The latest version was saved by David Blanco Giró on 2012-10-25 10:21:54.
This document is the English translation of the original one in Spanish (https://www.tractis.com/contracts/379026695). This English translation is provided for user convenience, but it is not binding. The Spanish original is the only legally binding document between you and Tractis.
Tractis Validation Policy Statement
Tractis provides its clients, as well as some of the services that are part of its own infrastructure, with a validation service for signatures and X509 v3 identity certificates.
To provide this service, a Semantic Validation Authority has been created as the entity in charge of carrying out the processes for the validation of cryptographic materials according to definable validation criteria.
This definition of validation contexts, which is what makes the validation authority a semantic one, implements the specifications set forth in RFC 3125 (Electronic Signature Policies) and other equivalent documents issued by ETSI covering the definition of signature policies in signature creation and validation processes.
The main specifications followed in setting up this service were:
- DSS Core 1.0 and the DSS Timestamp profile for the service signature formats and request/response protocols.
- XAdES 1.3.2 for signature formats and time stamps.
- RFC 3125 in respect of signature policies.
- SVA: Semantic Validation Authority
- TSA: Time Stamp Authority
- DSS: Digital Signature Services
- OASIS: Organization for the Advancement of Structured Information Standards
- XMLdSIG: XML Digital Signature
- XAdES: XML Advanced Electronic Signatures
- CPD: Data Processing Center
- CA: Certification Authority
- CRL: Certificate Revocation List
- OCSP: Online Certificate Status Protocol
- RFC: Request For Comments
- Document reference: urn:tractis:pki:svp:1.0
- Location: https://www.tractis.com/pki/svp/1.0
3. Document Objective
This document defines the service characteristics of the Tractis Semantic Validation Authority, the communication protocols supported, the request formats accepted and the standards this service adheres to.
4. Service provision framework
This document expands on and further specifies the provisions regarding services based on digital signatures described in the document Tractis Certification Practices for the Semantic Validation Authority Services Statement, also known as Signature Validation Service.
Hence, the general framework under which this service is provided is defined in the aforementioned document, leaving to this document the sole task of defining the special features of the Semantic Validation Authority.
5. Service description
Tractis can validate different types of cryptographic materials. Regarding their nature, Tractis can validate:
- Advanced digital signatures in XAdES format.
- X509 v3 identity certificates.
Although Tractis has internal services that can validate other cryptographic materials, at the time of writing this document the only validation services offered to its clients are those mentioned herein.
5.1. Service motivation
Tractis offers its clients on-line contracting services based on different types of digital signatures. In terms of the nature of the signatures, Tractis accepts everything from signatures based on the allegation of identity and clickwrap acceptance to Advanced Electronic Signatures with recognized Certificates.
For these latter cases, an infrastructure that validates the generated signatures is needed in order to check that the signatures have been made according to the criteria that qualify them as valid signatures. In this way, Tractis clients are given sufficient guarantee that the signature was executed with a valid certificate and is cryptographically valid.
Developing this kind of infrastructure with all the necessary rigor is complex, both in its development and in its maintenance. This is why Tractis, which has the know-how, software and infrastructure, is bringing its Semantic Validation Authority to the market, so that its clients can make use of it without incurring its set-up and running costs.
5.2. Communication protocol
Such an infrastructure must conform to all prevailing market standards in defining the service performance parameters. This applies both to the expected performance of the infrastructure and to the communication protocols used to access it.
Consequently, the Tractis SVA adheres to the DSS communication protocol, defined by the OASIS consortium, to provide its digital signature services. As a result, clients can connect to the Tractis SVA by following the standard documentation or, alternatively, by using any of the clients available on the market.
Tractis SVA offers its services using the DSS 1.0 protocol from the OASIS consortium.
More details and advice on integrating with the SVA appear in the section corresponding to the SVA in the Tractis Help, but these fall beyond the scope of this document.
6. Service components
The system micro-architecture is confidential internal data and is operated by Tractis exclusively. Notwithstanding this, the collection of services that Tractis offers to the market is public.
Tractis offers the following callable components within its SVA:
- Signature validation service.
- Certificate validation service.
6.1. Signature validation service
Tractis offers an XAdES advanced signature validation service.
Tractis accepts XAdES signatures from form BES to form C. By default, Tractis will validate signatures according to the information contained in them and the information that the SVA holds in its internal repositories.
Tractis will let clients request the completion of signatures, taking them from form BES to form C.
