Digital Signature Service. e-contract.be BVBA info@e-contract.be 2 september 2015

Similar documents
The Belgian e-id: hacker vs developer

Open Source eid Projects

FOR A PAPERLESS FUTURE. Petr DOLEJŠÍ Senior Solution Consultant SEFIRA Czech Republic

Exploring ADSS Server Signing Services

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

Digital Signature Verification using Historic Data

Best prac*ces in Cer*fying and Signing PDFs

ETSI TS V1.1.1 ( ) Technical Specification

eid Security Frank Cornelis Architect eid fedict All rights reserved

Submitted to the EC on 03/06/2012. COMPETITIVENESS AND INNOVATION FRAMEWORK PROGRAMME ICT Policy Support Programme (ICT PSP) e-codex

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

ETSI TS V1.1.1 ( ) Technical Specification

AlphaTrust PRONTO Enterprise Platform Product Overview

CERTIFICATION PRACTICE STATEMENT UPDATE

Electronic Signature. István Zsolt BERTA Public Key Cryptographic Primi4ves

White Paper. Digital signatures from the cloud Basics and Applications

In accordance with article 11 of the Law on Electronic Signature (Official Gazette of the Republic of Serbia No. 135/04), REGULATION

OASIS Standard Digital Signature Services (DSS) Assures Authenticity of Data for Web Services

Digital Signature: Efficient, Cut Cost and Manage Risk. Formula for Strong Digital Security

e-szigno Digital Signature Application

Making Digital Signatures Work across National Borders

STANDARDISIERUNG FÜR EIDAS IM MANDATE/460

Certificate Path Validation

Digital Signature Service. version : 4.7-SNAPSHOT

Cartão de Cidadão: Autenticação de Papéis do Cidadão

Hungarian Electronic Public Administration Interoperability Framework (MEKIK) Technical Standards Catalogue

Server based signature service. Overview

Electronic Archive Information System

DIRECTOR GENERAL OF THE LITHUANIAN ARCHIVES DEPARTMENT UNDER THE GOVERNMENT OF THE REPUBLIC OF LITHUANIA

IPv4 Shortage Multiple SSL Certificates on a single IP address

Digital Signature Service. version :

BDOC FORMAT FOR DIGITAL SIGNATURES

ETSI TS V1.3.2 ( )

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

NIST-Workshop 10 & 11 April 2013

PAdES signatures in itext and the road ahead. Paulo Soares

Public Key Infrastructure (PKI)

Digital Signing without the Headaches

Automation for Electronic Forms, Documents and Business Records (NA)

ETSI TS V1.4.2 ( ) Technical Specification. Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES)

ETSI TS V1.1.1 ( ) Technical Specification

HKUST CA. Certification Practice Statement

Embedding digital signature technology to other systems - Estonian practice. Urmo Keskel SK, DigiDoc Product Manager

The Estonian ID Card and Digital Signature Concept

Specifying the content and formal specifications of document formats for QES

An introduction to EJBCA and SignServer

PKI - current and future

Long term electronic signatures or documents retention

SAFE Digital Signatures in PDF

Microsoft vs. Red Hat. A Comparison of PKI Vendors

View from a European Trust Service Provider Server Signing: Return of experience and certification strategy

LinShare project version 0.8 File sharing and vault application

Citizen CA Certification Practice statement

ETSI TS V1.1.2 ( ) Technical Specification

Danske Bank Group Certificate Policy

Technical Description. DigitalSign 3.1. State of the art legally valid electronic signature. The best, most secure and complete software for

ETSI TS V1.1.1 ( )

Government CA Government AA. Certification Practice Statement

StartCom Certification Authority

esignature building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics

ELECTRONIC PRESENTATION AND E-SIGNATURE FOR ELECTRONIC FORMS, DOCUMENTS AND BUSINESS RECORDS ALPHATRUST PRONTO ENTERPRISE PLATFORM

