OASIS Digital Signature Services and ETSI standards - PowerPoint

   Digital Signatures and
Getting the best out of DSS /
      DSS-X services.

                 Andreas Kuehne – DSS-X member
Coarse Orientation:
   'Protocols for central services providing signature
    generation AND verification'
        Avoid problems of deployment of infrastructure
         required to support individual generation
        All the complexity of verification implemented and
         deployed once at the server.
        Reduces overhead of key management: the central
         server takes care of the required tasks on certs status
         in both generation and verification.
        All the details of the policy for the signatures
        May keep logs of the verification processes and
What's already there:
   DSS is an OASIS Standard !
        Official standard since 2008

   Many profiles part of DSS
        Format ( e.g. XAdES, Code Signing )
        Scope ( EPM, German Sig. Law )
        Transport ( Async )

   Requirement for agreed IPR mode caused
    termination of DSS
What's new :
   DSS-X TC
        Founded in 2008
        Many DSS members joined

   Maintenance of core spec

   New profile areas
        Specializing profiles
        Extending existing functionalities
        Into the unknown
Complete Profile List:
   Specializing existing profiles
        J2SE code signing
   Extending existing functionalities
        ebXML
   Into the unknown
        Encryption and decryption profile
        Visible signatures
        Individual Reports on Signatures
        … to do …
        Signature & Service Policy
        Signed Verification Responses
Detailed Look :
   Get a more detailed knowledge about some selected
    profiles that may be useful for e-identity applications :

        Verification reports

        ebXML

        J2SE code signing
Comprehensive Signature
Verification Report Profile
   Provides support for multiple signatures
   Comprehensive signature verification reports for :
        XML-Signatures [RFC 3275], [ETSI 101903]
        CMS-Signatures [RFC 3852], [ETSI 101733]
        Time Stamps [RFC 3161], [OASIS DSS]
        Public-Key Certificates [RFC 5280]
        Certificate Revocation Lists [RFC 5280]
        Attribute Certificates [RFC 3281]
        OCSP-Responses [RFC 2560]
        Evidence Records [RFC 4998]
        arbitrary other structures (in additional profiles)
Comprehensive Signature
Verification Report Profile
   For each verified signature an individual report is issued,
    which includes :
      Details on cryptographic verification of the signature

      For each certificate in the certification path:

             Details on the cryptographic verification
             Details on their status (this may include references or values
              of CRLs and OCSP responses for instance).
             Details on certificate in their certification paths
        Details on the signed and unsigned properties present
         within the signature.
Comprehensive Signature
Verification Report Profile
   If time-stamps are present within the signature, for each
    one, the report includes:
        Details on the cryptographic verification of the
         time-stamp itself.
        For each certificate in the certification path of
         time-stamp certificate :
              Details on the cryptographic verification
              Details on their status.
              Details on certificate in their certification paths
        Details of the checks performed against the Trusted
         Status Lists ( providing information of the status of the Trusted
         Services Providers issuing PKI related material ).
[Diagram: structure of the certification path part of the report (e.g. for time-stamps). Elements shown: PathValiditySummary, CertificateIdentifier, PathValidityDetail, TSLValidity, CertificateValidity, CertificateValue, RevocationEvidence, OCSPValidity. Callouts: details on all the certificates in the path; XML-encoded details of contents; details on the status of this certificate (including CRL, OCSP responses); details of the certification path for the CRL itself; details of the certification path for the OCSP response itself.]
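A consumer of such a report usually walks the certification path and checks which certificates come with status evidence. The following is an added example, not part of the original slides or of the DSS-X specification: it reuses only the element names shown in the diagram, and the nesting, the text content of CertificateIdentifier, the absence of a namespace and the helper names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT schema-valid: it reuses only the element names shown
# on the slide; nesting, text content and the missing namespace are assumptions.
SAMPLE_REPORT = """
<IndividualReport>
  <PathValidityDetail>
    <CertificateValidity>
      <CertificateIdentifier>CN=Signer,serial=01</CertificateIdentifier>
      <RevocationEvidence><OCSPValidity/></RevocationEvidence>
    </CertificateValidity>
    <CertificateValidity>
      <CertificateIdentifier>CN=Issuing CA,serial=02</CertificateIdentifier>
    </CertificateValidity>
    <CertificateValidity>
      <CertificateIdentifier>CN=Root CA,serial=03</CertificateIdentifier>
    </CertificateValidity>
  </PathValidityDetail>
</IndividualReport>
"""

def local(tag):
    """Strip any '{namespace}' prefix so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Direct children of elem whose local name equals name."""
    return [c for c in elem if local(c.tag) == name]

def path_evidence(report_xml):
    """Return [(certificate id, [evidence element names])] for each path entry."""
    root = ET.fromstring(report_xml)
    rows = []
    # iter() also reaches path details nested deeper, e.g. under time-stamps.
    for detail in (e for e in root.iter() if local(e.tag) == "PathValidityDetail"):
        for cert in children(detail, "CertificateValidity"):
            ids = children(cert, "CertificateIdentifier")
            cert_id = ids[0].text.strip() if ids and ids[0].text else "<unidentified>"
            kinds = [local(ev.tag) for rev in children(cert, "RevocationEvidence") for ev in rev]
            rows.append((cert_id, kinds))
    return rows

def missing_evidence(report_xml, trust_anchors=frozenset()):
    """Certificates with no status evidence, excluding locally trusted anchors."""
    return [cid for cid, kinds in path_evidence(report_xml)
            if not kinds and cid not in trust_anchors]
```

A trust anchor normally carries no revocation evidence, so the caller passes its own anchor identifiers to keep it out of the findings.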
Optional Input / Output
Structure of IndividualReport

Individual Structures
ebXML Profile
   ebXML Messaging (ebMS) is an advanced OASIS
    Standard messaging protocol:
        Synchronous or asynchronous SOAP-based messaging
        Reliable and secure messaging
        Standard business metadata in document header
        OASIS Standards version 2.0 (2002), version 3.0 (2007)
   The DSS-X ebXML profile defines a transport protocol
    binding to ebMS
        Complements the transport bindings defined in DSS
        Leverages the advanced features of ebMS
   The DSS-X ebXML profile supports:
        Communities that want to leverage their existing e-business or
         e-government ebMS infrastructures for DSS services
        Scenarios such as cross-enterprise document workflows;
         document archival and retrieval; scanned document handling
ebXML usage statement
   A government agency in the Netherlands uses the DSS
    ebXML profile in production to interact with a remote
    DSS provider.
   The service provider provides remote PDF certification
    of scanned documents.
   The agency and the provider are currently exchanging
    several hundred DSS ebMS messages per day, each
    containing a medium to large-size (tens of MBs) PDF
Code Signing details
   Code signing is crucial for building a trustworthy
    system of software artifacts.
   Code signing is supported by many development tools
    ( like 'ant' ) out-of-the-box !
   Secret keys reside in the file system.
   Lax key management in development department.
CS profile advantages
   Centralized signing pays off in the usual way :
           Control over secret keys
           Easy certificate management
           Controlling who signs
           Tracking what / when / by whom was signed

   Access can be managed on per-user basis.

   Even automatic build environments supported.
J2SE profile details
   J2SE defines a special standard on top of PKCS7.
   New profile applicable for Applets and WebStart
   DSS already included a profile for Java Micro Edition.

Usage statement :
   Trustable uses the CS profile to build a verification
   Ant task is available under GPL as well as the DSS
Standardization forecast
   Public review
        ebXML
        Visible Signature
        Signature Policy
        Individual Verification Report
        Other ..
   Conformance and InterOp tests ?
    ?? can we agree on an estimated date ??
   Further process
    ?? can we guess a date for ‘going to standard’ ??