Re: [ubl-security] Questions about the digital signature specification

[Andrea Caccia <andrea.caccia@studiocaccia.com>]

Hi Jon,

On Feb 20th 2011 at 22.17 CET Jon Bosak wrote:
> Hello UBL Security SC,
> 
> I am finishing up the edits on the UBL Digital Signature specification
> version 09 (will be 10) and have two questions for you.
> 
> First, regarding this paragraph:
> 
>    <para>TS 101 903 is an XML electronic signature standard that can be
>      used to create different XML Advanced Electronic Signatures <xref
>      linkend="b_XAdES"/>. XMLDSig is a general framework for digitally
>      signing XML documents; XAdES extends XMLDSig for use with advanced
>      and qualified electronic signatures as specified in European Union
>      Directive 1999/93/EC. Use of XAdES is not limited to Europe, as it
>      is being adopted by many countries outside the EU and, at the time
>      of publication of this specification, it is undergoing
>      standardization in ISO TC 154 [ISO/CD 14533-2]. One important
>      benefit of XAdES is that the validity of electronically signed
>      documents can be extended for long periods, longer than the
>      expiration of the electronic certificates involved in signature
>      verification and also if underlying cryptographic keys and
>      algorithms security becomes inadequate.</para>
> 
> I don't understand the ending of the last sentence.  Could someone
> please explain?
It refers to the fact that, to preserve for a long period a signature, the following problems arise:
- expiration of certificates
- after the signed certificate expires, if revoked it is usually removed form CRL
- over a long period of time faster machines and better attack techniques become available and signature algorithms need to be strengthen. There is the possibility that signatures, certificates and CRLs can be forged.

XAdES allow to add to signatures additional information and time-stamps that allow you to overcome these issues (e.g. by storing relevant CRLs, adding time-stamp tokens to demonstrate that the document was signed before the eventual revocations and certificates/CRLs/signatures existed at a time when used algorithms were secure).


> 
> Second, regarding this paragraph:
> 
>      <para>It is important to note that XAdES and XMLDSig define
>        digital signature processing rules and syntax but do not cover
>        the implementation of security measures required for an AdES,
>        which are out of scope for this document.  Implementation may
>        depend on local regulations in place and specific provisions set
>        by the authority issuing the certificates supporting the signature. The
>        implementer has to determine the set of requirements that
>        apply to the specific context of use and determine accordingly
>        the suitability of the standards and the specific profiles to be
>        used: an explicit advice is given to reference directly to any
>        regulation applicable to the specific context of use.</para>
> 
> I don't understand the reference to "explicit advice."  Would it be
> possible to get more detail here?


Please let me know if you need additional details.

Best regards,
Andrea