Digital Certificates. PKI and other TTPs. 3.3

Similar documents
EXBO e-signing Automated for scanned invoices

IFY e-signing Automated for scanned invoices

ETSI TS V1.2.2 ( )

ETSI ES V1.1.3 ( )

Internet Engineering Task Force (IETF) Request for Comments: 6283 Category: Standards Track. July 2011

ETSI TS V1.3.1 ( )

ETSI TS V1.5.1 ( )

ETSI TS V1.8.3 ( ) Technical Specification. Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

ETSI TS V1.2.1 ( ) Technical Specification

EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 2: Additional PAdES signatures profiles

Policy for electronic signature based on certificates issued by the hierarchies of. ANF Autoridad de Certificación

Overview & Specification

Electronic Seal Administrator Guide Published:December 27, 2017

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

eidas-compliant signing of PDF

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

XEP-0290: Encapsulated Digital Signatures in XMPP

Handwritten signatures are EOL Panos Vassiliadis

Comparison of Electronic Signature between Europe and Japan: Possibiltiy of Mutual Recognition

TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); Guidance on the use of standards for cryptographic suites

Sparta Systems TrackWise Digital Solution

UELMA Exploring Authentication Options Nov 4, 2011

Signature Profile for BankID

ETSI EN V1.1.1 ( )

XML ELECTRONIC SIGNATURES

May English version. General guidelines for electronic signature verification

Cosmos POFESSIONALS OF SAFETY ENGINEERING

Signed Documents

Technical Specification Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

SSL/TSL EV Certificates

Sparta Systems TrackWise Solution

CertDigital Certification Services Policy

ETSI TR V1.1.1 ( )

Digital Signatures: How Close Is Europe to Truly Interoperable Solutions?

Electronic signature framework

ILNAS/PSCQ/Pr004 Qualification of technical assessors

Controlling digital multisignature with attribute certificate

Resolution of comments on Drafts ETSI EN to ETSI EN May 2014

Cian Kinsella CEO, Digiprove

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

ING Corporate PKI G3 Internal Certificate Policy

Draft ETSI EN V1.0.0 ( )

Xolido Sign Desktop. Xolido Sign Desktop. V2.2.1.X User manual XOLIDO. electronic signature, notifications and secure delivery of documents

Digital signatures: How it s done in PDF

MINIMAL-FOOTPRINT MIDDLEWARE FOR THE CREATION OF QUALIFIED SIGNATURES

ISO/IEC INTERNATIONAL STANDARD

ETSI TS V1.1.1 ( )

ETSI TS V1.2.1 ( )

e-sign and TimeStamping

Adobe Sign and 21 CFR Part 11

Sparta Systems Stratas Solution

Profile for High-Performance Digital Signatures

Utimaco eidas Update. June Thorsten Groetker CTO. Utimaco HSM Business Unit Aachen, Germany 2017 Utimaco eidas Update, June 2017 Page 1

SPECIFIC CERTIFICATION PRACTICES AND POLICY OF

Signature Validity States

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017

Electronic Signature Format. ECOM Interoperability Plug Test 2005

European Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the EU internal market

TIME STAMP POLICY (TSA)

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

The current status of Esi TC and the future of electronic signatures

Transforming the Document Signing Process

Final draft ETSI EN V1.1.0 ( )

The X.509 standard, PKI and electronic documents

WORKSHOP CWA AGREEMENT November 2001

Test Signature Policy Version 1.0

RSA-PSS in XMLDSig. Position Paper W3C Workshop Mountain View

AlphaTrust PRONTO - Transaction Processing Overview

EPC e-mandates e-operating Model. Detailed Specification

Protection Profiles for Signing Devices

KeyOne. Certification Authority

Improving the Security of Workflow-based System using Multiple XML Digital Signature

The Basic Terms and Legal Aspects of The ESA from The Practical and Security Points of View

IMES DISCUSSION PAPER SERIES

eidas Interoperability Architecture Version November 2015

Certification Practice Statement

Sándor Szőke, Dr. Microsec Ltd. Migration of national PKI Services to eidas conformant Trust Services case study in Hungary

ETSI Electronic Signatures and Infrastructures (ESI) TC

Enabling a World-Class National ICT Sector

SC27 WG4 Mission. Security controls and services

A human-readable summary of the X.509 PKI Time-Stamp Protocol (TSP)

Signe Certification Authority. Certification Policy Degree Certificates

eidas Regulation in the context of Cybersecurity: Electronic seals and website certificates: Two sides of a (gold) medal?

EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles

ETSI TC ESI WORK ON ELECTRONIC REGISTERED DELIVERY SERVICES AND REGISTERED ELECTRONIC MAIL

IAS2. Electronic signatures & electronic seals Up-dates - feedbacks from :

SONERA MOBILE ID CERTIFICATE

EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp profiles

1. Document Information. 2. Related documents / References. 3. Version control

Digital Certificates Demystified

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

EUROPEAN STANDARD Electronic Signatures and Infrastructures (ESI); XAdES digital signatures; Part 2: Extended XAdES signatures

Update on Security, Privacy and Safety Standards

Digitalisation and electronic signatures

Validation Policy r tra is g e R ANF AC MALTA, LTD

Certification Authority. The X.509 standard, PKI and electronic documents. X.509 certificates. X.509 version 3. Critical extensions.

Add or remove a digital signature in Office files

IBM. Security Digital Certificate Manager. IBM i 7.1

Transcription:

Digital Certificates. PKI and other TTPs. 3.3 1

Certification-service providers Spanish Law 59/03 Art. 2.2 or Directive 1999/93/EC Art. 2.11: Certification-service providers means an entity or a legal or natural person who issues electronic certificates or provides other services related to electronic signatures. 2

Certification Service Providers What Services? Key Certification Digital time stamping Key deposit Key directory etc... 3

Trusted third parties Def.: Independent, unbiased third party that contributes to the ultimate security and trustworthiness of computer-based information transfers. 4

Digital time stamping Timestamp service is provided by a trusted third party known as Time Stamp Authority. Specify time and date bind securely to a message It can be proven that a data item existed before a certain point in time. 5

Digital time stamping Applications to PKI as lifetime extension of digital signature Provides support for non-repudiation As certificates are revoked due to their loss, or eventually expire, digital signatures cannot be allowed to suddenly become invalid A Trusted Time-Stamping Service can provide a trusted time anchor Certifying that a certain a document has been signed while the signatory s certificate was valid Otherwise, it is easy to repudiate signatures in the future, cancelling validity of contracts etc. 6

Digital time stamping Classification of time-stamping schemes: simple schemes linking schemes distributed schemes trusted archival 7

Digital time stamping Simple: Independent time-stamps (TS) Example: digital signature on pair (time, document) Time-Stamp Requester (User) H n S (H n, T n ) TSA 8

Digital time stamping Electronic signature CLIENT TIME STAMP AUTHORITY Date (T) M DIGEST Digital fingerprint (D) D T Digital fingerprint with time stamp and signature D T 9

Digital time stamping Linking: TS includes data from other TS s H i Client i M i Digest D i H i+1 Client i+1 M i+1 Digest D i+1 H i+2 10

Digital time stamping Linking (general scheme): Aggregation: all documents received in a small time interval the aggregation round - are considered simultaneously and the output depends on all them Linking: output of the aggregation round is taken and linked to previous aggregation round values Publication: TSA publishes periodically the most recent TS in a widely-witnessed medium, committing itself to all the previous issued ones 11

Digital time stamping Publication in a widely witnessed medium... RH(i-1) RH(i) Time-stamps: linked round outputs H i j = H (H i x, H (x+1) j ) H18 Output of the aggregation round H12 H14 H34 H56 H58 H78 Documents considered in an aggregation round y1 y2 y3 y4 y5 y6 y7 y8 Time-stamp requester submission 12

Digital time stamping Distributed: Multiple users/tsas cooperate to generate a TS, possibly using a secure distribution of secret data Other: Not all the timestamping schemes can be classified into these three sections 13

Digital time stamping IETF PKIX-TSP (RFC 3161) PKIX Time-Stamp Protocol Describes a format of a request sent to a TSA and the returned response. Also it establishes several security relevant requirements to TSA operation. 14

Digital time stamping ETSI ETSI TS 102 023: Policy requirements for time-stamping authorities ETSI TS 101 861: Time stamping profile 15

Digital time stamping ISO ISO/IEC 18014-1: Time-stamping services framework ISO/IEC 18014-2: Mechanisms producing independent tokens ISO/IEC 18014-3: Mechanisms producing linked tokens 16

Digital time stamping Synchronization with trusted time servers Network time protocol (NTP) UDP Protocol Port 123 17

Digital time stamping Processes Time stamp Verification Renewal 18

Electronic signature electronic signature means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication 19

Qualified electronic signatures Qualified electronic signatures: Requirements of electronic signatures to have the same legal effects as the hand-written signature (and so, to be admissible as evidence in legal proceedings): Be an advanced signature Be based upon a qualified certificate Have been generated by a secure signature creation device 20

Advanced electronic signature advanced electronic signature means an electronic signature which meets the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using means that the signatory can maintain under his sole control; and (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable; 21

Qualified certificates Law 59/03 Art. 11.1: The electronic certificates which are issued by a certification-service provider are qualified certificates, when the provider fulfils the requisites established in this law as regards verification of identity and other circumstances of the applicants and the reliability and guarantees of provided certification services. 22

