Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. Andreas Kuehne –...
Transcript of Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. Andreas Kuehne –...
Digital Signatures and Digital Signatures and e-Identity.e-Identity.
Getting the best out of DSS / Getting the best out of DSS / DSS-X services. DSS-X services.
www.oasis-open.org
Andreas Kuehne – DSS-X memberAndreas Kuehne – DSS-X member
'Protocols for central services providing signature generation AND verification'Avoid problems of deployment of infrastructure
required to support individual generationAll the complexity of verification implemented and
deployed once at the server.Reduces overhead of key management: the central
server takes care of the required tasks on certs status in both generation and verification.
All the details of the policy for the signatures centralized.
May keep logs of the verification processes and results.
Coarse Orientation:
DSS is an OASIS Standard !Official standard since 2008
Many profiles part of DSSFormat ( e.g. XAdES, Code Signing )Scope ( EPM, German Sig. Law )Transport ( Async )
Requirement for agreed IPR mode caused termination of DSS
What's already there:
DSS-X TCFounded in 2008Many DSS members joined
Maintenance of core spec
New profile areasSpecializing profiles Extending existing functionalities Into the unknown
What's new :
Specializing existing profilesJ2SE code signing
Extending existing functionalitiesebXML
Into the unknownEncryption and decryption profileVisible signatures Individual Reports on Signatures… to do …Signature & Service PolicySigned Verification Responses
Complete Profile List:
Get a more detailed knowledge about some selected profiles that may be useful for e-identity applications :
Verification reports
ebXML
J2SE code signing
Detailed Look :
Provides support for multiple signatures Comprehensive signature verification reports for :
XML-Signatures [RFC 3275], [ETSI 101903] CMS-Signatures [RFC 3852], [ETSI 101733] Time Stamps [RFC 3161], [OASIS DSS] Public-Key Certificates [RFC 5280] Certificate Revocation Lists [RFC 5280] Attribute Certificates [RFC 3281] OCSP-Responses [RFC 2560] Evidence Records [RFC 4998] arbitrary other structures (in additional profiles)
Comprehensive Signature Verification Report Profile
For each verified signature an individual report is issued, which includes :Details on cryptographic verification of the signatureFor each certificate in the certification path:
Details on the cryptographic verification Details on their status (this may include references or values
of CRLs and OCSP responses for instance). Details on certificate in their certification paths
Details on the signed and unsigned properties present within the signature.
Comprehensive Signature Verification Report Profile
If time-stamps are present within the signature,for each one, the report includes:Details on the cryptographic verification of the time-
stamp itself.For each certificate in the certification path of time-
stamp certificate : Details on the cryptographic verification Details on their status. Details on certificate in their certification paths
Details of the checks performed against the Trusted Status Lists ( providing information of the status of the Trusted
Services Providers issuing PKI related material ).
Comprehensive Signature Verification Report Profile
DetailedSignatureReport
Properties
FormatOK
Details on all the cer-tificates in the path(in next slide)
VerifyManifestResultst
e.g. time-stamps
SignatureOK
CertificatePathValidity
CertificateIdentifierPathValiditySummary PathValidityDetail
PathValidityDetail
TSLValidity CertificateValidity
Details on the status of this certificate (including CRL, OCSP responses) in next slide
Subject
CertificateIdentifier
ChainingOK
ValidityPeriodOK
ExtensionsOK
CertificateValue
CertificateContent
SignatureOK
CertificateStatus
Details XML encodedof contents of thiscertificate.
CertificateStatus
RevocationInfo
CertStatusOK
Details certificationpath for the CRL itself
RevocationEvidence
CRLValidity
CRLReference
RevocationDate
RevocationReason
OCSPValidity
OCSPReference
Other
Details certificationpath for the OCSPResponse itself
Optional Input / Output
Structure of IndividualReport
Individual Structures
ebXML Profile ebXML Messaging (ebMS) is an advanced OASIS
Standard messaging protocol: Synchronous or asynchronous SOAP-based messaging Reliable and secure messaging Standard business metadata in document header OASIS Standards version 2.0 (2002), version 3.0 (2007)
The DSS-X ebXML profile defines a transport protocol binding to ebMS
Complements the transport bindings defined in DSS Leverages the advanced features of ebMS
The DSS-X ebXML profile supports: Communities that want to leverage their existing e-business or
e-government ebMS infrastructures for DSS services Scenarios such as cross-enterprise document workflows;
document archival and retrieval; scanned document handling
ebXML usage statement A government agency in the Netherlands uses the DSS
ebXML profile inproduction to interact with a remote DSS provider.
The service provider provides remote PDF certification of scanned documents.
The agency and the provider are currently exchanging several hundreds DSS ebMS messages per day, each containing a medium to large-size (tens of MBs) PDF document.
Code Signing details
Code signing is crucial for building a trustworthy system of software artifacts.
Code signing is supported by many development tools ( like 'ant' ) out-of-the-box !
Secret keys reside in the file system. Lax key management in development department.
CS profile advantages Centralized signing pays off in the usual way :
Control about secret keys Easy certificate mangement Controlling who signs Tracking what / when / by whom was signed
Access can be managed on per-user basis.
Even automatic build environments supported.
J2SE profile details J2SE defines a special standard on top of PKCS7. New profile applicable for Applets and WebStart
applications. DSS already included a profile for Java Micro Edition.
Usage statement : Trustable uses the CS profile to build a verification
applet. Ant task is available under GPL as well as the DSS
implementation.
Public review ebXMLVisible SignatureSignature PolicyIndividual Verification ReportOther ..
Conformance and InterOp tests ??? can we agree on an estimated date ??
Further process ?? can we guess a date for ‘going to standard’ ??
Standardization forecast