How to implement esignature validation

Transcription

1 How to implement esignature validation EU-Supply experience

2 How to implement online validation Background Desired user experience How to implement Piloting, initial experiences Further information Page 2

3 Digital signature great, but... Basic trusted service provider (TSP) for e-signatures is CA issuing eids as assertions for the claims included in or derived from them PKI models already exist in (most?) Member States But, (A) CAs and their eids/services have - Different properties such as legal status (notably Qualified or not) - Different quality (B) PKI trust models also differ between different markets - Cross-certification, Hierarchy, Bridge-CA, etc How to validate for bidders and contracting authority (1) If a certificate is Valid and Qualified, while (2) Doing this in Efficient and Non-Discriminating way? Page 3

4 Validation before PEPPOL... Official EU system in place but with some deficiencies Trust status list service Qualified CAs Other CAs Signer s CA Validation Service Signer Country 1 Country 2 Receiver 4

5 Single point PEPPOL VA Service integration! Official EU system in place but with some deficiencies Trust status list service Qualified CAs OCSP (or CRL) Other CAs Signer s CA Validation Service XKMS Validation Service Response signed by local VS XKMS Web Service, eid validation Signer In any Member State Receiver / TM System 5

6 Free for PEPPOL participants Contract between Difi and Unizeto on behalf of PEPPOL: The Unizeto VA service is free to use for authorities in PEPPOL Member States during the PEPPOL project Intention of Difi to prolong contract to make service available as a common eid service for all Norwegian public entities EU-Supply and Mercell are considering creation of optional service extensions also for other EU clients Page 6

7 How to implement online validation Background Desired user experience How to implement Piloting, initial experiences Further information Page 7

8 Bidders prompted to test certificate early Page 8

9 Warning provided if certificate cannot be validated as Qualified Page 9

10 Warnings also if other certificates used than the one earlier validated Page 10

11 Green light given if certificate can be validated as Qualified through trusted VA Page 11

12 Authority side validation - OK Page 12

13 Authority side validation - Failure

14 How to implement online validation Background Desired user experience How to implement Piloting, initial experiences Further information Page 14

15 Implementation process Unizeto provides credentials for accessing information on request (contact details given later) JAVA project and some specifications available for download at ftp.unizeto.pl More information available shortly at esignature/results/signature-validation-infrastructureonline esignature/results/deliverable-1.3-demonstrator-andfunctional-specifications-for-cross-border-use-ofesignatures-in-public-procurement Page 15

16 Implementation process Standard implementation process Options to test using Unizeto TEST site Unizeto java project available EU-Supply examples following implemented using.net C# Page 16

17 Process flow Basic flow of integration service. Page 17

18 Implementation/Coding - Forming the Request public static void AddSignatureToXml(XmlDocument xmldocument, X509Certificate2 signingcertificate) Create request, Append certificate to vallidate 1. Before sending request 2. Sign request with signing certificate 3. Request XML to be sent public object BeforeSendRequest(ref Message request, IClientChannel channel) 1. Create a request containing the raw data of the certificate to verify. All according to standards of 2. Before sending the request to XKMS Service the soap envelope must be signed with a valid signing certificate approved by Unizieto. (Unizeto may also issue Certificates) Page 18

19 1. Before sending request Extract message from SOAP envelope to allow signing Signing request XML Page 19

20 2. Sign request XML Page 20

21 3. Request XML to be sent (SOAP env.) Certificate to be validated EU-Supply (test) signature Page 21

22 Implementation/Coding Receiving Response 1. Receive Response 2. Validate signature in response with certtificate. Present end result to user public static bool VerifySignatureInSignedXml(XmlDocument xmldocument, X509Certificate2 certificate, string xmlnamespace = "") 1.) Get the response back from the XKMS Service 2.) Validate the signature in the response with the public key of the verification certificate. (obtained by unizieto) Page 22

23 1. Response XML received Page 23

24 2. Validate signature in response Standard.NET library used to check Page 24

25 Testing against test site Must have own test certificate approved by Unizeto for signing of the of the request (and Unizeto keeps copy of public key to validate) Request test certificate from Unizeto to use for validation of signature in response URLs of test site For request signing client: For TSL client: Page 25

26 Production Must have own prod. certificate approved by Unizeto for signing of the of the request (and Unizeto keeps copy of public key to validate) Request prod. certificate from Unizeto to use for validation of signature in response URLs: For request signing client: For TSL client: Page 26

27 How to implement online validation Background Desired user experience How to implement Piloting, initial experiences Further information Page 27

28 Initial piloting Experiences in DK, N and LT (from TSA and direct CA validation): Many suppliers very late to get certificates, so early warning required Foreign suppliers lack CA and/or confidence in certificates used Very high availability is required Fall back from XAdES-X to XAdES required to not prevent signing The most common e-ids not enough, and instant response required PEPPOL final preparations now Ensuring all common e-id (then 100+) are supported by VA service Volume piloting starting from pending releases of CTM LT: > e-rfts p.a. (all proposals signed online) FR, PT: > e-rfts (increasing share proposals signed online) Others: > e-rfts p.a. in States where signing mandatory Page 28

29 How to implement online validation Background Desired user experience How to implement Piloting, initial experiences Further information Page 29

30 Contact information Unizeto ( Marcin Kalinowski, Difi ( DIFI e-id programme: Jon Ølnes, EU-Supply ( MD: Thomas Beergrehn, Page 30