The document discusses the role and functions of a Trusted Archive Authority (TAA). A TAA is responsible for long-term storage of data and ensuring evidence of data integrity over time. The document outlines the key components and functionalities needed to enable a TAA service, including policies, procedures, infrastructure design, security, and audit capabilities. It also discusses document management systems, electronic signatures, timestamping, and other relevant standards and technologies.

1. TAA-Trusted Archive Authority Presented by Jan Biets [email_address] +32(0)477 32 90 11 Mechelen - Belgium

4. TSA E-SIGN CA - PKI ERS Management LAW Policy Security Business Process User interface Agenda

5. Agenda law & standards managed documented other modules operations TAA

6. RFC3281 : An Internet Attribute Certificate Profile for Authorization RFC3280 : Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile R FC3369 :Cryptographic Message Syntax (CMS) RFC3126 : Electronic Signature Formats for long term electronic signaturesRFC3161 : Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) RFC2459 : Internet X.509 Public Key Infrastructure Certificate and CRL Profile PKCS#7 : Cryptographic Message Syntax Standard PKCS#11 : Cryptographic Token Interface Standard PKCS#12 : Personal Information Exchange Syntax Standard FIPS PUB 186-2 digital signature standard RfC 4871 - DomainKeys Identified Mail (DKIM) Signatures DomainKeys Identified Mail (DKIM) Service Overview draft-ietf-dkim-overview-10 (11 juli 2008)RfC 3280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileRfC 5055 - Server-Based Certificate Validation Protocol (SCVP)RfC 3379 - Delegated Path Validation and Delegated Path Discovery Protocol RequirementsETSI 201 733 - ETSI Electronic Signatures and InfrastructuresACVS: An Advanced Certificate [RFC0989] Linn, J. and IAB Privacy Task Force, "Privacy enhancement for Internet electronic mail: Part I: Message encipherment and authentication procedures", RFC 0989, February 1987.[RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April 2001.[RFC3164] Lonvick, C., "The BSD Syslog Protocol", RFC 3164, August 2001.[RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004.[RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys Identified Mail (DKIM)", RFC 4686, September 2006. INTERNET DRAFT DKIM Service Overview February 2008 Hansen, et al. Informational [RFC4870] Delany, M., "Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys)", RFC 4870, May 2007. [RFC4871] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., and M. Thomas, "DomainKeys Identified Mail (DKIM) Signatures", RFC 4871, May 2007. TAA – the complexity (?)

7. TAA – functional architectural design IAM CA TSA DMS ERS i-Sign HW Event logging (audit trail) storage SA* Abbreviations : IAM – identity & access management CA – Certification authority RA – registration authority SA – “source authentic” ERS – Evidence record syntax

12. TAA - TSA Abbreviations : TSA - Timestamp Authority , ETSI TS 102 023

14. TAA - management

17. TAA – Risk assessment 360° (off-site) Back-up policy ICT room policies processes People & staff Physical security operations TAA

18. TAA – Risk assessment 360°security tiers) Policy Security Policy HR Trusted Archival Authority Physical Security Building Security Policy Security Application security Server room Organisation & management Policy System Security Authorisation & authentification Network Security User interface Security procedures people

26. TAA – basic architectural design Hardware & Storage Policy & Procedures Web Service DMS – user interface ERS engine TSA Security & Legal

27. TAA – functional architectural design IAM CA TSA DMS ERS i-Sign HW Event logging (audit trail) storage SA* Abbreviations : IAM – identity & access management CA – Certification authority (RA – registration authority) SA – “source authentic” ERS – Evidence record syntax

28. TAA – architectural design Abbreviations : LTAP – long term archival protocol ERS – Evidence record syntax

34. Questions? ? ? ? ? ?

40. Xades, electronic signature composition The XAdES-T envelope: contains a trusted timestamp over the signature. The goal is to prove that the signer’s certificate was valid at the time of signature. The XAdES-X envelope: “ When an OCSP response is used, it is necessary to time-stamp in particular that response in the case the key from the responder would be compromised” In other words, the goal is to prove that the OCSP responder’s signing certificate was valid at the time of OCSP response. “ The SignatureTimeStamp encapsulates the time-stamp over the SignatureValue element.” XADES : XML Advanced Electronic Signatures Specification from the ETSI that is built upon the Xmldsig specification. It provides “signatures that remain valid over long periods. XAdES - X - L XAdES - X XAdES - C XAdES - T XAdES - EPES OCSP Timestamp Certificates Chain Timestamp XAdES - a Timestamp

41. Xades, electronic signature composition

43. Xades, electronic signature process flow E-sign

44. TSA – timestamp , process flow