Plugtests Portal for Electronic Signature

This document provides details on the cryptographic material that the participants will have to deal with while conducting the plugtest and also on the trust frameworks specified for this plugtest.

Cryptographic material

ETSI will supply to plugtest participants with the required cryptographic material for conducting all the tests.

This material will consist in:

P12 files containing private keys and their corresponding certificates for generating and verifying test cases signatures.

Certificate files containing the CA certificates up to a trust anchor represented by the root CA (Root_CA_OK). These certificates will be published in the LDAP server (details for accessing to the LDAP server may be found in the Online PKI services details page) and in the HTTP server deployed in the plugtest portal.

CRLs issued by the CAs operating in the plugtest trust frameworks. These CRLs will be re-issued several times during the plugtest with a certain periodicity, so that all of them are up to date. The CRLs will be published in the LDAP server and in the HTTP server deployed in the plugtest portal.

The certificate for the Time-stamping server issued by Root_CA_OK. As above, this material will be published in the the LDAP server and in the HTTP server deployed in the plugtest portal.

Trust framework

ETSI has defined a trust framework for this plugtest, within different scenarios are defined. ETSI will define groups of test cases of ASiC containers for each scenario

Participants will use the cryptographic material in a certain scenario (as per ETSI indications) for generating (and/or verifying) the signatures corresponding to this group. In consequence each scenario will incorporate a set of cryptographic items that the participants will use while working with one of the aforementioned groups of test cases.

The trust framework has been defined as detailed below:

Trust framework. Root_CA_OK as Root CA. This framework will be used for conducting tests on ASiC Containers using time-stamp tokens issued by only one TSA. For this trust framework, one scenario has been defined:

Scenario SCOK. Participants will use its cryptographic material for both generating and verifying the signatures corresponding to the generation and cross-verification and for verifying signatures pre-generated by ETSI corresponding to the only-verification test cases. In this scenario there are the certificates managed during the generation and verification of the signature, including the end-entities certificates issued by the CA deployed in the portal to the participants, that are valid and there are a pre-generated signing certificates, which by the time the plugtest will start will be revoked, and also a pre-generated signing certificate, which by the time the plugtest will start will be expired. The CA issuing the certificates will issue the CRLs including references to the revoked certificate. This CA will also generate OCSP responses reporting on the status of these certificates whenever it is requested by the participants. ETSI will pre-generate one signature using the revoked certificate and another one using the expired certificate. This scenario is intended both to check implementations behaviour when verifying not valid signatures, which will be provided by the ETSI portal and to check implementations behaviour when verifying valid signatures, which will be provided by the other participants.

Untrusted framework

ETSI has defined an untrusted framework too for this plugtest. The untrusted framework has been used for negative test cases only. In this framework an untrusted CA generating signature certificates and an untrusted TSA generating timestamp signing certificates are defined. The verifications of the signed and timestamped documents generated by using the above signature and timestamp signing certificates should fail.