Digital Signatures and eIdentity'

1
www.oasis-open.org
Digital Signatures and e-Identity.Getting the
best out of DSS / DSS-X services.
Andreas Kuehne DSS-X member
2
Coarse Orientation

• 'Protocols for central services providing
  signature generation AND verification'
• Avoid problems of deployment of infrastructure
  required to support individual generation
• Reduces overhead of key management the central
  server takes care of the required tasks on certs
  status in both generation and verification.
• All the complexity of verification implemented
  and deployed once at the server.
• Details of the policy for the signatures
  centralized.
• Get this using one standardized protocol !

3
What's already there

• DSS is an OASIS Standard !
• Official standard since 2008
• Many profiles part of DSS
• Format ( e.g. XAdES, Code Signing )
• Scope ( EPM, German Sig. Law )
• Transport ( Async )
• Requirement for agreed IPR mode caused
  termination of DSS

4
What's new

• DSS-X TC
• Founded in 2008
• Many DSS members joined
• Maintenance of core spec
• New profile areas
• Specializing profiles
• Extending existing functionalities
• Into the unknown

5
Complete Profile List

• Specializing existing profiles
• J2SE code signing
• Extending existing functionalities
• ebXML
• Into the unknown
• Encryption and decryption profile
• Visible signatures
• Individual Reports on Signatures
• Signature Service Policy
• Signed Verification Responses

6
Detailed Look

• Get a more detailed knowledge about some selected
  profiles that may be useful for e-identity
  applications
• Verification reportsDetailed information about
  verification results.
• ebXMLTransporting DSS requests using the OASIS
  standard.
• J2SE code signingSupporting the java code
  signing standard.

7
Comprehensive Signature Verification Report
Profile

• Provides support for multiple signatures
• Comprehensive signature verification reports for
  
• XML-Signatures RFC 3275, ETSI 101903
• CMS-Signatures RFC 3852, ETSI 101733
• Time Stamps RFC 3161, OASIS DSS
• Public-Key Certificates RFC 5280
• Attribute Certificates RFC 3281
• Certificate Revocation Lists RFC 5280
• OCSP-Responses RFC 2560
• Evidence Records RFC 4998
• arbitrary other structures (in additional
  profiles)

8
Comprehensive Signature Verification Report
Profile

• For each verified signature an individual report
  is issued, which includes
• Details on cryptographic verification of the
  signature
• For each certificate in the certification path
• Details on the cryptographic verification
• Details on their status (this may include
  references or values of CRLs and OCSP responses
  for instance).
• Details on certificate in their certification
  paths
• Details on the signed and unsigned properties
  present within the signature.

9
Comprehensive Signature Verification Report
Profile

• If timestamps are present within the signature,
  for each one, the report includes
• Details on the cryptographic verification of the
  time-stamp itself.
• Details on each certificate in the certification
  path of time-stamp certificate
• Same procedure for attribute certificates
• Usage statement for the Verification Report
  Profile
• The structures used in the verification report
  profile are successfully used by german eCard API
  implementors.

10
FormatOK
Properties
DetailedSignatureReport
VerifyManifestResult
SignatureOK
CertificatePathValidity
CertificateIdentifier
PathValiditySummary
PathValidityDetail
Details on all the cer- tificates in the path (in
next slide)
11
CertificateIdentifier
PathValidityDetail
Subject
ChainingOK
TSLValidity
CertificateValidity
ValidityPeriodOK
ExtensionsOK
Details XML encoded of contents of
this certificate.
CertificateValue
CertificateContent
SignatureOK
CertificateStatus
Details on the status of this certificate
(including CRL, OCSP responses) in next slide
12
CertStatusOK
RevocationDate
RevocationInfo
RevocationReason
CertificateStatus
CRLValidity
CRLReference
OCSPValidity
RevocationEvidence
OCSPReference
Other
13
Optional Input / Output
14
Structure of IndividualReport
15
ebXML Profile

• ebXML Messaging (ebMS) is an advanced OASIS
  Standard messaging protocol
• Synchronous or asynchronous SOAP-based messaging
• Reliable and secure messaging
• Standard business metadata in document header
• OASIS Standards version 2.0 (2002), version 3.0
  (2007)
• The DSS-X ebXML profile defines a transport
  protocol binding to ebMS
• Complements the transport bindings defined in DSS
• Leverages the advanced features of ebMS
• The DSS-X ebXML profile supports
• Communities that want to leverage their existing
  e-business or e-government ebMS infrastructures
  for DSS services
• Scenarios such as cross-enterprise document
  workflows document archival and retrieval
  scanned document handling

16
ebXML usage statement

• A government agency in the Netherlands uses the
  DSS ebXML profile inproduction to interact with a
  remote DSS provider.
• The service provider provides remote PDF
  certification of scanned documents.
• The agency and the provider are currently
  exchanging several hundreds DSS ebMS messages per
  day, each containing a medium to large-size (tens
  of MBs) PDF document.

17
Code Signing details

• Code signing is crucial for building a
  trustworthy system of software artifacts.
• Code signing is supported by many development
  tools ( like 'ant' ) out-of-the-box !
• Lax key management in development department.
• Secret keys reside in the file system.
• Uncontrolled passing of keys.
• Usually no revocation process in place.

18
CS profile advantages

• Centralized signing pays off in the usual way
• Control about secret keys
• Easy certificate management
• Controlling who signs
• Tracking what / when / by whom was signed
• Access can be managed on per-user basis.
• Even automatic build environments supported.

19
J2SE profile details

• J2SE defines a special standard on top of PKCS7.
• New profile applicable for Applets and WebStart
  applications.
• DSS already included a profile for Java Micro
  Edition.
• Usage statement
• Trustable uses the CS profile internally to build
  its applets.
• Ant task is available under GPL as well as the
  DSS implementation.

20
Standardization forecast

• Public review
• ebXML
• Visible Signature
• Signature Policy
• Individual Verification Report
• Other ..
• Conformance and InterOp tests
• planned for September / October 2009
• Further process
• Approval of new profiles as OS end of 2009
• Updated DSS Core end of 2009
• Cross matrix for existing profiles First term
  of 2010

21
http//www.turbophoto.com
22
Questions ?

• OASIS Digital Signature Services eXtended( DSS-X
  )
• Chairs Stefan Drees ( stefan_at_drees.name) Juan
  Carlos Cruellas ( cruellas_at_ac.upc.edu)
• Andreas Kuehne ( kuehne_at_trustable.de )

http//www.oasis-open.org/committees/tc_home.php?w
g_abbrevdss-x