OpenXAdES & DigiDoc
Tarvi Martens
Estonia
The Story
January 2002 – first Estonian ID-card is issued
March 2002 – ETSI publishes first version of XAdES
October 2002 – First public occasion of digital signing
May 2007 – >2.2M digital signatures created,
unified signature system for all sectors
“Internal” vs. “free-flowing”
Most web-based applications that make use of digital signatures do not allow downloading the result of signing
Notable difference between
− “internal signing” – usually just for security reasons
− “signed files” – meant for universal distribution
Signatures vs. Containers
[Diagram labels: Signature, Data, Container, External Data]
Signature Formats
Big zoo before
Now stabilizing
European standards ahead of U.S.
XML-DSIG XAdES (ETSI TS 101903)
PKCS#7 (CMS) CAdES (ETSI TS 101733)
Signature Profiles – XAdES example
... plus a myriad of options within blocks
Example: ETSI 101734 & 101934
XML-DSIG+BES/PES
T C X L A
Signature Policies
How is validity information obtained?
Which algorithms/key lengths are used?
What is the quality of the signing certificate?
Is long-time validity ensured?
…
Container Formats
MS OpenXML (XAdES evolving from Latvia)
ODF (XML-DSIG)
Adobe (CMS)
MS <= 2003 (proprietary)
DigiDoc (XAdES)
DigiDoc and OpenXAdES
OpenXAdES stands for Open Source project & community
− www.openxades.org
DigiDoc is a pet name for (mainly) end-user tools for digital signature handling
− Makes use of OpenXAdES
DigiDoc/OpenXAdES – a profile of XAdES
XAdES-X-L coming in two flavors
− with or without timestamping
Validity confirmation obtained when signing
Long-time validity provided with SeqLog
Proprietary container
Features/experience
Signing with CSP-supported smartcard or Mobile-ID (via DigiDocService)
− Proven support for foreign ID-cards
− Mobile-ID up and running for a week
5 years of development and field experience
Probably the “completest” implementation of XAdES to date
The Scheme
OCSP
“At the time I saw this document, corresponding certificate was valid”
“I just signed this document”
(Doc,Cert,time)ok
Doc,Cert
Secure log
DB
SeqLog
Database of certificates:
• Activation
• Suspension
• End of suspension
• Revocation
OCSP
Signed validity confirmations
DigiDoc Architecture
[Diagram labels: DigiDoc-library (Win32/Unix/C/Java), CSP, PKCS#11, OCSP, XML, ID card, Win32 Client, DigiDoc portal, Application, COM-library, WebService, MSSP, Mobile phone]
DigiDoc Portal
Simple WWW-application for everyone:
− Downloading/uploading of document
− Signing and validity confirmation
− Verification
− Sending document to another portal user
− Sorting/Deleting/Archives
− Multi-language
Digidoc Portal
Verification Portal
http://digidoccheck.sk.ee
Allows checking a .ddoc file without an ID-card
DigiDoc Client
Provides the same functionality as portal
− Signing and obtaining validity confirmation
− Verification of signed document
Encryption and decryption (XML-ENCRYPT)
Does not require uploading document
Provides for digital signatures without using DigiDoc portal
Multi-language, multi-PKI support
DigiDoc Client
DigiDocService
Simple SOAP-based protocol
− “I have a file here, make it signed”
− “I have got a signed file. What’s inside it?”
Supports mobile authentication and digital signing
Best for integration of digital signature handling capability – libraries are changing rapidly, the protocol remains more stable
DigiDoc library
Signing through PKCS#11 and CSP
Handling of validity confirmation
Handling of XML document
Verification
Win32/Unix, C code
DLL & COM under Windows
Java implementation
Distributed under LGPL terms
[Diagram labels: DigiDoc library (Win32/Unix), CSP, OCSP, XML, ID card]
Document format
Based on XML-DSIG standard
Contains subset of ETSI TS 101 903 (XAdES) extensions
− Place, time and of signature
− Role of signature holder
− Validity confirmation and certificate of OCSP responder
Document format (2)
Multiple original documents can be signed at once
Original document can be embedded or detached
Original document can be XML or any binary format
Multiple signatures are supported
Just one validity confirmation per signature
Document format
Signature
Certificate of signer
Validity confirmation
Certificate of responder
Original files
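A structural check of the container layout described on the slides above, given as an added example and not as DigiDoc library code. It only confirms that each signature carries its signer certificate, signing time, exactly one validity confirmation and the responder certificate, and performs no cryptographic verification. The element names are assumptions drawn from XML-DSIG, XAdES and the published DigiDoc format, and the sample container is constructed and simplified.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample: namespaces and most mandatory children are
# omitted, payloads are placeholders. S1 lacks its validity confirmation.
SAMPLE = """<SignedDoc>
  <DataFile Id="D0" Filename="contract.txt">BASE64-PLACEHOLDER</DataFile>
  <Signature Id="S0">
    <KeyInfo><X509Data><X509Certificate>SIGNER</X509Certificate></X509Data></KeyInfo>
    <Object><QualifyingProperties>
      <SignedProperties><SigningTime>2007-05-10T09:00:00Z</SigningTime></SignedProperties>
      <UnsignedProperties>
        <EncapsulatedX509Certificate>RESPONDER</EncapsulatedX509Certificate>
        <EncapsulatedOCSPValue>OCSP-RESPONSE</EncapsulatedOCSPValue>
      </UnsignedProperties>
    </QualifyingProperties></Object>
  </Signature>
  <Signature Id="S1">
    <KeyInfo><X509Data><X509Certificate>SIGNER</X509Certificate></X509Data></KeyInfo>
    <Object><QualifyingProperties>
      <SignedProperties><SigningTime>2007-05-10T09:05:00Z</SigningTime></SignedProperties>
    </QualifyingProperties></Object>
  </Signature>
</SignedDoc>"""

REQUIRED = {  # assumed local element name -> the slide's name for it
    "X509Certificate": "certificate of signer",
    "SigningTime": "time of signature",
    "EncapsulatedX509Certificate": "certificate of responder",
}

def find_all(elem, name):
    """Descendants (and elem itself) whose local name matches, in any namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_container(xml_text):
    """Return structural findings; an empty list means the layout is complete."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted files
    findings = []
    if not find_all(root, "DataFile"):
        findings.append("container: no original file")
    signatures = find_all(root, "Signature")
    if not signatures:
        findings.append("container: no signature")
    for i, sig in enumerate(signatures):
        sid = sig.get("Id", f"#{i}")
        for name, label in REQUIRED.items():
            if not find_all(sig, name):
                findings.append(f"{sid}: {label} missing")
        n = len(find_all(sig, "EncapsulatedOCSPValue"))
        if n != 1:  # "just one validity confirmation per signature"
            findings.append(f"{sid}: expected 1 validity confirmation, found {n}")
    return findings
```

A signature flagged here, such as S1 in the sample, has no evidence that its certificate was valid at signing time, so it should not be treated as a complete signature until a validity confirmation is obtained.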
Availability for Lithuania
OpenXAdES completely free (i.e. specs & libraries)
DigiDoc applications currently available for free use / free download
Further developments need support:
− Special & new features
− Following the ever-changing environment
− “Vendor support”