universal electronic signatures tarvi martens estonia
TRANSCRIPT
Universal Electronic Signatures
Tarvi MartensESTONIA
What if you receive digitally signed document
tomorrow?
Probably you should accept and handle it !!!
Rationale
• Existing EU Directive does not provide for solid grounds for unified electronic signature deployment in Europe
• CEN CWA-s and ETSI standards allow for myriad of options
• UES: Attempt to achieve electronic signature deployment and interoperability from the Best Practice experiences
What is UES ?
• UES stands for Universal Electronic Signature
• UES is a concept of electronic signature with aim to universally replace handwritten signature
• UES is going beyond AES (Advanced Electronic Signature as of EU Directive)
• UES is designed for international interoperability
UES provides for…
• UES = “Advanced Electronic Signature” based on “Qualified Certificates” PLUS: electronically signed documents are
equivalent to handwritten ones by legal evidence value
usage domain and signatory role are not restricted
signatory is uniquely identified as a physical person
there are means to identify signing time of the electronic document
electronically signed documents are maintaining their long-term validity
UES are international
UES implementation
• UES implementation requires these components to be adjusted to UES principles: Legislation CA delivering certificates on SSCD Validation services (real-time OCSP) Deployed end-user tools Inter-PKI cooperation
UES actors: CA
• Certification Authority Produces qualified certificates on SSCD
• to uniquely identifiable physical persons
Provides up-to-date certificate validity information to Validation Authority
Generates, exchanges and maintains Trust-service Status Lists (TSL)
• CA details• Valid CA and OCSP certificates• History of validity• XML-profile of ETSI TS 102 231
UES Actors: VA
• Validation Authority Issues validity confirmations using
OSCP protocol (RFC 2650) Operates in real-time:
• acquires validity information from CA-s database• Provides precise time information in responses
(time-stamping)
Logs and archives issued confirmations to provide for long-term validity
VA as an e-notary
OCSP
“When I saw this signed document, corresponding certificate was valid”
CA DB
“I just signed the document using this certificate”
(Doc,Cert,time)ok
Doc,Cert
Secure log
UES Actors: Signer and Verifier
• Signer Generates electronically signed
documents using certificate and validity confirmation
• Verifier Verifies electronic signatures using
(cached) TSL
• Sharing common document format Profile of ETSI TS 101 903 aka “XAdES” -
OpenXAdES
UES architecture (1)
CA
VA
Signer
Verifier
Cert
OCSP
TSLDoc
PKI 2
CA
VA
Signer
Verifier
Cert
OCSP
TSLDoc
PKI 1
UES architecture (2)
CA
VA
Signer
Verifier
Cert
OCSP
TSLDoc
PKI 2
CA
VA
Signer
Verifier
Cert
OCSP
TSL
Doc
PKI 1
Trust model
• Bilateral trust model• Every party has a freedom to choose
trusted parties• CA communicates trust through TSL-s
CA 1 CA 2
CA 3 CA 4
UES Organization
• Currently: Memorandum of Understanding Agreeing with UES principles and model
• Three initial partners Estonia Belgium Finland
• Represented typically by Population Registries (CA-s) and incorporating partner companies
• More formal structure (separate organization – “UES Initiative”) is considered
UES activities
• General coordination• Promotion, info sharing• Liaisons with std. bodies• Sharing enabling technology• TSL distribution• Joint work on different aspects:
Legal issues CA service provision VA service provision Document format, interop testing
UES deployment
• Sign the MoU Allocate resources for the co-operation effort
• Start issuing qualified certificates The hardest part – we assume you do it
already
• Set up your OCSP Almost any commercial OCSP Responder will
do
• Start exchanging TSL-s To be developed
• Distribute and localize end-user apps www.openxades.org
What is OpenXAdES ?
• OpenXAdES is a profile of ETSI TS 101 903 aka XAdES
• OpenXAdES specifications and implementations (C, Java) are available at www.openxades.org
• OpenXAdES is a community driven free software development project
• OpenXAdES profile specification development is coordinated by CC (and by UES organization in the future)
What is DigiDoc ?
• DigiDoc is a set of software applications based on OpenXAdES spec/library
• Applications include: DigiDoc client DigiDoc portal DigiDoc webservice (SOAP)
• Client tested with Estonian, Finnish and Belgium ID-cards
• Multilingual version available now
Digital Signature in Estonia
• Available for 1.5 years• 500 000 potential
users• 200 000 signatures• Client distributed with
ID-card starter kit• Technology integrated
in all major document handling systems and Internet banks
• Innumerable list of uses
DigiDoc library (Win32/Unix)CSP
OCSP
XML ID card
Additional Information
• ID-card issuing http://www.pass.ee • PKI & CA http://www.sk.ee• ID-card practices http://www.id.ee• Digital signature software www.openxades.org
Contact point:[email protected]
www.openxades.org/ues
Porvoo V: May 2004Tallinn, Estonia