1 / 20

OASIS Digital Signature Services

www.oasis-open.org. OASIS Digital Signature Services . Juan Carlos Cruellas Andreas Kuehne Stefan Drees Ernst Jan van Nigtevecht Frank Cornelis Oscar Burgos. Agenda. Digital Signature Services (DSS): Mission statements of DSS* Technical Committees. Offerings / Use Cases:

ismet
Download Presentation

OASIS Digital Signature Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. www.oasis-open.org OASIS Digital Signature Services Juan Carlos Cruellas Andreas Kuehne Stefan Drees Ernst Jan van Nigtevecht Frank Cornelis Oscar Burgos

  2. Agenda • Digital Signature Services (DSS): • Mission statements of DSS* Technical Committees. • Offerings / Use Cases: • DSS — The Interface to the Signing service. • Signature Validation— Push it to the Cloud ! • As Time goes by — YourSignatures ? • Capable Client Devices — Local Signing ? • Conformance & Interoperability — Upcoming Event

  3. OASIS Digital Signature Services (DSS) TC1: • Mission: • “Defining an XML interface to process digital signatures for Web services and other applications” • Deliverables (A set of OASIS standards, in 2007): • Core protocols, elements, bindings and profiles. • OASIS Digital Signature Services eXtended (DSS-X) TC2(successor of DSS TC extending and maintaining DSS). • Mission: • “Advancing digital signature services standards for XML” • Notes: • 1)Completed in 2007 to accommodate for OASIS IPR policy changes2) Created in 2007 operating under OASIS RF IPR mode

  4. OASIS DSS Standards: • The interface to the Signing Services. • Protocols for central Signature Generation services: • No more problems with infrastructure deployments • Support for individual generation delegated • Reduces overhead of key management: • Central server in charge of required tasks • Like e.g. certificate status in Generation. • All details of Signature Policies centralized. • Enables centralized auditing.

  5. Verification — Push it to the cloud ! • DSS OASIS Standards: • Protocols for central Signature Verification services: • Verification (with all its complexity) ? • Implemented at and Deployed to the server once. • Reduce overhead of key management: • Central server in charge of required tasks ! • Like e.g. certificate status in Validation. • All details of Signature Policies centralized, enables: • Exhaustive (standardised) validation reports • Log of all validation processes and results • Caching (of CRL, OCSP, TSL, ...) !

  6. As Time goes by — Your signatures ? • DSS capable central Servers take care ! • DSS OASIS Standards: • Protocols for central Signature Upgrade services: • A) You may send a signature and request that: • it is time-stamped with a signature time-stamp • Or — if it already has one — cf. B • B) You may request to: • include in the signature all the validation material (OCSP responses, certificates in the certification path, etc.) • and then time-stamp this “bundle” for achieving a long-term signature.

  7. Personal key pairs must be controlled personally ? • Yes, of course ! • But all the boringandburdensome rest of the “signing party” … ? • No, Thanks ! • Delegate“impersonaltasks”involved to server ! • DSS-X TC is working on such a standard: • “Local Computation of Signature Values”

  8. Finally, what if you want to check if your server: • Interoperates well with other Implementations ? • Complies to DSSStandards ? Yes, Please  ! • DSS-X TC is Scoping, Preparingand Organizing: • Remote Event where participants will be able to: • Test their servers Conformity: • With a subset of the DSS protocols • Test the Interoperabilityof their Servers • With all other participating Servers

  9. Useful information: • DSS-X TC Public page: • https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss-x • Raise comments sending an email to: • dss-x-comment@lists.oasis-open.org • Access the documents archives at: • https://www.oasis-open.org/committees/documents.php?wg_abbrev=dss-x

  10. Q&A

  11. DSS concept. Conventional approach • Deploy key to each user • Handle Interface to all PKI functions • Security depends on user

  12. DSS concept. DSS approach Internal user Authentication & authorisation Directory System PKI CertificateManagement DSS Server

  13. classical DSS-domain new DSS (X) http://www.eid-stork.eu/ ISO/IEC 24727 / CEN TS 15480 („European Citizen Card“) DSS also forms the basis for the emerging standard eID-framework ?

  14. Ebxml Messaging Transport Binding for DSS. • Specifies how DSS messages are encoded and carried using OASIS ebXML Message Service (Ebxml MS: transport mechanism for e-business ). • Binding for robust channel between DSS clients and servers and ebxm features (i.e. asynchronous messaging). • Profile for managing visible signatures. • Need to display (mostly in signed documents) information on the digital signatures to human beings, parts of which may also be signed. • Clients will instruct servers to incorporate this visual information in the created signatures. Servers will also verify this signed visual information. • Profile for supporting centralized encryption/decryption. • Aims at providing protocols for requesting centralized encryption/decryption operations (CMS and XML Encryption). • Combination of encryption and signature.

  15. Features: encryption/decryption of ¡parts of a document, encryption for different recipients, etc.. • Profile for detailed individual verification reports. • Individually report on each signature found in a document and incorporation in each one relevant details of the verification process, satisfying the business requirement of logging them. • Profile for signed verification responses. • Aims at allowing to DSS clients to request that the verification response is actually signed by the verifying server. • Responses that may be seen as signed receipts of the verification of a certain signed document • Profile for handling signature policies. • Request generation/verification of a digital signature following a certain set of rules (signature policy). • Different documents may require different types of signatures, generated and verified following different rules and processes. • Analysis of inter-relationships among existing profiles.

  16. Paving the way (II): Interoperability events: • Standards more and more complex. Interoperability is an issue. • Interoperability tests: • Very useful for progressing towards interoperability. • Provide feedback to the Standardization Bodies from actual implementers, helping in getting better standards (identify wrong or ambiguous parts, identify new requirements, etc.). • Face to face: XML Sec maintenance WG in 2007. • BUT now ALSO REMOTE interoperability events. • ETSI owns a portal supporting remote interoperability tests on XAdES signatures. It has conducted two Remote Interoperability events on XAdES (high figures of participation from Europe and Asia) and organized a third one for next year on XAdES and CAdES. See details at • http://xades-portal.etsi.org/pub/XAdES.shtml • Also former DSS TC organized a restricted interoperability test between the TC members.

  17. DSS-X overview • ebXML Messaging Transport Binding for DSS. • Guidance: cross-matrix for existing profiles joint usage

  18. Current status of specifications • Committee Specifications: • Profile for requesting generation and/or verification of visible signatures. • Profile for generation of a multi-signature verification report providing detailed information on the signature verification process. • ebXML Messaging Transport Binding for DSS.

  19. Additional activities • The DSS-X is defining an interoperability event on DSS and DSS-X specifications: • Contacts between OASIS and ETSI for jointly organize a formal remote interoperability event. • DSS-X TC members are completing a the first version of the test suite. • ETSI would provide a portal supporting the conduction of remote interoperability events. • Initial plans: to be ready for making such event during the first half of 2011.

  20. Additional activities • The DSS-X has started the production of a cross-matrix for clarifying joint usage of the differen DSS and DSS-X profiles.

More Related