[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: DSS services and European Signature law
Hello, I am looking for more information about (or references to discussions on) whether or not (and if yes, under which circumstances) a DSS server (using adequate protection for the private keys stored on it) could be claimed to meet the requirements of a Secure Signature Creation Device, thus allowing its use to create qualified electronic signatures. This exact question was asked and answered during the DSS Webinar [3], but since then I've found it hard to find more information or references on this. The CEN CWA 14169 "Secure signature-creation devices "EAL 4+"" [1] uses a concept called "trusted path". A trusted path is referred to as "an encrypted channel" to exchange authentication data between the Secure Signature Creation Device and the Signature Creation Application implementing the Human Interface. It is explained to be "a communication channel [..] that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure". The DSS Core TLS security binding [2] seems to meet all these requirements. A DSS server can also be made to provide the same hardware/software protection of the TOE as other secure devices. There are some differences, e.g. the owner of a key cannot physically protect a DSS server "device" and a DSS server in a network has a different vulnerability than an off-line device. Some types of Verification Authentication Data that may be acceptable for cards (e.g. PIN) are weak in a network environment, but if the authentication requirements are set too high they greatly reduce the advantages of server-based signing. A DSS Server would also typically not be personalized (e.g. usable by only one user) as is required for an SSCD type 2, but serve a set of users. The CWA consistently refers to an abstract category of Signature Creation Devices, of which smart cards would be just a special case. However, so far it seems that the extension of the general concept to other types of devices is not very clear and some PKI guidelines in fact narrow the SSCD concept down and exclude devices other than smart cards explicitly. I would very much appreciate any information or pointers from people on this list, and more general comments on the legal status of DSS in various jurisdictions. Pim [1] ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf [2] http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-spec-cs-v1.0-r1.htm#_Toc1 59076100 [3] http://www.oasis-open.org/events/webinars/2007-07-16-DSS-Assures-WS-Data-Aut henticity.wmv
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]