Digital Signatures in Reality. Tarvi Martens SK

Transcription

1 Digital Signatures in Reality Tarvi Martens SK

2 Free-flowing digital documents Estonia has deployed digitally signed documents which are recognised universally. These are: Perfectly legal For use in arbitrary domain Providing for long-term validity Complie to international standards and EU directive

3 Components Needed Law SSCD ID-Card PKI Services Digital Signature System

4 The Law Estonian Digital Signature Act 2000 Recognizes only Advanced Digital Signatures in EU Directive context Requires Qualified Certificates Gives the power to digital signature equal to handwritten one without limitations Provides for supervision of CA-s and TSA-s Physical-person-only

5 The ID-card Project Started in 1997 Law on personal identification documents: Feb, 1999 Government accepted plan for launching ID-card: May, 2000 First card issued: Jan 28, 2002 Today: over cards (Estonian population: 1.4M)

6 The Card Compulsory for all residents Contains: Personal data file Certificate for authentication (along with address Certificate for digital signature

7 DigiDoc DigiDoc is environment for providing digitally signed documents Contains: WWW-portal Client programs Programming library Document format Distributed as a free system

8 DigiDoc architecture Application Win32 Client DigiDoc portal Application Application COM-library WebService DigiDoc-library (Win32/Unix/C/Java) CSP PKCS#11 XML ID card OCSP

9 DigiDoc Portal Simple WWW-application for everyone: Downloading/uploading of document Signing and validity confirmation Verification Sending document to another portal user Sorting/Deleting/Archives

10 Digidoc Portal

11 Verification Portal Allows to check.ddoc file without ID-card

12 DigiDoc Client Provides the same functionality as portal Signing and obtaining validity confirmation Verification of signed document Does not require uploading document to some server Provides for digital signatures without using DigiDoc portal

13 Digidoc Client

14 DigiDocService Simple SOAP-based protocol I have a file here, make it signed I have got a signed file. What s inside it? Best for integration of digital signature handling capability libraries a changing rapidly, the protocol remains more stable

15 DigiDoc library Signing through PKCS#11 and CSP Handling of validity confirmation Handling of XML document Verification DigiDoc library (Win32/Unix) CSP Win32/Unix, C code DLL & COM under Windows Java implementation Distributed under LGPL terms OCSP XML ID card

16 Document format Based on XML-DSIG standard Contains subset of ETSI TS (XAdES) extensions Place, time and of signature Role of signature holder Validity confirmation and certificate of OCSP responder

17 Document format (2) Multiple original documents can be signed at once Original document can be embedded or detached Original document can be XML or any binary format Multiple signatures are supported Just one validity confirmation per signature

18 Document format (3) Original files Signature Certificate of signer Validity confirmation Certificate of responder

19 Universal Electronic Signatures Tarvi Martens SK

20 Probably you should accept and handle it!!! What if you receive digitally signed document tomorrow?

21 Rationale Existing EU Directive does not provide for solid grounds for unified electronic signature deployment in Europe CEN CWA-s and ETSI standards allow for myriad of options UES: Attempt to achieve electronic signature deployment and interoperability from the Best Practice experiences

22 What is UES? UES stands for Universal Electronic Signature UES is a concept of electronic signature with aim to universally replace handwritten signature UES is going beyond AES (Advanced Electronic Signature as of EU Directive) UES is designed for international interoperability

23 UES provides for UES = Advanced Electronic Signature based on Qualified Certificates PLUS: electronically signed documents are equivalent to handwritten ones by legal evidence value usage domain and signatory role are not restricted signatory is uniquely identified as a physical person there are means to identify signing time of the electronic document electronically signed documents are maintaining their long-term validity UES are international

24 UES implementation UES implementation requires these components to be adjusted to UES principles: Legislation CA delivering certificates on SSCD Validation services (real-time OCSP) Deployed end-user tools Inter-PKI cooperation

25 UES actors: CA Certification Authority Produces qualified certificates on SSCD to uniquely identifiable physical persons Provides up-to-date certificate validity information to Validation Authority Generates, exchanges and maintains Trust-service Status Lists (TSL) CA details Valid CA and OCSP certificates History of validity XML-profile of ETSI TS

26 UES Actors: VA Validation Authority Issues validity confirmations using OSCP protocol (RFC 2650) Operates in real-time: acquires validity information from CA-s database Provides precise time information in responses (time-stamping) Logs and archives issued confirmations to provide for long-term validity

27 VA as an e-notary I just signed the document using this certificate Doc,Cert (Doc,Cert,time)ok OCSP CA DB When I saw this signed document, corresponding certificate was valid Secure log

28 UES Actors: Signer and Verifier Signer Generates electronically signed documents using certificate and validity confirmation Verifier Verifies electronic signatures using (cached) TSL Sharing common document format Profile of ETSI TS aka XAdES - OpenXAdES

29 UES architecture (1) OCSP VA Signer Doc Cert CA TSL Signer OCSP Cert VA CA PKI 1 Verifier Doc TSL PKI 2 Verifier

30 UES architecture (2) OCSP VA Signer Cert CA TSL Signer OCSP Cert VA CA PKI 1 Verifier Doc TSL PKI 2 Verifier Doc

31 Trust model Bilateral trust model Every party has a freedom to choose trusted parties CA communicates trust through TSL-s CA 1 CA 2 CA 3 CA 4

32 UES deployment Sign the MoU Allocate resources for the co-operation effort Start issuing qualified certificates The hardest part we assume you do it already Set up your OCSP Almost any commercial OCSP Responder will do Start exchanging TSL-s To be developed Distribute and localize end-user apps

33 What is OpenXAdES? OpenXAdES is a profile of ETSI TS aka XAdES OpenXAdES specifications and implementations (C, Java) are available at OpenXAdES is a community driven free software development project OpenXAdES profile specification development is coordinated by SK

34 Additional Information ID-card issuing PKI & CA ID-card practices Digital signature software Contact point: