www.oasis-open.org Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. Andreas Kuehne – DSS-X member Coarse Orientation: 'Protocols for central services providing signature generation AND verification' Avoid problems of deployment of infrastructure required to support individual generation All the complexity of verification implemented and deployed once at the server. Reduces overhead of key management: the central server takes care of the required tasks on certs status in both generation and verification. All the details of the policy for the signatures centralized. May keep logs of the verification processes and results. What's already there: DSS is an OASIS Standard ! Official standard since 2008 Many profiles part of DSS Format ( e.g. XAdES, Code Signing ) Scope ( EPM, German Sig. Law ) Transport ( Async ) Requirement for agreed IPR mode caused termination of DSS What's new : DSS-X TC Founded in 2008 Many DSS members joined Maintenance of core spec New profile areas Specializing profiles Extending existing functionalities Into the unknown Complete Profile List: Specializing existing profiles J2SE code signing Extending existing functionalities ebXML Into the unknown Encryption and decryption profile Visible signatures Individual Reports on Signatures … to do … Signature & Service Policy Signed Verification Responses Detailed Look : Get a more detailed knowledge about some selected profiles that may be useful for e-identity applications : Verification reports ebXML J2SE code signing Comprehensive Signature Verification Report Profile Provides support for multiple signatures Comprehensive signature verification reports for : XML-Signatures [RFC 3275], [ETSI 101903] CMS-Signatures [RFC 3852], [ETSI 101733] Time Stamps [RFC 3161], [OASIS DSS] Public-Key Certificates [RFC 5280] Certificate Revocation Lists [RFC 5280] Attribute Certificates [RFC 3281] OCSP-Responses [RFC 2560] Evidence Records [RFC 4998] arbitrary other structures (in additional profiles) Comprehensive Signature Verification Report Profile For each verified signature an individual report is issued, which includes : Details on cryptographic verification of the signature For each certificate in the certification path: Details on the cryptographic verification Details on their status (this may include references or values of CRLs and OCSP responses for instance). Details on certificate in their certification paths Details on the signed and unsigned properties present within the signature. Comprehensive Signature Verification Report Profile If time-stamps are present within the signature,for each one, the report includes: Details on the cryptographic verification of the time- stamp itself. For each certificate in the certification path of time- stamp certificate : Details on the cryptographic verification Details on their status. Details on certificate in their certification paths Details of the checks performed against the Trusted Status Lists ( providing information of the status of the Trusted Services Providers issuing PKI related material ). FormatOK e.g. time-stamps Properties DetailedSignatureReport VerifyManifestResultst SignatureOK CertificatePathValidity PathValiditySummary CertificateIdentifier PathValidityDetail Details on all the cer- tificates in the path (in next slide) CertificateIdentifier PathValidityDetail Subject ChainingOK TSLValidity CertificateValidity ValidityPeriodOK ExtensionsOK Details XML encoded of contents of this CertificateValue certificate. CertificateContent SignatureOK CertificateStatus Details on the status of this certificate (including CRL, OCSP responses) in next slide CertStatusOK RevocationDate RevocationInfo RevocationReason CertificateStatus CRLValidity CRLReference RevocationEvidence OCSPValidity OCSPReference Other Details certification path for the CRL itself Details certification path for the OCSP Response itself Optional Input / Output Structure of IndividualReport Individual Structures ebXML Profile ebXML Messaging (ebMS) is an advanced OASIS Standard messaging protocol: Synchronous or asynchronous SOAP-based messaging Reliable and secure messaging Standard business metadata in document header OASIS Standards version 2.0 (2002), version 3.0 (2007) The DSS-X ebXML profile defines a transport protocol binding to ebMS Complements the transport bindings defined in DSS Leverages the advanced features of ebMS The DSS-X ebXML profile supports: Communities that want to leverage their existing e-business or e-government ebMS infrastructures for DSS services Scenarios such as cross-enterprise document workflows; document archival and retrieval; scanned document handling ebXML usage statement A government agency in the Netherlands uses the DSS ebXML profile inproduction to interact with a remote DSS provider. The service provider provides remote PDF certification of scanned documents. The agency and the provider are currently exchanging several hundreds DSS ebMS messages per day, each containing a medium to large-size (tens of MBs) PDF document. Code Signing details Code signing is crucial for building a trustworthy system of software artifacts. Code signing is supported by many development tools ( like 'ant' ) out-of-the-box ! Secret keys reside in the file system. Lax key management in development department. CS profile advantages Centralized signing pays off in the usual way : Control about secret keys Easy certificate mangement Controlling who signs Tracking what / when / by whom was signed Access can be managed on per-user basis. Even automatic build environments supported. J2SE profile details J2SE defines a special standard on top of PKCS7. New profile applicable for Applets and WebStart applications. DSS already included a profile for Java Micro Edition. Usage statement : Trustable uses the CS profile to build a verification applet. Ant task is available under GPL as well as the DSS implementation. Standardization forecast Public review ebXML Visible Signature Signature Policy Individual Verification Report Other .. Conformance and InterOp tests ? ?? can we agree on an estimated date ?? Further process ?? can we guess a date for ‘going to standard’ ??