1 PostSignum QCA Qualified certificate, findings Lukáš Jakubík FI MU 2010 2 Motivation Qualified certificate provides a secure electronic signature of a person or organization under the Act Use for individuals and businesses communication with state, electronic submission before the submission of a hardcopy ... Legislation § 227/2000 Coll. in revised, the electronic signature Decree 496/2004, the electronic registrar ... 3 Qualification of certificate § 11 227/2000 Coll. novelized in 226/2002 Sb. In the area of public policy is to be used only advanced electronic signatures and qualified certificates issued by accredited certification service provider. This also applies to the exercise of public authority against natural and legal persons. If the advanced electronic signature based on a qualified certificate used in public authorities, professional certificate must contain such information that the person was clearly identifiable. 4 PostSignum CA owned by Česká pošta, state-owned enterprise One of the three qualified CAs registered and accredited Ministry of informatics, then Ministry of interior Issues qualified certificates from 9 / 2005 and qualified time stamps from 7 / 2009 Benefits MPSV identification - the pseudonymous identification, unique number to the Ministry of labour and social affairs, Tax offices, Czech Social Security Administration and Employment offices from 5 / 2010 included in the list of Microsoft Root CA spread and accessibility of post offices with CzechPOINT cheaper service (200 ~ 400 CZK), familiar surroundings 5 Requirements Generated key pair (online through IE / offline) Electronic certificate request, signed public key with private key pair (CMS) 2 completed copies of the Agreement on the Provision of Certification Services with Czech Post 2 completed paper forms containing attributes of requested certificate 2 identification cards Voucher / cash / maxkarta ~ no debetcard supported Time 6 Key generation Online generation in IE (rather) not tested Offline PostSignum Tool Plus is a portable application available for Windows, Linux and MacOS running the JRE It is suitable for the generation a key pair and then all types of certificate’s request, which gives PostSignum It uses the familiar file structure according to the PKCS, hidden in a password-protected directory ~ it means encrypted by "directory password" Password is loaded in the memory as long as you are working with the program 7 Program GUI, Windows 8 Folder content 9 Program GUI, Ubuntu 10 Folder content 11 Certificate’s request procedure Certificate’s request shall be filed in person Worker checks the paper formalities documents (makes a copy) and in her system filled parties for future cooperation complete the application form for a certificate under loaded from a USB flash drive electronic application complete revocation strong password a certificate of issuing a certificate printed with that strong password ☺ she is nice and skilled (2 successes from about 5 per day) Signing all agreements and forms Certificate will be released / delivered on the Web 12 Workspace of QCA 13 Issued certificate, attributes Certificate: … Signature Algorithm: sha256WithRSAEncryption Issuer: C=CZ, O=\xC4\x8Cesk\xC3\xA1 po\xC5\xA1ta, s.p. [I\xC4\x8C 47114983], CN=PostSignum Qualified CA 2 Validity Not Before: Oct 21 16:46:00 2010 GMT Not After : Oct 21 16:46:00 2011 GMT Subject: C=CZ, OU=P250905, CN=Lukas Jakubik/serialNumber=P250905 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit) … 14 Issued certificate, attributes … X509v3 extensions: X509v3 Subject Alternative Name: email:lukas.jakubik@gmail.com, othername:, othername: X509v3 Basic Constraints: CA:FALSE X509v3 Certificate Policies: Policy: 2.23.134.1.4.1.7.200 User Notice: Explicit Text: Tento kvalifikovany certifikat byl vydan podle zakona 227/2000Sb. a navaznych predpisu./This qualified certificate was issued according to Law No 227/2000Coll. and related regulations CPS: http://www.postsignum.cz X509v3 Key Usage: critical Digital Signature, Non Repudiation, Key Encipherment … 15 Certification policy Certificate Policy defines the way of issuing a certificate, the next administration, use, acceptance, termination, revocation, etc. The structure of international politics is given RFC 3647, later taken over by local Decree 378/2006 Example: PostSignum CP for QCA from 1 / 2010 3rd Identification and authentication – the certification, the revocation 4th Certificate Life Cycle – OCSP not provided 6th Technical safety – ensuring the QCA 7th Certificate profile – a table showing the properties 9th Other business and legal affairs - disclaimer 16 Certification policy, findings The right version of the agreement, that is a person not conducting business is important Knowledge of the policies in full (thankfully) can not be expected from workers 3.1.4 Rules for interpreting various name forms ... to transmit requests for certificates in the form in which they are listed in the submitted documents. Transcription, such as the removal of diacritics, it is not possible … ~ Lukáš Jakubík has the CN = Lukas Jakubik Certificate may be revoked by decision of the manager of QCA or the staff of Ministry of interior 17 Certification validation 18 Conclusion Lukáš Nevosád, 2005 Despite the complexity of the process of obtaining evaluate the achievement of the Czech Post in the affirmative and I believe it will contribute to spread use of e-signatures in the country. But I can not resist the impression that the whole process could be greatly simplified and automated. Indeed, it is necessary to spend 12 signatures per electronic signatures? Lukáš Jakubík, 2010 Getting a qualified certificate is not a hard time, but the process will complete successfully only prepared. The course of the process is beyond reproach, I think the post office has a path to the electronic signature even quite human face. It is needed only 8-10 signatures… Thank you for your attention 19 Links Collection of laws http://www.postsignum.cz/offline_generovani_zadosti.html http://tools.ietf.org/html/rfc3647 http://www.mvcr.cz/clanek/informace-k-pouzivani- kvalifikovanych-certifikatu-pro-elektronicky-podpis-a-zaroven- pro-autentizaci-a-sifrovani.aspx http://www.mvcr.cz/clanek/aktualni-situace-v-oblasti-uznavani- zahranicnich-kvalifikovanych-certifikatu.aspx http://www.lupa.cz/clanky/jak-jsem-si-poridil-elektronicky- podpis-ceske-posty/