UN Economic Commission for Europe. 23rd UN/CEFACT FORUM, 7-11 April 2014, Geneva. Tahseen A. Khan. Project Proposal: Trusted Third Party Time-stamping Services

Page 1: 23rd UN/CEFACT FORUM

UN Economic Commission for Europe

7-11 April 2014 23rd UN/CEFACT FORUM – Geneva

Tahseen A. Khan

Project Proposal : Trusted Third Party Time-stamping Services

Page 2: 23rd UN/CEFACT FORUM

Areas which need to be addressed within Government and Regulatory Domain

1. Standards for Mutual Recognition of Foreign Electronic Signatures

2. Standards for Timestamping Services

3. Standards for Long-term Archival of Authenticated Electronic Documents

Area (1) is addressed by two upcoming Projects. However, areas (2) and (3) are yet to be addressed by any Project. These two areas are interdependent and overlapping and may be addressed by a single project.

Page 3: 23rd UN/CEFACT FORUM

Mr “Good-Trader” in a country “Utopia” has a Digital Signature Certificate issued by “SecureCA”, a recognized Certifying Authority in “Utopia”, and wants to sign a document and send it to Mr “Good-Customer” in another country “Heaven”.

However, “SecureCA” is not a recognized Certifying Authority in “Heaven”, and hence the digitally signed document lacks legal validity in “Heaven”. To add to Mr. Good-Trader's problems, no recognized Certifying Authority of “Heaven” has a local presence in “Utopia”.

The two countries “Utopia” and “Heaven” can have an arrangement through which recognized, licensed Certifying Authorities in both countries are mutually recognized and Digital Signature Certificates issued by them are accepted.

Page 4: 23rd UN/CEFACT FORUM

1. Recommendation for ensuring legally significant trusted trans-boundary electronic interaction.

2. Management of e-Identity.

Page 5: 23rd UN/CEFACT FORUM

Need for Trusted Timestamping Services

Exponential increase in the number of G2C, G2B, B2B and B2G transactions being carried out electronically.

Lack of irrefutable evidence regarding the existence of a transaction/document at a particular time instance in the past, even though such evidence may be required from legal and technical perspectives (for example, a design to be patented).

Increase in number of documents being authenticated using various forms of Electronic Signatures.

However, the assurance of Authenticity, Integrity and Non-Repudiation provided by such mechanisms is short-lived due to revocation/expiry/suspension of the associated Signature Certificate.

Page 6: 23rd UN/CEFACT FORUM

Need for Trusted Timestamping Services

Consider the following case:-

Alice signs a Contract with Bob using a Digital Signature. After two days Alice loses the private keys used for signing the Contract and gets her Signature Certificate revoked.

Bob can legally enforce the contract if he can prove that the Contract Document was signed when the Signature Certificate was valid. Otherwise Alice could claim that the Contract was signed after she lost her private keys and the associated Certificate was revoked, and that she is not liable for signatures made after revocation of the Certificate.

In such a scenario, if the signed document was Timestamped by a Trusted Third Party, then the Timestamp could be used to prove that the Certificate was valid at the time of signing.

Page 7: 23rd UN/CEFACT FORUM

Legally valid proof of existence of a document at a particular time. The user submits a hash of the document; the TSA adds a Timestamp and signs it. Privacy is maintained as only the hash of the document is made available to the TSA (CA).
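The flow on this slide, combined with the Alice and Bob case on the previous one, as an added example that is not part of the original presentation. The key, dates and document bytes are constructed, and HMAC stands in for the TSA's certificate-backed signature so that the code runs with the standard library only (a real verifier would check a public-key signature and would not hold the TSA's key).

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed stand-in for the TSA signing key (assumption: a real TSA
# uses an asymmetric key pair and a TSA certificate, not a shared secret).
TSA_KEY = b"constructed-demo-tsa-key"

def tsa_issue(digest_hex, now):
    """TSA side: receives only the hash, binds it to its clock, signs both."""
    body = json.dumps({"hash": digest_hex, "time": now.isoformat()}, sort_keys=True)
    sig = hmac.new(TSA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_token(token, document):
    """Return the attested time if the token is authentic and covers
    exactly this document, otherwise None."""
    expected = hmac.new(TSA_KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                      # token altered or not from the TSA
    body = json.loads(token["body"])
    if body["hash"] != hashlib.sha256(document).hexdigest():
        return None                      # token belongs to another document
    return datetime.fromisoformat(body["time"])

def signed_before_revocation(token, document, revoked_at):
    """Bob's check: did the signed contract exist before the revocation?"""
    attested = verify_token(token, document)
    return attested is not None and attested < revoked_at

# Constructed sample: the contract with Alice's signature attached,
# timestamped on the signing day, certificate revoked two days later.
SIGNED_CONTRACT = b"Contract between Alice and Bob || <Alice signature bytes>"
SIGNED_AT = datetime(2014, 4, 7, 10, 0, tzinfo=timezone.utc)
REVOKED_AT = datetime(2014, 4, 9, 10, 0, tzinfo=timezone.utc)
TOKEN = tsa_issue(hashlib.sha256(SIGNED_CONTRACT).hexdigest(), SIGNED_AT)

if __name__ == "__main__":
    print("enforceable:", signed_before_revocation(TOKEN, SIGNED_CONTRACT, REVOKED_AT))
    backdated = dict(TOKEN, body=TOKEN["body"].replace("2014-04-07", "2014-04-01"))
    print("backdated token accepted:",
          signed_before_revocation(backdated, SIGNED_CONTRACT, REVOKED_AT))
```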

Page 8: 23rd UN/CEFACT FORUM

Why a Project on Timestamping?

Although Timestamping is useful for secure long-term Archival of documents, the service has limited penetration.

Lack of awareness about the potential benefits it offers.

Lack of Guidance regarding applications which should utilize Timestamping.

Lack of Guidance regarding different Timestamping Architectures/mechanisms/Protocols suitable for various Applications (e.g. when to use Multiple Timestamps, re-stamping, etc.).

Page 9: 23rd UN/CEFACT FORUM

Purpose of the Project:-

To identify trade related and other application areas which could potentially benefit from Time-stamping Services.

To provide guidance and suggestions for implementing Time-stamping services for such applications.

Page 10: 23rd UN/CEFACT FORUM

Scope of the Project:-

Identification of principles for determining applications which require Time-stamping, and application of those principles to identify such applications in areas like e-Trade, e-Banking, Digital Crypto-Currencies, etc.

Review of current architectures/solutions/protocols for implementing Time-stamping Services, suggestion of suitable architectures/solutions/protocols matching the level of assurance required by various Applications, and proposal of new ones if required.

Review of various standards, including those for Time-stamping requests and responses, Trusted Time-stamping Authorities (TSAs), TSA Certificates, etc.

Building a Repository of Open Source and Proprietary Tools for Time-stamping Applications.

Address interoperability concerns across different implementations and Cross-border legal significance of Time-stamps.

Page 11: 23rd UN/CEFACT FORUM

Deliverables

A Document containing Recommendations covering the above scope and purpose of the Project including solutions for long-term archival.

Annexure containing details of available Time-stamping Tools.

Annexure containing case studies of current applications using time-stamping.

Annexure containing samples illustrating Time-stamping Response and Request, Time-stamping Authority Certificate, etc.

Page 12: 23rd UN/CEFACT FORUM

Any Suggestions?

Should a separate Project be initiated for Timestamping and Long-term Archival?

OR

The Project can be merged with some other Project like “Recommendation for ensuring legally significant trusted trans-boundary electronic interactions” or Recommendation 14.

Any other suggestions?

Page 13: 23rd UN/CEFACT FORUM

Thank You !!!

Questions ??

Controller of Certifying Authorities (CCA), Department of Electronics and Information Technology, Ministry of Communications & Information Technology, Government of India

Website: cca.gov.in, E-mail: [email protected]