OASIS Mailing List Archives

dss-dev message


Subject: DSS services and European Signature law


I am looking for more information about (or references to discussions on)
whether or not (and if yes, under which circumstances) a DSS server (using
adequate protection for the private keys stored on it) could be claimed to
meet the requirements of a Secure Signature Creation Device, thus allowing
its use to create qualified electronic signatures.  This exact question was
asked and answered during the DSS Webinar [3], but since then I've found it
hard to find more information or references on this. 

The CEN CWA 14169 "Secure signature-creation devices "EAL 4+"" [1] uses a
concept called "trusted path". A trusted path is referred to as "an
encrypted channel" to exchange authentication data between the Secure
Signature Creation Device and the Signature Creation Application
implementing the Human Interface.  It is explained to be "a communication
channel [..] that is logically distinct from other communication channels
and provides assured identification of its end points and protection of the
channel data from modification or disclosure". 

The DSS Core TLS security binding [2] seems to meet all these requirements.
A DSS server can also be made to provide the same hardware/software
protection of the TOE as other secure devices. There are some differences,
e.g. the owner of a key cannot physically protect a DSS server "device" and
a DSS server in a network has a different vulnerability than an off-line
device.  Some types of Verification Authentication Data that may be
acceptable for cards (e.g. PIN) are weak in a network environment, but if
the authentication requirements are set too high they greatly reduce the
advantages of server-based signing. A DSS Server would also typically not be
personalized (e.g. usable by only one user) as is required for an SSCD type
2, but serve a set of users.

The CWA consistently refers to an abstract category of Signature Creation
Devices, of which smart cards would be just a special case. However, so far
it seems that the extension of the general concept to other types of devices
is not very clear and some PKI guidelines in fact narrow the SSCD concept
down and exclude devices other than smart cards explicitly.  I would very
much appreciate any information or pointers from people on this list, and
more general comments on the legal status of DSS in various jurisdictions. 


[1] ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14169-00-2004-Mar.pdf
