DESCRIPTION OF E-GOV 2.0 IMPLEMENTATION – Digital Signature Estonia

1. Implementation procedure

2. Implementation's characteristics

Estonia’s digital signature system has paved the way for some of its most useful e-services including Company Registration Portal, the nation’s groundbreaking i-voting system, electronic tax filing and DigiDoc – essentially any services that require signatures for their validity.

Because e-Estonia’s infrastructure is an open system, new services can always be integrated. Businesses can freely use the digital signature system as well, and have applied it to a variety of web-based services.

Estonia boasts one of the world’s most advanced digital signature systems thanks to two crucial developments:

  • In March 2000, Parliament passed a law giving electronic signatures the same legal weight as traditional paper signatures.
  • The nation’s groundbreaking electronic ID infrastructure has created an effective and universal system for secure identification.

When a website offers the digital signature option:

  1. The user has entered the information to be signed (tax declaration, ballot choices, contracts, etc.).
  2. The site asks the user if they would like to digitally sign the information.
  3. If the user clicks ‘yes’, a window from a third-party Certificate Center pops up, asking for the PIN codes connected to the user’s electronic ID Card.
  4. The Certificate Center verifies the codes and sends a confirmation back to the website.

SK’s activity is regulated by two governing laws. The Identity Documents Act describes the functions of the ID card as the primary identification document and establishes the document requirement for Estonian residents. Although the law does not apply directly to SK’s main activities and services, it is still associated with the ID card, which is SK’s key area of activity.

The Digital Signatures Act describes the concept of a digital signature valid in Estonia and the procedures and services connected to it, including SK’s main operation, which is issuing certificates. The law applies to ID card certificates and also to other SK certification services, which are issued in accordance with the digital signature law.

Alongside digital signature certificates, SK also issues certificates for technical purposes, such as device certificates. They cannot be used to give digital signatures; however, regulations and requirements such as the Certification Practice Statement still apply to them.

The Digital Signatures Act also defines the statutory audit and insurance claim for certification service providers.

 

Besides the laws concerning SK’s specific area of activity, all laws regulating business in Estonia also apply to us (General Principles of the Civil Code Act, Commercial Code, Law of Property Act).

The European Union has adopted Directive 1999/93/EC, “Community Framework for Electronic Signatures”, which defines the requirements for digital signatures and certification service providers. The directive describes several categories of certification and digital signatures. SK’s activity, the ID card and digital signatures given using the ID card correspond to the directive categories with the strictest requirements (advanced electronic signature, secure-signature-creation device, qualified certificate, certification-service-provider issuing qualified certificates).

More than 100 million digital signatures have been made in Estonia since the system became available.

 

  1. NAME OF WEBSITES / APPLICATION [in the primary language in which the service is provided]

SK (Certification Centre, legal name AS Sertifitseerimiskeskus)

  1. Website address:

https://www.sk.ee/en

 

  1. Page / application implementation procedure:

Name of the organization leading website / application: [Enter the name in the primary language in which the site is provided]    

SK (Certification Centre, legal name AS Sertifitseerimiskeskus) is Estonia’s primary and currently the only certification authority (CA), providing certificates for authentication and digital signing to national identity documents (ID-card, residence permit, Digi-ID, Mobiil-ID).

 

The core function of AS Sertifitseerimiskeskus (SK) is to ensure the reliability and integrity of the electronic infrastructure behind the Estonian ID-card project. We function as a CA, provide certificates to the card and also the services necessary for utilizing the certificates and giving legally binding digital signatures. We also function as a competence center for the ID-card and spread the knowledge necessary for creating electronic applications for the card. You can already give legally binding digital signatures in Estonia using applications based on SK’s DigiDoc architecture.

 

In addition, SK provides a certification service within the electronic tachograph project in Estonia, Latvia, Lithuania, and Denmark. Regarding certification services, we are also the partner of the Lithuanian mobile operator Omnitel.

 

Established in March 2001 by two leading Estonian banks, Hansapank (member of the Swedbank group) and SEB (member of SEB Group), and two telecom companies, Elion and EMT (members of the TeliaSonera group), SK has the backing of the Estonian and Nordic financial and telecom sectors.

 

 

Type of institution leading website / application (please choose one item from the list):

– Implementation carried out by private entity

 

Financing method:

– Private funds – enterprises

– Financing / co-financing from public funds as a grant

 

Application launching year: 2002

 

Application technology:

The approach is platform independent. Sample web-based and Java solutions have been prepared.

The sample code was created on Ubuntu 12.04 Long-Term Support, a.k.a. Precise Pangolin (64-bit), using the default package versions:

apache2 2.2.22-1ubuntu1.4

php5 5.3.10-1ubuntu3

php5-dev 5.3.10-1ubuntu3

php5-curl 5.3.10-1ubuntu3

swig 2.0.4+really2.0.4-4ubuntu2

Out of the box, this platform contains old DigiDoc libraries. To use the new libraries, the following script should be downloaded and executed from the command line: https://installer.id.ee/media/install-scripts/install-esteid-ubuntu.sh

 

Dependencies of the Java command line utility

To compile the Java command line utility, the following packages must be installed on the computer:

openjdk-7-jdk

ant 1.8.2-4build1

The following external packages must also be installed:

JDigiDoc 3.8.1.709

esteidtestcerts

The deployment scripts and configuration of the Java command line application are designed for installing the application on the same computer where the claims service is installed. If this is not the case, the deployment scripts and configuration files will probably need suitable changes. In that case the DigiDoc libraries must also be installed.

 

The popularity of the page / application: More than 100 million digital signatures have been made in Estonia since the system became available.


  1. Characteristics of implementation:

 

Following are a number of issues and questions that have been solved when implementing the Estonian ID card and digital signature infrastructure.

Certificate profiles and e-mail addresses

The certificates on Estonian ID cards are standard X509v3 certificates. The authentication certificate contains the card holder’s e-mail address. The certificate profile is available in a separate document.

Certificate validity verification methods

According to the Estonian DSA, CSP-s must provide “a method of verifying certificate validity online”. SK, as the issuer of certificates to ID cards, provides users with three ways of checking certificate validity.

CRL-s are provided, containing the list of suspended and revoked certificates. CRL-s are a standard but outdated method: as of January 2003, the CRL size had grown to over 1 MB in one year, and it is not very convenient to use. CRL-s are mainly provided for backwards compatibility and standards compliance. SK updates its CRL twice a day. Delta CRL-s are not provided.

The second method is an LDAP directory, containing all valid certificates. The directory is updated in real time – if a certificate is activated, it is uploaded to the directory, and if it is suspended or revoked, it is removed from there. Among other things, this provides everyone a chance of finding the e-mail address of any ID card holder. Restrictions are in effect as to the maximum number of responses returned to one LDAP query to protect against server overload.

The most convenient method of verifying certificate validity is SK-s OCSP service. It can be used for simple certificate validity confirmations, but also for validity confirmations (“notary confirmations”) to digital signatures. SK provides a standard OCSP service compliant with RFC 2560. An important detail is that according to the RFC, OCSP responses are supposed to be based on CRL-s and therefore may not necessarily reflect the actual certificate status. In contrast, SK has implemented its OCSP service in such a way that it operates directly off its master CA certificate database and does not use CRL-s. Thus, SK-s OCSP responses reflect actual (real-time) certificate status. In terms of the RFC, the response’s thisUpdate and producedAt fields are equivalent.

OCSP, time-stamping and evidentiary value of digital signatures

For legally binding digital signatures, time is an extremely important factor. According to the Estonian DSA as well as common sense, only signatures given using a valid certificate are to be considered valid. On the other hand, to provide remedy to the risk that the signing device (ID card) may be stolen together with PIN-s and digital signatures could be given on behalf of the user by someone else, users have the chance of suspending their certificate validity using a 24-hour telephone hotline operated by SK. With these two concepts combined, users must be able to clearly differentiate the signatures given using a valid certificate from those given using a suspended or revoked certificate. Thus, there is a need for a time-stamping and validity confirmation service which binds the signature, time and certificate validity.

Another important concept concerning signature validity is that the signature must be valid also when the certificate has already expired or been revoked. If a certificate is suspended by the card holder or anyone else, the card holder can reactivate it at a bank office.

A number of experimental time-stamping protocols and technologies have been proposed, but there is no common understanding or agreement on time-stamping, and the experimental technologies are under constant development and not in mass use. Thus, an innovative approach was needed. SK chose to base its time-stamping implementation on standard OCSP. The protocol contains a Nonce field, which protects against replay attacks. Instead of cryptographically random data, the Nonce field is set to contain the hash of the data to be signed, because it can also be interpreted as just a random number. According to the RFC, the OCSP responder signs its response, which in SK-s case contains the original nonce (document hash), the response providing/signing time and the ID of the certificate used to give the signature, binding the three pieces of data together and providing the validity confirmation for the digital signature. SK stores the signed response in its log as evidence material.
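The binding described above can be sketched as a relying-party check. This is an added example, not SK or DigiDoc code: the function names, the dictionary layout and the use of SHA-256 are assumptions, and an HMAC over a constructed key stands in for the responder's real asymmetric signature so the sketch runs with the standard library only.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Stand-in only: a real OCSP responder signs with its private key (asymmetric);
# an HMAC over a constructed demo key keeps this sketch stdlib-only.
RESPONDER_KEY = b"constructed-demo-key"

def doc_nonce(document: bytes) -> str:
    """Nonce = hash of the data to be signed (SHA-256 is an assumption here)."""
    return hashlib.sha256(document).hexdigest()

def _seal(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RESPONDER_KEY, msg, hashlib.sha256).hexdigest()

def respond(status_db: dict, cert_id: str, nonce: str, now: datetime) -> dict:
    """Toy responder: reads live status (no CRL) and seals nonce + time + cert ID."""
    body = {"certID": cert_id, "nonce": nonce, "producedAt": now.isoformat(),
            "status": status_db.get(cert_id, "unknown")}
    return {**body, "sig": _seal(body)}

def confirmation_holds(document: bytes, signer_cert_id: str, response: dict) -> bool:
    """Relying-party check of a stored validity confirmation."""
    body = {k: v for k, v in response.items() if k != "sig"}
    if not hmac.compare_digest(_seal(body), str(response.get("sig", ""))):
        return False  # response altered after the responder sealed it
    if body.get("nonce") != doc_nonce(document):
        return False  # confirmation was issued for a different document
    if body.get("certID") != signer_cert_id:
        return False  # confirmation names another certificate
    return body.get("status") == "good"

def demo() -> tuple:
    cert, doc = "constructed-serial-1001", b"constructed tax declaration"
    db = {cert: "good"}
    t1 = datetime(2015, 3, 6, 8, 19, tzinfo=timezone.utc)
    early = respond(db, cert, doc_nonce(doc), t1)      # signed while cert was valid
    db[cert] = "suspended"                             # holder calls the hotline
    late = respond(db, cert, doc_nonce(doc), t1.replace(hour=9))
    return (confirmation_holds(doc, cert, early),      # evidence predates suspension
            confirmation_holds(doc, cert, late),       # signed after suspension
            confirmation_holds(b"other text", cert, early))  # wrong document

if __name__ == "__main__":
    print(demo())
```

The confirmation obtained before the suspension stays valid evidence afterwards, which is the property the text requires of signatures whose certificate is later suspended, revoked or expired.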

Digital signature usage statistics

 

On 06.03.2015 08:19

Digital signatures: 203 574 757

Active cards: 1 239 279

Electronic authentications: 330 802 597

References

  1. Digital Signature Act. http://www.legaltext.ee/text/en/X30081K4.htm Retrieved 06.03.2015.
  2. “Estonian ID legislation”. https://www.sk.ee/en/repository/legislation Retrieved 06.03.2015.

3. Detailed description categories

Service's/Application's integration to social networking sites
  • Yes
Is the connection encrypted?
  • Yes

4. Service's/Application's integration with social networking sites

As for:
The project does not have its own profiles on networking sites:

5. Screen gallery