0

There are around 200+ nation-states on the planet. Most of these use eIDs. Do any of these nation-states have a public API to verify digital signatures?

Example:

Nation-state Canada issues a eID to Alice, through Canadas CA (certificate authority)

Alice signs some legal document using her eID.

Bob owns a service that needs to check Alice legal document. Bob verifies Alice digital signature with Canadas CA.

Bob used some sort of API, and Canada returns 'true' or 'false'.


And if none of the 200+ nation-states verify digital signatures,

How does Bob verify that Alice is really Alice ?



asked the same question 3 days ago but it was deemed 'to broad', How would a nation-state provide an API for its citizens to verify their legal identity online? i've tried to narrow it down now.

Community
  • 1
b0ris
  • 57
  • 4
  • 2
    Hello, welcome to [security.se]. When your question is closed, you should try to [edit] it instead of posting a new one. Then reopen votes can be cast. If they don't happen by themselves, you can come the [chat] room to ask for advice on getting it on-topic then reopened. – M'vy Jul 20 '15 at 14:55
  • Have you looked at https://en.wikipedia.org/wiki/National_identification_number? – Neil Smithline Jul 20 '15 at 15:55
  • What do you mean by "verify digital signatures"? Are you asking for an API that simply does certificate trust chain validation outside of the browser/OS, or something more complicated? – PwdRsch Jul 20 '15 at 15:58
  • an API that verifies that Alice is part of the trust-chain that has a CA (for example, Canada, since I'm asking about national-IDs) as root.

    if Alice signs something with her digital signatures, how can Bob know that it came from the private key that's held by the CA ? can't Alice just create a random public key from a random private key and just sign a document ?

     – b0ris Jul 20 '15 at 16:22
  • I'm unfamiliar with eID. If I get an eID from my country, is it then signed with the countries CA cert? – Steve Sether Jul 20 '15 at 17:53
  • i've thought that the CA has the root key, and that it generates eIDs from that, derived keys that can sign documents to prove they came from that key, and that only the holder of the root key could verify that the eIDs belong to National_identification_number. it seems like a digital signature would need to be verified with whoever holds the root key, and that there should be APIs for this. – b0ris Jul 21 '15 at 00:29
  • How would this be different than a verification of a typical CA Chain? – RoraΖ Jul 21 '15 at 11:17

2 Answers2

1

Does any nation-state CA (certificate authority) have a public API to verify digital signatures?

No, the CAs do not verify digital signatures, the relying-parties (the recipients) do the verification by themselves, using their own software applications. Eg, use Adobe Reader (free version) to verify digitally signed PDFs.

However, the CA's do publish a public CRL (Certificate Revocation List). That file can be viewed as an API that aids in the verification process. It does not do the verification process per se.

And some CA's provide access for Online Certificate Status Protocol (OCSP) requests. OCSP is a newer technique for determining if a certificate has been revoked or not. Eg Verisign. Like CRL files, OCSP helps with the verification process but is not the same as verifying a signature.

And if none of the 200+ nation-states verify digital signatures, how does Bob verify that Alice is really Alice ?

Bob opens the digitally signed document or data by using the appropriate software application. To verify a digital signature, Bob's app goes through a number of steps. One of the steps is to re-create the trust chain between a certificate that Bob already trusts and Alice's certificate which Bob does not yet trust.

If Bob's software is able to re-create the trust chain, then doing so gives Bob some level of assurance that Alice is who she says she is.

How high is the level of trust? It depends on the polices and procedures of the root CA and the intermediate CA's on the trust chain. It also depends on Alice properly safeguarding her digital signature device.

If you're into "movie plots" then it is always possible (but not likely) for someone to forge someone else's signature no matter what technology was used.

In the real world, signatures denote trust and relying parties determine what level of trust they need to accept a given signature on a given document.

Community
  • 1
Larry K
  • 601
  • 3
  • 11
1

For the European Union, there seems to be a list of Trusted CA available here usable to authentify such signature. You should import the list into you software (the same way that browsers are provided with a common Web CA list already imported in them) then it will be usable as root to ensure digital signature authenticity.

Some countries also propose development kits, even-though I'm not sure there is any international project to broaden such kit to a larger scale. If your activity is not limited to such country, building your own API relying on the above mentioned Trust List may be a more generic solution.

WhiteWinterWolf
  • 19,292
  • 4
  • 61
  • 110
  • 1
    There was once publicly open WebNotarius service run by Polish company Certum that verified all EU qualified signature documents, which I guess is closest to what b0ris was asking for, but it's now fully commercial. – kravietz May 17 '17 at 12:52