The signature validation process uses the Certificate Validation Service as part of its business logic. The terms for this part of the process are defined under the Certificate Validation Service.
NOTE: For further detail on the different XAdES signature forms, their topology and their completion processes, refer to the document on XAdES published by ETSI.
6.1.1. Signature completion
XAdES, like many other advanced signature formats, defines the concept of signature completion.
Through this process, information can be added at the time of signature validation that will facilitate future validation. This also makes the signature more interoperable: the more of the necessary information is added to the validation process, the fewer degrees of freedom remain at validation time and, hence, the higher the probability of correctly validating the signature in other systems.
The completion process adds, among other things, time stamps that bound the instant at which the signature was created and revocation information (such as CRLs and OCSP responses).
The different completion processes, as well as the different types of signatures arising from them, are defined in the XAdES documentation published by ETSI.
6.1.2. Time stamps
Creating time stamps on the signature may be required as part of the completion process. The Tractis SVA will delegate to the Tractis TSA the creation of these time stamps. The details on the service policy of this TSA can be found in the document "Tractis Time Stamping Policy Statement" (https://www.tractis.com/tsa_policy).
6.1.3. Standards implemented
The Tractis signature validation service implements the provisions in:
- DSS 1.0 from OASIS
- ETSI XAdES 1.3.2
- RFC 3125
6.2. Certificate validation service
By means of this service, Tractis makes it possible to validate X509 v3 certificates. This service is used by third-party services that use digital certificates in processes such as portal authentication, but where the validation of the electronic signature or equivalent proof of possession takes place in another system outside Tractis's control, presumably the calling service.
Tractis offers a multi-CA validation service. This way, clients can validate the different profiles from each of the supported CAs. The supported authorities are from diverse European countries and are catalogued by Tractis according to the nature of the certificate profiles they offer.
NOTE: The number of CAs and profiles supported will grow over time according to strategic criteria defined by Tractis. The concrete list is published in the Help section of the Tractis site.
6.2.1. Implemented standards
The Tractis certificate validation service implements the provisions in:
- Certification Path Building RFC 4158
- RFC 3280
- RFC 3125 (with respect to parameters affecting the validation of certificates)
6.2.2. Status validation protocols supported
The certificate validation service needs to consult the status of the certificates it is validating. To do that it consults their status with the issuing CAs. This service can consult the certificate status by means of:
- Delta CRLs
These resources can be consulted through different communication protocols, among them HTTP/s, LDAP, FTP, etc.
7. Signature policies
As noted in previous sections, the services described implement the signature policy concepts.
These policies allow some service-related parameters to be configured. This configuration gives the user the ability to restrict the parameters of the different services to fit the particular requirements of each client.
Through this configuration capability, clients are able to deem valid only the certificates from a closed set of CAs, accept only some types of certificates or even define which signature algorithms and key sizes are accepted.
The definition of the concrete parameters can be consulted in the signature policies standard documentation and goes beyond the scope of this document.
8. Activity logs and auditing
All SVA activity logging falls within the general activity log management scheme defined in the Tractis CPS.
The services provided by the Tractis SVA use a number of virtual objects to carry out their validation processes. These objects are known as electronic evidence and may be required both for future validations and, under court order, as forensic evidence in legal proceedings.
To guarantee that these materials are preserved and not altered, they will be kept in the Tractis Long Term Archiving Service and protected in accordance with the data protection and custody-period requirements set out in the legislation in effect.
The SVA administration covers systems management processes and the management of signature policies and supported certificate profiles. All processes will follow the authentication and event logging criteria defined in the Tractis CPS.
8.2. Administration personnel
The administration, monitoring and maintenance of the SVA systems will be performed only by personnel belonging to the Tractis Core Development Team.
9. Physical, management and operations security controls
These matters follow the provisions in the Tractis CPS.
10. Dispute resolution
This section follows the provisions in the Tractis CPS under Party Identification in Dispute Resolution.
11. Discontinuation of the service
This section follows the provisions in the Tractis CPS.
12. Disaster contingencies
This section follows the provisions in the Tractis CPS.
13. Referenced documents
- DSS core 1.0.- http://docs.oasis-open.org/dss/v1.0/oasis-dss-core-spec-v1.0-os.html
- ETSI TS 102 023.- Available on the ETSI portal.
- RFC 3125.- http://www.ietf.org/rfc/rfc3125.txt
- RFC 4158.- http://www.ietf.org/rfc/rfc4158.txt
- RFC 3280.- http://www.ietf.org/rfc/rfc3280.txt