
The OpenXAdES Concept
The concept of this site and the whole OpenXAdES project is to bring legally
binding digital signatures into everyday life and business practices.
The above sounds easy enough, but it is a challenge to actually accomplish.
People and businesses often view digital signature and ID card projects merely
as interesting toys or technology demonstrations, and not something that can
make our lives better. Yet it can, if used and applied smartly.
What is OpenXAdES?
In a nutshell, OpenXAdES is technology that enables people to work with legally
binding digital signatures. Primarily that means giving and verifying them. Legislation often
defines a set of requirements that legal digital signature technologies and
infrastructures must be compliant with, and OpenXAdES aims at meeting many,
if not all, such requirements from different legislations that we consider to
be reasonable.
OpenXAdES is:
- Document format. OpenXAdES specifies the format that is used
for storing original signed documents (in any format), signatures given
to those documents and the associated technical information. It is based
on the XML-DSIG (XML Digital Signatures) standard by W3C and the XAdES
(XML Advanced Electronic Signatures) technical standard published by ETSI
(European Telecommunications Standards Institute).
- Program libraries. OpenXAdES provides libraries in C and Java
for document creation, signing and verification.
OpenXAdES libraries are used for end-user tools currently branded as "DigiDoc":
- Client program. DigiDoc Client is a simple Windows client program for working with OpenXAdES
documents.
- Web portal. The portal software is based
on the OpenXAdES libraries and lets people work with digital documents and
signatures without the need to install any additional software. Both the
client and the portal are based on the same OpenXAdES libraries that are
made available for other developers in the download area.
DigiDoc Portal is available for users
with an Estonian ID-card.
Who is OpenXAdES meant for?
The main goal of OpenXAdES is to promote regional, national and international
legal digital signature interoperability. We want people and businesses
to be able to do local and international legal communication using legal digital
signatures provided by OpenXAdES.
This means that OpenXAdES is mainly directed at the parties in each community
that are responsible for providing certificates and validity services - that
is, Certificate Authorities/Certification Service Providers. This means not
only governmental projects, but also commercial initiatives. OpenXAdES requires
that the CA provide validity services that OpenXAdES-compliant clients can use.
However, adopting digital signatures is a complex process and a lot of different
parties are involved - legislators, security technology vendors, software and
hardware providers and integrators, end user interest groups etc. We encourage
anybody interested in promoting our goal of secure and legal digital signature
interoperability to contact us directly or through the mailing lists to determine
how you may help us further our (and your) goals.
Guiding principles
These are the guiding principles that drive the development of OpenXAdES.
- Digital signature is universal. Think of your handwritten signature.
Whether you sign a paper as a citizen, the CEO of your company, the
head of some nonprofit hobby association or as a bank customer - the scribbling that
you draw on paper and that is called a signature always looks the same,
regardless of your role. Whether you were indeed authorized to sign the
document, whether you agreed to its content, and other such questions are
totally different matters, just as in the traditional world. Although OpenXAdES
is to some extent suitable for addressing some of them, those are not our
focus areas - we aim merely at providing users a way of working with legally
binding digital signatures.
- Document must be self-contained: no additional validation services
should be needed for verification after the signature has been created and
saved. OpenXAdES documents are self-contained:
they contain the digital signature, original signed data and all other data
necessary for document verification. Using the data in the document file,
it is possible to firmly establish whether the digital signatures are valid
(whether the certificate was valid at the time of signing etc).
- Legislation is important. Since we are talking about legally
binding signatures, the legal framework for digital signatures is critical. Different
countries have different digital signature regulation, but we have created
OpenXAdES to be as flexible and universal as possible, so there is a chance
that it is already compliant also with the regulation in your country. To date,
we can say that OpenXAdES complies fully with Estonian digital signature regulation, as
well as the EU directive 1999/93/EC, regulating the general use of digital
signatures within the EU.
