How to implement e-signature validation: EU-Supply experience (www.peppol.eu)

How to implement online validation. Agenda:
- Background
- Desired user experience
- How to implement
- Piloting, initial experiences
- Further information
Page 2

Background
Digital signature great, but...
- The basic trusted service provider (TSP) for e-signatures is a CA issuing eIDs as assertions for the claims included in them or derived from them.
- PKI models already exist in (most?) Member States.
- But (A) CAs and their eIDs/services have different properties, such as legal status (notably Qualified or not), and different quality.
- (B) PKI trust models also differ between markets: cross-certification, hierarchy, bridge CA, etc.
- How can bidders and contracting authorities validate (1) that a certificate is valid and Qualified, while (2) doing so in an efficient and non-discriminating way?
Validation before PEPPOL... An official EU system is in place, but with some deficiencies. [Diagram: trust status list service; Qualified CAs and other CAs; signer's CA; validation service; signer in Country 1, receiver in Country 2.]

Single-point PEPPOL VA service integration! The official EU system is in place, but with some deficiencies. [Diagram: trust status list service; Qualified CAs and other CAs checked via OCSP (or CRL); signer's CA; XKMS validation service, with the response signed by the local VS; XKMS web service for eID validation; signer in any Member State; receiver / TM system.]
Free for PEPPOL participants
- Contract between Difi and Unizeto on behalf of PEPPOL: http://www.peppol.eu/news/news-archive/electronically-signedagreement-on-esignature
- The Unizeto VA service is free to use for authorities in PEPPOL Member States during the PEPPOL project.
- Difi intends to prolong the contract to make the service available as a common eID service for all Norwegian public entities.
- EU-Supply and Mercell are considering creating optional service extensions for other EU clients as well.

Desired user experience
[Screenshots of the bidder and authority user interface:]
- Bidders are prompted to test their certificate early.
- A warning is provided if the certificate cannot be validated as Qualified.
- Warnings are also given if a different certificate is used than the one validated earlier.
- A green light is given if the certificate can be validated as Qualified through the trusted VA.
- Authority-side validation: OK.
- Authority-side validation: failure.
How to implement

Implementation process
- Unizeto provides credentials for accessing the information on request (contact details are given later).
- A Java project and some specifications are available for download at ftp.unizeto.pl
- More information will be available shortly at:
  http://www.peppol.eu/work_in_progress/wp-1-esignature/results/signature-validation-infrastructureonline
  http://www.peppol.eu/work_in_progress/wp-1-esignature/results/deliverable-1.3-demonstrator-andfunctional-specifications-for-cross-border-use-ofesignatures-in-public-procurement

Implementation process
- Standard implementation process.
- Option to test against the Unizeto TEST site.
- Unizeto Java project available.
- The EU-Supply examples that follow were implemented in .NET C#.

Process flow: basic flow of the integration service. [Diagram]
Implementation/Coding - Forming the request
Steps:
1. Before sending the request: create the request and append the certificate to validate.
2. Sign the request with the signing certificate.
3. Request XML to be sent.
Methods used:
  public static void AddSignatureToXml(XmlDocument xmldocument, X509Certificate2 signingcertificate)
  public object BeforeSendRequest(ref Message request, IClientChannel channel)
Notes:
1. Create a request containing the raw data of the certificate to verify, all according to the standards of http://www.w3.org/tr/xmldsig-core/
2. Before sending the request to the XKMS service, the SOAP envelope must be signed with a valid signing certificate approved by Unizeto. (Unizeto may also issue certificates.)
1. Before sending the request: extract the message from the SOAP envelope to allow signing the request XML.
2. Sign the request XML.
3. Request XML to be sent (SOAP envelope), containing the certificate to be validated and the EU-Supply (test) signature.
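The three request steps above, as an added C# example that is not EU-Supply's or Unizeto's code: a minimal XKMS ValidateRequest carrying the raw certificate bytes, then an enveloped XML-DSig signature made with the requester's approved signing certificate. The element layout follows the XKMS 2.0 ValidateRequest schema and the service URL is passed in by the caller; Unizeto's exact request profile is an assumption, and in the deck the same signing is applied to the SOAP envelope from BeforeSendRequest.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not EU-Supply's or Unizeto's code). Element names follow the
// XKMS 2.0 ValidateRequest layout; Unizeto's exact profile is assumed here.
public static class XkmsRequestBuilder
{
    const string XkmsNs = "http://www.w3.org/2002/03/xkms#";
    const string DsNs   = "http://www.w3.org/2000/09/xmldsig#";

    // Step 1: request carrying the DER bytes of the certificate to validate.
    public static XmlDocument BuildValidateRequest(X509Certificate2 certToValidate, string serviceUrl)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        XmlElement req = doc.CreateElement("ValidateRequest", XkmsNs);
        req.SetAttribute("Id", "req-" + Guid.NewGuid().ToString("N"));
        req.SetAttribute("Service", serviceUrl);
        doc.AppendChild(req);

        XmlElement respondWith = doc.CreateElement("RespondWith", XkmsNs);
        respondWith.InnerText = XkmsNs + "X509Cert";
        req.AppendChild(respondWith);

        XmlElement binding  = doc.CreateElement("QueryKeyBinding", XkmsNs);
        XmlElement keyInfo  = doc.CreateElement("KeyInfo", DsNs);
        XmlElement x509Data = doc.CreateElement("X509Data", DsNs);
        XmlElement x509Cert = doc.CreateElement("X509Certificate", DsNs);
        x509Cert.InnerText = Convert.ToBase64String(certToValidate.RawData);
        x509Data.AppendChild(x509Cert); keyInfo.AppendChild(x509Data);
        binding.AppendChild(keyInfo);   req.AppendChild(binding);
        return doc;
    }

    // Step 2: enveloped XML-DSig signature over the whole request, keyed with the
    // requester's Unizeto-approved signing certificate. KeyInfo carries that
    // certificate so the service can match it to the registered public key.
    public static void AddSignatureToXml(XmlDocument doc, X509Certificate2 signingCert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signingCert.GetRSAPrivateKey() };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // not the SHA-1 default of old .NET
        var reference = new Reference { Uri = "", DigestMethod = SignedXml.XmlDsigSHA256Url }; // "" = whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signingCert));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true)); // step 3: ready to send
    }
}
```

The signing certificate must have an accessible RSA private key (e.g. loaded from a PFX or the Windows store); the resulting document is what the SOAP client then carries in its body.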
Implementation/Coding - Receiving the response
Steps:
1. Receive the response.
2. Validate the signature in the response with the verification certificate, and present the end result to the user.
Method used:
  public static bool VerifySignatureInSignedXml(XmlDocument xmldocument, X509Certificate2 certificate, string xmlnamespace = "")
Notes:
1. Get the response back from the XKMS service.
2. Validate the signature in the response with the public key of the verification certificate (obtained from Unizeto).

1. Response XML received.
2. Validate the signature in the response; the standard .NET library is used for the check.
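The response check above, as an added C# example that is not EU-Supply's or Unizeto's code. It pins the verification certificate obtained from Unizeto instead of trusting whatever key the response carries in KeyInfo, requires the signature to cover the response root, and only then reads the XKMS key-binding status. It assumes the XKMS ValidateResult has already been extracted from the SOAP envelope; the status URIs are the XKMS 2.0 ones, and how Unizeto flags "Qualified" is not on the deck and is not assumed here.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not EU-Supply's or Unizeto's code).
public static class XkmsResponseVerifier
{
    const string XkmsNs = "http://www.w3.org/2002/03/xkms#";
    const string DsNs   = "http://www.w3.org/2000/09/xmldsig#";

    // Verify the response signature against the Unizeto-issued verification
    // certificate, not against the key embedded in the response itself.
    public static bool VerifySignatureInSignedXml(XmlDocument doc, X509Certificate2 verificationCert)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", DsNs);
        if (sigs.Count != 1) return false;                 // exactly one signature expected

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // The signature must cover the document root (URI "" or "#<root Id>");
        // otherwise a valid signature over some unrelated fragment would pass.
        string rootId = doc.DocumentElement.GetAttribute("Id");
        bool coversRoot = false;
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri == "" || (rootId != "" && r.Uri == "#" + rootId)) coversRoot = true;
        if (!coversRoot) return false;

        // verifySignatureOnly = true: the certificate was obtained out of band
        // from Unizeto and is pinned here, so no chain building is attempted.
        return signedXml.CheckSignature(verificationCert, true);
    }

    // Only after the signature checks out: accept solely the explicit #Valid
    // status under a #Success result. #Invalid, #Indeterminate, a non-success
    // ResultMajor or a missing status all count as a failed validation.
    public static bool IsKeyBindingValid(XmlDocument doc)
    {
        string resultMajor = doc.DocumentElement.GetAttribute("ResultMajor");
        if (resultMajor != XkmsNs + "Success") return false;

        XmlNodeList statuses = doc.GetElementsByTagName("Status", XkmsNs);
        if (statuses.Count != 1) return false;
        string value = ((XmlElement)statuses[0]).GetAttribute("StatusValue");
        return value == XkmsNs + "Valid";
    }
}
```

Call VerifySignatureInSignedXml first and IsKeyBindingValid only when it returned true; the green light in the user interface should depend on both.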
Testing against the test site
- You must have your own test certificate, approved by Unizeto, for signing the request (Unizeto keeps a copy of the public key for validation).
- Request a test certificate from Unizeto to use for validating the signature in the response.
- URLs of the test site:
  For the request signing client: https://standardva.webnotarius.eu/xkms/validate
  For the TSL client: https://standardva.webnotarius.eu:8443/xkms/validate

Production
- You must have your own production certificate, approved by Unizeto, for signing the request (Unizeto keeps a copy of the public key for validation).
- Request a production certificate from Unizeto to use for validating the signature in the response.
- URLs:
  For the request signing client: https://xkms-1.qva.public.certum.pl/xkms/validate
  For the TSL client: https://xkms-2.qva.public.certum.pl/xkms/validate

Piloting, initial experiences
Initial piloting
Experiences in DK, N and LT (from TSA and direct CA validation):
- Many suppliers are very late in obtaining certificates, so an early warning is required.
- Foreign suppliers lack a CA and/or confidence in the certificates used.
- Very high availability is required.
- A fallback from XAdES-X to XAdES is required so as not to prevent signing.
- The most common eIDs are not enough, and an instant response is required.
PEPPOL final preparations now:
- Ensuring all common eIDs (then 100+) are supported by the VA service.
- Volume piloting starting from the pending releases of CTM 6.7.2:
  LT: > 12 000 e-RFTs p.a. (all proposals signed online)
  FR, PT: > 15 000 e-RFTs (increasing share of proposals signed online)
  Others: > 1 000 e-RFTs p.a. in States where signing is mandatory

Further information

Contact information
- Unizeto (www.unizeto.pl): Marcin Kalinowski, Marcin.kalinowski@unizeto.pl
- Difi (www.difi.no), DIFI e-ID programme: Jon Ølnes, jon.olnes@difi.no
- EU-Supply (www.eu-supply.com), MD: Thomas Beergrehn, thomas.beergrehn@eu-supply.com