Title - PKI - FORUM УКРАЇНА 2013


Civil Registry Agency of the Ministry of Justice, Georgia
Digital Signature Services
in Georgia
Mikheil Kapanadze
E-Document and E-Signature Law
Adopted in 2008
• … and we know that we are late. So, we will have to work hard and fix the gap
There were changes in subsequent years
• Some changes are planned
Along with the E-Signature law, Georgia adopted the technical regulations
• These regulations mainly concern certification authorities
On May 10, 2012 we made a first digital signature on the electronic document
• The president, other government officials and citizens (about 80 persons) put
their signatures using their ID Cards
E-Signature and Digital Signature according to the law
Electronic signature
• Defined as any set of the data, created based on electronic sources, which can
be used by the signer to specify his/her association with the document
Digital Signature
• An electronic signature, created using cryptographic manipulation on the data
based on the private key, logically associated to the electronic document
• Associated to the signer only
• It’s possible to identify the signer
• The private key is under the sole control of the signer
• Association with the document allows manipulation of the data to be detected
ID Card as secure signature creation device (SSCD)
Private key security
• Signature key (RSA 2048) is generated on the card
• The private key never leaves the card
• The key material cannot be extracted from the card
Digital Signature PIN
• 6 digits
• Not generated during card personalization. Must be set by the card holder
• The secure envelope does not contain this PIN
• The cardholder is supplied with a 5-digit transport PIN
• The transport PIN can be used ONLY ONCE to set the digital signature PIN
• It’s not possible to reset the signature PIN by PUK
Additional security measures
No Contactless signatures
• ID Card’s PKI applet is available on contact interface only
Regulations on card readers
• All card terminals installed at customer service points MUST
support secure PIN entry (SPE)
• The terminal must be able to use SPE when it deals with the Georgian
ID card
• Organizations are advised to cooperate with CRA to certify
their card terminals before starting operations
Physical security of the ID Card and PIN
Please, memorize your PIN
• Card holders are advised not to write down their signature PIN
• If the card holder cannot memorize the PIN, he/she is advised to
store the card and PIN separately
Leaving the card at the entrance of organizations
• A special regulation will be issued to prohibit leaving the ID card at the
entrance of a building to get a pass
• We understand that it may introduce additional costs to the organizations
but we need to minimize risks
Advanced electronic signatures
Signature type and the demands of the law
• The signature law requires the document to be signed using a certificate which is valid
during the signing process
• Thus we need to have revocation information along with the signature
• A secure timestamp is not mandated by the law yet but we are going to change the
law accordingly
• This means that the signer will have to be online to sign the document
ETSI Standards and the signature law
• Signatures of the *AdES family of ETSI standards were found to be permitted under the
Georgian signature law
• As the revocation information needs to be stored in the document, the basic
profiles of *AdES cannot be used
The format of the signed documents
PDF (ISO 32000-1) with signature extensions
• For signed text documents, PDF is the only format in Georgia now
• The format allows additional data to be stored as attachments
• Can be created by a wide range of software
• “Trusted readers” exist
• Multiple signatures are allowed
• PDF/A is not mandated but highly recommended
Non-text documents
• Currently, signatures cannot be made on non-text documents, according to the
signature law
• We are working to extend the signature law to support them
The signature format
PAdES-LTV (ETSI TS 102 778-4)
• This is currently the only signature format suitable for the Georgian signature law
• It uses non-ISO extensions to PDF defined by ETSI
• It has been promised that these extensions will be included in the next ISO standard
Other profiles
• Other profiles are not immediately compatible with the signature law
• To speed up the signing process in case of multiple signers, it may be possible
to use PAdES Basic/BES/EPES profiles and extend the profile to LTV as soon as
possible
• What ASAP means in this case needs to be defined in the law
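The distinction drawn above between basic PAdES profiles and PAdES-LTV can be checked structurally before a document is accepted. The following is an added example, not code from the presentation or from CRA: a heuristic scan for the signature SubFilter names and for the Document Security Store (DSS) that ETSI TS 102 778-4 uses to carry revocation data. The function name and the sample fragments are constructed for illustration, and the scan only sees objects that are not stored in compressed object streams.

```python
import re

# Name tokens defined for PAdES signatures (ETSI TS 102 778).
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
DSS_REF = re.compile(rb"/DSS\s+(?:\d+\s+\d+\s+R|<<)")            # catalog entry
REVOCATION = re.compile(rb"/(OCSPs|CRLs)\s*\[\s*\d+\s+\d+\s+R")  # non-empty array


def classify_pades(pdf_bytes: bytes) -> dict:
    """Heuristic structural scan; it does not validate any signature."""
    subfilters = [m.decode() for m in SUBFILTER.findall(pdf_bytes)]
    # ETSI.RFC3161 marks a document timestamp, not a signer's signature.
    signatures = [s for s in subfilters if s != "ETSI.RFC3161"]
    revocation = sorted({m.decode() for m in REVOCATION.findall(pdf_bytes)})
    if not signatures:
        profile = "unsigned"
    elif DSS_REF.search(pdf_bytes) and revocation:
        profile = "LTV"      # revocation data travels with the document
    else:
        profile = "basic"    # must be extended to LTV before it is relied on
    return {
        "profile": profile,
        "signature_subfilters": signatures,
        "revocation_sources": revocation,
        "document_timestamp": "ETSI.RFC3161" in subfilters,
    }


# Constructed fragments (not complete PDFs), embedded so the example runs offline.
BASIC_SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj
5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached
/ByteRange [0 100 200 50] /Contents <00> >> endobj
"""

# The same document after an incremental update that adds a DSS and a timestamp.
LTV_SAMPLE = BASIC_SAMPLE + b"""1 0 obj << /Type /Catalog /AcroForm 2 0 R /DSS 9 0 R >> endobj
9 0 obj << /Type /DSS /Certs [10 0 R] /OCSPs [11 0 R] /CRLs [] >> endobj
12 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161
/ByteRange [0 300 400 50] /Contents <00> >> endobj
"""

if __name__ == "__main__":
    for name, sample in (("basic", BASIC_SAMPLE), ("ltv", LTV_SAMPLE)):
        print(name, classify_pades(sample))
```

A "basic" result here corresponds to the Basic/BES/EPES case that still has to be extended to LTV; an "LTV" result only shows that revocation data is present, not that it is valid for the signing time.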
Sign-what-you-see
How do we implement the sign-what-you-see concept?
• One of the arguments for selecting PDF was that it can be read by different tools
on many platforms
• So, the signer can verify the document before signing and after signing
• It’s recommended to use the signed document only when you have reviewed it
after signing
Other security measures
• The ID Card requires the signature PIN to be typed for EACH signature operation
• The cardholder may have a simple card reader for personal use but it is highly
recommended to buy one with SPE even for home use
• We do not want to introduce regulations on card terminals for home use as it may
slow down digital signature adoption among the population
Signature tools
Standalone tool
• Developed as a Java Web Start application
• Available at https://id.ge
• Can be used to sign confidential documents
Sign ’em Portal
• A web portal which allows file upload and signing
• Uses a Java applet to communicate with the card
• Allows document sharing to collect multiple signatures
• Available at https://id.ge
Adobe Acrobat X/Adobe Reader X
• A PKCS#11 driver exists for the ID Card PKI
• Adobe Acrobat/Reader X can be configured to use this driver and sign documents in a CRA-independent way
• This method is not officially supported yet but we are working hard on it
Embedding the signature creation in other software
Web Portals
• The applet written for the Sign ’em portal can be embedded in any web-based
solution
• It uses easy-to-use interfaces to communicate with the outer world
• We plan to embed it in the unified document management system used in the
Ministry of Justice and all its agencies (CRA, NAPR, DEA, etc.)
Libraries/Frameworks
• We enforce only standards, not tools/libraries/frameworks
• Organizations are free to use any solution available on the market which allows
creation of PAdES-LTV signatures
• It’s strongly recommended to use tools which participate in ETSI PlugTest events for
interoperability
ID.GE – ID Card, Signatures and more
Thank You
Happy Signing! 