filmov
tv
Creating a technically valid but legally invalid EU Qualified Electronic Signature
Показать описание
The EU-developed eSignature DSS library and the Estonian DigiDoc software (and possibly software used in other EU member states) contain a flaw in the signature validation logic that allows the creation of legally invalid qualified electronic signatures (QES) that are recognized by the affected validation software as valid. The problem lies in the acceptance of outdated revocation information which enables the creation of signatures after the signer's certificate has been revoked and thus such a signature should not have legal effect.
Details:
According to law (EU eIDAS regulation article 32(1)(b)), only signatures that have been created when the signatory's certificate was valid are legally valid. To prove that the signature was made when the signatory's certificate was valid, a digital signature container must include a timestamp that shows the existance of the signature at time T, as well as an OCSP response produced after T.
The flawed software versions will also accept signatures where the signing time (the time shown in the timestamp) is after the time shown in the positive OCSP validity response.
The video demonstrates how such a legally invalid qualified electronic signature is created. First, a positive OCSP response is obtained and then the certificate is revoked by calling the certificate issuer's helpline. After that, a document is signed and timestamped. Since the signature is created and timestamped after the certificate was revoked, according to law, the qualified electronic signature is not legally valid. To convince the court that this signature is void, the signatory will have to show certificate revocation records obtained from the certificate issuer (in this case - SK ID Solutions AS), which will clearly show that the signature was created (timestamped) after the certificate was revoked.
Vendor's response:
Test case:
Timeline (Estonian DigiDoc software):
2017-06-20 - The ID-software v17.6 containing the flawed validation code released
2019-07-31 - RIA (Estonian Information System Authority) informed about the flaw
2020-01-30 - Patched ID-software v20.01 released
Details:
According to law (EU eIDAS regulation article 32(1)(b)), only signatures that have been created when the signatory's certificate was valid are legally valid. To prove that the signature was made when the signatory's certificate was valid, a digital signature container must include a timestamp that shows the existance of the signature at time T, as well as an OCSP response produced after T.
The flawed software versions will also accept signatures where the signing time (the time shown in the timestamp) is after the time shown in the positive OCSP validity response.
The video demonstrates how such a legally invalid qualified electronic signature is created. First, a positive OCSP response is obtained and then the certificate is revoked by calling the certificate issuer's helpline. After that, a document is signed and timestamped. Since the signature is created and timestamped after the certificate was revoked, according to law, the qualified electronic signature is not legally valid. To convince the court that this signature is void, the signatory will have to show certificate revocation records obtained from the certificate issuer (in this case - SK ID Solutions AS), which will clearly show that the signature was created (timestamped) after the certificate was revoked.
Vendor's response:
Test case:
Timeline (Estonian DigiDoc software):
2017-06-20 - The ID-software v17.6 containing the flawed validation code released
2019-07-31 - RIA (Estonian Information System Authority) informed about the flaw
2020-01-30 - Patched ID-software v20.01 released
0:21:57
0:16:38
1:49:37
0:33:29
0:01:38
0:05:51
0:11:36
0:00:31
0:00:48
0:00:55
0:00:32
0:00:47
0:00:53
0:00:45
0:10:10
0:00:08
0:00:47
0:24:14
0:00:43
0:00:59
0:00:42
0:00:43
0:00:51