Universal Electronic Signatures, Tarvi Martens, ESTONIA


Upload: isabella-glass

Post on 26-Mar-2015

TRANSCRIPT

Page 1: Universal Electronic Signatures Tarvi Martens ESTONIA

Universal Electronic Signatures

Tarvi Martens, ESTONIA

Page 2: Universal Electronic Signatures Tarvi Martens ESTONIA

What if you receive a digitally signed document tomorrow?

Probably you should accept and handle it!!!

Page 3: Universal Electronic Signatures Tarvi Martens ESTONIA

Rationale

• The existing EU Directive does not provide solid grounds for unified electronic signature deployment in Europe

• CEN CWAs and ETSI standards allow for a myriad of options

• UES: an attempt to achieve electronic signature deployment and interoperability based on best-practice experience

Page 4: Universal Electronic Signatures Tarvi Martens ESTONIA

What is UES ?

• UES stands for Universal Electronic Signature

• UES is a concept of electronic signature that aims to universally replace the handwritten signature

• UES goes beyond AES (Advanced Electronic Signature, as defined in the EU Directive)

• UES is designed for international interoperability

Page 5: Universal Electronic Signatures Tarvi Martens ESTONIA

UES provides for…

• UES = “Advanced Electronic Signature” based on “Qualified Certificates” PLUS:
  • electronically signed documents are equivalent to handwritten ones by legal evidence value
  • usage domain and signatory role are not restricted
  • signatory is uniquely identified as a physical person
  • there are means to identify signing time of the electronic document
  • electronically signed documents maintain their long-term validity
  • UES are international

Page 6: Universal Electronic Signatures Tarvi Martens ESTONIA

UES implementation

• UES implementation requires these components to be adjusted to UES principles:
  • Legislation
  • CA delivering certificates on SSCD
  • Validation services (real-time OCSP)
  • Deployed end-user tools
  • Inter-PKI cooperation

Page 7: Universal Electronic Signatures Tarvi Martens ESTONIA

UES actors: CA

• Certification Authority
  • Produces qualified certificates on SSCD
    • to uniquely identifiable physical persons
  • Provides up-to-date certificate validity information to Validation Authority
  • Generates, exchanges and maintains Trust-service Status Lists (TSL)
    • CA details
    • Valid CA and OCSP certificates
    • History of validity
    • XML-profile of ETSI TS 102 231

Page 8: Universal Electronic Signatures Tarvi Martens ESTONIA

UES Actors: VA

• Validation Authority
  • Issues validity confirmations using OCSP protocol (RFC 2560)
  • Operates in real-time:
    • acquires validity information from the CA's database
    • provides precise time information in responses (time-stamping)
  • Logs and archives issued confirmations to provide for long-term validity

Page 9: Universal Electronic Signatures Tarvi Martens ESTONIA

VA as an e-notary

[Diagram: the signer sends (Doc, Cert) to the VA over OCSP: “I just signed the document using this certificate”. The VA, connected to the CA DB and a secure log, answers (Doc, Cert, time) ok: “When I saw this signed document, corresponding certificate was valid”.]
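A toy model of the e-notary exchange on this slide, added here as an illustration and not taken from the deck, OpenXAdES or DigiDoc. The class and function names, the constructed `CA_DB` entries, and the HMAC key standing in for the VA's public-key signature on an OCSP response are all assumptions.

```python
import hashlib, hmac, json

VA_KEY = b"constructed-demo-key"   # assumption: HMAC stands in for the VA's signature
CA_DB = {"cert-1001": "good", "cert-1002": "revoked"}   # constructed CA validity data

def digest(document):
    return hashlib.sha256(document).hexdigest()

def canon(body):
    return json.dumps(body, sort_keys=True).encode()

def seal(body):
    return hmac.new(VA_KEY, canon(body), hashlib.sha256).hexdigest()

class ValidationAuthority:
    def __init__(self):
        self.log = []            # secure log: every entry is chained to the one before
        self.head = "0" * 64

    def confirm(self, doc_digest, cert_id, now):
        """Answer a signer's (Doc, Cert) request with a (Doc, Cert, time) confirmation."""
        status = CA_DB.get(cert_id, "unknown")     # real-time lookup in the CA's data
        body = {"doc": doc_digest, "cert": cert_id, "time": now, "status": status}
        self.head = hashlib.sha256(self.head.encode() + canon(body)).hexdigest()
        self.log.append({"body": dict(body), "chain": self.head})
        return {"body": body, "tag": seal(body)}

    def log_intact(self):
        """Recompute the chain from the start and compare it with the current head."""
        head = "0" * 64
        for entry in self.log:
            head = hashlib.sha256(head.encode() + canon(entry["body"])).hexdigest()
            if head != entry["chain"]:
                return False
        return head == self.head

def verify(document, cert_id, conf):
    """Verifier: accept only a confirmation bound to this document and certificate."""
    if not hmac.compare_digest(seal(conf["body"]), conf["tag"]):
        return False             # altered, or not issued by the VA
    body = conf["body"]
    return (body["status"] == "good" and body["cert"] == cert_id
            and body["doc"] == digest(document))
```

Because the confirmation covers the document digest, the certificate and the time together, it cannot be moved to another document or re-dated without failing verification.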

Page 10: Universal Electronic Signatures Tarvi Martens ESTONIA

UES Actors: Signer and Verifier

• Signer
  • Generates electronically signed documents using certificate and validity confirmation

• Verifier
  • Verifies electronic signatures using (cached) TSL

• Sharing common document format
  • Profile of ETSI TS 101 903 aka “XAdES” - OpenXAdES

Page 11: Universal Electronic Signatures Tarvi Martens ESTONIA

UES architecture (1)

[Diagram: two PKIs, PKI 1 and PKI 2, each with a CA, VA, Signer and Verifier; flows labelled Cert, OCSP, TSL and Doc]

Page 12: Universal Electronic Signatures Tarvi Martens ESTONIA

UES architecture (2)

[Diagram: two PKIs, PKI 1 and PKI 2, each with a CA, VA, Signer and Verifier; flows labelled Cert, OCSP, TSL and Doc]

Page 13: Universal Electronic Signatures Tarvi Martens ESTONIA

Trust model

• Bilateral trust model

• Every party has a freedom to choose trusted parties

• CA communicates trust through TSL-s

[Diagram: CA 1, CA 2, CA 3, CA 4]

Page 14: Universal Electronic Signatures Tarvi Martens ESTONIA

UES Organization

• Currently: Memorandum of Understanding
  • Agreeing with UES principles and model

• Three initial partners
  • Estonia
  • Belgium
  • Finland

• Represented typically by Population Registries (CA-s) and incorporating partner companies

• More formal structure (separate organization – “UES Initiative”) is considered

Page 15: Universal Electronic Signatures Tarvi Martens ESTONIA

UES activities

• General coordination

• Promotion, info sharing

• Liaisons with std. bodies

• Sharing enabling technology

• TSL distribution

• Joint work on different aspects:
  • Legal issues
  • CA service provision
  • VA service provision
  • Document format, interop testing

Page 16: Universal Electronic Signatures Tarvi Martens ESTONIA

UES deployment

• Sign the MoU
  • Allocate resources for the co-operation effort

• Start issuing qualified certificates
  • The hardest part – we assume you do it already

• Set up your OCSP
  • Almost any commercial OCSP Responder will do

• Start exchanging TSL-s
  • To be developed

• Distribute and localize end-user apps
  • www.openxades.org

Page 17: Universal Electronic Signatures Tarvi Martens ESTONIA

What is OpenXAdES ?

• OpenXAdES is a profile of ETSI TS 101 903 aka XAdES

• OpenXAdES specifications and implementations (C, Java) are available at www.openxades.org

• OpenXAdES is a community driven free software development project

• OpenXAdES profile specification development is coordinated by CC (and by UES organization in the future)

Page 18: Universal Electronic Signatures Tarvi Martens ESTONIA

What is DigiDoc ?

• DigiDoc is a set of software applications based on OpenXAdES spec/library

• Applications include:
  • DigiDoc client
  • DigiDoc portal
  • DigiDoc webservice (SOAP)

• Client tested with Estonian, Finnish and Belgian ID-cards

• Multilingual version available now

Page 19: Universal Electronic Signatures Tarvi Martens ESTONIA

Digital Signature in Estonia

• Available for 1.5 years

• 500 000 potential users

• 200 000 signatures

• Client distributed with ID-card starter kit

• Technology integrated in all major document handling systems and Internet banks

• Innumerable list of uses

[Diagram labels: DigiDoc library (Win32/Unix), CSP, OCSP, XML, ID card]

Page 20: Universal Electronic Signatures Tarvi Martens ESTONIA

Additional Information

• ID-card issuing: http://www.pass.ee

• PKI & CA: http://www.sk.ee

• ID-card practices: http://www.id.ee

• Digital signature software: www.openxades.org

Contact point: [email protected]

www.openxades.org/ues

Porvoo V: May 2004, Tallinn, Estonia