Civil Registry Agency of the Ministry of Justice, Georgia

Digital Signature Services in Georgia

Mikheil Kapanadze

E-Document and E-Signature Law

• … and we know that we are late. So, we will have to work hard and fix the gap

Adopted in 2008

• Some changes are planned

There were changes in subsequent years

• These regulations mainly concern certification authorities

Along with the E-Signature law, Georgia adopted the technical regulations

• The president, other government officials and citizens (about 80 persons) put their signatures using their ID Cards

On May 10, 2012 we made a first digital signature on the electronic document

E-Signature and Digital Signature according the law

• Defined as any set of the data, created based on electronic sources, which can be used by the signer to specify his/her association with the document

Electronic signature

• An electronic signature, created using cryptographic manipulation on the data based on the private key, logically associated to the electronic document

• Associated to the signer only• It’s possible to identify the signer• The private key is under the sole control of the signer• Association with the document allows to detect manipulation on the data

Digital Signature

ID Card as secure signature creation device (SSCD)

• Signature key (RSA 2048) is generated on the card• The private key never leaves the card• The key material can not be extracted from the card

Private key security

• 6 digits• Not generated during card personalization. Must be set by the card holder• The secure envelope does not contain this PIN• The cardholder is supplied with 5-digit transport PIN• The transport PIN can used ONLY ONCE to set the digital signature PIN• It’s not possible to reset the signature PIN by PUK

Digital Signature PIN

Additional security measures

• ID Card’s PKI applet is available on contact interface only

No Contactless signatures

• All card terminals, installed at customer service points MUST support secure PIN entry

• The terminal must be able to use SPE when it deals with Georgian ID card

• Organizations are recommended to cooperate with CRA to certify their card terminals before starting operations

Regulations against card readers

Physical security of the ID Card and PIN

• It’s not recommended to card holders to write down their signature PIN• If the card holder can not memorize the PIN, he/she is recommended to

store card and PIN separately

Please, memorize your PIN

• The special regulation will be issued to prohibit leaving the ID card in the entrance of the building to get the pass

• We understand that it may introduce additional costs to the organizations but we need to minimize risks

Leaving the card on the entrance of the organizations

Advanced electronic signatures

• The signature law demands to sign the document using the certificate which is valid during the signing process

• Thus we need to have revocation information along with the signature• Secure timestamp is not mandated by the law yet but we are going to change the

law accordingly• This means that the signer will have to be online to sign the document

Signature type and the demands of the law

• Signatures of *AdES family of ETSI standards were found to be permitted under the Georgian signature law

• As the revocation information needs to be stored in the document, the basic profiles of *AdES can not be used

ETSI Standards and the signature law

The format of the signed documents

• For the signed text documents, PDF is the only format in Georgia now• The format allows to store additional data as attachments• Can be created by the wide range of the software• “Trusted readers” exist• Multiple signatures are allowed• PDF/A is not mandated but highly recommended

PDF (ISO 32000-1) with signature extensions

• Currently, signatures can not be made on non-text documents, according the signature law

• We are working to extend the signature law to support them

Non-text documents

The signature format

• This is the only signature format now, suitable to Georgian signature law• It uses non-ISO extensions to PDF defined by ETSI• It is promised to put these extensions in the next ISO standard

PAdES-LTV (ETSI TS 102 778-4)

• Other profiles are not immediately compatible with the signature law• To speed up the signing process in case of multiple signers, it may be possible

to use PAdES Basic/BES/EPES profiles and extend the profile to LTV as soon as possible

• What ASAP means in this case, needs to be defined in the law

Other profiles

Sign-what-you-see

• One of the arguments of selecting PDF was that it can be read by the different tools on many platforms

• So, the signer can verify the document before signing and after signing• It’s recommended to use the signed document only when you have reviewed it

after signing

How we implement the sign-what-you-see concept?

• ID Card demands typing the signature pin on EACH signature operation• The cardholder may have a simple card reader for personal use but it is highly

recommended to buy one with SPE even for home use• We do not want to introduce regulations on card terminals for home use as it may

slow down digital signature adoption among the population

Other security measures

Signature tools

• Developed as Java Web Start application• Available at https://id.ge • Can be used to sign confidential documents

Standalone tool

• A web portal which allows file upload and signing• Uses Java applet to communicate with card• Allows document sharing to perform multi signatures• Available at https://id.ge

Sign ’em Portal

• PKCS#11 driver exists for ID Card PKI• Adobe Acrobat/Reader X can be configured to use this driver and sign the documents in CRA-independent way• This method is not officially supported yet but we are working hard on it

Adobe Acrobat X/Adobe Reader X

Embedding the signature creation in other software

• The applet, written for the Sign ‘em portal can be embedded in any web-based solution

• It uses easy-to-use interfaces to communicate with the outer world• We plan to embed it in the unified document management system, used in the

Ministry of Justice and all its agencies (CRA, NAPR, DEA, etc)

Web Portals

• We enforce only standards, not tools/libraries/frameworks• The organizations are free to use any solution available on the market which allows

creation of PAdES-LTV signatures• It’s strongly recommended to use tools which participate in ETSI PlugTest events for

interoperability

Libraries/Frameworks

ID.GE – ID Card, Signatures and more

Thank You Happy Signing!