Presentation Transcript


OpenXAdES & DigiDoc

Tarvi Martens

Estonia


The Story

  • January 2002 – first Estonian ID-card is issued

  • March 2002 – ETSI publishes first version of XAdES

  • October 2002 – First public occasion of digital signing

  • May 2007 – >2.2M digital signatures created, unified signature system for all sectors


“Internal” vs. “free-flowing”

  • Most web-based applications that make use of digital signatures do not allow downloading the result of signing

  • Notable difference between

    • “internal signing” – usually just for security reasons

    • “signed files” – meant for universal distribution


Signatures vs. Containers

[Diagram labels: Container; Data, Data, Data, Data; External Data; Signature]


Signature Formats

  • Big zoo before

  • Now stabilizing

  • European standards ahead of U.S.

  • XML-DSIG → XAdES (ETSI TS 101903)

  • PKCS#7 (CMS) → CAdES (ETSI TS 101733)


Signature Profiles – XAdES example

[Diagram: XAdES forms layered on top of each other: XML-DSIG + BES/PES, T, C, X, L, A]

  • ... plus a myriad of options within blocks

  • Example: ETSI 101734 & 101934


Signature Policies

  • How is validity information obtained?

  • Which algorithms/key lengths are used?

  • What is the quality of the signing certificate?

  • Is long-time validity ensured?


Container Formats

  • MS OpenXML (XAdES evolving from Latvia)

  • ODF (XML-DSIG)

  • Adobe (CMS)

  • MS <= 2003 (proprietary)

  • DigiDoc (XAdES)


DigiDoc and OpenXAdES

  • OpenXAdES stands for Open Source project & community

    • www.openxades.org

  • DigiDoc is a pet name for (mainly) end-user tools for digital signature handling

    • Makes use of OpenXAdES


DigiDoc/OpenXAdES – a profile of XAdES

  • XAdES-X-L coming in two flavours

    • with or without timestamping

  • Validity confirmation obtained when signing

  • Long-time validity provided with SeqLog

  • Proprietary container


Features/experience

  • Signing with CSP-supported smartcard or Mobile-ID (via DigiDocService)

    • Proven support for foreign ID-cards

    • Mobile-ID up and running for a week

  • 5 years of development and field experience

  • Probably the “completest” implementation of XAdES to date


The Scheme

[Diagram labels: “I just signed this document” · Doc, Cert · OCSP · DB · (Doc, Cert, time) ok · “At the time I saw this document, corresponding certificate was valid” · Secure log]


SeqLog

  • Database of certificates:

    • Activation

    • Suspension

    • End of suspension

    • Revocation

[Diagram labels: SeqLog · OCSP · Signed validity confirmations]
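The two slides above describe the validity-confirmation scheme: the signer presents the freshly made signature and certificate to the OCSP responder, the responder consults its sequential log of certificate status events, answers with a signed "(Doc, Cert, time) ok", and records the confirmation in a secure log. The following is an added example, not code from the presentation or from the OpenXAdES/DigiDoc project. It models that scheme in Python with HMAC standing in for X.509/XML-DSIG signatures; the keys, serial number, event dates and the `SeqLog`, `Responder`, `sign`, `verify` and `demo` names are all constructed for the example.

```python
"""
Added example, not code from the presentation or from the OpenXAdES /
DigiDoc project: a toy model of the validity-confirmation scheme shown
on the "The Scheme" and "SeqLog" slides.  The responder keeps a
sequential log of certificate status events (activation, suspension,
end of suspension, revocation), answers "(Doc, Cert, time) ok" only if
the certificate is good at that moment, and appends every confirmation
to a secure log.  HMAC stands in for real X.509 / XML-DSIG signatures;
keys, serials and dates are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime

SIGNER_KEY = b"constructed-signer-key"        # stand-in for the ID-card key
RESPONDER_KEY = b"constructed-responder-key"  # stand-in for the OCSP responder key
SERIAL = "4711"                               # constructed certificate serial


class SeqLog:
    """Append-only, time-ordered database of certificate status events."""

    def __init__(self):
        self.events = []                      # (time, serial, event)

    def append(self, when, serial, event):
        if self.events and when < self.events[-1][0]:
            raise ValueError("SeqLog is sequential: events must arrive in time order")
        self.events.append((when, serial, event))

    def status_at(self, serial, when):
        """Replay the events for `serial` up to `when`.  Being able to answer
        this for any past instant is what gives long-term validity."""
        status = "unknown"
        for t, s, ev in self.events:
            if s != serial or t > when:
                continue
            if ev == "revocation":
                return "revoked"              # revocation is final
            status = "suspended" if ev == "suspension" else "good"
        return status


class Responder:
    """Toy OCSP responder issuing signed validity confirmations."""

    def __init__(self, seqlog):
        self.seqlog = seqlog
        self.secure_log = []                  # every confirmation ever issued

    def confirm(self, signature, serial, now):
        """'(Doc, Cert, time) ok' if the certificate is good at `now`, else None."""
        if self.seqlog.status_at(serial, now) != "good":
            return None
        body = {"sig_hash": hashlib.sha256(signature).hexdigest(),
                "serial": serial, "time": now.isoformat(), "status": "good"}
        payload = json.dumps(body, sort_keys=True).encode()
        conf = {"body": body,
                "mac": hmac.new(RESPONDER_KEY, payload, "sha256").hexdigest()}
        self.secure_log.append(conf)
        return conf


def sign(doc):
    """'I just signed this document' (HMAC stands in for the card signature)."""
    return hmac.new(SIGNER_KEY, doc, "sha256").digest()


def verify(doc, signature, serial, conf):
    """Offline verification later on: signature, confirmation, and their binding."""
    if conf is None or not hmac.compare_digest(signature, sign(doc)):
        return False
    payload = json.dumps(conf["body"], sort_keys=True).encode()
    expected = hmac.new(RESPONDER_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(conf["mac"], expected):
        return False
    body = conf["body"]
    return (body["sig_hash"] == hashlib.sha256(signature).hexdigest()
            and body["serial"] == serial and body["status"] == "good")


def build_seqlog():
    """Constructed event history for one certificate."""
    log = SeqLog()
    log.append(datetime(2002, 1, 28), SERIAL, "activation")
    log.append(datetime(2007, 3, 1), SERIAL, "suspension")
    log.append(datetime(2007, 3, 10), SERIAL, "end_of_suspension")
    log.append(datetime(2007, 6, 1), SERIAL, "revocation")
    return log


def demo():
    """Walk through the scheme at four points on the constructed timeline."""
    responder = Responder(build_seqlog())
    doc = b"constructed contract text"
    sig = sign(doc)
    ok = responder.confirm(sig, SERIAL, datetime(2007, 2, 1))      # good
    susp = responder.confirm(sig, SERIAL, datetime(2007, 3, 5))    # suspended
    after = responder.confirm(sig, SERIAL, datetime(2007, 3, 15))  # good again
    rev = responder.confirm(sig, SERIAL, datetime(2007, 7, 1))     # revoked
    return {
        "confirmed": verify(doc, sig, SERIAL, ok),
        "rejected_suspended": susp is None,
        "confirmed_after_suspension": verify(doc, sig, SERIAL, after),
        "rejected_revoked": rev is None,
        "tampered_doc_fails": not verify(b"altered text", sig, SERIAL, ok),
        "logged": len(responder.secure_log) == 2,
    }
```

The point the slides make is visible in `verify`: a relying party years later needs only the document, the signature and the stored confirmation, because the confirmation binds the signature hash, the certificate and the time, and the responder's log lets anyone reconstruct the status the responder saw.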


DigiDoc Architecture

[Architecture diagram labels: Application, Application, Application; Win32 Client, DigiDoc portal, COM-library, WebService; DigiDoc-library (Win32/Unix/C/Java); CSP, PKCS#11, MSSP, XML; ID card, Mobile phone, OCSP]


DigiDoc Portal

  • Simple WWW-application for everyone:

    • Downloading/uploading of document

    • Signing and validity confirmation

    • Verification

    • Sending document to another portal user

    • Sorting/Deleting/Archives

    • Multi-language


DigiDoc Portal


Verification Portal

  • http://digidoccheck.sk.ee

  • Allows checking a .ddoc file without an ID-card


DigiDoc Client

  • Provides the same functionality as portal

    • Signing and obtaining validity confirmation

    • Verification of signed document

  • Encryption and decryption (XML-ENCRYPT)

  • Does not require uploading document

  • Provides for digital signatures without using DigiDoc portal

  • Multi-language, multi-PKI support


DigiDoc Client


DigiDocService

  • Simple SOAP-based protocol

    • “I have a file here, make it signed”

    • “I have got a signed file. What’s inside it?”

  • Supports mobile authentication and digital signing

  • Best for integrating digital signature handling capability: libraries are changing rapidly, the protocol remains more stable


DigiDoc library (Win32/Unix)

[Diagram labels: CSP · XML · ID card · OCSP · DigiDoc library]

  • Signing through PKCS#11 and CSP

  • Handling of validity confirmation

  • Handling of XML document

  • Verification

  • Win32/Unix, C code

  • DLL & COM under Windows

  • Java implementation

  • Distributed under LGPL terms


Document format

  • Based on XML-DSIG standard

  • Contains subset of ETSI TS 101 903 (XAdES) extensions

    • Place, time and of signature

    • Role of signature holder

    • Validity confirmation and certificate of OCSP responder


Document format (2)

  • Multiple original documents can be signed at once

  • Original document can be embedded or detached

  • Original document can be XML or any binary format

  • Multiple signatures are supported

  • Just one validity confirmation per signature


Document format

[Diagram labels: Original files; Signature; Certificate of signer; Validity confirmation; Certificate of responder]
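The three "Document format" slides describe the container rules: an XML-DSIG based document holding one or more original files, each embedded or detached, one or more signatures, each carrying the signer's certificate, and exactly one validity confirmation (with the responder's certificate) per signature. The checker below is an added example, not code from the presentation or from the OpenXAdES/DigiDoc project. It uses the real XML-DSIG namespace for the signature skeleton, but the container namespace, the `DataFile`/`ValidityConfirmation`/`ResponderCertificate` element names, and the sample documents are constructed stand-ins rather than the actual .ddoc schema.

```python
"""
Added example, not code from the presentation or from the OpenXAdES /
DigiDoc project: a structural checker for a signed container built the
way the "Document format" slides describe it.  The XML-DSIG namespace is
the real one; the container namespace, element names and sample data
are constructed and are not the real DigiDoc (.ddoc) schema.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"   # real XML-DSIG namespace
CT = "urn:example:container"                # constructed container namespace
NS = {"ds": DS, "c": CT}


def check_container(xml_text):
    """Return a list of rule violations; an empty list means the structure is fine."""
    root = ET.fromstring(xml_text)
    problems = []

    # Rule: one or more original files, each EMBEDDED (content inline) or DETACHED.
    files = root.findall("c:DataFile", NS)
    if not files:
        problems.append("no original documents")
    ids = []
    for f in files:
        fid, ctype = f.get("Id"), f.get("ContentType")
        if not fid:
            problems.append("DataFile without Id")
            continue
        ids.append(fid)
        body = (f.text or "").strip()
        if ctype not in ("EMBEDDED", "DETACHED"):
            problems.append(f"{fid}: ContentType must be EMBEDDED or DETACHED")
        elif ctype == "DETACHED" and body:
            problems.append(f"{fid}: detached file must not carry content")
        elif ctype == "EMBEDDED" and not body:
            problems.append(f"{fid}: embedded file has no content")

    # Rule: one or more signatures; each covers every file, carries the signer's
    # certificate, and has exactly one validity confirmation with the responder's cert.
    sigs = root.findall("ds:Signature", NS)
    if not sigs:
        problems.append("no signatures")
    for i, sig in enumerate(sigs):
        sid = sig.get("Id") or f"signature #{i}"
        refs = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
        for fid in ids:
            if f"#{fid}" not in refs:
                problems.append(f"{sid}: does not cover {fid}")
        if sig.find("ds:SignatureValue", NS) is None:
            problems.append(f"{sid}: missing SignatureValue")
        if sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            problems.append(f"{sid}: missing signer certificate")
        confs = sig.findall("c:ValidityConfirmation", NS)
        if len(confs) != 1:
            problems.append(f"{sid}: expected exactly one validity confirmation, found {len(confs)}")
        for conf in confs:
            if conf.find("c:ResponderCertificate", NS) is None:
                problems.append(f"{sid}: confirmation lacks responder certificate")
    return problems


def sample_container(second_sig_covers_all=True, confirmations=1):
    """Constructed sample: two files (one embedded, one detached) and two
    signatures.  The flags introduce rule violations into the second signature."""
    def signature(sid, uris, n_conf):
        refs = "".join(f'<ds:Reference URI="#{u}"><ds:DigestValue>AAA=</ds:DigestValue>'
                       f'</ds:Reference>' for u in uris)
        conf = ('<c:ValidityConfirmation><c:OCSPResponse>BBB=</c:OCSPResponse>'
                '<c:ResponderCertificate>CCC=</c:ResponderCertificate>'
                '</c:ValidityConfirmation>') * n_conf
        return (f'<ds:Signature Id="{sid}"><ds:SignedInfo>{refs}</ds:SignedInfo>'
                '<ds:SignatureValue>DDD=</ds:SignatureValue>'
                '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>EEE='
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
                f'{conf}</ds:Signature>')

    second = ["D0", "D1"] if second_sig_covers_all else ["D0"]
    return (f'<c:SignedDoc xmlns:c="{CT}" xmlns:ds="{DS}">'
            '<c:DataFile Id="D0" ContentType="EMBEDDED">JVBERi0xLjQK...</c:DataFile>'
            '<c:DataFile Id="D1" ContentType="DETACHED"/>'
            + signature("S0", ["D0", "D1"], 1)
            + signature("S1", second, confirmations)
            + '</c:SignedDoc>')
```

Running `check_container(sample_container())` yields no problems, while `sample_container(second_sig_covers_all=False, confirmations=2)` reports that `S1` does not cover `D1` and carries two validity confirmations instead of one. The checker validates structure only; cryptographic verification of the `SignatureValue` and of the OCSP response is a separate step.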


Availability for Lithuania

  • OpenXAdES completely free (i.e. specs & libraries)

  • DigiDoc applications currently available for free use / free download

  • Further developments need support:

    • Special & new features

    • Following the ever-changing environment

    • “Vendor support”
