250 likes | 381 Views
OpenXAdES & DigiDoc. Tarvi Martens Estonia. The Story. January 2002 – first Estonian ID-card is issued March 2002 – ETSI publishes first version of XAdES October 2002 – First public occasion of digital signing
E N D
OpenXAdES & DigiDoc Tarvi Martens Estonia
The Story • January 2002 – first Estonian ID-card is issued • March 2002 – ETSI publishes first version of XAdES • October 2002 – First public occasion of digital signing • May 2007 – >2.2M digital signatures created, unified signature system for all sectors
“Internal” vs. “free-flowing” • Most of web-based applications making use of digital signatures do not allow for downloadingthe result of signing • Notable difference between • “internal signing” – usually just for security reasons • “signed files” – meant for universal distribution
Signatures vs. Containers Container Data Data Data Data External Data Signature
Signature Formats • Big zoo before • Now stabilizing • European standards ahead of U.S. • XML-DSIG XAdES (ETSI TS 101903) • PKCS#7 (CMS) CAdES (ETSI TS 101733)
Signature Profiles – XAdES example XML-DSIG+BES/PES T C X L A • ... plus myriad of options within blocks • Example : ETSI 101734 & 101934
Signature Policies • How validity information is obtained ? • Which algorithms/key lengths are used ? • What is quality of the signing certificate ? • Is long-time validity ensured ? • …
Container Formats • MS OpenXML (XAdES evolving from Latvia) • ODF (XML-DSIG) • Adobe (CMS) • MS <= 2003 (proprietary) • DigiDoc (XAdES)
DigiDoc and OpenXAdES • OpenXAdES stands for Open Source project & community • www.openxades.org • DigiDoc is a petname for (mainly) end-user tools for digital signature handling • Makes use of OpenXAdES
DigiDoc/OpenXAdES – a profile of XAdES • XAdES-X-L coming in two flawors • with or without timestamping • Validity confirmation obtained when signing • Long-time validity provided with SeqLog • Proprietary container
Features/experience • Signing with CSP-supported smartcard or Mobile-ID (via DigiDocService) • Proven support for foreign ID-cards • Mobile-ID up and running for a week • 5 years of development and field experience • Probably the “completest” implemenation of XAdES to date
The Scheme “I just signed this document” Doc,Cert OCSP DB (Doc,Cert,time)ok “At the time I saw this document, corresponding certificate was valid” Secure log
SeqLog • Data base of certificates: • Activation • Suspension • End of suspension • Revocation SeqLog OCSP Signed validity confirmations
DigiDoc Architecture Application Application Application Win32 Client DigiDoc portal COM-library WebService DigiDoc-library (Win32/Unix/C/Java) CSP PKCS#11 MSSP XML ID card Mobile phone OCSP
DigiDoc Portal • Simple WWW-application for everyone: • Downloading/uploading of document • Signing and validity confirmation • Verification • Sending document to another portal user • Sorting/Deleting/Archives • Multi-language
Verification Portal • http://digidoccheck.sk.ee • Allows to check .ddoc file without ID-card
DigiDoc Client • Provides the same functionality as portal • Signing and obtaining validity confirmation • Verification of signed document • Encryption and decryption (XML-ENCRYPT) • Does not require uploading document • Provides for digital signatures without using DigiDoc portal • Multi-language, multi-PKI support
DigiDocService • Simple SOAP-based protocol • “I have a file here, make it signed” • “I have got a signed file. What’s inside it?” • Supports mobile authentication and digital signing • Best for integration of digital signature handling capability – libraries a changing rapidly, the protocol remains more stable
DigiDoc library (Win32/Unix) CSP XML ID card OCSP DigiDoc library • Signing through PKCS#11 and CSP • Handling of validity confirmation • Handling of XML document • Verification • Win32/Unix, C code • DLL & COM under Windows • Java implementation • Distributed under LGPL terms
Document format • Based on XML-DSIG standard • Contains subset of ETSI TS 101 903 (XAdES) extensions • Place, time and of signature • Role of signature holder • Validity confirmation and certificate of OCSP responder
Document format (2) • Multiple original documents can be signed at once • Original document can be embedded or detached • Original document can be XML or any binary format • Multiple signatures are supported • Just one validity confirmation per signature
Document format Original files Signature Certificateof signer Validityconfirmation Certificateof responder
Availability for Lithuania • OpenXAdES completely free (i.e. specs & libraries) • DigiDoc applications currently available for free use / free download • Further developments need support: • Special & new features • Following the everchanging environment • “Vendor support”