OpenXAdES & DigiDoc
Tarvi Martens, Estonia
The Story
• January 2002 – first Estonian ID-card is issued
• March 2002 – ETSI publishes first version of XAdES
• October 2002 – first public occasion of digital signing
• May 2007 – >2.2M digital signatures created, unified signature system for all sectors
“Internal” vs. “free-flowing”
• Most web-based applications making use of digital signatures do not allow downloading the result of signing
• Notable difference between
  • “internal signing” – usually just for security reasons
  • “signed files” – meant for universal distribution
Signatures vs. Containers
[Diagram: a Container bundling several Data items together with a Signature, versus External Data with a separate Signature]
Signature Formats
• Big zoo before
• Now stabilizing
• European standards ahead of U.S.
• XML-DSIG → XAdES (ETSI TS 101 903)
• PKCS#7 (CMS) → CAdES (ETSI TS 101 733)
Signature Profiles – XAdES example
• XML-DSIG + BES/EPES → T → C → X → L → A
• ... plus a myriad of options within blocks
• Example: ETSI 101 734 & 101 934
Signature Policies
• How is validity information obtained?
• Which algorithms/key lengths are used?
• What is the quality of the signing certificate?
• Is long-time validity ensured?
• …
Container Formats
• MS OpenXML (XAdES evolving from Latvia)
• ODF (XML-DSIG)
• Adobe (CMS)
• MS <= 2003 (proprietary)
• DigiDoc (XAdES)
DigiDoc and OpenXAdES
• OpenXAdES stands for the open-source project & community
• www.openxades.org
• DigiDoc is a pet name for (mainly) end-user tools for digital signature handling
• Makes use of OpenXAdES
DigiDoc/OpenXAdES – a profile of XAdES
• XAdES-X-L coming in two flavors
  • with or without timestamping
• Validity confirmation obtained when signing
• Long-time validity provided with SeqLog
• Proprietary container
Features/experience
• Signing with a CSP-supported smartcard or Mobile-ID (via DigiDocService)
• Proven support for foreign ID-cards
• Mobile-ID up and running for a week
• 5 years of development and field experience
• Probably the “completest” implementation of XAdES to date
The Scheme
[Diagram: the signer states “I just signed this document” and sends (Doc, Cert) to the OCSP responder; the responder, backed by its DB, answers “(Doc, Cert, time) ok”, i.e. “At the time I saw this document, the corresponding certificate was valid”; the confirmation is recorded in a secure log]
SeqLog
• Database of certificates:
  • Activation
  • Suspension
  • End of suspension
  • Revocation
[Diagram: SeqLog linked to OCSP; signed validity confirmations]
DigiDoc Architecture
[Diagram: Applications → Win32 Client / DigiDoc portal / COM-library / WebService → DigiDoc-library (Win32/Unix/C/Java) → CSP / PKCS#11 / MSSP / XML → ID card / Mobile phone / OCSP]
DigiDoc Portal
• Simple WWW application for everyone:
  • Downloading/uploading of documents
  • Signing and validity confirmation
  • Verification
  • Sending a document to another portal user
  • Sorting/deleting/archives
  • Multi-language
Verification Portal
• http://digidoccheck.sk.ee
• Allows checking a .ddoc file without an ID-card
DigiDoc Client
• Provides the same functionality as the portal:
  • Signing and obtaining validity confirmation
  • Verification of signed documents
  • Encryption and decryption (XML-ENCRYPT)
• Does not require uploading the document
• Provides for digital signatures without using the DigiDoc portal
• Multi-language, multi-PKI support
DigiDocService
• Simple SOAP-based protocol:
  • “I have a file here, make it signed”
  • “I have got a signed file. What’s inside it?”
• Supports mobile authentication and digital signing
• Best for integration of digital signature handling capability – libraries are changing rapidly, the protocol remains more stable
DigiDoc library (Win32/Unix)
[Diagram: DigiDoc library → CSP / XML → ID card / OCSP]
• Signing through PKCS#11 and CSP
• Handling of validity confirmation
• Handling of XML document
• Verification
• Win32/Unix, C code
• DLL & COM under Windows
• Java implementation
• Distributed under LGPL terms
Document format
• Based on the XML-DSIG standard
• Contains a subset of ETSI TS 101 903 (XAdES) extensions:
  • Place and time of signature
  • Role of signature holder
  • Validity confirmation and certificate of OCSP responder
Document format (2)
• Multiple original documents can be signed at once
• Original document can be embedded or detached
• Original document can be XML or any binary format
• Multiple signatures are supported
• Just one validity confirmation per signature
Document format
[Diagram: Original files; Signature; Certificate of signer; Validity confirmation; Certificate of responder]
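The container rules stated on the two "Document format" slides (originals embedded or detached, signer certificate in the signature, exactly one validity confirmation per signature with the responder certificate carried beside it) as a structural check; this is an added example, not code from the presentation or from the OpenXAdES project, and the SignedDoc/DataFile wrapper, the ContentType values and the XAdES 1.1.1 namespace are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# XML-DSIG and XAdES (ETSI TS 101 903) namespaces. The SignedDoc/DataFile
# wrapper and the ContentType values are simplifications assumed here.
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.1.1#"}

# Constructed sample (not a real .ddoc): S0 is complete, S1 is defective.
SAMPLE = """<SignedDoc xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xades="http://uri.etsi.org/01903/v1.1.1#">
 <DataFile Id="D0" ContentType="EMBEDDED_BASE64">SGVsbG8=</DataFile>
 <DataFile Id="D1" ContentType="DETACHED"/>
 <ds:Signature Id="S0">
  <ds:SignedInfo><ds:Reference URI="#D0"/><ds:Reference URI="#D1"/></ds:SignedInfo>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNER0</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  <ds:Object><xades:QualifyingProperties><xades:UnsignedProperties>
   <xades:UnsignedSignatureProperties>
    <xades:CertificateValues><xades:EncapsulatedX509Certificate>RESP0</xades:EncapsulatedX509Certificate></xades:CertificateValues>
    <xades:RevocationValues><xades:OCSPValues><xades:EncapsulatedOCSPValue>OCSP0</xades:EncapsulatedOCSPValue></xades:OCSPValues></xades:RevocationValues>
   </xades:UnsignedSignatureProperties>
  </xades:UnsignedProperties></xades:QualifyingProperties></ds:Object>
 </ds:Signature>
 <ds:Signature Id="S1">
  <ds:SignedInfo><ds:Reference URI="#D9"/></ds:SignedInfo>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGNER1</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
</SignedDoc>"""

def check_container(xml_text):
    """Return structural findings (empty list = rules from the slides hold)."""
    root, findings, files = ET.fromstring(xml_text), [], {}
    for df in root.findall("DataFile"):
        fid, ct, body = df.get("Id"), df.get("ContentType"), (df.text or "").strip()
        files[fid] = ct
        # embedded originals must carry content, detached ones must not
        if (ct == "EMBEDDED_BASE64") == (not body):
            findings.append(f"{fid}: content does not match ContentType {ct}")
    for sig in root.findall("ds:Signature", NS):
        sid = sig.get("Id")
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            if ref.get("URI", "").lstrip("#") not in files:
                findings.append(f"{sid}: reference {ref.get('URI')} has no DataFile")
        if sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            findings.append(f"{sid}: signer certificate missing")
        n = len(sig.findall(".//xades:EncapsulatedOCSPValue", NS))
        if n != 1:  # exactly one validity confirmation per signature
            findings.append(f"{sid}: expected 1 validity confirmation, found {n}")
        if sig.find(".//xades:CertificateValues/xades:EncapsulatedX509Certificate", NS) is None:
            findings.append(f"{sid}: OCSP responder certificate missing")
    return findings
```

Run on the constructed sample, only the second signature produces findings; this checks structure only and does not verify the signature value or the OCSP response cryptographically.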
Availability for Lithuania
• OpenXAdES completely free (i.e. specs & libraries)
• DigiDoc applications currently available for free use / free download
• Further developments need support:
  • Special & new features
  • Following the ever-changing environment
  • “Vendor support”