ETSI TR V0.0.3 ( )

Digital legal archiving

XML Advanced Electronic Signatures (XAdES)

GlobalSign Enterprise Solutions

X.509 Certificate Generator User Manual

How to Time Stamp PDF and Microsoft Office 2010/2013 Documents with the Time Stamp Server

Department of Defense PKI Use Case/Experiences

TrustedX - PKI Authentication. Whitepaper

Operating a CSP in Switzerland or Playing in the champions league of IT Security

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Future directions of the AusCERT Certificate Service

Asymmetric cryptosystems fundamental problem: authentication of public keys

Advanced Electronic Signature

European Federated Validation Service Study. Solution Profile Trustweaver on Demand

CALIFORNIA SOFTWARE LABS

Optimized Certificates A New Proposal for Efficient Electronic Document Signature Validation

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

1. What is Long-Term Docs... 5

Trusted e-id Infrastructures and services in EU

Signicat white paper. Signicat Solutions. This document introduces the Signicat solutions for digital identities and electronic signatures

Axway Validation Authority Suite

Middleware Release Notes

Middleware Release Notes

Adobe PDF for electronic records

Transcription:

Digital Signature Service e-contract.be BVBA info@e-contract.be 2 september 2015

About e-contract.be BVBA Consultancy Projects: eid/security related only SOA security From analysis to operational hosting SaaS: internal product line eid Applet/Chrome, IdP, DSS, Trust Service,... MyCareNet/eHealth platform IAM for bailiffs Auction platform for bailiffs

Electronic Signatures Regulation (EU) No 910/2014 Electronic Signature Advanced Electronic Signatures Qualified Electronic Signatures Digital Signatures QC Qualified Electronic Signatures with SSCD eid

eid Functionality Identification Authentication Who are you? Can you prove who you are? Digital signatures Proof of statement made in time

Digital Signatures G K K Hello world S #%f8kdi%d Hello world H Another message H V true/false #%f8kdi%d

Certificates K K K? K CA K signs X509 certificate K begin, end key purpose... K

Certificate Status CRL: Certificate Revocation List Contains serial numbers of revoked certs Signed by the CA Issued periodically Online Certificate Status Protocol Online query for certificate status Signed by the CA OCSP Responder

eid PKI Topology GlobalSign CA Cert Root CA Cert same key Root CA Cert CRL NRN Cert Citizen CA Cert OCSP Responder CRL Non-rep Cert TSA Cert

eid Card Content PKI Authentication RSA key + Cert Non-repudiation RSA key + Cert Citizen Identity Data Photo Identity File Identity File NRN Signature Address File Address File NRN Signature Root CA Certificate Citizen CA Certificate NRN Certificate PKCS#15 file structure

Advanced Electronic Signatures Link a signature with an identity Capable of identifying the signatory AdES-BES Under control of signatory X509 certificates eid as SSCD (CEN CWA 14169) Integrity verification possible Digital signature

Qualified eid Signatures Equivalent with handwritten signature Non-repudiation Are admissible as evidence in legal proceedings Accepted accross the European Union

Signature Specifications e-signature Expert Group: ETSI AdES PKCS#1 W3C XML Signatures CMS RFC 3852 PDF ISO 32000-1 XAdES CAdES ETSI TS 101 903 V1.4.2 ETSI TS 101 733 V2.1.1 PAdES LTV ETSI TS 102 778-4 V1.1.2 XAdES Baseline Profile CAdES Baseline Profile ETSI TS 103 171 V2.1.1 ETSI TS 103 173 V2.1.1 PAdES Baseline Profile ETSI TS 103 172 V2.1.1

Digital Signature Service XAdES: XML, ZIP documents eid DSS compatible (XAdES-X-L) ETSI XAdES Baseline Profile (long-term) PAdES: PDF documents ETSI PAdES Baseline Profile (long-term) OASIS DSS based protocol Secure and robust communication between DSS and your applications.

