Instructions for the live webinar:

• This is an interactive session. Click on *Connect audio* to hear the presenters but please mute your microphones.
• Please note that this webinar will be recorded.
• There will be time for questions and answers at the end of the presentation via Menti. We hope you will share your views.

Welcome to the live webinar

Agenda for today

About CEF

Digital signatures

Digital signatures, electronic signatures & DSS

Live coding session, Q&A

Meet your hosts for today

• Apostolos (Tolis) Apladas, eSignature product owner
• Olivier Barette, eSignature technical lead
• Pierrick Vandenbroucke, eSignature DSS lead developer


About CEF

The eIDAS Regulation (EU 910/2014)

The eIDAS Regulation (EU 910/2014) establishes the rules for the use of trust services in Europe, enabling secure cross-border interactions and helping to implement the Digital Single Market. eIDAS-compliant qualified electronic signatures are:

• Equal to handwritten signature: Qualified electronic signatures have the same legal validity as their handwritten counterparts.
• Accepted in all Member States: Qualified electronic signatures used in cross-border electronic transactions are accepted in all Member States.
• Admissible in court: Qualified electronic signatures are legally binding and admissible in legal proceedings.
• Highly secured: Encryption technology is used to verify the integrity of the signed document and the identity of the signatory.

Connecting Europe Facility (CEF) programme

CEF is a programme of the European Commission whose mission is to increase the interconnection between trans-European networks by helping public administrations, businesses and citizens to fully benefit from what digital has to offer.

It promotes the adoption of common digital standards by:

• Providing technical support to Public Administrations, businesses and other organizations in their digital transition;

• Helping them develop secure, interoperable digital services;

• Providing funding to projects that can contribute to a more connected Europe.

This support package comes in the form of Building Blocks.

eSignature

eSignature is a CEF building block consisting of a set of standards, tools and services that allows the creation and verification of electronic signatures. The electronic signatures produced with eSignature are compliant with eIDAS (EU 910/2014), and therefore recognized in the European Union and further.

eSignature: Fast, Reliable, Secure

How can you use eSignature to build your signing solution?

• You can build your signing solution with CEF’s open-source library, Digital Signature Software (DSS), and enjoy out-of-the-box compliance with the eIDAS regulation (EU 910/2014) and related standards.
• You can test the interoperability and conformity of your own e-signature solutions with our ETSI signature Conformance Checker and our Qualified electronic signature validation test cases.
• You can obtain a digital certificate for eSignature, eSeal or website authentication from a Trust Service provider, using our Trusted List Browser to choose from over 200+ active TSPs.

A qualified trust service provider (QTSP) is a TSP who provides one or more qualified trust services (QTS) and is granted the qualified status by the national supervisory body.

Current status
An overview of the current status of eSignature*

• TLSO Community: 30 different countries are part of the TLSO Community. The goal of this community is to help set up Trusted Lists and to keep them error-free. The countries in green are the TLSOs known to be very active members of the community.
• DSS Libraries: The DSS Libraries have been downloaded more than 31.449 times.
• Qualified Trust Service Providers: There are 197 Qualified Trust Service Providers active in the EU.
• Conformance Checks: 34.196 performed conformance checks using ETSI Conformance Checker.
• Projects: 58 Generic projects have been awarded to eSignature (and eID).
• Reuse of eSignature: There are 63 initiatives that reuse eSignature.

[Map; countries labelled: Iceland, Sweden, Finland, Estonia, Latvia, Lithuania, Netherlands, Poland, Belgium, Germany, Luxembourg, Czech Republic, Slovakia, Austria, Hungary, Slovenia, Croatia, Romania, Italy, Portugal, Greece, Malta]

*Numbers collected as of September 2016

Current Status – Success Story
eSignature service used to sign agreement with the World Bank

It is the first international document the Commission signs using its own Qualified service.

In a Twitter post on the same day, the Commissioner for Budget and Administration described the e-signing of the agreement as "a huge leap forward" in the Commission's target to become fully digital by 2024.

It also marks the first time the Commission made use of EU Sign's newly introduced cloud-based qualified digital certificates.

What is DSS?
DSS is an open-source library

• A digital signature framework: Focused on the creation, augmentation and validation of interoperable eSignatures.
• Written in Java: Guaranteed portability on numerous platforms. Supports Java version 1.8 and above.
• Multiple ancillary features: Independent timestamp creation, PAdES Visible signatures, HTML and PDF validation reports, certificate validation ...
• Validation relying on Member States' Trusted Lists: Status of Trust Service Provider/Trust Service, compensation of information, path validation.
• Supports EU standards: Signature formats and packaging methods. Signature validation procedures.
• Flexible library: Can be integrated in different topologies: stand-alone applications, server-based (REST/SOAP, web application), or mixed combination; can be used in its entirety or on a module-by-module basis; can be adapted to numerous usages via configuration files or extension points.

Where do we come from?
A brief history

• eSignature Directive 1999/93/EC: First EU Directive on electronic signature
• Early required formats: ETSI TS 101 903 XAdES-BES and XAdES-EPES; ETSI TS 101 733 CAdES-BES and CAdES-EPES; ETSI TS 102 778 PAdES-BES and PAdES-EPES
• Services Directive 2006/123/EC: Directive on services in the internal market. Among others, need for cross-border processing of documents signed electronically.
• Standardization framework: EC mandate M460 to CEN/CENELEC & ETSI to rationalise eSignature standardisation in Europe, 2011 - 2015, ETSI TR 119 000
• Commission Decision 2011/130/EU: Establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC
• Validation relying on Member States' Trusted Lists: Commission Decision 2009-767-EC
• “eIDAS” Regulation (EU) n°910/2014: Qualified electronic signature

DSS through years

• 2017, v5.0: Compliance to eIDAS; validation of qualified electronic signature, for supporting signatures before and after 01/07/2016 (eIDAS entry into force); refactoring of ASiC format handling; migration to PDFBox 2
• 2017, v5.2: RSASSA-PSS support; CRL streaming
• 2018, v5.3: Standalone certificate validation; content timestamps; SHA-3 (“Keccak”); support of non-EU trusted lists
• 2019, v5.4: Wrapping attack detection (XML, PDF); validation of PDF certified signature; support of Java 9
• 2019, v5.5: Implementation of the ETSI Validation Report (TS 119 102-2); support of Java 12
• 2020, v5.6: New TL / LOTL loading mechanism (online/offline, multiple sources, pivot LOTL support, alerting); timestamp qualification
• 2020, v5.7: Removal of CertificatePool and performance enhancements; QWAC validator, support of PSD2 attributes; EdDSA (Edwards-Curve Digital Signature Algorithm); signature representation with a timeline; visual signature creation with REST/SOAP webservices
• 2021, v5.8

Next release: DSS 5.8 in Q1 2021

Release notes

• Implementation of the soon to be released new JAdES standard
• Shadow Attack detection
• Counter-signature creation
• Support of SignaturePolicyStore
• Support of Java 15

Why DSS?

• Compliance with eIDAS and the ETSI standards.
• DSS deals with the signatures, so you can deal with the business.
• Create and verify electronic signatures in line with European Standards.
• Open source and free of charge.
• Funding for projects in the Member States.

Digital signatures

Digital signatures
Signature creation, augmentation, and validation

• Public Key Certificate: Public key – private key pair; binding of an identity to a key pair; Certificate authority (TSP)
• Digital Signature: ETSI “AdES” standardized formats; ETSI standardized levels
• Signature validation: ETSI standardized processes for AdES and QES validation; ETSI standardized validation report; validation based on Trusted Lists
• Qualified Electronic Signature: Electronic Signature, Advanced Electronic Signature, Qualified Electronic Signature; QES = AdES + QC + QSCD

Public Key Infrastructure and DSS
Signature creation, augmentation, and validation

[Diagram labels: Root CA, CRL of RootCA; SubCA 1, CRL of SubCA 1; SubCA 2, CRL of SubCA 2; OCSP responder(s), Status OK / Revoked; End-entity certificate; Private key in SCD; Signature value; Document, Signature Creation Application, Signed document, Signature Validation Application, Validation report]

What are the digital signature formats?
There are currently 3 (soon 4) AdES digital signature formats and 1 signature container format standardized by ETSI ESI

• CAdES (CMS), ETSI EN 319 122: Can be used to create enveloping or detached signatures.
• XAdES (XML), ETSI EN 319 132: Can be used to create enveloped, enveloping or detached signatures.
• PAdES (PDF), ETSI EN 319 142: Can only produce enveloped signatures.
• JAdES (JSON clear/compact), Draft ETSI TS 119 182: Can be used to create enveloping or detached signatures.

ASiC: ETSI EN 319 162
Specification of the “Associated Signature Containers” (ASiC), which bind together into one single digital container based on ZIP either detached digital signatures or time assertions, with a number of file objects (e.g. documents, XML structured data, spreadsheets, multimedia content) to which they apply.

ETSI ESI and digital signatures

ETSI ESI defines 4 signature classes and a structure common to all those classes in ETSI EN 319 102-1.

Signature profiles, also called signature levels, of XAdES / CAdES / PAdES corresponding to these classes:

[Figure: the components Original file, Signature, Signed attributes, Timestamp, Revocation data and Archive timestamp, shown for each of the profiles below]

• Baseline Profile B
• Baseline Profile T
• Baseline Profile LT
• Baseline Profile LTA

Digital signature validation

Digital signature validation builds on signature value verification and certificate path validation, whereas verifying a qualified status builds on the interpretation of the content of trusted lists.

AdES

Verifying the technical validity of an AdES digital signature is a process involving, among other things, the verification that:
- the signature meets adequate cryptographic constraints;
- its supporting certificate was not expired or revoked at a time where such a signature is proven to exist; and
- the issuer of the certificate is a trusted issuer.

ETSI ESI produced a standard specifying procedures for the creation and validation of AdES digital signatures: ETSI EN 319 102-1.

QES = AdES + QC + QSCD

The validation of a qualified status goes beyond the verification of the technological validity. In a technical context, it should be understood as determining whether a digital signature can be (technically) considered as a European qualified electronic signature/seal using trusted lists (TLs) in the sense of the applicable European legislation at the time of signing, i.e. either Directive 1999/93/EC or Regulation (EU) No 910/2014.

ETSI ESI is currently producing a standard that specifies rules for such a determination: ETSI TS 119 172-4. This standard is supported by a standard that specifies rules for interpreting MS trusted lists: ETSI TS 119 615.

The combination of the procedures described in ETSI EN 319 102-1 and the rules described in ETSI TS 119 172-4 supported by ETSI TS 119 615 is what allows the automated conclusion on a qualified status.


Digital signatures, electronic signatures & DSS

How to use DSS
Signature creation, augmentation, and validation

3 core stateless methods for creating a signature

• Get the data to be signed,
• Compute the signature value,
• Incorporate the signature value in the document.

Adapt the validation policy

• The default DSS XML validation policy is set up to validate signatures according to ETSI TS 119 172-4.
• Constraints can be relaxed or strengthened.
• Different trust anchors from those in the EU MS TLs can be specified.
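The three stateless signing methods listed above, written against the DSS 5.x Java API as an added example (not code from the webinar or the DSS project). The file names `document.xml` and `signer.p12`, the `P12_PASSWORD` environment variable and the class name are assumptions.

```java
import java.security.KeyStore.PasswordProtection;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.SignatureLevel;
import eu.europa.esig.dss.enumerations.SignaturePackaging;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.SignatureValue;
import eu.europa.esig.dss.model.ToBeSigned;
import eu.europa.esig.dss.token.DSSPrivateKeyEntry;
import eu.europa.esig.dss.token.Pkcs12SignatureToken;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.xades.XAdESSignatureParameters;
import eu.europa.esig.dss.xades.signature.XAdESService;

public class SignXades {
    public static void main(String[] args) throws Exception {
        DSSDocument toSign = new FileDocument("document.xml");   // assumed input file
        String pin = System.getenv("P12_PASSWORD");              // assumed variable; keeps the PIN out of the source
        if (pin == null) {
            throw new IllegalStateException("P12_PASSWORD is not set");
        }
        try (Pkcs12SignatureToken token =
                new Pkcs12SignatureToken("signer.p12", new PasswordProtection(pin.toCharArray()))) {
            DSSPrivateKeyEntry key = token.getKeys().get(0);     // first key entry of the assumed keystore

            XAdESSignatureParameters params = new XAdESSignatureParameters();
            params.setSignatureLevel(SignatureLevel.XAdES_BASELINE_B);
            params.setSignaturePackaging(SignaturePackaging.ENVELOPED);
            params.setDigestAlgorithm(DigestAlgorithm.SHA256);
            params.setSigningCertificate(key.getCertificate());
            params.setCertificateChain(key.getCertificateChain());

            XAdESService service = new XAdESService(new CommonCertificateVerifier());

            // 1. Get the data to be signed (no private key involved).
            ToBeSigned dataToSign = service.getDataToSign(toSign, params);
            // 2. Compute the signature value (the only step that uses the private key).
            SignatureValue value = token.sign(dataToSign, params.getDigestAlgorithm(), key);
            // 3. Incorporate the signature value in the document.
            DSSDocument signed = service.signDocument(toSign, params, value);
            signed.save("document-signed.xml");
        }
    }
}
```

Because the service keeps no state between the calls, the same parameters, including the signing date they carry, have to be passed to `getDataToSign` and `signDocument`. Step 2 only needs the bytes returned by step 1, so it can run on a separate device or host that holds the private key.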

As a webservice

• Implement your own interfaces; or
• Expose the existing implemented interfaces provided in the framework;
• Callable from other languages (PHP, C#, …)

As a library

Set up a maven project and add the modules that are relevant to your project.

Getting started with DSS

Try and test the ready-to-use bundle.
• Download the bundle on CEF eSignature: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/DSS
• Unzip it and start the WebApp demo using the “Webapp-Startup.bat”.
• Access the demo using the “DSS-Web” shortcut.
• Test the functionalities demonstrated!

Or try the CEF WebApp demo online: https://ec.europa.eu/cefdigital/DSS/webapp-demo

DSS useful links

• DSS cookbook: The DSS cookbook provides extensive documentation on a wide range of use cases: https://ec.europa.eu/cefdigital/DSS/webapp-demo/doc/dss-documentation.html
• DSS JIRA: Report a bug and ask for new features on the DSS JIRA: https://ec.europa.eu/cefdigital/tracker/projects/DSS/issues/
• DSS maven integration: Integrate DSS in a maven project: https://ec.europa.eu/cefdigital/artifact/content/repositories/esignaturedss/
• DSS GitHub: Follow the project and look at the sources on GitHub: https://github.com/esig/
• CEF eSig FAQ: The CEF eSignature FAQ also contains information about DSS: https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eSignature+FAQ

DSS modularity
DSS modules and use cases

• specs-xxx modules can be used individually. E.g. users wishing to check trusted lists conformance can work with only specs-trusted-list.
• Users only interested / not interested in XAdES basic signatures only need / do not need dss- as well as dss-token and their dependencies.
• Users only interested / not interested in validating trusted lists against OJEU published information only need / do not need dss-tsl-validation and its dependencies.
• Users interested / not interested in using online resources need / do not need dss-service and its dependencies.
• There are 2 PAdES implementations in DSS, using 2 different frameworks.
• dss-utils-apache-commons / google-guava are utils packages for different environments.

DSS and validation

One method
The validation in DSS can be invoked using a single method: ”validateDocument()”. The validation is performed against a given validation policy.

Four outputs
The validation in DSS produces four outputs:
• The DSS simple report
• The DSS detailed report
• The DSS diagnostic data
• The ETSI standardized validation report

Customizable validation policy
DSS provides a default validation policy which can be modified when needed, for instance when the validation against Trusted Lists is not required, or when weaker/stronger cryptographic constraints are desired.
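The single `validateDocument()` call and its four outputs, as an added example against the DSS 5.7+ Java API (not code from the webinar or the DSS project). The file names `document-signed.xml`, `trust-anchor.crt` and `custom-policy.xml` and the class name are assumptions; the hand-supplied trust anchor stands in for the EU Member States' Trusted Lists.

```java
import java.io.File;

import eu.europa.esig.dss.enumerations.Indication;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

public class ValidateXades {
    public static void main(String[] args) {
        // Trust anchor supplied by hand instead of the EU MS Trusted Lists (assumed file).
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(DSSUtils.loadCertificate(new File("trust-anchor.crt")));

        // No CRL/OCSP source is set, so only revocation data embedded in the signature is available.
        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trusted);

        SignedDocumentValidator validator =
                SignedDocumentValidator.fromDocument(new FileDocument("document-signed.xml"));
        validator.setCertificateVerifier(verifier);

        // One method, run against the default validation policy.
        // validateDocument(new File("custom-policy.xml")) applies a modified policy instead.
        Reports reports = validator.validateDocument();

        // Output 1: the simple report carries the per-signature verdict.
        SimpleReport simple = reports.getSimpleReport();
        boolean accepted = !simple.getSignatureIdList().isEmpty(); // an unsigned file is not a pass
        for (String id : simple.getSignatureIdList()) {
            Indication indication = simple.getIndication(id);
            System.out.printf("%s: %s / %s%n", id, indication, simple.getSubIndication(id));
            accepted &= indication == Indication.TOTAL_PASSED;
        }

        // Outputs 2 to 4: detailed report, diagnostic data, ETSI validation report (as XML).
        System.out.println(reports.getXmlDetailedReport());
        System.out.println(reports.getXmlDiagnosticData());
        System.out.println(reports.getXmlValidationReport());

        System.exit(accepted ? 0 : 1);
    }
}
```

Acceptance is decided on `TOTAL_PASSED` for every signature found; an `INDETERMINATE` result, for instance when no trust anchor matches the signing certificate's chain, is treated as a rejection.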

Live-coding session

1 Setting up the workspace

2 Creating a XAdES signature

3 Validating a XAdES signature

4 Extending a XAdES signature

5 Modifying the default DSS validation policy

Q&A time

15 min


Ready to get started?

Reach out to us to learn more! Visit us at www.ec.europa.eu/cefdigital
