Interoperability Requirements for Electronic Signatures

OpenXAdES & DigiDoc
Tarvi Martens
Estonia
The Story
January 2002 – first Estonian ID-card is issued
March 2002 – ETSI publishes first version of XAdES
October 2002 – First public occasion of digital signing
May 2007 – >2.2M digital signatures created, unified signature system for all sectors
“Internal” vs. “free-flowing”
Most web-based applications
making use of digital signatures
do not allow for downloading
the result of signing
Notable difference between
− “internal signing” – usually just for security
reasons
− “signed files” – meant for universal distribution
Signatures vs. Containers
[Diagram labels: Container, Data, Signature, External Data]
Signature Formats
Big zoo before
Now stabilizing
European standards ahead of U.S.
XML-DSIG → XAdES (ETSI TS 101903)
PKCS#7 (CMS) → CAdES (ETSI TS 101733)
Signature Profiles – XAdES example
[Diagram of profile blocks: XML-DSIG+, BES/PES, T, C, X, L, A]
... plus myriad of options within blocks
Example : ETSI 101734 & 101934
Signature Policies
How is validity information obtained?
Which algorithms/key lengths are used?
What is the quality of the signing certificate?
Is long-time validity ensured?
…
Container Formats
MS OpenXML (XAdES evolving from Latvia)
ODF (XML-DSIG)
Adobe (CMS)
MS <= 2003 (proprietary)
DigiDoc (XAdES)
DigiDoc and OpenXAdES
OpenXAdES stands for Open Source
project & community
− www.openxades.org
DigiDoc is a pet name for (mainly) end-user
tools for digital signature handling
− Makes use of OpenXAdES
DigiDoc/OpenXAdES –
a profile of XAdES
XAdES-X-L coming in two flavors
− with or without timestamping
Validity confirmation obtained when signing
Long-time validity provided with SeqLog
Proprietary container
Features/experience
Signing with CSP-supported smartcard or
Mobile-ID (via DigiDocService)
− Proven support for foreign ID-cards
− Mobile-ID up and running for a week
5 years of development and field experience
Probably the “completest” implementation of
XAdES to date
The Scheme
“I just signed this document”
Doc,Cert
OCSP
DB
(Doc,Cert,time)ok
“At the time I saw this document, corresponding certificate was valid”
Secure log
SeqLog
Database of certificates:
• Activation
• Suspension
• End of suspension
• Revocation
SeqLog
OCSP
Signed validity confirmations
DigiDoc Architecture
[Architecture diagram labels: Application (×3), Win32 Client, DigiDoc portal, COM-library, WebService, DigiDoc-library (Win32/Unix/C/Java), CSP, PKCS#11, MSSP, XML, Mobile phone, OCSP, ID card]
DigiDoc Portal
Simple WWW-application for everyone:
− Downloading/uploading of document
− Signing and validity confirmation
− Verification
− Sending document to another portal user
− Sorting/Deleting/Archives
− Multi-language
Verification Portal
http://digidoccheck.sk.ee
Allows checking a .ddoc file without an ID-card
DigiDoc Client
Provides the same functionality as portal
− Signing and obtaining validity confirmation
− Verification of signed document
Encryption and decryption (XML-ENCRYPT)
Does not require uploading document
Provides for digital signatures without using
DigiDoc portal
Multi-language, multi-PKI support
DigiDocService
Simple SOAP-based protocol
− “I have a file here, make it signed”
− “I have got a signed file. What’s inside it?”
Supports mobile authentication and digital signing
Best for integration of digital signature handling
capability – libraries are changing rapidly, the
protocol remains more stable
DigiDoc library
Signing through PKCS#11 and CSP
Handling of validity confirmation
Handling of XML document
Verification
Win32/Unix, C code
DLL & COM under Windows
Java implementation
Distributed under LGPL terms
[Diagram labels: DigiDoc library (Win32/Unix), CSP, XML, OCSP, ID card]
Document format
Based on XML-DSIG standard
Contains subset of ETSI TS 101 903
(XAdES) extensions
− Place, time and of signature
− Role of signature holder
− Validity confirmation and certificate of
OCSP responder
Document format (2)
Multiple original documents can be signed at
once
Original document can be embedded or
detached
Original document can be XML or any binary
format
Multiple signatures are supported
Just one validity confirmation per signature
Document format
[Diagram labels: Original files, Signature, Certificate of signer, Validity confirmation, Certificate of responder]
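A structural check for the signature layout listed above, as an added example that is not part of the original slides or of the DigiDoc/OpenXAdES code: it confirms that each signature carries a signer certificate, a signing time, exactly one validity confirmation and a responder certificate, and lists the files it references. The sample container is constructed; its SignedDoc/DataFile names and flattened nesting are assumptions, and nothing here verifies signatures or OCSP responses cryptographically.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real .ddoc file. SignedDoc/DataFile are assumed container
# names; the rest are XML-DSIG/XAdES element names, nesting flattened, values dummy.
SAMPLE = """<SignedDoc>
 <DataFile Id="D0" Filename="a.txt">ZGF0YQ==</DataFile>
 <DataFile Id="D1" Filename="b.pdf">ZGF0YQ==</DataFile>
 <Signature Id="S0">
  <SignedInfo><Reference URI="#D0"/><Reference URI="#D1"/></SignedInfo>
  <KeyInfo><X509Certificate>c2lnbmVy</X509Certificate></KeyInfo>
  <QualifyingProperties>
   <SigningTime>2007-05-01T10:00:00Z</SigningTime>
   <CertificateValues>
    <EncapsulatedX509Certificate>cmVzcA==</EncapsulatedX509Certificate>
   </CertificateValues>
   <RevocationValues><EncapsulatedOCSPValue>b2NzcA==</EncapsulatedOCSPValue></RevocationValues>
  </QualifyingProperties>
 </Signature>
 <Signature Id="S1">
  <SignedInfo><Reference URI="#D0"/></SignedInfo>
  <KeyInfo><X509Certificate>c2lnbmVy</X509Certificate></KeyInfo>
  <QualifyingProperties><SigningTime>2007-05-02T09:00:00Z</SigningTime></QualifyingProperties>
 </Signature>
</SignedDoc>"""

def named(elem, name):
    """Descendants whose tag, with any namespace stripped, equals name."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_container(xml_text):
    """Per signature Id: files covered and structural gaps. No cryptographic checks."""
    report = {}
    for sig in named(ET.fromstring(xml_text), "Signature"):
        problems = []
        if not named(sig, "X509Certificate"):
            problems.append("no signer certificate")
        if not named(sig, "SigningTime"):
            problems.append("no signing time")
        ocsp = len(named(sig, "EncapsulatedOCSPValue"))
        if ocsp != 1:  # the profile allows just one validity confirmation per signature
            problems.append(f"{ocsp} validity confirmations, expected 1")
        if not named(sig, "EncapsulatedX509Certificate"):
            problems.append("no responder certificate")
        covers = sorted(r.get("URI", "").lstrip("#") for r in named(sig, "Reference"))
        report[sig.get("Id")] = {"covers": covers, "problems": problems}
    return report

if __name__ == "__main__":
    print(check_container(SAMPLE))
```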
Availability for Lithuania
OpenXAdES completely free (i.e. specs &
libraries)
DigiDoc applications currently available for
free use / free download
Further developments need support:
− Special & new features
− Following the ever-changing environment
− “Vendor support”