• Number of slides: 25

OpenXAdES & DigiDoc
Tarvi Martens, Estonia

The Story
− January 2002 – first Estonian ID-card is issued
− March 2002 – ETSI publishes first version of XAdES
− October 2002 – first public occasion of digital signing
− May 2007 – >2.2 M digital signatures created, unified signature system for all sectors

“Internal” vs. “free-flowing”
Most web-based applications making use of digital signatures do not allow for downloading the result of signing. Notable difference between:
− “internal signing” – usually just for security reasons
− “signed files” – meant for universal distribution

Signatures vs. Containers
(Diagram: a container holding data and its signature, versus a signature over external data)

Signature Formats
− Big zoo before, now stabilizing
− European standards ahead of U.S.
− XML-DSIG
− XAdES (ETSI TS 101 903)
− PKCS#7 (CMS)
− CAdES (ETSI TS 101 733)

Signature Profiles – XAdES example
− XML-DSIG + BES/PES, T, C, X, L, A . . .
− plus a myriad of options within blocks
− Example: ETSI 101734 & 101934

Signature Policies
− How is validity information obtained?
− Which algorithms/key lengths are used?
− What is the quality of the signing certificate?
− Is long-time validity ensured?
− …

Container Formats
− MS OpenXML (XAdES evolving from Latvia)
− ODF (XML-DSIG)
− Adobe (CMS)
− MS <= 2003 (proprietary)
− DigiDoc (XAdES)

DigiDoc and OpenXAdES
− OpenXAdES stands for an Open Source project & community – www.openxades.org
− DigiDoc is a pet name for (mainly) end-user tools for digital signature handling – makes use of OpenXAdES

DigiDoc/OpenXAdES – a profile of XAdES-X-L coming in two flavours
− with or without timestamping
− Validity confirmation obtained when signing
− Long-time validity provided with SeqLog
− Proprietary container

Features/experience
− Signing with CSP-supported smartcard or Mobile-ID (via DigiDocService)
− Proven support for foreign ID-cards
− Mobile-ID up and running for a week
− 5 years of development and field experience
− Probably the “completest” implementation of XAdES to date

The Scheme
(Diagram of the validity confirmation flow:)
− Signer: “I just signed this document” – Doc, Cert are sent to the OCSP responder
− OCSP responder: (Doc, Cert, time) ok – “At the time I saw this document, the corresponding certificate was valid”
− Responder backed by certificate DB and secure log

SeqLog
Database of certificates:
• Activation
• Suspension
• End of suspension
• Revocation
SeqLog → OCSP → signed validity confirmations
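The flow on the Scheme slide and the SeqLog event database above, modelled as an added example (not OpenXAdES/DigiDoc code): the certificate's status at confirmation time is replayed from its activation/suspension/end-of-suspension/revocation events, and the responder's confirmation is bound to the document hash, the certificate and the time, so a verifier can reject a confirmation that belongs to another document or was issued while the certificate was suspended. The responder's real signature and the OCSP encoding are replaced by an HMAC over a plain record; the event log and keys are constructed.

```python
"""Simplified model of the DigiDoc validity-confirmation scheme and the SeqLog
certificate-event database. Example code, not OpenXAdES/DigiDoc code; the
responder's signature is replaced by an HMAC so the script runs stand-alone."""
import hashlib
import hmac

# Constructed SeqLog: (UTC timestamp, certificate id, event) for one signer certificate.
# Timestamps use one fixed ISO 8601 form, so string order equals time order.
SEQLOG = [
    ("2002-01-10T09:00:00Z", "cert-A", "activation"),
    ("2002-06-01T12:00:00Z", "cert-A", "suspension"),
    ("2002-06-03T12:00:00Z", "cert-A", "end of suspension"),
    ("2003-01-01T00:00:00Z", "cert-A", "revocation"),
]
STATUS_AFTER = {"activation": "good", "suspension": "suspended",
                "end of suspension": "good", "revocation": "revoked"}
RESPONDER_KEY = b"constructed-responder-key"  # stand-in for the responder's private key

def cert_status_at(log, cert_id, when):
    """Replay the certificate's events up to `when` and return its status at that time."""
    status = "unknown"  # no activation event seen yet
    for ts, cid, event in sorted(log):
        if cid == cert_id and ts <= when:
            status = STATUS_AFTER[event]
    return status

def _payload(doc_hash, cert_id, when, status):
    return f"{doc_hash}|{cert_id}|{when}|{status}".encode()

def issue_confirmation(doc, cert_id, when, log=SEQLOG):
    """Responder side: 'at time `when` I saw this document and the cert was <status>'."""
    doc_hash = hashlib.sha256(doc).hexdigest()
    status = cert_status_at(log, cert_id, when)
    mac = hmac.new(RESPONDER_KEY, _payload(doc_hash, cert_id, when, status), hashlib.sha256)
    return {"doc_hash": doc_hash, "cert_id": cert_id, "time": when,
            "status": status, "mac": mac.hexdigest()}

def verify_confirmation(conf, doc, cert_id):
    """Verifier side: confirmation must be authentic, bound to this doc and cert, and say 'good'."""
    expected = hmac.new(RESPONDER_KEY, _payload(conf["doc_hash"], conf["cert_id"],
                                                conf["time"], conf["status"]), hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), conf["mac"]):
        return False  # forged or altered confirmation
    if conf["doc_hash"] != hashlib.sha256(doc).hexdigest() or conf["cert_id"] != cert_id:
        return False  # confirmation belongs to a different document or certificate
    return conf["status"] == "good"
```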

DigiDoc Architecture
(Diagram of components:)
− Applications: Win32 DigiDoc Client, portal, application via COM-library, application via WebService
− DigiDoc library (Win32/Unix/C/Java)
− Interfaces: CSP, PKCS#11, MSSP, XML
− Devices and services: ID card, mobile phone, OCSP

DigiDoc Portal
Simple WWW-application for everyone:
− Downloading/uploading of document
− Signing and validity confirmation
− Verification
− Sending document to another portal user
− Sorting/Deleting/Archives
− Multi-language

Digidoc Portal (screenshot)

Verification Portal
http://digidoccheck.sk.ee – allows checking a .ddoc file without an ID-card

DigiDoc Client
Provides the same functionality as the portal:
− Signing and obtaining validity confirmation
− Verification of signed document
− Encryption and decryption (XML-ENCRYPT)
− Does not require uploading the document
− Provides for digital signatures without using the DigiDoc portal
− Multi-language, multi-PKI support

DigiDoc Client (screenshot)

DigiDocService
Simple SOAP-based protocol:
− “I have a file here, make it signed”
− “I have got a signed file. What’s inside it?”
Supports mobile authentication and digital signing.
Best for integration of digital signature handling capability – libraries are changing rapidly, the protocol remains more stable.

DigiDoc library
− Signing through PKCS#11 and CSP
− Handling of validity confirmation
− Handling of XML document
− Verification
− Win32/Unix, C code
− DLL & COM under Windows
− Java implementation
− Distributed under LGPL terms
(Diagram: DigiDoc library (Win32/Unix) connected to CSP, OCSP, XML and the ID card)

Document format
− Based on XML-DSIG standard
− Contains subset of ETSI TS 101 903 (XAdES) extensions:
− Place, time and of signature
− Role of signature holder
− Validity confirmation and certificate of OCSP responder

Document format (2)
− Multiple original documents can be signed at once
− Original document can be embedded or detached
− Original document can be XML or any binary format
− Multiple signatures are supported
− Just one validity confirmation per signature

Document format
(Diagram: original files, signature, certificate of signer, validity confirmation, certificate of responder)
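An added example, not the DigiDoc library, that reads a constructed XAdES-style signature fragment and reports the extensions the three document-format slides list (signing time, production place, signer role, signer certificate, OCSP validity confirmation, responder certificate), so the "just one validity confirmation per signature" rule can be checked on the parsed result. The XAdES 1.1.1 namespace, the element layout and the base64 placeholder values are assumptions of the example, not taken from a real .ddoc file.

```python
"""Inspect a XAdES-style ds:Signature for the DigiDoc extensions the slides list.
Example code, not the DigiDoc library. The fragment is constructed; its base64
values are placeholders, not real certificates or OCSP responses."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.1.1#"  # XAdES namespace assumed for this fragment
NS = {"ds": DS, "xades": XADES}
QP = "ds:Object/xades:QualifyingProperties/"
SIGNED = QP + "xades:SignedProperties/xades:SignedSignatureProperties/"
UNSIGNED = QP + "xades:UnsignedProperties/xades:UnsignedSignatureProperties/"

SAMPLE = f"""<ds:Signature xmlns:ds="{DS}" xmlns:xades="{XADES}" Id="S0">
  <ds:SignedInfo/><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>U0lHTkVS</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  <ds:Object><xades:QualifyingProperties Target="#S0">
    <xades:SignedProperties><xades:SignedSignatureProperties>
      <xades:SigningTime>2007-05-14T10:15:00Z</xades:SigningTime>
      <xades:SignatureProductionPlace><xades:City>Tallinn</xades:City>
        <xades:CountryName>EE</xades:CountryName></xades:SignatureProductionPlace>
      <xades:SignerRole><xades:ClaimedRoles><xades:ClaimedRole>Board member</xades:ClaimedRole>
        </xades:ClaimedRoles></xades:SignerRole>
    </xades:SignedSignatureProperties></xades:SignedProperties>
    <xades:UnsignedProperties><xades:UnsignedSignatureProperties>
      <xades:CertificateValues><xades:EncapsulatedX509Certificate>UkVTUE9OREVS</xades:EncapsulatedX509Certificate></xades:CertificateValues>
      <xades:RevocationValues><xades:OCSPValues><xades:EncapsulatedOCSPValue>T0NTUA==</xades:EncapsulatedOCSPValue></xades:OCSPValues></xades:RevocationValues>
    </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
  </xades:QualifyingProperties></ds:Object>
</ds:Signature>"""

def summarize_signature(xml_text):
    """Return the DigiDoc-relevant properties found in one ds:Signature element."""
    sig = ET.fromstring(xml_text)
    def text(path):  # text of the first element at `path`, or None when absent
        el = sig.find(path, NS)
        return el.text.strip() if el is not None and el.text else None
    roles = sig.findall(SIGNED + "xades:SignerRole/xades:ClaimedRoles/xades:ClaimedRole", NS)
    ocsp = sig.findall(UNSIGNED + "xades:RevocationValues/xades:OCSPValues/xades:EncapsulatedOCSPValue", NS)
    return {
        "signing_time": text(SIGNED + "xades:SigningTime"),
        "city": text(SIGNED + "xades:SignatureProductionPlace/xades:City"),
        "country": text(SIGNED + "xades:SignatureProductionPlace/xades:CountryName"),
        "roles": [r.text.strip() for r in roles],
        "signer_cert": text("ds:KeyInfo/ds:X509Data/ds:X509Certificate") is not None,
        "validity_confirmations": len(ocsp),  # slide rule: just one per signature
        "responder_cert": text(UNSIGNED + "xades:CertificateValues/xades:EncapsulatedX509Certificate") is not None,
    }
```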

Availability for Lithuania
− OpenXAdES completely free (i.e. specs & libraries)
− DigiDoc applications currently available for free use / free download
− Further developments need support:
− Special & new features
− Following the ever-changing environment
− “Vendor support”