Civil Registry Agency of the Ministry of Justice, Georgia
Digital Signature Services in Georgia
Mikheil Kapanadze
E-Document and E-Signature Law
Adopted in 2008
• … and we know that we are late. So, we will have to work hard and fix the gap
There were changes in subsequent years
• Some changes are planned
Along with the E-Signature law, Georgia adopted the technical regulations
• These regulations mainly concern certification authorities
On May 10, 2012, we made the first digital signature on an electronic document
• The president, other government officials and citizens (about 80 persons) put their signatures using their ID Cards
E-Signature and Digital Signature according to the law
Electronic signature
• Defined as any set of data, created based on electronic sources, which can be used by the signer to specify his/her association with the document
Digital Signature
• An electronic signature, created using cryptographic manipulation on the data based on the private key, logically associated with the electronic document
• Associated with the signer only
• It’s possible to identify the signer
• The private key is under the sole control of the signer
• Association with the document allows manipulation of the data to be detected
ID Card as secure signature creation device (SSCD)
Private key security
• Signature key (RSA 2048) is generated on the card
• The private key never leaves the card
• The key material cannot be extracted from the card
Digital Signature PIN
• 6 digits
• Not generated during card personalization. Must be set by the card holder
• The secure envelope does not contain this PIN
• The cardholder is supplied with a 5-digit transport PIN
• The transport PIN can be used ONLY ONCE to set the digital signature PIN
• It’s not possible to reset the signature PIN by PUK
Additional security measures
No Contactless signatures
• ID Card’s PKI applet is available on the contact interface only
Regulations on card readers
• All card terminals installed at customer service points MUST support secure PIN entry (SPE)
• The terminal must be able to use SPE when it deals with a Georgian ID card
• Organizations are recommended to cooperate with CRA to certify their card terminals before starting operations
Physical security of the ID Card and PIN
Please, memorize your PIN
• Card holders are advised not to write down their signature PIN
• If the card holder cannot memorize the PIN, he/she is recommended to store card and PIN separately
Leaving the card at the entrance of organizations
• A special regulation will be issued to prohibit leaving the ID card at the entrance of a building to get a pass
• We understand that it may introduce additional costs to the organizations but we need to minimize risks
Advanced electronic signatures
Signature type and the demands of the law
• The signature law demands that the document be signed using a certificate which is valid during the signing process
• Thus we need to have revocation information along with the signature
• Secure timestamp is not mandated by the law yet but we are going to change the law accordingly
• This means that the signer will have to be online to sign the document
ETSI Standards and the signature law
• Signatures of the *AdES family of ETSI standards were found to be permitted under the Georgian signature law
• As the revocation information needs to be stored in the document, the basic profiles of *AdES cannot be used
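The rule on the two slides above (certificate valid at signing time, revocation information stored with the signature, secure timestamp planned) written as a verifier-side decision. This is an added example, not code from the CRA or from the original slides; the `SignatureEvidence` fields, the `judge` function and the sample dates are constructed for illustration, and a real verifier would also validate the signature value and the certificate chain.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

@dataclass(frozen=True)
class SignatureEvidence:
    """Facts a verifier reads from one signed document (hypothetical model)."""
    cert_not_before: datetime
    cert_not_after: datetime
    claimed_time: datetime                  # written by the signing software, unproven
    timestamp_time: Optional[datetime]      # from a secure timestamp, None if absent
    status_produced_at: Optional[datetime]  # issue time of the stored OCSP/CRL answer
    revoked_at: Optional[datetime]          # revocation time in that answer, None = good

def judge(ev: SignatureEvidence) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is VALID, INVALID or INDETERMINATE."""
    if ev.status_produced_at is None:
        return "INDETERMINATE", "no revocation information stored with the signature"
    proven = ev.timestamp_time is not None
    signed_at = ev.timestamp_time if proven else ev.claimed_time
    if not ev.cert_not_before <= signed_at <= ev.cert_not_after:
        return "INVALID", "signing time is outside the certificate validity period"
    if ev.revoked_at is not None and ev.revoked_at <= signed_at:
        return "INVALID", "certificate was already revoked at signing time"
    if ev.status_produced_at < signed_at:
        return "INDETERMINATE", "stored revocation answer predates the signature"
    if ev.revoked_at is not None and not proven:
        # Revoked later: a claimed time could be backdated by whoever holds the key.
        return "INDETERMINATE", "revoked later and the signing time is only claimed"
    how = "timestamped" if proven else "claimed"
    return "VALID", "certificate was valid at the " + how + " signing time"

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

def sample(**changes) -> SignatureEvidence:
    """Constructed sample: signed 2012-05-10, status checked the next day."""
    base = dict(cert_not_before=utc(2012, 1, 1), cert_not_after=utc(2016, 1, 1),
                claimed_time=utc(2012, 5, 10), timestamp_time=utc(2012, 5, 10),
                status_produced_at=utc(2012, 5, 11), revoked_at=None)
    base.update(changes)
    return SignatureEvidence(**base)

if __name__ == "__main__":
    later = dict(revoked_at=utc(2013, 3, 1), status_produced_at=utc(2013, 6, 1))
    print(judge(sample(**later)))                       # revoked after timestamped signing
    print(judge(sample(timestamp_time=None, **later)))  # same revocation, no timestamp
    print(judge(sample(status_produced_at=None)))       # no revocation info stored
```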
The format of the signed documents
PDF (ISO 32000-1) with signature extensions
• For signed text documents, PDF is the only format in Georgia now
• The format allows additional data to be stored as attachments
• Can be created by a wide range of software
• “Trusted readers” exist
• Multiple signatures are allowed
• PDF/A is not mandated but highly recommended
Non-text documents
• Currently, signatures cannot be made on non-text documents, according to the signature law
• We are working to extend the signature law to support them
The signature format
PAdES-LTV (ETSI TS 102 778-4)
• This is currently the only signature format suitable for the Georgian signature law
• It uses non-ISO extensions to PDF defined by ETSI
• It is promised that these extensions will be put in the next ISO standard
Other profiles
• Other profiles are not immediately compatible with the signature law
• To speed up the signing process in case of multiple signers, it may be possible to use PAdES Basic/BES/EPES profiles and extend the profile to LTV as soon as possible
• What ASAP means in this case needs to be defined in the law
Sign-what-you-see
How do we implement the sign-what-you-see concept?
• One of the arguments for selecting PDF was that it can be read by different tools on many platforms
• So, the signer can verify the document before signing and after signing
• It’s recommended to use the signed document only when you have reviewed it after signing
Other security measures
• ID Card demands typing the signature PIN on EACH signature operation
• The cardholder may have a simple card reader for personal use but it is highly recommended to buy one with SPE even for home use
• We do not want to introduce regulations on card terminals for home use as it may slow down digital signature adoption among the population
Signature tools
Standalone tool
• Developed as Java Web Start application
• Available at https://id.ge
• Can be used to sign confidential documents
Sign ’em Portal
• A web portal which allows file upload and signing
• Uses Java applet to communicate with card
• Allows document sharing to perform multi signatures
• Available at https://id.ge
Adobe Acrobat X/Adobe Reader X
• PKCS#11 driver exists for ID Card PKI
• Adobe Acrobat/Reader X can be configured to use this driver and sign the documents in CRA-independent way
• This method is not officially supported yet but we are working hard on it
Embedding the signature creation in other software
Web Portals
• The applet written for the Sign ’em portal can be embedded in any web-based solution
• It uses easy-to-use interfaces to communicate with the outer world
• We plan to embed it in the unified document management system used in the Ministry of Justice and all its agencies (CRA, NAPR, DEA, etc.)
Libraries/Frameworks
• We enforce only standards, not tools/libraries/frameworks
• The organizations are free to use any solution available on the market which allows creation of PAdES-LTV signatures
• It’s strongly recommended to use tools which participate in ETSI PlugTest events for interoperability
ID.GE – ID Card, Signatures and more
Thank You. Happy Signing!