Kantega Secure Identity Witnessed Signed Document Format. Document version 1.0



Similar documents
Signature policy for TUPAS Witnessed Signed Document

Digital Signature Web Service Interface

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

ASSIST NOTIFICATIONS

SmarterMeasure Inbound Single Sign On (SSO) Version 1.3 Copyright 2010 SmarterServices, LLC / SmarterServices.com PO Box , Deatsville, AL 36022

Server based signature service. Overview

This Working Paper provides an introduction to the web services security standards.

Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only)

xmlns:emcs=" xmlns:tms="

The Vetuma Service of the Finnish Public Administration SAML interface specification Version: 3.5

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Certificates in a Nutshell. Jens Jensen, STFC Leader of EUDAT AAI TF

1. Lifecycle of a certificate

>

SAML-Based SSO Solution

Biometric Single Sign-on using SAML

Authentication Context Classes for Levels of Assurance for the Swedish eid Framework

Electronic Submission of Medical Documentation (esmd) CDA Digital Signatures. January 8, 2013

Test Plan for Liberty Alliance SAML Test Event Test Criteria SAML 2.0

OIO SAML Profile for Identity Tokens

Appendix 1 Technical Requirements

How To Use Saml 2.0 Single Sign On With Qualysguard

The Direct Project. Implementation Guide for Direct Project Trust Bundle Distribution. Version March 2013

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

SAFE Digital Signatures in PDF

Using Entrust certificates with Adobe PDF files and forms

INTEGRATING THE ESANTÉ DSP INTO GECAMED

SAML and OAUTH comparison

Using SAML for Single Sign-On in the SOA Software Platform

BS1000 command and backlog protocol

Embedding digital signature technology to other systems - Estonian practice. Urmo Keskel SK, DigiDoc Product Manager

SAML-Based SSO Solution

E-Authentication Federation Adopted Schemes

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

Symplified I: Windows User Identity. Matthew McNew and Lex Hubbard

Public Key Infrastructure (PKI)

X-Road. egovernment interoperability framework

Corporate Access File Transfer Service Description Version /05/2015

TIB 2.0 Administration Functions Overview

Adobe 8 SAFE Signatures Configuration Procedure Draft

BDOC FORMAT FOR DIGITAL SIGNATURES

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

T his feature is add-on service available to Enterprise accounts.

PostSignum CA Certification Policy applicable to qualified personal certificates

COMMERCIAL-IN-CONFIDENCE

Web Services Trust and XML Security Standards

This section includes troubleshooting topics about certificates.

Agenda. How to configure

A Security Flaw in the X.509 Standard Santosh Chokhani CygnaCom Solutions, Inc. Abstract

AllSeen Summit 2015: IoT: Taking PKI Where No PKI Has Gone Before Presented by: Scott Rea DigiCert Sr. PKI Architect ALLSEEN ALLIANCE

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services

E-Signing Functional description

Digital Signature: Efficient, Cut Cost and Manage Risk. Formula for Strong Digital Security

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

IAM Application Integration Guide

SEZ SEZ Online Manual- DSC Signing with Java Applet. V Version 1.0 ersion 1.0

StreamServe Persuasion SP5 Encryption and Authentication

OIOSAML Rich Client to Browser Scenario Version 1.0

Managed Services PKI 60-day Trial Quick Start Guide

7 Key Management and PKIs

Egyptian Best Practices Securing E-Services

Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)

SSO Eurécia. and external Applications. Purpose

How to implement esignature validation

CS 356 Lecture 28 Internet Authentication. Spring 2013

Secure XML API Integration Guide. (with FraudGuard add in)

Developer Guide to Authentication and Authorisation Web Services Secure and Public

Validating Digital Signatures in Adobe

FICOM S (THE FINNISH FEDERATION FOR TELECOMMUNICATIONS AND TELEINFORMATICS) APPLICATION GUIDELINE FOR ETSI S MSS STANDARDS: V2.

WebNow Single Sign-On Solutions

This section includes troubleshooting topics about single sign-on (SSO) issues.

