Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. www.oasis-open.org Andreas Kuehne – DSS-X member.

Published byDonna May Modified over 8 years ago

Similar presentations

Presentation on theme: "Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. www.oasis-open.org Andreas Kuehne – DSS-X member."— Presentation transcript:

1 Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. www.oasis-open.org Andreas Kuehne – DSS-X member

2 'Protocols for central services providing signature generation AND verification' Avoid problems of deployment of infrastructure required to support individual generation All the complexity of verification implemented and deployed once at the server. Reduces overhead of key management: the central server takes care of the required tasks on certs status in both generation and verification. All the details of the policy for the signatures centralized. May keep logs of the verification processes and results. Coarse Orientation:

3 DSS is an OASIS Standard ! Official standard since 2008 Many profiles part of DSS Format ( e.g. XAdES, Code Signing ) Scope ( EPM, German Sig. Law ) Transport ( Async ) Requirement for agreed IPR mode caused termination of DSS What's already there:

4 DSS-X TC Founded in 2008 Many DSS members joined Maintenance of core spec New profile areas Specializing profiles Extending existing functionalities Into the unknown What's new :

5 Specializing existing profiles J2SE code signing Extending existing functionalities ebXML Into the unknown Encryption and decryption profile Visible signatures Individual Reports on Signatures … to do … Signature & Service Policy Signed Verification Responses Complete Profile List:

6 Get a more detailed knowledge about some selected profiles that may be useful for e-identity applications : Verification reports ebXML J2SE code signing Detailed Look :

7 Provides support for multiple signatures Comprehensive signature verification reports for : XML-Signatures [RFC 3275], [ETSI 101903] CMS-Signatures [RFC 3852], [ETSI 101733] Time Stamps [RFC 3161], [OASIS DSS] Public-Key Certificates [RFC 5280] Certificate Revocation Lists [RFC 5280] Attribute Certificates [RFC 3281] OCSP-Responses [RFC 2560] Evidence Records [RFC 4998] arbitrary other structures (in additional profiles) Comprehensive Signature Verification Report Profile

8 For each verified signature an individual report is issued, which includes : Details on cryptographic verification of the signature For each certificate in the certification path: Details on the cryptographic verification Details on their status (this may include references or values of CRLs and OCSP responses for instance). Details on certificate in their certification paths Details on the signed and unsigned properties present within the signature. Comprehensive Signature Verification Report Profile

9 If time-stamps are present within the signature,for each one, the report includes: Details on the cryptographic verification of the time- stamp itself. For each certificate in the certification path of time- stamp certificate : Details on the cryptographic verification Details on their status. Details on certificate in their certification paths Details of the checks performed against the Trusted Status Lists ( providing information of the status of the Trusted Services Providers issuing PKI related material ). Comprehensive Signature Verification Report Profile

10 DetailedSignatureReport Properties FormatOK Details on all the cer- tificates in the path (in next slide) VerifyManifestResultst e.g. time-stamps SignatureOK CertificatePathValidity CertificateIdentifierPathValiditySummaryPathValidityDetail

11 TSLValidityCertificateValidity Details on the status of this certificate (including CRL, OCSP responses) in next slide Subject CertificateIdentifier ChainingOK ValidityPeriodOK ExtensionsOK CertificateValue CertificateContent SignatureOK CertificateStatus Details XML encoded of contents of this certificate.

12 CertificateStatus RevocationInfo CertStatusOK Details certification path for the CRL itself RevocationEvidence CRLValidity CRLReference RevocationDate RevocationReason OCSPValidity OCSPReference Other Details certification path for the OCSP Response itself

13 Optional Input / Output

14 Structure of IndividualReport Individual Structures

15 ebXML Profile ebXML Messaging (ebMS) is an advanced OASIS Standard messaging protocol: Synchronous or asynchronous SOAP-based messaging Reliable and secure messaging Standard business metadata in document header OASIS Standards version 2.0 (2002), version 3.0 (2007) The DSS-X ebXML profile defines a transport protocol binding to ebMS Complements the transport bindings defined in DSS Leverages the advanced features of ebMS The DSS-X ebXML profile supports: Communities that want to leverage their existing e-business or e-government ebMS infrastructures for DSS services Scenarios such as cross-enterprise document workflows; document archival and retrieval; scanned document handling

16 ebXML usage statement A government agency in the Netherlands uses the DSS ebXML profile inproduction to interact with a remote DSS provider. The service provider provides remote PDF certification of scanned documents. The agency and the provider are currently exchanging several hundreds DSS ebMS messages per day, each containing a medium to large-size (tens of MBs) PDF document.

17 Code Signing details Code signing is crucial for building a trustworthy system of software artifacts. Code signing is supported by many development tools ( like 'ant' ) out-of-the-box ! Secret keys reside in the file system. Lax key management in development department.

18 CS profile advantages Centralized signing pays off in the usual way : Control about secret keys Easy certificate mangement Controlling who signs Tracking what / when / by whom was signed Access can be managed on per-user basis. Even automatic build environments supported.

19 J2SE profile details J2SE defines a special standard on top of PKCS7. New profile applicable for Applets and WebStart applications. DSS already included a profile for Java Micro Edition. Usage statement : Trustable uses the CS profile to build a verification applet. Ant task is available under GPL as well as the DSS implementation.

20 Public review ebXML Visible Signature Signature Policy Individual Verification Report Other.. Conformance and InterOp tests ? ?? can we agree on an estimated date ?? Further process ?? can we guess a date for ‘going to standard’ ?? Standardization forecast

Download ppt "Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services. www.oasis-open.org Andreas Kuehne – DSS-X member."

Similar presentations

Universal Electronic Signatures Tarvi Martens ESTONIA.

Universal Electronic Signatures Tarvi Martens ESTONIA.
17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts

17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.

M.Sc. Hrvoje Brzica Boris Herceg, MBA Financial Agency – FINA Ph.D. Hrvoje Stancic, assoc. prof. Faculty of Humanities and Social Sciences Long-term Preservation.
European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.

European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CS526 – Advanced Internet And Web Systems Semester Project Public Key Infrastructure (PKI) By Samatha Sudarshanam.

CS526 – Advanced Internet And Web Systems Semester Project Public Key Infrastructure (PKI) By Samatha Sudarshanam.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Similar presentations

Ads by Google