Long term electronic signatures or documents retention

Size: px

Start display at page:

Download "Long term electronic signatures or documents retention"

Mervyn Garrett
9 years ago
Views:

1 Long term electronic s or documents retention IWAP 2004 Yuichi Suzuki SECOM IS Laboratory IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 1

2 Problem of validity period of certificate PKI does work well in a validity period of public key certificate However, after expiration of certificate No more secure the public key, even if the key does not compromise Should not use the key for verifying the Then, digital can not verify Too short the validity period Usually the period is one to three years Many legislations require to keep documents over 5 years, 10 years, or more than 30 years IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 2

for verifying the Then, digital can not verify Too short the validity period Usually the period is one to three years

3 Signature verification Usual PKI environment We can not verify the after revocation or expiration of the certificate Before certificate expiration After certificate expiration Allow validation Can not confirm validation After more than ten years Algorithm compromise Signature Verify Certificate revocation Verify Verify Verify Loose revocation information Forge IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 3

confirm validation After more than ten years Algorithm compromise Signature Verify Certificate

4 e-document law Strong requirement exist to eliminate paper documents and written documents e-documents law: Japanese government is preparing Scan paper documents to make e-documents The e-documents could be original, Ok to destroy the original papers To keep the integrity of scanned data Only the trusted document officers can scan the paper documents He/her must sign digitally on the scanned documents Digital time stamp also required Requirement for long term validation IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 4

keep the integrity of scanned data Only the trusted document officers can scan the paper documents He/her must sign digitally on

5 Requirement for long term If first verification of a was correct, then Could verify the over long term period After the verification period expired After the key algorithm become week Re-verification of the Verify certification path Verify no revocation Correct existed before revocation, then Verify the by the public key IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 5

week Re-verification of the Verify certification path Verify no revocation Correct existed

6 To keep long term Two methods for long term s Notary service Need trusted third party Collect all evidences at first verification Required stable standard format IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 6

7 Notary services Can trust notary organization over long time? Government service? Private service? Bankrupt Cease business Standard for notary services RFC 3029 Data Validation and Certification Server Protocols Certification of Possession of Data Certification of Claim of Possession of Data Validation of Digitally Signed Document Validation of Public Key Certificates Experimental RFC, we need more stable standard IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 7

Certification of Possession of Data Certification of Claim of Possession of Data Validation of Digitally Signed

8 Collect all evidences in format At the first verification Fix signing time Time stamp on value Collect all certificates on certification path Collect all revocation information Before expiration of time stamp certificate or fear of key or hash algorithm compromise Time stamp all above data archive timestamp IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 8

information Before expiration of time stamp certificate or fear of key or hash

9 Standard format for long term Two standards have been proposed ETSI TS (RFC 3126) (ASN.1 extension of CMS Signed Data) ETSI TS (W3C Note) XAdES XML format extension ES-C ES-X ES-T Signature Policy ID Elect. Signature (ES) Signed Attributes Digital Signature Timestamp over digital Complete certificate and revocation references Complete certificate and revocation Data Basic format Hash value of Certificates and CRL, ARLs IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 9

10 Archiving Time Stamp Time stamp based on PKI also has fixed life time ex. RFC 3161 time stamp token has digital Encapsulate by another new time stamp Archive time stamping before expiration of inner timestamp certificate and/or cryptographic algorithm compromise ES-X Time Stump Time Stump Time Stump IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 10

time stamping before expiration of inner timestamp certificate and/or cryptographic

11 Summary Long term retention is necessary We have to re-verify the again to arbitrate the disputes Stable standards are needed for verification capability over long term period Some standards had been proposed We have to confirm the stability and usability of these standards IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 11

over long term period Some standards had been proposed We have to confirm the

12 IWAP 2004 Yuichi Suzuki (SECOM IS Lab) 12

PKI - current and future

PKI - current and future Workshop for Japan Germany Information security Yuichi Suzuki [email protected] SECOM IS Laboratory Yuichi Suzuki (SECOM IS Lab) 1 Current Status of PKI in Japan Yuichi