Integrating EJBCA and OpenSSO

E-Signing Integration guide

Provisioning and deprovisioning in an identity federation

An Introduction to Secure . Presented by: Addam Schroll IT Security & Privacy Analyst

Secure XML API Integration Guide - Periodic and Triggered add in

How to create a SP and a IDP which are visible across tenant space via Config files in IS

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

SAML v2.0 for.net Developer Guide

FERMILAB CENTRAL WEB HOSTING SINGLE SIGN ON (SSO) ON CWS LINUX WITH SAML AND MOD_AUTH_MELLON

Copyright: WhosOnLocation Limited

.INFO Agreement Appendix 1 Data Escrow Specification (22 August 2013)

CoSign for 21CFR Part 11 Compliance

ADFS Integration Guidelines

SAML Security Option White Paper

Siemens PKI Certificate Authority (CA) Hierarchy

Transcription:

Kantega Secure Identity Witnessed Signed Document Format Document version 1.0

Introduction Purpose This document describes the KSI Witnessed Signed Document Format. The format is the one used by id.kantega for storing documents signed by end-users using the witnessed digital signature function. Format Version 1.0 References Short name SAML 2 Core SAML 2 AC Document saml-core-2.0-os http://www.oasis-open.org saml-authn-context-2.0-os http://www.oasis-open.org History Version Date Change Author Draft 2007-01-09 2007-01-09 Created Harald Stendal 1.0 2007-01-19 Introduced 'type' attribute on AuthenticationData element Harald Stendal Page 0

Page 1

Consepts Witnessed Signed Document When the end-user signs a document using the witnessed digital signature function, the outcome is a Ksi Witnessed Signed Document. The document proves that the user has signed the document in the given context. It contains the following information: 1. The user's identity 2. The document which was signed 3. Authentication data which provides for authentication traceablity 4. The signing instant 5. Context information, including the precise version of software used on id.kantega, details about the authentication of the user, and a transaction log showing detailed information about the communication between the involved actors. 6. The document is signed by id.kantega, which acts as as a witness confirming that the end-user has signed the document in the given context. Actors 1. The user - this is the end user which signs the document 2. id.kantega - the entity which provides the digital signature service, and whcih acts as a "witness" 3. Any authenticating authority, if the authentication method involves such Page 2

Format description WitnessedSignedDocument The root element <WitnessedSignedDocument> contains the end-user signed document witnessed by KSI. It consists of the elements <Signer>, <SigningInstant>, <Document>, <Context> and <Witness> Signer The <Signer> element identifies the user which has signed the document. It consists of a single <NameID> element, which uses the same format as the NameID element in SAML 2 (see [SAML 2 Core]). SigningInstant The <SigningInstant> element shows when the Signer signed the Document. Document The <Document> element contains the document which is signed by the end-user. It consists of the following elements Element <MineType> <Description> <Encodings> <Encoding> <Data> Description Mime type of the signed document Short description of the signed document Ordered list of <Encoding> elemenets, describing the encodings applied to the clear-text document to obtain the contents of the <Data> element, for example UTF-8 + Base64 An encoding applied to the document The signed document, after applying the encodings Context The <Context> element describes the context in which the user has signed the document, including detailed description of the authentication of the signer. It consists of the following elements: Element <AuthenticationInstant> Description When the user was authenticated in id.kantega <AuthenticationContext> The authentication context, as defined by SAML 2 (see [SAML 2 AC]) <AuthenticationData> Data which contains details about or proves the authentication, and typically can be used to trace the authentication. The type of data, indicated by Page 3

