Thursday, May 9, 2013

I'm siiiiiiiigning in the cloud

On March 14th Barcelona hosted the ETSI ESI workshop on signatures in the cloud, which I had the opportunity to attend (well, the open session, of course).

The cream of European electronic signature experts were there to discuss what the market has demanded for years and only a few countries have listened to: qualified electronic signature in the cloud. This means that the signatory does not carry the signing keys on a cryptographic smartcard, a cryptographic USB token, an eID card or any other device; instead the signing keys live on a server and are accessed remotely, with technologies that ordinary people more or less master.

The truth is it was a very insightful session, which had as many points of agreement as opposing views.

The problem of remote electronic signature is clear: how can you ensure the signer's sole control if she does not hold the keys, but they are kept on a remote server and every access to them must go through public telecommunications networks?

But other, no less important, issues also surfaced: why do we strive for remote qualified electronic signature if, possibly, advanced electronic signature would be enough? And what is really hard to achieve in remote signing: that the device is considered a secure signature creation device (necessary but insufficient to produce qualified electronic signatures), or guaranteeing the signer's sole control over her keys (a necessary condition to generate advanced electronic signatures)?

More or less in chronological order, things went this way (I only quote the issues most relevant from my point of view):

Jonathan Allin, of Thales, was categorical: current standards are not written for an HSM (a hardware security module that could centralize keys and enable remote electronic signature) to produce qualified electronic signatures. This means that if the standards are not changed, there is nothing to be done.

+Riccardo Genghini, answering suggestions that the problem lies in the law, charged against solution manufacturers, saying that the law is not the problem; trying to sell remote qualified electronic signature is, when for most purposes advanced electronic signature is more than enough and, in principle, remote advanced electronic signature generation should be easier to achieve (sure?). Solution manufacturers and service providers have not been able to add value to the advanced electronic signature. But then, when you tell a client "the qualified electronic signature is equivalent to a handwritten one, and with the advanced one we'll see", which one does the customer prefer?

Julien Stern, of Cryptolog, also raised several interesting points: can an organization that meets the requirements for issuing qualified certificates also offer a remote qualified electronic signature service? Clearly not; the requirements are different. On the other hand, why do we insist on comparing a remote electronic signature system with a secure signature creation device (SSCD)? The latter is pure hardware plus some software (the middleware that accesses the card or token), while the former implies hardware, software, communication protocols, procedures, services and so on.
It is clear that the rules used to evaluate an SSCD are not useful for evaluating a remote electronic signature service. Julien proposes coining the acronym SSCS, Secure Signature-Creation Service (or System, says Jonathan Allin), and it is for this SSCS that the standards Jonathan Allin demanded must be developed.
He also made clear that, to this day, remote qualified electronic signature systems are not allowed in France. [Off-topic: Germany does not allow remote qualified electronic signature either.]

Norway is crystal clear. Rune Hagen explained what Norwegian BankID is and openly admitted that it neither generates qualified electronic signatures nor pretends to; it is simply a reasonably secure system for performing a large number of transactions, and both the banks and the state have let Norwegian citizens carry out many operations with it. While it has been a great source of efficiency for Norway, it is hardly exportable and cross-border recognition is even harder, among other reasons because of its reliance on banks and because the system is so far from the European initiatives on cross-border eIDs and signatures.

Austria, Peter Lipp tells us, holds that a secure signature creation device can be virtual, just as a national identity card can. That is how they have interpreted the European directive on electronic signatures, they have ruled accordingly, and their citizens can (only in Austria) produce qualified electronic signatures for a multitude of procedures. Honestly, I think it is a very loose interpretation of the directive and its requirements. The Norwegian way is a cleaner alternative.

Italy, however, has a very interesting approach. +Andrea Caccia explains that Italy allows remote qualified electronic signature, but the underlying system must pass a conformity assessment. There is a procedure (in Italian; thanks for the link, Andrea) which, depending on the level of compliance reached, indicates what additional requirements the system must meet to generate remote qualified electronic signatures.

And finally, +Franck Leroy talked about the work on the demanded standard, the CEN draft on server signing, TS 419 241: Security Requirements for Trustworthy Systems Supporting Server Signing. This is a multipart technical specification and work is currently focused on the first part, which will be a kind of presentation or overview. The following two parts correspond to the definition of the requirements for Levels 1 and 2, the intent being that Level 1 covers advanced electronic signature and Level 2 qualified electronic signature. Level 2 will require two-factor authentication: something I know and something I have. Is this the solution?
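To make the sole-control problem concrete, here is an added example (mine, not code from the workshop, the CEN draft or any vendor) of what a server-signing service gated by two factors could look like: the signing key stays on the server, standing in for an HSM-held key, and each signature is released only after a password (something I know) and a one-time code from a token device (something I have) both verify. The design choices beyond the page's text are assumptions: the token code is bound to the hash of the document being signed and to a counter, so a captured code cannot be replayed or redirected to another document. Real deployments would salt and stretch the password hash and keep the key in certified hardware.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// RemoteSigner is a hypothetical server-side signing service (added example).
// The private key never leaves the service; the signer authorises each
// signature with a password and a one-time code from her token device.
type RemoteSigner struct {
	key          *ecdsa.PrivateKey // stands in for an HSM-held signing key
	passwordHash [32]byte          // assumption: a real system would salt and stretch
	tokenSecret  []byte            // shared with the signer's token device
	counter      uint64            // per-signer counter, makes each code single use
}

// NewRemoteSigner enrols a signer: generates her key server-side and stores
// the verifier for the password and the secret shared with her token.
func NewRemoteSigner(password string, tokenSecret []byte) (*RemoteSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RemoteSigner{
		key:          key,
		passwordHash: sha256.Sum256([]byte(password)),
		tokenSecret:  tokenSecret,
	}, nil
}

// TokenCode is what the signer's token computes (assumed design): an HMAC over
// the document hash and the current counter, so the code authorises exactly one
// signature over exactly one document.
func TokenCode(secret, docHash []byte, counter uint64) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(docHash)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	return mac.Sum(nil)
}

// ErrNotAuthorised is returned whenever either factor fails to verify.
var ErrNotAuthorised = errors.New("signature activation refused")

// Sign releases a signature over docHash only if both factors verify.
func (s *RemoteSigner) Sign(docHash []byte, password string, code []byte) ([]byte, error) {
	ph := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(ph[:], s.passwordHash[:]) != 1 {
		return nil, ErrNotAuthorised
	}
	expected := TokenCode(s.tokenSecret, docHash, s.counter)
	if !hmac.Equal(expected, code) {
		return nil, ErrNotAuthorised
	}
	s.counter++ // the code has been consumed; a replay will not match
	return ecdsa.SignASN1(rand.Reader, s.key, docHash)
}

// PublicKey exposes the verification key, as a certificate would.
func (s *RemoteSigner) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// Verify checks a signature produced by the service.
func Verify(pub *ecdsa.PublicKey, docHash, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, docHash, sig)
}

func main() {
	secret := []byte("constructed-token-secret") // constructed sample value
	signer, err := NewRemoteSigner("correct horse", secret)
	if err != nil {
		panic(err)
	}
	doc := sha256.Sum256([]byte("constructed contract text")) // constructed document
	code := TokenCode(secret, doc[:], 0)                         // computed on the token
	sig, err := signer.Sign(doc[:], "correct horse", code)
	fmt.Println("signed:", err == nil, "verifies:", Verify(signer.PublicKey(), doc[:], sig))
	_, err = signer.Sign(doc[:], "correct horse", code) // same code again
	fmt.Println("replay refused:", err == ErrNotAuthorised)
}
```

The point the example makes is that "two-factor authentication" for Level 2 is only meaningful if the second factor authorises a specific signing operation, not merely a login session: a code that is not bound to the document would let the server (or anyone who compromised the session) sign something the signer never saw.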

From my point of view, if the division between advanced and qualified electronic signature created many doubts, paralyzed the market and generated much controversy, the definition of these two levels at best moves the problem elsewhere, and may actually worsen the doubt and paralysis. Is it possible to generate an AdES with a remote system without using strong authentication?

But, after all this, the most momentous question I leave with is this: is it necessary (or even feasible) to define two levels of electronic signature, both of which must be valid throughout the European Economic Area? What if we only regulated qualified electronic signature at the European level and let each country regulate the other levels, so they can invent solutions as efficient and effective as the Norwegian one?

