PEPPOL quality trust ratings explained

Posted by Liaquat Khan on Apr 15, 2013 1:03:00 PM

PEPPOL is a large-scale European Commission project, working on allowing any company in the EU to be able to communicate electronically with any EU governmental institution for all procurement processes.

PEPPOL process

PEPPOL includes pre-award (e.g. tendering) and post-award (e.g. ordering and invoicing) processes. The results of PEPPOL are very interesting. They go beyond e-procurement and include other e-Gov applications and even non-government sectors. Additionally, it is applicable on a global basis rather than just within the EU.


PEPPOL vision for eSignatures

The eSignature vision of PEPPOL is:

“ have solutions that make it possible for economic operators in any European country to utilise the eSignatures of their own choice when submitting offers electronically to any European public sector awarding entity.”

Economic operators are seen as product and service suppliers responding to public tenders. PEPPOL’s ultimate interoperability aim for eSignatures can be expressed as:

  • An eID holder shall be able to use the eID to sign a document towards any counterparty, even internationally. The eID holder independently selects the eID to use

  • The receiver (relying party) of a signed document shall be able to accept signatures from all counterparties, regardless of the eID used by the counterparty. In an open market, the RP has no influence on a counterparties’ selection of eID

  • A third party, receiving a document signed by other parties, shall be able to verify the signatures no matter which eIDs has been used by other parties. A signing party does not know at the time of signing who may need to verify their signature.

Need for trusted Validation Authorities (VAs)

To achieve this vision, PEPPOL recognises that there are many challenges for the Relying Party application which needs to process eSignatures.

There are other technical challenges apart from multiple signature and document formats, multiple eID issuers and issues of scaling. The real issue for the Relying Party is the assessment of the risk implied by accepting the signature and eID.

This risk is determined by:

  • Signature legal status
  • Quality of the eID
  • Quality of the cryptography used
  • Liability position
  • Trustworthiness of the issuing Certificate Authority (CA)

These are tough questions for a would-be relying party needing to accept eSignatures from any corner of Europe and beyond.

To aid the process, PEPPOL recommends relying parties use Validation Authority (VA) service providers. It takes the technical burden of signature verification away from business applications and the associated risk through use of an agreed liability model.

Such a model already exists in the form of the BBS Global Validation Service, a centralised authority for verifying eSignatures and eIDs across Europe. The following diagram illustrates how BBS offers validation services to relying parties, shielding them from the complexity of PKIs and associated risks:


PEPPOL vision for e-signatures

The BBS Global Verification Service uses Ascertia ADSS Server as the underlying signature and eID verification technology.

Please note: Originally this service was offered by DNV using earlier versions of ADSS Server. 

Signature and eID quality requirements

In an open, non-exclusive, environment, determining which CAs are trustworthy to an appropriate quality level in an automated manner is an essential requirement for Relying Parties.

Therefore, differences in national legislation, as well as different requirements for business applications necessitate development of a framework to enable quality ratings for eSignatures and eIDs.

PEPPOL provides a specification for non-discriminatory rules for acceptance of eIDs to replace present policies for national solutions, which only refer to domestic eID issuers or national accreditation schemes.

Ascertia worked with DNV as part of the Global Verification Service to help establish a signature and eID quality rating scheme back in 2006.

The PEPPOL project took this framework and extended it further, specifically including a parameter for measuring the independent assurance level.

The PEPPOL quality rating framework is based on the following aspects:

  • eID quality: Quality must consist of:

    • A certificate quality parameter ranging from zero to six depending on the issuing CA’s CP/CPS. For example, is a qualified certificate policy being used in accordance with ETSI TS 101 456 standard? Is the user’s private key held within a SSCD? Six is the highest level.

    • An independent assurance parameter ranging from zero to seven which defines how the issuing CA is audited and accredited. E.g. is the CA accredited by a public, national or international authority according to applicable law to the CA? Seven is the highest level that can be achieved.
  • Hash Algorithm quality:

    • Ranging from zero to five, depending on how secure the hash algorithm is. Five is the highest level, although most algorithms that are considered secure today are expected to have a rating of two indicating they are good for next 5 to 10 years.

  • Public key quality:

    • Ranging from zero to five, same as above.

PEPPOL quality trust rating example

A Qualified Electronic Signature (QES) created with an SSCD and a qualified certificate issued by an accredited CA and using the SHA-224 hash algorithm and a cryptographic key length of 2048, would have the following signature quality parameters:

  • eID quality: (6,7) – Meaning certificate quality level 6 & independent assurance level 7
  • Hash quality: 2 – Regarded as trustworthy for 5-10 years
  • Public key quality: 2 – Regarded as trustworthy for 5-10 years

In this specific example, it would have a signature quality = {(6,7),2,2}.

Standard Validation Authority interfaces

The PEPPOL project has extended the OASIS DSS specifications and W3C XKMS specifications. They now allow a Relying Party to request the signature and certificate quality levels from an online Validation Authority (e.g. like BBS GVS).

Please note: A signature can be deemed to be of insufficient quality if it fails to meet the required quality level but passes normal cryptographic checking, certificate path building and certificate validation checking.

ADSS Server v4.1 already supports the PEPPOL enhanced OASIS DSS protocol v4.1 and v4.2 due in Q2 2010 will support the PEPPOL XKMS enhancements.

In large cross-border, non-discriminatory, environments there is a need for being able to quality rate eSignatures and eIDs in an automated manner. PEPPOL has defined such a mechanism.