<TransactionLog> <Software> the 'type' attribute, depends on the authentication method used. Examples include signed or encrypted assertions from an authenticating authority, a challenge signed by the end-users certificate or a signed OCSP Response. The <TransactionLog> element contains detalied information about the communication beween id.kantega and the other actors during signing transaction including the establishment of the authentication context. Description of the the precise version of software components used on id.kantega for the signing transaction. Witness The <Witness> element contains the identity and PKI digital signature of the witnessing entity, which will be Kantega Secure Identity AS. It consists of the following elements: Element Description < NameID > Identifies the witness enitty. Uses the same format as the NameID element in SAML 2 (see [SAML 2 Core]). < Signature > The witness' digital signature of this document. Uses standard XML Digital Signature format. Time Values All time values uses the type datetime in http://www.w3.org/2001/xmlschema, and is expressed in UTC form, with no time zone component. Page 4

Example The following XML structure is an example of the a Witnessed Signed Document, using Tupas as authentication mechanism. Note: Some of the fields are truncated fro brevity. The complete XML is available as a separate document. <?xml version="1.0" encoding="utf-8"?> <WitnessedSignedDocument Id="DocumentRoot"> <Signer> <NameID Format="urn:kantega:ksi:3.0:nameid-format:fnr">010100-123D</NameID> </Signer> <SigningInstant>2007-01-05T17:37:12.401Z</SigningInstant> <Document> <MimeType>text/plain</MimeType> <Description>This is the description of the signed document</description> <Encodings> <Encoding>UTF-8</Encoding> <Encoding>Base64</Encoding> </Encodings> <Data>SGVy(...)mw=</Data> </Document> <Context> <AuthenticationInstant>2007-01-05T17:37:08.447Z</AuthenticationInstant> <AuthenticationContext>urn:ksi:names:SAML:2.0:ac:tupas</AuthenticationContext> <AuthenticationData type="tupas"> <Assertion Type="tupas-certificate"> <AuthenticatingAuthority>Nordea</AuthenticatingAuthority> <TupasCertificate keyversion="0021">qjay(...)bra==</tupascertificate> </Assertion> </AuthenticationData> <TransactionLog> <LogEntry><Timestamp>2007-01-05T17:37:02.618Z</Timestamp><Message>User started authentication (...) <LogEntry><Timestamp>2007-01-05T17:37:05.619Z</Timestamp><Message>User chose to use Nordea(200)(...) Page 0

<LogEntry><Timestamp>2007-01-05T17:37:05.634Z</Timestamp><Message>Created Tupas certificate request for Nordea (URL=https://solo3.nordea.fi/cgi-bin/SOLO3011): A01Y_ACTION_ID=701&(...) <LogEntry><Timestamp>2007-01-05T17:37:05.619Z</Timestamp><Message>User claims to be 010100-123D(...) <LogEntry><Timestamp>2007-01-05T17:37:08.447Z</Timestamp><Message>Valid response received from (...) <LogEntry><Timestamp>2007-01-05T17:37:08.447Z</Timestamp><Message>Authentication response data (...) <LogEntry><Timestamp>2007-01-05T17:37:08.447Z</Timestamp><Message>Identity claim confirmed by N(...) <LogEntry><Timestamp>2007-01-05T17:37:08.447Z</Timestamp><Message>User identified as 010100-123(...) <LogEntry><Timestamp>2007-01-05T17:37:10.775Z</Timestamp><Message>User opened document</message(...) <LogEntry><Timestamp>2007-01-05T17:37:12.385Z</Timestamp><Message>The user accepted and signed (...) </TransactionLog> <Software> <Component Name="KSI" Version="3.8.0"/> <Component Name="TupasModule" Version="1.0.0"/> <Component Name="SignatureModule" Version="3.2.1"/> </Software> </Context> <Witness> <NameID Format="urn:kantega:ksi:3.0:nameid-format:orgnr">989584022</NameID> <Signature> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#DocumentRoot"> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>D5v/974MYV5ip2anbUQweZigTW4=</DigestValue> </Reference> </SignedInfo> <SignatureValue>At5ThM(...)ielxk=</SignatureValue> <KeyInfo> <X509Data> <X509Certificate>MIICKKADA(...)wIFoA==</X509Certificate> </X509Data> </KeyInfo> </Signature> </Witness> </WitnessedSignedDocument> Page 1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information