Additionally, when talking about legislation,
we cannot concentrate only on strictly digital signature and PKI-related
acts: whether you can use digital signatures or not depends also on the
legislation of other generic areas of life, e.g. administrative procedure,
civil relations, court proceedings etc. A number of European countries are
at a disadvantage in this respect: although digital signature law is in
place, other laws foresee that documents can only be used on paper. Estonia
is in a good position because many of the country's laws have been just
recently passed or updated to reflect the vision described above: digital
documents and paper documents should be used interchangeably in everyday
life in private and business relations and should be considered equivalent
in all respects.
- PKI hype is over, business value is important. It is no longer
the year 2000, when technology opened all the doors (and buzzwords guaranteed
immediate funding). OpenXAdES is heavily based on PKI technology, but PKI
is used with a focus on added business value to organizations
and end users. This may sound painful to some PKI enthusiasts: many PKI
projects carried out so far do not justify the costs incurred and do not add
significant value to anybody. OpenXAdES tries to avoid this pitfall by trying
to be as simple and bare-bones as possible, while adding considerable value
to any business process which uses legal documents.
- Open standards and trust are critical for user confidence and interoperability.
Digital signatures and the whole PKI are based on trust and confidence
- implementers and end users need to be aware of what actions cause what
outcomes in the system, and that the system is really doing what it claims
to be doing. This is why OpenXAdES is distributed as open source, free software,
and is based on the public XAdES standard - anyone can examine the
project and document internals if necessary. This is also why OpenXAdES
does not use any heavyweight and cutting-edge timestamping protocol for
signature timing and validation - instead, it uses the lightweight and proven
standard OCSP.
- Our main competitor is pen and paper. Remember that we are talking
about giving signatures to documents. This has been done the same way for
many hundreds and thousands of years. Telling people that it can also be
done differently is a very complex task and you are facing fierce competition
from traditional signing tools, pen and paper. If you cannot explain the
benefits of the new method to people and organizations and do not credibly
demonstrate that it is more cost effective to them, you will fail and people
will continue using paper documents.
- PKI business model must be based on certificates and corporate services,
not end-user services and transactions. This is a direct consequence
of the above point. Understanding and accepting the new system is already
hard enough for people. If you want to charge them a lot for using the digital
signature, they won't ever use it. One place where people can be charged is the issuing of
a certificate to them, but after that, it should be free, both the services
and the software.
Advantages
This is why we think that the OpenXAdES approach is the best way to bring
digital signatures into everyday life.
- It lets you capitalize on already existing IT investment. Much
of the infrastructure that is necessary for using digital signatures is
already in place. Most people and businesses have access to PCs and the
Internet.
Countries and communities are starting to distribute universal national
or regional ID cards. Having an ID card and access to a smartcard-reader-equipped
PC should be the only thing a person needs for using the digital signature.
- The costs to businesses and end users are limited. OpenXAdES
requires some investment from the CA service provider for providing certificate
validity information, but not much else. We do not need to construct complex,
expensive PKIs for each different service: single PKIs, perhaps even on
a national scale such as in Estonia, are suitable for all purposes.
- People can understand digital signatures. Complexity has been
the key inhibitor in successfully providing PKI services to end users, and
much of that complexity is due to the fact that current services and products
have been specific to one service or organization only. People have
to learn new approaches and new interfaces for each communication pattern,
and it is very frustrating. Having a single certificate and PIN code for
all digital signature purposes is all that a person needs, and people
can also understand this, exactly as they can understand using ATM cards
and mobile phones.
- It is secure. When people have only a single token to look after,
they know they have to be very careful with it. If a single card carries
the authentication and digital signature functions, as in Estonia, security-critical
functions can be easily established and maintained, such as a round-the-clock
helpdesk for suspending card and certificate validity in case of loss or
theft. Problems associated with outdated or insecure passwords are eliminated,
as smartcard- and certificate-based authentication gains momentum.