DSS History: 3rd generation ZETES 2008 DContract 2004 DSS blueprint 2005 FedICT 2008 eid Applet ETSI plugtests 2005 -... e-contract.be BVBA - 2012 jtrust eid DSS (EOL) DSS 2013

DSS Architecture https://www.e-contract.be/dss/ https://www.e-contract.be/dss-ws/ Add Signature... Upload Document View Document View Document Signatures Download Document DSS portal Sign Document DSS

DSS Design eid Applet DSSP WS JCA jsignatures TSA eid Chrome Trust Service PKI DSS Java EE 6 JBoss EAP 6.4.3 Java EE 6 runtime Oracle Java 1.7/1.8 Java MySQL 7 5.1.73 CentOS 6.7 Linux OS

Digital Signature Service Protocol Client Browser Relying Party DSS Visit site Upload PDF Signature Request View document & sign document using eid Signature Response Download PDF Relying Party Document Repository Verify Signature SSL WS-SecureConversation

Service-centric versus document-centric Don't bother the end-user with signed documents. Signed documents stored in RP repository: Loss of data Hard-disks crash Laptops get stolen Accidental removal of files Virus may corrupt files User has multiple devices: laptop, tablet, Signature archival (XAdES-A, PAdES document timestamp) Access-control via verification portal Application context-aware signature verification Further processing of signed data possible

DSS Portal

DSS Web Service

DSS Google Chrome eid web browser runtime fragmentation

AdES implementation in DSS basic signature: allows multiple signatures XAdES: co-signatures PAdES: sign the entire PDF document AdES-BES: digest signatory certificate AdES-T: timestamp 3rd party certification of signing time AdES-LTV: include revocation data capture signing certificate validity status at signing time

ETSI PAdES Signature time-stamp Document time-stamp

Signature Validation

Visible PDF Signatures

Visualisation Profiles DSS can be extended with new profiles Customers can design their own profile Reference codes: printable PDF documents

Signatory Role From the contractual context Explicit via: PAdES: Reason field Location field XAdES: SignerRole SignatureProductionPlace

Authorization Based on OASIS XACML 2.0 Policy Relying party can restrict signatories SERIALNUMBER=123456789,.*,C=BE Implemented in DSSP 1.1.0 Doccle uses this extension

Secure Environment Law July 9, 2001 chapter 4, art. 6 betrouwbare systemen en producten te gebruiken Certification Practice Statement (Citizen CA) 4.5.1 Verplichtingen van de Burger 9.4.1 Plichten van de Burger 9.4.3 Aansprakelijkheid van de Burger ten opzichte van de Vertrouwende Partijen CCID Secure PIN pad readers CEN CWA 14170 CC Security Target

DSS Roadmap Protocol features Metadata for bootstrapping Message level encryption PAdES-A & XAdES-A Android support Office ODF/OOXML support ISO 27001

DSS Protocol SDK https://www.e-contract.be/sites/dssp/ SDKs for Java, PHP, and.net 3.5/4.0+ Source code at https://github.com/e-contract

DSS as a Service Managed service by e-contract.be BVBA SLA 3th line support Regular updates: Bug fixes, security fixes New features Professional monitoring Fail-over system

Licensing Model Dedicated enviroment (like Mobistar, Doccle) 99,95% SLA Shared environment as fail-over (worst-case) Set up cost Maintenance cost Pricing per signature creation Bandwidth Timestamps Multiple signature verifications

References eid Identity Provider Mobistar, Proximus MIVB, Air Cargo Systems Van Lanschot, Bolero KBC DSS Registratie Huurgarantiefonds Subsidieloket Provincie Antwerpen Doctar CoronaDirect Belfius Doccle

Q&A e-contract.be BVBA Frank Cornelis (former eid Architect FedICT) info@e-contract.be https://www.e-contract.be

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information