Training for developers of X-Road interfaces

X-Road: what, why and for whom?
X-Road provides its members with the means for secure data exchange:
- Using public internet
- Using data services (web services)
- Independent of the platform and architecture of the information system of a member
Universality and IT security

Functioning of X-Road from the dataservice developer’s perspective
Members are divided into providers of dataservices and users of dataservices.
Each member must pass the following stages:
1. Affiliation of membership
2. Description of dataservices and granting access rights
3. Data exchange
4. Long-term validation of transaction

Affiliation
To develop dataservices, a member must affiliate with the X-Road development environment, where RIA provides the trust services.

Development of dataservices and access rights
- Provider of the dataservice develops and describes the X-Road dataservice for provision.
- User of dataservice develops the necessary client application for the dataservice.
- User of dataservice requests access rights to the necessary dataservice.
- Provider of dataservice grants to other members access rights for using the dataservice.

Data exchange
1. Drafting and signing a SOAP message, using OCSP validation (user)
2. Creation of encrypted channel and transmission of message
3. Verification of e-stamp and addition of body of SOAP message to message log
4. Processing of messages in the information system of the provider
5. Signature of response in the security server of the provider
6. Sending response and closing the channel
7. Verification of response signature and use of data

Technologies used in data exchange

Long-term validation of transaction
- Timestamping of messages
- Input to central monitoring (metainformation)

Security of X-Road
Security is ensured by:
- Distributed architecture
- Security servers
- Standard technologies
A member must ensure that nothing happens to the message between the security server and information system.
- Confidentiality
- Availability
- Integrity

Distribution of X-Road
- Decentralised control
- Direct communication between members
- X-Road Center does not interfere with communication
- Maintains freedom of members
- Ensures authenticity of members

X-Road Center does not interfere with communication
- Universal membership
- Freedom of choice
- Direct communication

Role of X-Road Center
- Registration of members and verification of conformity
- User support (questions related to the installation of a security server, administration and organisational processes)
- Monitoring the ecosystem
- Supervision over members
- Organisation of the provision of trust services

Benefit of X-Road for the state
- Overview of the entire ecosystem
- Overview of communication between the parties
- Universality
- Improvement of ecosystem
- Saving resources

Development of X-Road through versions
Table columns: X-Road version; primary (and supported) version of message protocol; stage of e-state; main reasons for new version.
- Version 1.0 (2001-2002): 1.0; First 40–50 e-services, predecessor of state portal www.eesti.ee, first ID cards
- Version 2.0 (2002-2003): 2.0 (1.0); XML-RPC → SOAP, WSDL; Appearance of SOAP protocol
- Version 3.0 (2003-2004): 400–500 e-services; Various updates: MS Active Directory-based user administration in MISP, etc.
- Version 4.0 (2005-2009): Over 40 million requests annually; Focus on security (log encrypting option, etc.), RIHA
- Version 5.0 (2009-2017): 3.1 (3.0, 2.0); Over 2800 e-services; Adoption of new technological developments, change in WSDL style (RPC/Encoded → Document/Literal wrapped), MISP2, new cryptoalgorithms
- Version 6.0 (2015- ...): 4.0; Cooperation with Finland; Adoption of e-stamp to ensure integrity of messages. The need to get rid of legacy. The need to bring data exchange into conformity with the Digital Signatures Act

Main differences between X-Road versions 5 and 6: Message exchange
- Digital stamp added to message in security server (e-stamp) conforms to the Electronic Identification and Trust Services for Electronic Transactions Act
  - Version 5: No
  - Version 6: Yes
- Generation and preservation of evidential value
  - Version 5: In cooperation between security server and central server
  - Version 6: Security server ensures evidential value
- Message log
  - Version 5: Text file
  - Version 6: Database and ASiC-E containers in file system
- Message protocol
  - Version 5: 2.0, 3.0, 3.1
  - Version 6: 4.0
- Digital stamp/E-stamp verification capability
  - Version 5: In central server
  - Version 6: Through a verifier component installed with the security server

Main differences between X-Road versions 5 and 6: Description of SOAP profile
- Message header: Changes related to hierarchical identifier: identifier of subsystem (security server client) and service identifier
- Message body: There are no obligatory additional requirements in the content of messages. Version 6.0 has no obligation to use ‘request’ and ‘response’ elements or to duplicate request message in a response message. Namespace of messages is not fixed.

Main differences between X-Road versions 5 and 6: Rights and certificates
- Membership
  - Version 5: Differentiation of users and providers of service
  - Version 6: Members are organizations which affiliate just once. Member identifier is hierarchical and includes token of X-Road instance, information about member class (private, public) and registry code of authority.
- Service rights/access rights
  - Version 5: Database (e.g. ‘xkogu’) grants access rights to authorities
  - Version 6: Access rights are administered on the level of subsystem. Each subsystem is bound to X-Road member.
- Subsystem
  - Version 5: Subsystem uses signature certificate of sub-authority
  - Version 6: Subsystem uses an e-stamp certificate of X-Road members
- Security server identifier: unique identifier independent of the address and certificate of the security server
- Certificates issued by
  - Version 5: RIA
  - Version 6: Qualified trust service provider
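An added example, not part of the training slides: how a provider-side information system could read the hierarchical client (subsystem) and service identifiers from a version 6 request header. Element names and namespaces are taken from the public X-Road message protocol 4.0 specification rather than from the slides, and every identifier value in the sample is constructed.

```python
import xml.etree.ElementTree as ET

# Protocol 4.0 namespaces (from the public specification, not the slides).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XRD = "http://x-road.eu/xsd/xroad.xsd"
ID = "http://x-road.eu/xsd/identifiers"

# Constructed sample request; instance, codes and service name are made up.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:xrd="{XRD}" xmlns:id="{ID}">
  <soapenv:Header>
    <xrd:client id:objectType="SUBSYSTEM">
      <id:xRoadInstance>EE-DEV</id:xRoadInstance>
      <id:memberClass>GOV</id:memberClass>
      <id:memberCode>70000001</id:memberCode>
      <id:subsystemCode>clientsys</id:subsystemCode>
    </xrd:client>
    <xrd:service id:objectType="SERVICE">
      <id:xRoadInstance>EE-DEV</id:xRoadInstance>
      <id:memberClass>GOV</id:memberClass>
      <id:memberCode>70000002</id:memberCode>
      <id:subsystemCode>registry</id:subsystemCode>
      <id:serviceCode>getPerson</id:serviceCode>
    </xrd:service>
    <xrd:protocolVersion>4.0</xrd:protocolVersion>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

def _ident(elem, fields):
    """Join the id:* children of a header element into INSTANCE/CLASS/CODE/..."""
    parts = [(elem.findtext(f"{{{ID}}}{f}") or "").strip() for f in fields]
    if not all(parts):  # subsystem is required here: rights are per subsystem
        raise ValueError("incomplete identifier")
    return "/".join(parts)

def parse_header(xml_text):
    """Return (client subsystem id, service id) from a protocol 4.0 request."""
    if "<!DOCTYPE" in xml_text:  # SOAP messages carry no DTD; refuse entities
        raise ValueError("DTD not allowed")
    header = ET.fromstring(xml_text).find(f"{{{SOAP}}}Header")
    if header is None or header.findtext(f"{{{XRD}}}protocolVersion") != "4.0":
        raise ValueError("not an X-Road protocol 4.0 message")
    client = header.find(f"{{{XRD}}}client")
    service = header.find(f"{{{XRD}}}service")
    if client is None or service is None:
        raise ValueError("client or service header missing")
    member = ["xRoadInstance", "memberClass", "memberCode", "subsystemCode"]
    return _ident(client, member), _ident(service, member + ["serviceCode"])
```

Logging the returned client identifier next to each processed request ties provider-side records to the subsystem that access rights were granted to.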

Main differences between X-Road versions 5 and 6: trust services
- Consumption of trust services
  - Version 5: Security server does not perform OCSP and timestamp requests
  - Version 6: Security server performs OCSP and timestamp requests at least with frequency specified in security policy
- Asynchronous services
  - Version 5: Supported
  - Version 6: Not supported

Main differences between X-Road versions 5 and 6: Other functionality
- Encoding service
  - Version 5: Supported
  - Version 6: Not supported
- International universality
- Support of several interfacing components

Thank You!
The training materials for developers of X-Road interfaces have been compiled with funding from the structural funds support scheme “Raising Public Awareness about the Information Society” of the European Regional Development Fund.