Versions Compared

Version Old Version 2 New Version Current
Changes made by

Petteri Kivimäki

Petteri Kivimäki

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

A functioning X-Road ecosystem requires two types of trust services:

  1. time-stamping authority (TSA)

  2. certification authority (CA).

Trust Service Providers are organizations providing these services. Trust Service Providers may be commercial third parties, or the services can be provided and maintained by the X-Road Operator too. Regardless of who provides the services, they must meet certain technical requirements.

...

  • The TSA service must be compliant with RFC3161 specification.

  • The TSA service must use HTTP(S) with POST for transportation.

  • The TSA service must support SHA-256 or stronger hash functions in requests

  • The certificate that is used for time-stamping signatures must have the id-kp-timeStamping value in the Extended Key Usage ExtendedKeyUsage field.

  • The TSA service must not require the usage of reqPolicy field in requests.

  • The TSA service must use at least 2048-bit RSA key and SHA-256 (or stronger) hash function for response signatures.

  • TSA service must maintain its accuracy within 1 second of UTC.

...

  • The certificates must be compliant with the RFC5280 specification.

  • The CA must accept PKCS#10 Certificate Signing Requests (CSRs).

  • The CA must support issuing certificates for public RSA keys with at least 2048-bit length.

  • The CA must use at least 2048-bit legnth RSA signature function and SHA-256 (or stronger) hash function for certificate signature.

Requirements for authentication certificates

  • The Key Usage KeyUsage field must include at least one of the following values: digitalSignature, keyEncipherment or dataEncipherment.

  • The KeyUsage field must not include nonRepudiation.

  • The Extended Key Usage ExtendedKeyUsage field may contain ClientAuthentication or ServerAuthentication.

Requirements for signing certificates

  • The KeyUsage field must include nonRepudiation.

  • The KeyUsage field must not include any of the following values: digitalSignature, keyEncipherment and dataEncipherment.

  • The ExtendedKeyUsage field must not include ClientAuthentication.

  • The CA issuing must ensure that Qualified eSeal certificates are issued only if private key is stored on a Qualified Signature Creation Device.

  • The CA must ensure that Advanced eSeal certificates are issued only if private key is handle securely by certificate owner.

  • When a Qualified Signature Creation Device is used, the Device must support PKCS#11 protocol for connectivity.

...

  • The CA issuing certificates must provide a certificate validation service that is compliant with the RFC6960 or RFC2560 specification.

  • The certificate validation service must use at least 2048-bit length RSA signature function and SHA-256 (or stronger) hash function for response signing.

...

Filter by label (Content by label)
page
showLabelsfalse
max5
spacescom.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@4fe6361
showSpacefalse
sortmodified
showSpacetypefalsepage
reversetruetype
labelskb-how-to-article
cqllabel = "kb-how-to-article" and type = "page" and space = "XRDKB"labelskb-how-to-article