-format:fnr"> D</NameID> </Signer> <SigningInstant> T17:37:12.401Z</SigningInstant> <Document> <MimeType>text/plain</MimeType> <Description>This is the description of the signed document</description> <Encodings> <Encoding>UTF-8</Encoding> <Encoding>Base64</Encoding> </Encodings> <Data>SGVy(...)mw=</Data> </Document> <Context> <AuthenticationInstant> T17:37:08.447Z</AuthenticationInstant> <AuthenticationContext>urn:ksi:names:SAML:2.0:ac:tupas</AuthenticationContext> <AuthenticationData type="tupas"> <Assertion Type="tupas-certificate"> <AuthenticatingAuthority>Nordea</AuthenticatingAuthority> <TupasCertificate keyversion="0021">qjay(...)bra==</tupascertificate> </Assertion> </AuthenticationData> <TransactionLog> <LogEntry><Timestamp> T17:37:02.618Z</Timestamp><Message>User started authentication (...) <LogEntry><Timestamp> T17:37:05.619Z</Timestamp><Message>User chose to use Nordea(200)(...) Page 0

0:nameid-format:fnr">010100-123D</NameID> </Signer> <SigningInstant>2007-01-05T17:37:12.

8 <LogEntry><Timestamp> T17:37:05.634Z</Timestamp><Message>Created Tupas certificate request for Nordea (URL= A01Y_ACTION_ID=701&(...) <LogEntry><Timestamp> T17:37:05.619Z</Timestamp><Message>User claims to be D(...) <LogEntry><Timestamp> T17:37:08.447Z</Timestamp><Message>Valid response received from (...) <LogEntry><Timestamp> T17:37:08.447Z</Timestamp><Message>Authentication response data (...) <LogEntry><Timestamp> T17:37:08.447Z</Timestamp><Message>Identity claim confirmed by N(...) <LogEntry><Timestamp> T17:37:08.447Z</Timestamp><Message>User identified as (...) <LogEntry><Timestamp> T17:37:10.775Z</Timestamp><Message>User opened document</message(...) <LogEntry><Timestamp> T17:37:12.385Z</Timestamp><Message>The user accepted and signed (...) </TransactionLog> <Software> <Component Name="KSI" Version="3.8.0"/> <Component Name="TupasModule" Version="1.0.0"/> <Component Name="SignatureModule" Version="3.2.1"/> </Software> </Context> <Witness> <NameID Format="urn:kantega:ksi:3.0:nameid-format:orgnr"> </NameID> <Signature> <SignedInfo> <CanonicalizationMethod Algorithm=" <SignatureMethod Algorithm=" <Reference URI="#DocumentRoot"> <DigestMethod Algorithm=" <DigestValue>D5v/974MYV5ip2anbUQweZigTW4=</DigestValue> </Reference> </SignedInfo> <SignatureValue>At5ThM(...)ielxk=</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIICKKADA(...)wIFoA==</X509Certificate> </X509Data> </KeyInfo> </Signature> </Witness> </WitnessedSignedDocument> Page 1

447Z</Timestamp><Message>Valid response received from (...) <LogEntry><Timestamp>2007-01-05T17:37:08.447Z</Timestamp><Message>Authentication response data (...) <LogEntry><Timestamp>2007-01-05T17:37:08.447Z</Timestamp><Message>Identity claim confirmed by N(.

Signature policy for TUPAS Witnessed Signed Document

Signature policy for TUPAS Witnessed Signed Document Policy version 1.0 Document version 1.1 1 Policy ID and location Policy ID Name URL urn:signicat:signaturepolicy:tupas wsd:1.0 Signature policy for