Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Published byDesirae Oldford Modified over 9 years ago

Similar presentations

Presentation on theme: "Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X."— Presentation transcript:

1 Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X co-chair Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X co-chair

2 n Paving the way (I): l OASIS DSS Standards. Protocols for central services providing signature generation AND verification. n Avoid problems of deployment of infrastructure required to support individual generation n All the complexity of verification implemented and deployed once at the server. n Reduces overhead of key management: the central server takes care of the required tasks on certs status in both generation and verification. n All the details of the policy for the signatures centralized. n May keep logs of the verification processes and results.

3 DSS concept. Conventional approach n Deploy key to each user n Handle Interface to all PKI functions n Security depends on user

4 PKI Certificate Management Directory System Internal user Authentication & authorisation DSS concept. DSS approach

5 DSS also forms the basis for the emerging standard eID-framework DSS (X) ISO/IEC 24727 / CEN TS 15480 („European Citizen Card“) ? http://www.eid-stork.eu/ classical DSS-domain new

6 n OASIS Digital Signature Services TC produced a set of OASIS standards, including the core protocols and a number of profiles. n When IPR modes changed, it was closed. n New OASIS Digital Signature Services eXtended TC created operating under OASIS RF IPR mode.

7 l Ebxml Messaging Transport Binding for DSS. n Specifies how DSS messages are encoded and carried using OASIS ebXML Message Service (Ebxml MS). n Ebxml MS: designed for supporting e-business. Communities using it as regular transport mechanism, may use this binding. n Robust channel between DSS clients and servers. n Make use of all the Ebxml MS features, including asynchronous messaging. l Profile for managing visible signatures. n Need to display (mostly in signed documents) information on the digital signatures to human beings. Parts of this information may also be signed. n Aims at defining mechanisms enabling clients interacting with DSS servers, to incorporate this visual information in the created signatures.

8 n In verification, DSS servers should be able to also verify some of the displayed information. l Profile for supporting centralized encryption/decryption. n Aims at providing protocols for requesting centralized encryption/decryption operations. n Works with CMS ContentInfo and with elements (binary and XML documents). n Allows to request encryption/decryption of only certain parts of a document. n Allows to request encryption for different intended recipients and operate with the corresponding encryption keys. n The combination of encryption and signature is also an issue for this profile.

9 l Profile for detailed individual verification reports. n Aims at incorporating the capability of reporting individually on each signature found in a document. Also aims at incorporating in each report relevant details of the verification process. n Business requirement: log the details of the verification process, including the certificates whose status were checked, the time-stamps verified, the CRLs checked, the OCSP responses requested and checked, attribute certificates verified, commitment endorsed by the signer, etc…. And this for each signature found in the signed document. l Profile for signed verification responses. n Aims at allowing to DSS clients to request that the verification response is actually signed by the verifying server. n Business requirement: to get responses that may be seen…

10 n …as signed receipts of the verification of a certain signed document. l Profile for handling signature policies. n Aims at allowing clients to request generation/verification of a digital signature following a certain set of rules (signature policy), and also allowing servers to report on the signature policy used for verifying certain signatures. n Business requirement: different documents may require different types of signatures, generated and verified following different rules and processes. This information is the signature policy. A server may be able to operate under different policies and allow to clients to select the suitable one.

11 l Analysis of inter-relationships among existing profiles. n Requirement: the number of different DSS profiles requires the production of a document explaining their inter- relationships in order to make a right usage of them. n Paving the way (II): Interoperability events: l Standards more and more complex. Interoperability is an issue. l Interoperability tests: n Very useful for progressing towards interoperability. n Provide feedback to the Standardization Bodies from actual implementers, helping in getting better standards (identify wrong or ambiguous parts, identify new requirements, etc)

12 l Face to face: XML Sec maintenance WG in 2007. l BUT now ALSO REMOTE interoperability events. n ETSI owns a portal supporting remote interoperability tests on XAdES signatures. It has conducted two Remote Interoperability events on XAdES (high figures of participation from Europe and Asia) and organized a third one for next year on XAdES and CAdES. See details at n http://xades-portal.etsi.org/pub/XAdES.shtml http://xades-portal.etsi.org/pub/XAdES.shtml l Also former DSS TC organized a restricted interoperability test between the TC members.

13 n New coming areas for digital signatures include trusted services supporting electronic business, with specific requirements on the signatures. One example: l “Registered Electronic Mail”. ETSI is about to publish its Technical Specification TS 102 640: “Registered Electronic Mail (REM): Architecture, Formats and Policies”. l REM: an “ enhanced form of mail transmitted by electronic means (e-mail) which provides evidence relating to the handling of an e-mail including proof of submission and delivery “. l This TS specifies a generic architecture for the provision of this type of services, proposals for formats of signed evidences and requirements on the corresponding digital signatures. This spec also acknowledges the existence of centralized services for generation and verification of digital signatures for evidences (DSS set of protocols).

Download ppt "Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X."

Similar presentations

Universal Electronic Signatures Tarvi Martens ESTONIA.

Universal Electronic Signatures Tarvi Martens ESTONIA.
OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.

OGSA Security Profile 2.0 (a.k.a. Express Authentication Profile) DUANE MERRILL October 18, 2007.
17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts

17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Education applications and the FAST project. Jonathan Gay Co-ordinator for Sheffield.

Education applications and the FAST project. Jonathan Gay Co-ordinator for Sheffield.
AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.

AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.
Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session esMD Requirements, Priorities and Potential Workgroups – 2:00pm.

Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session esMD Requirements, Priorities and Potential Workgroups – 2:00pm.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Mountain View 25, 26 Sept 2007 The importance of incorporating XAdES extensions into ongoing XML-Sig work W3C Workshop on Next Steps for XML Signature.

Mountain View 25, 26 Sept 2007 The importance of incorporating XAdES extensions into ongoing XML-Sig work W3C Workshop on Next Steps for XML Signature.
S.1 Using a Global Validation Service to Unite Communities Jon Shamah EMEA Head of Sales, BBS eSecurity.

S.1 Using a Global Validation Service to Unite Communities Jon Shamah EMEA Head of Sales, BBS eSecurity.
Summary of ETSI/ESI activities Andrea Caccia ETSI/ESI TB member Note: This document expresses only the views of its author.

Summary of ETSI/ESI activities Andrea Caccia ETSI/ESI TB member Note: This document expresses only the views of its author.
Developments in cooperation between research and standardization related to security and secure communications Presentation at eMayor clustering event,

Developments in cooperation between research and standardization related to security and secure communications Presentation at eMayor clustering event,
21 mai 2015 Bridges between Certification Authorities.

21 mai 2015 Bridges between Certification Authorities.
M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.

M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.

European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google