creating signatures at user agents comparing transport bindings
TRANSCRIPT
Creating Signaturesat
User Agents
Comparing Transport Bindings
Use Case
Assumptions• A User-Agent is used as a Signature Creation Device,
possibly by means of an SSCD, but cannot perform all verification functions nor all kinds of complex signature creation functions.
• A User-Agent has limited software & performance capabilities; it cannot manipulate the document itself.
• A User-Agent always initiates the transaction.• A document remains at it’s current location at the
Remote-End.• A remote Digital Signature Service is used to handle the
complexities of the signature creation.• As an example, a User-Agent can be a Mobile Device or
an Applet in the browser.• The OASIS DSS Core is used.
Use Case
Actor
• The End-User of the User-Agent.
System
• The User-Agent, communicating with a remote system for document handling and signature creation.
Use Case
• Basic Flow– Actor selects document.– User Agent remembers the selected document at the
remote end.– Actor requests a signing operation for the document.– User Agent asks the user for a PIN or Password.– Actor enters the PIN or Password– User Agent calculates the signature using the
(Secure) Signature Creation Device and presents the signed document, at the remote end, to the user.
– Actor views the signed document.
System
Aspects• The User Agent is capable of creating a raw digital
signature; it needs the hash of the document to create the raw signature.
• The document is at the Remote End.• Scenario’s
– 1: Remote End requests DSS to do the signature creation; DSS delegates the raw signature creation to the User Agent.
– 2: Remote End calculates the hash, requests the User Agent to create a raw signature and requests DSS to ‘complete’ the signature creation (the request contains the raw signature).
– Case 2 requires the User Agent to have a ‘thin’ implemention of the DSS interface.
– Both cases require 2 interactions between the User Agent and the Remote End for the signature creation.
1 2
UserAgent
RemoteSystem
DigitalSignatureService
(S)SCD@ User Agent
Select document
Sign document
Calculate Hash
DSS-Request(Complex)
DSS-Request(PKCS#1)
DSS-Response
DSS-Response
Prepare requestfor document
Verification,Timestamping,Revocation Info,etc....
SignHash
Sequence Diagram 1 – Delegated DSS
Document signed
1
2
UserAgent
RemoteSystem
DigitalSignatureService
(S)SCD@ User Agent
Select document
Sign document
Calculate Hash
DSS-Request(Complex)
DSS-Request(PKCS#1)
DSS-Response
DSS-Response
Prepare requestfor document
Verification,Timestamping,Revocation Info,etc....
SignHash
Sequence Diagram 2 – Composite DSS
Document signed
1
2
Interaction User Agent
• Initiate Request– Hash is calculated at the ‘Remote End’
• Create signature– Hash is signed at the User Agent
In all cases the client (User Agent) initiates the requests to the Remote End.
Possible Transport Bindings:• PAOS, reverse SOAP.• ebMS v3, using the ‘polling’ mode.• Two separate SOAP calls.
POAS – Sequence 1
(1) Sign document
(2) DSS-Request(PKCS#1)
(2) DSS-Response
(1) Document signed
Calculate Hash
SignHash
DSS
DSS-Response
DigitalSignatureService
DSS-Request(Complex)
Prepare DSS request
Diffe
ren
t se
ssion
!
RemoteSystem
POAS – Sequence 2
(1) Sign document
(2) DSS-Request(PKCS#1)
(2) DSS-Response
(1) Document signed
Calculate Hash
SignHash
DSS
DSS-Request(Complex)
DSS-Response
DigitalSignatureService
RemoteSystem
POAS Usage
• Sequence 1 seems more complex than Sequence 2 – The request/response “(2) DSS-
Request(PKCS#1)” is a new session, initiated by the DSS server ...
– ... That request has to be correlated, by the Remote End, to the first POAS R/R, to put the “(2) DSS-Request(PKCS#1)” into the POAS response.
•
(1) Document signed
(1) Sign document
ebMSv3 – Sequence 1UserAgent
RemoteSystem
DigitalSignatureService
(S)SCD@ User Agent
PUSH(Request(Sign document))
MSH A MSH B MSH A
PULL(Request)
(2) DSS-Request(PKCS#1)
PUSH(Response)
(2) DSS-Response
PULL(Response)
CalculateHash
DSS-Request(Complex)
DSS-Response
Verification,Timestamping,Revocation Info,etc....
SignHash
MSH C
(2) DSS-Response
(2) DSS-Request(PKCS#1)
(1) Document signed
(1) Sign document
ebMSv3 – Sequence 2UserAgent
RemoteSystem
DigitalSignatureService
(S)SCD@ User Agent
PUSH(Request(Sign document))
MSH A MSH B MSH A
CalculateHash
PULL(Request)
PUSH(Response)
PULL(Response)
DSS-Request(Complex)
DSS-ResponseVerification,Timestamping,Revocation Info,etc.
SignHash
ebMS Usage
• Sequence 1 – Requires DSS server to use ebMSv3– Pull Request from User Agent has to be routed via the
Remote System.
• Sequence 2– Does not require DSS server to use ebMSv3– No routing issue
• How does the ebMSv3 ‘client’ compare to the POAS ‘client’ at the User Agent regarding implementation complexity?