UN Economic Commission for Europe

23rd UN/CEFACT FORUM Project Proposal : Trusted Third Party Time-stamping Services

Tahseen A. Khan

23rd UN/CEFACT FORUM – Geneva 7-11 April 2014

UN Economic Commission for Europe

Areas which need to be addressed within Government and Regulatory Domain

1. Standards for Mutual Recognition of Foreign Electronic Signatures 2. Standards for Timestamping Services 3. Standards for Long-term Archival of Authenticated Electronic Documents The Area (1) is addressed by two upcoming Projects.

However, areas (2) and (3) are yet to be addressed by any Project. These two areas are interdependent and overlapping and may be addressed by a single project.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe Mr “Good-Trader” in a country “Utopia” has a Digital Signature Certificate issued by “SecureCA”,a recognized Certifying Authority in “Utopia” and wants to sign a document and send it to Mr “Good-Customer” in another country “Heaven”.

However, “SecureCA” is not a recognized Certifying Authority “Heaven”, and hence the digitally signed document lacks legal validity in “Heaven” . To increase Mr. Good-Trader's traders problems , no recognized Certifying Authority of “Heaven” is having local presence in “Utopia”.

The two countries “Utopia” and “Heaven” can have an arrangement through which Recognized , Licensed Certifying Authorities in both the countries are mutually recognized and Digital Signatures Certificates issued by them are accepted.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe

1. Recommendation for ensuring legally significant trusted trans-boundary electronic interaction.

2. Management of e-Identity.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe

Need for Trusted Timestamping Services

 Exponential increase in number of G2C,G2B,B2B and B2G transactions being carried out electronically.

 Lack irrefutable evidence regarding the existence transaction/document at a particular time instance in past even though such evidence may be required from legal and technical perspectives (for example a design to be patented).

of  Increase in number of documents being authenticated using various forms of Electronic Signatures.

 However Repudiation provided by such mechanisms is short lived due to assurance of Authenticity,Integrity revocation/expiry/suspension of associated and Non Signature Certificate.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe

Need for Trusted Timestamping Services

Consider the following case: Alice signs a Contract with Bob using Digital Signature. After two days Alice lost her private keys used for signing the Contract and got her Signature Certificate revoked.

Bob can legally enforce the contract if he can prove that the Contract Document was signed when the Signature Certificate was valid as Alice could claim that the Contract was signed after she lost private keys and the associated Certificate was revoked and Alice is not liable for signatures made after revocation of the Certificate.

In such scenario, if the signed document was Timestamped by a Trusted Third Party then the Timestamp could be used to prove that the Certificate was valid at the time of signing.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe

Legally valid proof of existence of a document at a particular time.

User submits hash of the document, TSA adds a Timestamp and signs it.

Privacy is maintained as only hash of the document is made available to TSA(CA).

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe Why a Project on Timestamping ?

 Although Timestamping is useful for secure long-term Archival of documents, yet the service has limited penetration.

 Lack of awareness about potential benefits it offers.

 Lack of Guidance regarding applications which should utilize Timestamping.

 Lack of Guidance regarding Architectures/mechanisms/Protocols different suitable Applications (e.g.

re-stamping, etc).

when to use Mutiple Timestamping for various Timestamps, 7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe

Purpose of the Project:-



To identify trade related and other application areas which could potentially benefit from Time-stamping Services.



To provide guidance and suggestions for implementing Time-stamping services for such applications.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe

Scope of the Project:-

 Identification of principles for determining applications which require Time stamping and apply them to identify such applications in areas like e-Trade, e-Banking, Digital Crypto-Currencies, etc.

 Review of current architectures/solutions/protocols for implementing Time stamping Services and suggest suitable architectures/solutions/protocols matching with level of assurance required by various Applications and propose new ones if required.

 Review of various standards, including those for Time-stamping requests and responses,Trusted Time-stamping Authorities(TSAs), TSA Certificates,etc.

 Building a Repository of Open Source and Proprietary Tools for Time-stamping Applications.

 Address interoperability concerns across different implementations and Cross border legal significance of Time-stamps.

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe Deliverables

 A Document containing Recommendations covering the above scope and purpose of the Project including solutions for long term archival.

 Annexure containing details of available Time-stamping Tools  Annexure containing case studies of current application using time-stamping  Annexure containing samples illustrating Time-stamping Response and Request, Time-stamping Authority Certificate, etc 7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

UN Economic Commission for Europe Any Suggestions ?

 A separate Project should be initiated for Timestamping and Long-term Archival ?

OR The Project can be merged with some other Project like “Recommendation for ensuring legally significant trusted trans boundary electronic interactions” or Recommendation 14  Any other suggestions ?

7-11 April 2014 23 rd UN/CEFACT FORUM – Geneva

7-11 April 2014

UN Economic Commission for Europe

Thank You !!!

Questions ??

Controller of Certifying Authorities(CCA) Department of Electronics and Information Technology, Ministry of Communications & Information Technology, Government of India Website:cca.gov.in, E-mail:[email protected]

23 rd UN/CEFACT FORUM – Geneva