Filename extension | .asice, .bdoc, .ddoc .cdoc |
---|---|
Internet media type | application/vnd.etsi.asic-e+zip, application/x-bdoc, application/x-cdoc, application/x-p12d |
Developed by | RIA (ria.ee) |
Latest release | .asice 2014-06-05 |
Type of format | Digital signature |
Container for | any file format |
Extended from | ASiC |
Standard | EVS 821:2014 |
Open format? | Yes (implementations) |
Free format? | No (standard text) |
DigiDoc (Digital Document) is a family of digital signature- and cryptographic computing file formats utilizing a public key infrastructure. It currently has three generations of sub formats, DDOC- , a later binary based BDOC and currently used ASiC-E format that is supposed to replace the previous generation formats. DigiDoc was created and is developed and maintained by RIA [1] (Riigi Infosüsteemi Amet, Information System Authority of Estonia).
The format is used to legally sign and optionally encrypt file(s) like text documents as part of electronic transactions. All operations are done using a national id-card, a hardware token, that has a chip with digital PKI certificates to verify a person's signature mathematically. Signed file is a container holding actual signed, unmodified files and hence operation does not require any support from software that created those files.
Format container and its signatures can be created using application like qDigiDoc or a web service with user's web browser with signing extension. When an application is used, container is typically exchanged between signing parties as an email attachment until everyone has signed it and have their own complete copy.
Web services also utilize identity cards for session authentication using an authentication certificate which is also stored on the id-card.
DigiDoc container contains actual files and metadata, including a hash that represents those files. When signing, software sends content hash using standardised PKCS 11 interface to the user's id-card. After verifying the user's PIN, id-card signs the hash internally and returns a signature which is then stored into DigiDoc container.
During the signing, the certificate validity of each signing party is checked, and a signed timestamp is retrieved, using an OCSP service. The signed timestamp makes it possible to prove later at what time a document was signed (as the timestamp is derived from the document hash) and that each signing certificate was not in certificate revocation list at the time of signing. Any signatures prior to the revocation are still valid (therefore, documents do not have to be resigned when the user receives new certificates).
ASiC-E ( Associated Signature Containers ) and its extended variant is the latest DigiDoc container format. Used file extension is .asice
.
BDOC (Binary Document), of which the latest version is 2.1, is based on ETSI's ASiC signature container standards. It is official Estonian national standard EVS 821:2014. [2] Files use the .bdoc
file extension.
DDOC (Digical document) is the first generation DigiDoc format. Files use the .ddoc
file extension.
The most widely used application is the qDigiDoc graphical desktop software that runs on Microsoft Windows, Apple Mac OSX and on various Linux distributions. qDigiDoc is Open Source Software that can be freely downloaded and installed. Applications also exist for Apple iPad tablet devices and Windows phones.
Currently Estonian- and Finnish government issued cards work with qDigiDoc 3.x and later versions.
Multiple programming languages are supported to create applications and services utilizing DigiDoc-format, including C++, C, Java, .NET,
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient.
A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.
In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.
In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.
In cryptography, a certificate revocation list (CRL) is "a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted". CRLs are no longer required by the CA/Browser forum, as alternate certificate revocation technologies are increasingly used instead. Nevertheless, CRLs are still widely used by the CAs.
In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.
In cryptography and computer security, self-signed certificates are public key certificates that are not issued by a certificate authority (CA). These self-signed certificates are easy to make and do not cost money. However, they do not provide any trust value.
An electronic identification ("eID") is a digital solution for proof of identity of citizens or organizations. They can be used to view to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.
A Digital Postmark (DPM) is a technology that applies a trusted time stamp issued by a postal operator to an electronic document, validates electronic signatures, and stores and archives all non-repudiation data needed to support a potential court challenge. It guarantees the certainty of date and time of the postmarking. This global standard was renamed the Electronic Postal Certification Mark (EPCM) in 2007 shortly after a new iteration of the technology was developed by Microsoft and Poste Italiane. The key addition to the traditional postmarking technology was integrity of the electronically postmarked item, meaning any kind of falsification and tampering will be easily and definitely detected.
The Estonian identity card is a mandatory identity document for citizens of Estonia. In addition to regular identification of a person, an ID-card can also be used for establishing one's identity in electronic environment and for giving one's digital signature. Within Europe as well as French overseas territories, Georgia and Tunisia the Estonian ID-card can be used by the citizens of Estonia as a travel document.
Trusted timestamping is the process of securely keeping track of the creation and modification time of a document. Security here means that no one—not even the owner of the document—should be able to change it once it has been recorded provided that the timestamper's integrity is never compromised.
PAdES is a set of restrictions and extensions to PDF and ISO 32000-1 making it suitable for advanced electronic signatures (AdES). This is published by ETSI as EN 319 142.
The Finnish identity card is one of two official identity documents in Finland, the other being the Finnish passport. Any citizen or resident can get an identification card. Finnish citizens will get indication of citizenship on the card. It is available as an electronic ID card, which enables logging into certain services on the Internet, local computers or adding digital signatures into LibreOffice ODF documents or creating DigiDoc formatted containers that also allows encryption during content transfer. ID card is applied at a police station and it is issued by the police.
Ahto Buldas is an Estonian computer scientist. He is the inventor of Keyless Signature Infrastructure, Co-Founder and Chief Scientist at Guardtime and Chair of the OpenKSI foundation.
Electronic signature allows users to electronically perform the actions for which they previously had to give a signature on paper. Estonia's digital signature system is the foundation for some of its most popular e-services including registering a company online, e-banks, the e-voting system and electronic tax filing – essentially any services that require signatures to prove their validity.
DigiLocker is a digitization service provided by the Indian Ministry of Electronics and Information Technology (MeitY) under its Digital India initiative. DigiLocker allows access to digital versions of various documents including driver's licenses, vehicle registration certificates and academic mark sheets. It also provides 1 GB storage space to each account to upload scanned copies of legacy documents.
Associated Signature Containers (ASiC) specifies the use of container structures to bind together one or more signed objects with either advanced electronic signatures or timestamp tokens into one single digital container.
The Documento Nacional de Identidad (DNI) (Spanish for 'National Identity Document') is the only personal identity card recognized by the Peruvian Government for all civil, commercial, administrative, judicial acts and, in general, for all those cases in which, by legal mandate, it must be presented. It is a public document, personal, and non-transferable and also constitutes the only title of right to the suffrage of the person in whose favor it has been granted. Its issuance is in charge of the National Registry of Identification and Civil Status (RENIEC).
Smart-ID is an electronic authentication tool developed by SK ID Solutions, an Estonian company. Users can log in to various electronic services and sign documents with an electronic signature.