As I mentioned in other articles, one of the companies with which I am working is EADTrust, European Agency of Digital Trust, a CSP (Certification Service Provider) that provides services related to electronic signatures in the framework of Law 59/2003 (or Directive 1999/93/CE) with a philosophy we intend to be innovative:
- It is not planned to issue individual certificates to natural persons (we might consider issuing certificates to natural persons linked to groups as part of a project).
- It provides services to manage trust of the Information Society, particularly by encouraging the creation of high quality electronic signatures with timestamping services, validation of digital certificates and electronic document custody.
- It provides advanced services, some specifically designed for public administrations in the framework of eGovernment Law 11/2007: certified publication in the contractor’s profile, certified service of notice, electronic invoicing or generation and verification of electronic signatures through the OASIS DSS protocol (the Ministry of Presidence announced that the evolution of the official @firma platform will evolve to implement this protocol).
- It manages two root CAs linked together, combining RSA cryptography and ECC (Elliptic curve cryptography).
The latter is a significant milestone, since this way EADTrust becomes the first certification authority in the world with dual technology, and possibly the first European Certification Authority that manages a PKI hierarchy based on elliptic curve cryptography.
The root CAs of both of the certificate hierarchies are as follows:
- RSA (sha1RSA). RSA 2048-bit key size
- ECC (sha1ECDSA). ECC key sizes: 256 bits (equivalent to 3020 bit RSA)
Both root CA certificates and keys were generated in the presence of a notary, a procedure that we have been refining on several CA (Certification Authority) key generation ceremonies to other certification providers with whom we have collaborated: FESTE, Camerfirma, Banesto and ANCERT.
The certification authority based on Elliptic Curve algorithm, uses random 256 BITS ECDSAFp (secp256r1), as indicated in the documents generated by the NIST (National Institute of Standards and Technology) FIPS (Federal Information Processing Standards) 186 -2 and FIPS 186-3 in Appendices 6 and D respectively in their sections on the Recommended Elliptic Curves for Federal Government use (United States).
This algorithm is also described in document ETSI TS 102 176-1 V2.0.0 (2007-11) “Technical Specification. Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms”.
- RFC 4051 “Additional XML Security Uniform Resource Identifiers (URIs)”
- RFC 4492 “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”
- ISO/IEC 15946 “Information technology — Security techniques — Cryptographic techniques based on elliptic curves”
- ANSI X9.62:2005 “Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA)”