ETSI Security week eIDAS Thematic stream
Open source for creation and validation of signatures
Sophia Antipolis, France, 25/06/2015
Robert Bielecki (ARhS SpikeSeed, Luxembourg)
Context
Findings
Standards
Principles
Validation report
Intrinsic interoperability
Context
ETSI Plugtests: X/C/PAdES/ASiC/eSIGN
SD-DSS: Open source Java library
Cross-border signature validation
Various EU projects: eJustice/eCodex/TED/CheckLex
Findings
Significant differences in the interpretation of standards
Strong influence of national laws
Habits related to countries and organizations
The weight of what already exists
The lack of a common way of expressing the result of validation
Signature validation in the European context remains quite difficult
Common/Shared language needs to be defined
Interoperability issue
http://en.wikipedia.org/
Possible Solutions
Improving standards
Adoption of a common Open Source library
A regular validation process
[Diagram labels: Signed data; Signature; Signature Validation Application; Constraint; Validation Report]
Current Situation
Observation: Who should read the report?
End user without any knowledge of signing
End user knowing the general concepts of signing
Helpdesk
Digital signature Expert
Observation: What rules must be checked?
What’s the solution
As IT experts we are not able to provide a common validation policy; however, we can provide a mechanism to express it!
Standards: Signature/Validation Policies
• 2002 (Final): ETSI TR 102 038, XML format for signature policies
• 2015 (Draft): ETSI TS 119 172-1, Signature policies: human readable
• 2016: ETSI TS 119 172-2, XML format for Signature Policies
Standards: Validation
• 2001 (Info): RFC 3126, Formats for long term electronic signatures/beginnings
• 2012 (Final): ETSI TS 102 853, Signature validation procedures and policies
• 2015 (Finalising): ETSI EN 319 102-1, Procedures for Creation and Validation of …/Part 1: Creation and Validation
Standards: Report
• 2010 (Final): OASIS DSS v1.0, Profile for Comprehensive Multi-Signature Verification Reports Version 1.0
• 2016: ETSI TS 119 102-2, Signature Validation Report Structure
Pragmatic approach
Definition of constraints
Execution of validation rules
Report generation
• Diagnostic data
• Detailed Report
• Simple Report
Validation policy: constraints
    <SigningCertificate>
        <Recognition Level="FAIL"/>
        <AttributePresent Level="FAIL"/>
        <DigestValuePresent Level="FAIL"/>
        <DigestValueMatch Level="FAIL">true</DigestValueMatch>
        <IssuerSerialMatch Level="WARN">true</IssuerSerialMatch>
    </SigningCertificate>
• Levels:
  • IGNORE – the rule is ignored
  • INFORM – when checking the rule, the data are reported
  • WARN – when processing the rule, a FAIL is transformed into a simple warning
  • FAIL – the validation process is stopped
NOTE: The use of warning can lead to exotic results
Validation reports
• Diagnostic data
  • Signature format abstraction
  • These data never change in time
• Detailed report
  • It contains a descriptive account of findings from the execution of all the rules defined in the ETSI standard and in the validation policy (constraint.xml)
  • It is difficult for an end user to understand
• Simple report
  • A simplified version of the detailed report, easily understood by a non-IT user
All these reports are encoded using XML, which allows the implementer to easily manipulate and extract information for further analysis
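The constraint levels from the "Validation policy: constraints" slide and the detailed/simple report split described above, modelled in Python. This is an added example, not SD-DSS code: the rule names come from the slide's excerpt, while the diagnostic facts, the `validate` and `with_level` helpers, the report element names and the VALID/INVALID indications are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy: the slide's excerpt, closed so it parses.
# The element text ("true") is carried along but not interpreted here.
POLICY = """<SigningCertificate>
  <Recognition Level="FAIL"/>
  <AttributePresent Level="FAIL"/>
  <DigestValuePresent Level="FAIL"/>
  <DigestValueMatch Level="FAIL">true</DigestValueMatch>
  <IssuerSerialMatch Level="WARN">true</IssuerSerialMatch>
</SigningCertificate>"""

# Constructed diagnostic data: facts about one signature (hypothetical values).
DIAGNOSTIC = {"Recognition": True, "AttributePresent": True,
              "DigestValuePresent": True, "DigestValueMatch": False,
              "IssuerSerialMatch": False}

def with_level(policy_xml, rule_name, level):
    """Return a copy of the policy with one rule's Level changed."""
    root = ET.fromstring(policy_xml)
    root.find(rule_name).set("Level", level)
    return ET.tostring(root, encoding="unicode")

def validate(policy_xml, facts):
    """Apply each rule at its level; return (detailed, simple) XML reports."""
    detailed = ET.Element("DetailedReport")
    warnings, indication = [], "VALID"
    for rule in ET.fromstring(policy_xml):
        level = rule.get("Level", "FAIL")
        if level == "IGNORE":
            continue                          # rule is not evaluated at all
        ok = bool(facts.get(rule.tag, False))  # a missing fact counts as failed
        entry = ET.SubElement(detailed, "Constraint", Name=rule.tag, Level=level)
        if level == "INFORM":
            entry.set("Status", f"INFO ({ok})")  # reported, never affects result
        elif ok:
            entry.set("Status", "OK")
        elif level == "WARN":
            entry.set("Status", "WARNING")     # failure downgraded to a warning
            warnings.append(rule.tag)
        else:                                  # FAIL: validation stops here
            entry.set("Status", "NOT OK")
            indication = "INVALID"
            break
    simple = ET.Element("SimpleReport")
    ET.SubElement(simple, "Indication").text = indication
    for name in warnings:
        ET.SubElement(simple, "Warning").text = name
    return detailed, simple

if __name__ == "__main__":
    for policy in (POLICY, with_level(POLICY, "DigestValueMatch", "WARN")):
        print([ET.tostring(r, encoding="unicode") for r in validate(policy, DIAGNOSTIC)])
```

With `DigestValueMatch` relaxed from FAIL to WARN, the same diagnostic data yields VALID with two warnings instead of INVALID, which is one way a WARN level produces a surprising result.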
HTML based Validation Report
Validation Report & Open Source SD-DSS
SD-DSS framework
Validation constraints
• ETSI 119 172-2
Validation Process
• ETSI 102 853
• ETSI 319 102-1
Validation Report
• ETSI 319 102-2
Intrinsic interoperability
[Diagram labels: Standards; Libraries; Reference]
Standards are affected
Library is the guardian of interoperability
Thank you for your attention