h1. {color:#cc0000}Guidelines on European learner mobility: electronic document authentication{color}
This section is a separate supplement to the core [Guidelines on European Learner Mobility].
h2. 1. Requirements for secure electronic graduation documents
The following list gives an initial set of requirements for electronic graduation documents (including DS and other documents) that may be readily agreed.
# Electronic documents must be legally admissible as evidence. [\[ESig\]|#ESig]
# Documents must be capable of being authenticated and must be protected against tampering.
# Authentication of documents must be compatible with relevant technical standards where such standards exist.
# The validity and security of documents must be maintained for (at least) the career length of the graduate.
# It should be possible for an institution to revoke an electronic document after it is issued such that subsequent verification attempts will fail.
# Compliance with applicable Data Protection laws is mandatory. Documents must be made available only to the graduate and to third parties authorised by the graduate in a controlled and auditable manner.
There are a number of ways to address the issue of document authentication. The next section generalises these approaches with a view to identifying what work needs to be done and which areas we can work towards standardising. Where applicable, references are made to approaches already implemented in European countries for the authentication of DS and other documents.
h2. 2. Models for document authentication
The following is a generic view of the main approaches to the authentication of documents such as DS. More details of the models in current practice can be found in Section 6.4 of the core Guidelines [\[GUIDELINES\]|#GUIDELINES].
h3. 2.1 Offline authentication
Offline authentication is a model where:
* the issuing HEI generates electronic documents and *applies the necessary digital signatures* (e.g. digitally signed or certified PDF);
* documents are distributed to graduates by the HEI as self-contained document files;
* documents are distributed to recruiters by the graduates as self-contained document files;
* *documents can be verified offline* without the need to contact the issuing HEI (e.g. using Adobe Reader software).
h3. 2.2 Online authentication
Online authentication is a model where:
* the issuing HEI generates documents (no digital signatures are necessarily applied to the documents);
* documents are placed into an archive managed by the HEI;
* documents are made accessible to graduates via a secure online facility (trusted website of the issuing HEI);
* trusted links to documents are distributed to recruiters by the graduates via the secure online facility (trusted website of the issuing HEI);
* *documents are verified online at the HEI site* using a web browser. Any revocation of the document by the HEI can be flagged.
h3. 2.3 Hybrid authentication
Hybrid authentication is a variation of the offline and online models that involves the secure online verification of *archived, digitally signed* document content. This model is very similar to the online authentication model, except that the archived documents contain the digital signatures that were applied when the document was officially signed.
* The issuing HEI generates documents and *applies a digital signature* to the documents.
* Documents are placed in a secure archive managed by the HEI. *Long-term cryptographic validity of documents is maintained* by the HEI.
* Documents from the archive are made accessible to graduates via a secure online facility (trusted website of the issuing HEI).
* Trusted links to documents are distributed to recruiters by the graduates via the secure online facility (trusted website of the issuing HEI).
* *Documents are verified online at the HEI site* using a web browser (the HEI service checks the digital signatures). Any revocation of the document by the HEI can be flagged at this point.
h3. 2.4 Comparison of models
A white paper (presented at EUNIS 2009) is available [\[DCPDF\]|#DCPDF] that analyses real-world implementations of these models in detail (the Digitary model as used in Ireland/UK/Portugal, versus Certified PDF used in the United States).
h2. 3. Areas for implementation and standardisation
Looking at the offline, online and hybrid models above, we can identify three core elements that need to be implemented (with some relevant standardisation work) in order to address all requirements 1-6 given above in Section 1. The requirements addressed are given in the "Addresses" column. Digitary reports that each area has working implementations, based on their system, in Ireland, the UK, and Portugal.
|| Area || What needs to be done? || Addresses || Suggested implementation path || EuroLM standards work ||
| Digital signature creation | Employ a facility for the creation of *legally-binding*, *standards-compliant* digital signatures resulting in a digitally-signed record _(i.e. official electronic record)_ that can be admitted as evidence in a court of law. | 1, 2, 3 \\ | In accordance with EU Digital Signature Directive 1999/93/EC [\[ESig\]|#ESig], digital signatures should be *advanced electronic signatures* (i.e. PKI-based) containing *qualified certificates* (issued under very strict conditions including face-to-face identity verification of the signatory) created *using a secure signature creation device* (i.e. certified cryptographic hardware). \\
The digital signatures should comply with relevant EU technical standards for long-lived digital signatures such as ETSI TS 101 903 (XML Advanced Electronic Signatures [\[XAdES\]|#XAdES]), ETSI TS 101 733 (CMS Advanced Electronic Signatures [\[CAdES\]|#CAdES]), or the upcoming PDF standard in ETSI TS 102 778 (PDF Advanced Electronic Signatures [\[PAdES\]|#PAdES]). \\
For maximum legal compatibility and standards compliance, Qualified Certificates used by institutions to digitally sign electronic documents should be issued in accordance with the policy requirements specified as per ETSI TS 101 456 [\[QCPOLICY\]|#QCPOLICY] and comply with the technical standards for Qualified Certificates specified in ETSI TS 101 862 [\[QCPROFILE\]|#QCPROFILE]. \\
\\
Where XML documents are digitally signed, it is recommended that the XML representation of the document is covered by the digital signature *and* that it is accompanied by a *fixed-layout*, human-readable representation of the document to present to a third party (also covered by the signature), so that it can later be asserted what was actually seen when the document was signed. | Reference existing ETSI standards for digital signatures as being acceptable for the purposes of digitally signing EuroLM documents?\\ |
| Secure Document repository \\ | Provide a secure online repository to preserve and *maintain the long-term validity* of the official electronic record in line with relevant legislation and technical standards. | 1, 2, 3, 4 \\ | Implement a document repository that will *maintain the cryptographic integrity of signed documents according to the "long-term" XAdES-A/CAdES-A/PAdES-A standards*. This ensures the validity of the signed document in the long term, even after the digital certificates have expired and the original signing algorithm or key has become weak over time. \\
This element insulates the signed record from any tampering that may arise over time due to changes to the information systems that store the document, etc. This standard is appropriate for documents that need to be archived for very long periods of time (i.e. the career length of a graduate). \\ | Reference existing ETSI standards for representation of long-term digital signatures.\\ |
| Online services \\ | Implement a suite of online services that can be used to perform various operations on the official electronic record in a controlled and auditable manner. | 2, 5, 6 \\ | Implement various functionality via *secure* online services, including: \\
* (HEI) - Issue document to graduate
* (HEI) - Revoke document
* (HEI) - Notify recruiter of revoked document (law permitting)
* (HEI) - Gather statistics on document usage
* (Graduate) - Online document access
* (Graduate) - Configure document access controls to third parties (e.g. recruiters)
* (Graduate) - View access logs to shared documents
* (Recruiter) - Request document from graduate for authentication
* (Recruiter) - Verify document
* (Recruiter) - Re-verify document to ensure status has not changed (assumes (2) already occurred)
* (Recruiter) - View access logs to documents \\
Services such as these can be implemented both in *user-space* (i.e. human-accessible - web sites/applications) and *system-space* (i.e. system-accessible - web services). | {color:#990000}Future work - define these services and specify standard interfaces.{color}\\ |
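The hybrid model of section 2.3 and the verify/revoke/re-verify services in the table above, reduced to their core in an added Go example (not code from the guidelines or from any Digitary implementation): one signature covers both the XML content and the fixed-layout rendering, the HEI archives the signed record, and the online verification service consults the revocation list, which an offline check of a self-contained file cannot see. Ed25519 and the record layout are assumptions made for the example; a real deployment would use the ETSI signature formats named above.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedRecord is the archived official electronic record: XML content, the fixed-layout
// rendering the signatory saw, and one signature over both (hypothetical layout, not ETSI).
type SignedRecord struct {
	ID                 string
	XML, Rendered, Sig []byte
}

// digest length-prefixes ID, XML and rendering so no part can be swapped or shifted unnoticed.
func digest(r SignedRecord) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(r.ID), r.XML, r.Rendered} {
		fmt.Fprintf(h, "%d:%s", len(part), part)
	}
	return h.Sum(nil)
}

// HEI holds the issuing key, the archive of signed records and the revocation list.
type HEI struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	archive map[string]SignedRecord
	revoked map[string]bool
}

func NewHEI() *HEI {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &HEI{pub, priv, map[string]SignedRecord{}, map[string]bool{}}
}

// Issue signs both representations together and archives the record (model 2.3).
func (h *HEI) Issue(id string, xml, rendered []byte) SignedRecord {
	rec := SignedRecord{ID: id, XML: xml, Rendered: rendered}
	rec.Sig = ed25519.Sign(h.priv, digest(rec))
	h.archive[id] = rec
	return rec
}

// Revoke makes every later online verification of the record fail (requirement 5).
func (h *HEI) Revoke(id string) { h.revoked[id] = true }

// VerifyOffline is all a recruiter with a self-contained file can do (2.1); revocation is invisible.
func VerifyOffline(pub ed25519.PublicKey, r SignedRecord) bool {
	return ed25519.Verify(pub, digest(r), r.Sig)
}

// VerifyOnline is the HEI verification service of the hybrid model (2.3): signature, then revocation.
func (h *HEI) VerifyOnline(id string) error {
	rec, ok := h.archive[id]
	switch {
	case !ok || !VerifyOffline(h.Pub, rec):
		return errors.New("no valid archived signature for document")
	case h.revoked[id]:
		return errors.New("document revoked by issuer")
	}
	return nil
}
```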
h2. References
* "Available at" means that the URL given is the URL of the document itself, or a version of it.
* "Available through" means that a link to the document appears on the page with the given URL, where other related material and documents may also be found.
* "See" introduces a web site or sub-site, that is, several relevant web pages which may be browsed.
All web references were accessed successfully in November 2009.
h3. Documents
{anchor:CAdES}\[CAdES\] ETSI TS 101 733 CMS Advanced Electronic Signatures (CAdES). Available through [http://www.etsi.org/WebSite/Technologies/ElectronicSignature.aspx]
{anchor:DCPDF}\[DCPDF\] EUNIS 2009: A comparison of certified PDF and Digitary for secure graduation documents. June 2009. Available at [https://www.digitary.net/assets/files/digitary_certified_pdf.pdf]
{anchor:ESig}\[ESig\] EU Digital Signature Directive 1999/93/EC. December 1999. Available through [http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:EN:NOT]
{anchor:GUIDELINES}\[GUIDELINES\] Guidelines on a European Learner Mobility model. Core document, to which this is a supplement. A wiki version is available at [http://wiki.teria.no/confluence/display/EuropeanLearnerMobility/Guidelines+on+European+Learner+Mobility].
{anchor:PAdES}\[PAdES\] ETSI TS 102 778 PDF Advanced Electronic Signatures (PAdES). Available through [http://www.etsi.org/WebSite/Technologies/ElectronicSignature.aspx]
{anchor:QCPOLICY}\[QCPOLICY\] ETSI TS 101 456 Policy requirements for certification authorities issuing qualified certificates. Available through [http://www.etsi.org/WebSite/Technologies/ElectronicSignature.aspx]
{anchor:QCPROFILE}\[QCPROFILE\] ETSI TS 101 862 Qualified Certificate Profile. Available through [http://www.etsi.org/WebSite/Technologies/ElectronicSignature.aspx]
{anchor:XAdES}\[XAdES\] ETSI TS 101 903 XML Advanced Electronic Signatures (XAdES). Available through [http://www.etsi.org/WebSite/Technologies/ElectronicSignature.aspx]