
www.oasis-open.org

Digital Signatures and e-Identity. Getting the best out of DSS / DSS-X services.

Andreas Kuehne DSS-X member

Coarse Orientation:
'Protocols for central services providing signature generation AND verification'
Avoid problems of deployment of infrastructure required to support individual generation
Reduces overhead of key management: the central server takes care of the required tasks on certs status in both generation and verification.
All the complexity of verification implemented and deployed once at the server.
Details of the policy for the signatures centralized.
Get this using one standardized protocol !

What's already there:


DSS is an OASIS Standard !
Official standard since 2008

Many profiles part of DSS


Format ( e.g. XAdES, Code Signing )
Scope ( EPM, German Sig. Law )
Transport ( Async )

Requirement for agreed IPR mode caused termination of DSS

What's new :
DSS-X TC
Founded in 2008
Many DSS members joined

Maintenance of core spec
New profile areas
  Specializing profiles
  Extending existing functionalities
  Into the unknown

Complete Profile List:


Specializing existing profiles
J2SE code signing

Extending existing functionalities


ebXML

Into the unknown


Encryption and decryption profile
Visible signatures
Individual Reports on Signatures
Signature & Service Policy
Signed Verification Responses

Detailed Look :
Get a more detailed knowledge about some selected profiles that may be useful for e-identity applications :

Verification reports
Detailed information about verification results.

ebXML
Transporting DSS requests using the OASIS standard.

J2SE code signing


Supporting the java code signing standard.

Comprehensive Signature Verification Report Profile


Provides support for multiple signatures
Comprehensive signature verification reports for :
  XML-Signatures [RFC 3275], [ETSI 101903]
  CMS-Signatures [RFC 3852], [ETSI 101733]
  Time Stamps [RFC 3161], [OASIS DSS]
  Public-Key Certificates [RFC 5280]
  Attribute Certificates [RFC 3281]
  Certificate Revocation Lists [RFC 5280]
  OCSP-Responses [RFC 2560]
  Evidence Records [RFC 4998]
  arbitrary other structures (in additional profiles)

Comprehensive Signature Verification Report Profile


For each verified signature an individual report is issued, which includes :
Details on cryptographic verification of the signature
For each certificate in the certification path:
  Details on the cryptographic verification
  Details on their status (this may include references or values of CRLs and OCSP responses for instance).
  Details on certificate in their certification paths

Details on the signed and unsigned properties present within the signature.

Comprehensive Signature Verification Report Profile


If timestamps are present within the signature, for each one, the report includes
  Details on the cryptographic verification of the timestamp itself.
  Details on each certificate in the certification path of time-stamp certificate
Same procedure for attribute certificates

Usage statement for the Verification Report Profile :
The structures used in the verification report profile are successfully used by German eCard API implementors.

[Diagram. Labels: DetailedSignatureReport, FormatOK, Properties, VerifyManifestResult, SignatureOK, CertificatePathValidity, PathValiditySummary, CertificateIdentifier, PathValidityDetail. Annotations: "e.g. time-stamps"; "Details on all the certificates in the path (in next slide)".]

[Diagram. Labels: PathValidityDetail, CertificateValidity, TSLValidity, CertificateIdentifier, Subject, ChainingOK, ValidityPeriodOK, ExtensionsOK, CertificateValue, CertificateContent, SignatureOK, CertificateStatus. Annotations: "Details on the status of this certificate (including CRL, OCSP responses) in next slide"; "Details XML encoded of contents of this certificate."]

[Diagram. Labels: CertificateStatus, CertStatusOK, RevocationInfo, RevocationDate, RevocationReason, RevocationEvidence, CRLValidity, CRLReference, OCSPValidity, OCSPReference, Other. Annotations: "Details certification path for the CRL itself"; "Details certification path for the OCSP Response itself".]

[Diagram captions: Optional Input / Output; Structure of IndividualReport; Individual Structures]
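
As an added illustration (not part of the original slides or of any DSS-X implementation), the following Python example shows how a relying party could evaluate a report built from the element names above, rejecting the signature unless every check is explicitly valid. The sample XML is constructed and simplified: the nesting, the plain valid/invalid values, the absence of namespaces, and the policy that every listed check is mandatory are assumptions of this example, not the profile's schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names come from the slides; the nesting, the
# plain "valid"/"invalid" values and the missing namespaces are simplifications.
SAMPLE_REPORT = """<DetailedSignatureReport>
 <FormatOK>valid</FormatOK><SignatureOK>valid</SignatureOK>
 <CertificatePathValidity><PathValidityDetail>
  <CertificateValidity>
   <Subject>CN=Example Signer</Subject>
   <ChainingOK>valid</ChainingOK><ValidityPeriodOK>valid</ValidityPeriodOK>
   <ExtensionsOK>valid</ExtensionsOK><SignatureOK>valid</SignatureOK>
   <CertificateStatus><CertStatusOK>invalid</CertStatusOK></CertificateStatus>
  </CertificateValidity>
  <CertificateValidity>
   <Subject>CN=Example CA</Subject>
   <ChainingOK>valid</ChainingOK><ValidityPeriodOK>valid</ValidityPeriodOK>
   <SignatureOK>valid</SignatureOK>
   <CertificateStatus><CertStatusOK>valid</CertStatusOK></CertificateStatus>
  </CertificateValidity>
 </PathValidityDetail></CertificatePathValidity>
</DetailedSignatureReport>"""

# Assumed policy for this example: every check listed here is mandatory.
SIG_CHECKS = ("FormatOK", "SignatureOK")
CERT_CHECKS = ("ChainingOK", "ValidityPeriodOK", "ExtensionsOK", "SignatureOK",
               "CertificateStatus/CertStatusOK")
CERT_PATH = "CertificatePathValidity/PathValidityDetail/CertificateValidity"

def _check(node, label, names, found):
    # Fail closed: an absent or empty element counts as a failure.
    for name in names:
        value = (node.findtext(name) or "missing").strip()
        if value != "valid":
            found.append((label, name, value))

def failures(report_xml):
    """List (subject, check, value) for every check not explicitly 'valid'."""
    root = ET.fromstring(report_xml)
    found = []
    _check(root, "signature", SIG_CHECKS, found)
    certs = root.findall(CERT_PATH)
    if not certs:  # a report without any path detail is not accepted
        found.append(("signature", "CertificatePathValidity", "missing"))
    for cert in certs:
        _check(cert, cert.findtext("Subject", "unknown"), CERT_CHECKS, found)
    return found

def accept(report_xml):
    """Accept the signature only when no check failed or was missing."""
    return not failures(report_xml)
```

On the constructed sample the signer certificate is reported with a failed status check and the CA certificate with a missing ExtensionsOK, so the signature is rejected even though the top-level SignatureOK is valid.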

ebXML Profile
ebXML Messaging (ebMS) is an advanced OASIS Standard messaging protocol:
Synchronous or asynchronous SOAP-based messaging
Reliable and secure messaging
Standard business metadata in document header
OASIS Standards version 2.0 (2002), version 3.0 (2007)

The DSS-X ebXML profile defines a transport protocol binding to ebMS


Complements the transport bindings defined in DSS
Leverages the advanced features of ebMS

The DSS-X ebXML profile supports:


Communities that want to leverage their existing e-business or e-government ebMS infrastructures for DSS services
Scenarios such as cross-enterprise document workflows; document archival and retrieval; scanned document handling

ebXML usage statement


A government agency in the Netherlands uses the DSS ebXML profile in production to interact with a remote DSS provider.
The service provider provides remote PDF certification of scanned documents.
The agency and the provider are currently exchanging several hundred DSS ebMS messages per day, each containing a medium to large-size (tens of MBs) PDF document.

Code Signing details


Code signing is crucial for building a trustworthy system of software artifacts.
Code signing is supported by many development tools ( like 'ant' ) out-of-the-box !
Lax key management in development department.
Secret keys reside in the file system.
Uncontrolled passing of keys.
Usually no revocation process in place.

CS profile advantages
Centralized signing pays off in the usual way :
Control over secret keys
Easy certificate management
Controlling who signs
Tracking what / when / by whom was signed
Access can be managed on per-user basis.
Even automatic build environments supported.

J2SE profile details


J2SE defines a special standard on top of PKCS7.
New profile applicable for Applets and WebStart applications.
DSS already included a profile for Java Micro Edition.

Usage statement :
Trustable uses the CS profile internally to build its applets.
Ant task is available under GPL as well as the DSS implementation.

Standardization forecast
Public review
  ebXML
  Visible Signature
  Signature Policy
  Individual Verification Report
  Other ..

Conformance and InterOp tests


planned for September / October 2009

Further process
Approval of new profiles as OS : end of 2009
Updated DSS Core : end of 2009
Cross matrix for existing profiles : First term of 2010

http://www.turbophoto.com

Questions ?
OASIS Digital Signature Services eXtended ( DSS-X )
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss-x

Chairs : Stefan Drees ( stefan@drees.name) Juan Carlos Cruellas ( cruellas@ac.upc.edu) Andreas Kuehne ( kuehne@trustable.de )