Qualified certificates Law 59/03 Art. 11.2 or Directive 1999/93/EC Annex I: Qualified certificates must contain: 1. an indication that the certificate is issued as a qualified certificate; 2. a unique identity code of the certificate; 3. the identification of the CSP (cert. service provider) and State in which it is established; 4. the advanced electronic signature of the CSP issuing it; 5. The name of the signatory or a pseudonym, which should be identified as such; 23

Qualified certificates 6. signature verification data which correspond to signature creation under the control of the signatory; 7. an indication of the beginning and end of the period of validity of the certificate; 8. limitations on the scope of use of the certificate, if applicable; and 9. limits on the value of transactions for which the certificate can be used, if applicable. 24

XML Digital Signature (XMLDSig) Authentication, data integrity, non-repudiation Joint W3C/IETF effort XML syntax for representing signature of web resources and portions thereof Procedures for computing and verifying such signatures Canonicalization of XML data Trust in key is out-of-scope W3C Recommendation + IETF RFC 3075 JSR-105: XML Digital Signature APIs 25

XML Digital Signature (XMLDSig) Signature of digital content is a two-stage process First, the digital content is digested and the resulting value is placed in an XML element Second, the digested value is picked and signed After the XML (or some part thereof) is digitally signed, the resulting XML signature is represented as an XML element that is identified as <Signature> 26

XML Digital Signature (XMLDSig) The original content is related to the digital signature based on these XML signature type definitions: Enveloping signature: The <Signature> element includes the element that is digitally signed. The digitally signed element becomes the child of the <Signature> element Enveloped signature: The <Signature> element becomes a child element of the data being signed. The <Signature> element refers to the signed element by using information in its <Reference> element Detached signature: The <Signature> element and the signed element are kept separate 27

XML Digital Signature (XMLDSig) In addition to a reference to the digital content being signed, the <Signature> element includes information about the following: The method used to canonicalize the digital content The algorithm used to generate the signature for the canonicalized element to be signed Additional information that specifies how to process the element to be signed before it is digested 28

XML Digital Signature (XMLDSig) Signature SignedInfo CanonicalizationMethod SignatureMethod Reference Transforms DigestMethod DigestValue SignatureValue KeyInfo 29

XML Digital Signature (XMLDSig) A certificate can be included with public key <X509Certificate>MIID5jCCA0+gA...lVN</X509Certificate> 30

Enhanced electronic signatures Classes of signature: Level of legal certainty: Explanation: General electronic signature as required in 5.2 Can not be denied legal effect (art 5.2) Any electronic signature that is not a qualified electronic signature. Qualified electronic signature - as specified in 5.1 (Annex I, II, III) Same legal effect as hand-written signature (art 5.1) Minimum technical level required for the signer so that his electronic signature can be considered as legally equivalent with a handwritten signature. Enhanced electronic signature (applicable to both general and qualified electronic signatures) Enhancement of technical evidence Additional technical requirements for a verifier, such as timestamping, but also for the signer, to enhance technical security and obtain protection against certain threats. 31

XML Advanced Electronic Signatures (XAdES) ETSI TS 101 903 + W3C Specification (http://www.w3.org/tr/xades/) Defines XML formats for advanced electronic signatures that remain valid over long periods compliant with the European Directive 1999/93/EC incorporate additional useful information in common uses cases (includes evidence as to its validity even if the signer or verifying party later attempts to deny the validity of the signature) Provides for really usable signatures 32

XML Advanced Electronic Signatures (XAdES) XAdES formalises 6 types of signatures and specifies roles and their responsibilities It builds on XMLDSIG in following ways: XAdES-BES (Basic Electronic Signature) XAdES-EPES (Explicit Policy Electronic Signature) XAdES-T (with Time Stamp) XAdES-C (Complete Validation Data) XAdES-X (Extended Validation Data) XAdES-XL (Extended Long Validation Data) XAdES-A (Archival) 33

XML Advanced Electronic Signatures (XAdES) Source: W3C XAdES 2003 34

XML Advanced Electronic Signatures (XAdES) Source: W3C XAdES 2003 35

XML Advanced Electronic Signatures (XAdES) Source: W3C XAdES 2003 36

Electronic invoices Def.: e-invoice is an electronic harmonized trade document, or instruction, that details the goods sent / services delivered or goods received / services obtained with a statement of the due and payable amount together with a statement of any Value Added Taxes applicable. It is transmitted through electronic means from the seller to the buyer. Its authenticity and integrity are preserved. 37

Electronic invoices A relatively complex format is needed (EDIFACT, XML, PDF, html, doc, xls, gif, jpeg or txt) Facturae format (www.facturae.es) It must guarantee the e-invoice s integrity and authenticity Qualified electronic signatures fulfill this requirement It must reflect the consent of both parties (issuer and receiver) 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback