From: Markus K. <ma...@pr...> - 2016-04-04 08:08:19
On 03/31/2016 09:34 AM, André Clerc wrote:
> Dear SignServer developer
>
> On behalf of a customer, I send you this e-mail because he is interested in a signing solution. Unlike to CRS, where a CA creates and signs certificates, the customer would like to have signed hash values (e.g.: hash of a document, code, etc.). These hash values refer to a document will be produced by an external application (please see illustration below or in the attachment).
>
> As a special criteria the customer is interested in particular for a possible implementation of the *level 2 sole control* regarding TS 419 241 respectively EN 419 241. Our understanding with respect to level 2 sole control I have added to the PS. If EJBCA does currently not support level 2 sole control, what is the size of the estimated effort/cost and what kind of problems there are still to be resolved.
>
> Yours sincerely
>
> André Clerc
>
> *PS:* Our understanding with respect to Level 2 Sole Control is such that, a commitment to release a signature has to be protected by multiple factors. One allowed way for a multi-factor authentication is provided by the signature creation device itself. Another method is a multi-factor authentication of the signer by the server signing application followed by a commitment protected by 1 factor (please review the attached diagram in the slide 13 and 17) in a secure way.
>

Hi André,

I have only had a quick look but from what I have seen I agree with your understanding that in the level 2 you would need to have some support for this provided by the SSCD itself. I am not sure what devices exist with this functionality though.

Cheers,
Markus

> --
> André Clerc
> Expert IT Security Consultant
>
> *TEMET AG*
> Basteiplatz 5, CH-8001 Zürich
> T: +41 79 222 22 54 | Büro: +41 44 302 24 42
> and...@te... <mailto:and...@te...> | www.temet.ch <http://www.temet.ch/>