Multiple certificate authority services

The Spanish National Statistics Institute (INE) decided to use Safelayer's TrustedX platform to effectively reduce the complexity of its computer programs, at a time when the use of digital certificate and electronic signature technologies was being consolidated.

Introduction

The Spanish National Statistical Institute (INE) is the official body in charge of co-ordinating the public administration’s statistical services, as well as monitoring, controlling and supervising the technical procedures used. It is responsible, among other tasks, for providing demographic, economic and social statistics for Spain.

The INE considers PKI technology essential for developing any solution designed to secure the management of electronic documents. A pioneer in using this security technology and in improving efficiency by eliminating paper, the INE decided to extend its benefits to a wider range of procedures, making intensive use of computer networks.

Challenges

In keeping with European directives and their transposition into Spanish law, the provision of certification services has been liberalised. This means that the INE should be prepared to recognise a large number of digital certificates, starting with the e-DNI (Spanish e-ID) and providers recognised by the Spanish Ministry of Industry, Tourism and Trade, as well as the Spanish Tax Authorities. There were already over fifteen providers in Spain alone, and it should also keep in mind those located in other European countries.

Faced with such a variety of providers, another problem that emerged was how to extract the data from the digital certificates. The digital certificates did not all include the same information in the same way, which meant that in practice each certification services provider called for different operations in order to obtain the same data. For instance, one of the criteria for determining access control or type of information is the signer’s name and Spanish Tax Identification Number (NIF), or registered office and Tax Identification Card (CIF) number, depending on whether it is a natural person or a legal entity. The INE also wanted future applications to be able to use time-stamps in order to irrefutably ensure the date of electronic signatures.

According to the person responsible for the project at INE, “At first, the aim was to drastically reduce the complexity of our computer programmes.”

Until then, integrating security mechanisms using traditional PKI tools had been a complex task, and more so as the number of applications grew. These tools enable the logic of security functions to be built inside the applications, which means that any minor change to the logic may require certain code to be rewritten or, to avoid this, complex configuration methods.

It was therefore necessary to have more advanced tools capable of validating digital certificates, extracting their information and verifying electronic signatures in a simple, standardised and scalable way, while managing industry-endorsed electronic signature formats, etc.

Success Strategy

Initially, the INE decided it needed its own tool equipped with all the security services, so that the strategy for securing applications would be to have them consume a series of specialised services. These services would provide applications with security functions, sparing them from being systematically modified in order to “embed” and maintain security functionality. This new approach significantly reduces the cost of integration and enables security changes to be centrally managed. Service-Oriented Architectures (SOA) and new Web Services (WS) and XML technologies express this idea, in which processes are viewed as independent services. INE viewed security services as one of the critical processes that had to be considered a specialised service. The Safelayer TrustedX trusted services platform accurately implements this idea: it offers a series of global and standardised security services (authentication, authorisation, electronic signature and data protection) as web services with well-defined, standard interfaces to which applications can connect in order to use these services.

According to INE, “before, programmes had to verify every digital certificate against every certification services provider (the Spanish Royal Mint - FNMT, the Autonomous Government of Valencia, CATCert, Camerfirma, Notaries, etc). But after the deployment of TrustedX, computer programmes only need to access one point inside the agency that informs them whether the digital certificate is correct, if it has been revoked, etc.”

TrustedX was the ideal solution, since one of the advantages it offers is that it enables applications to always operate in the same way, regardless of the certification services provider. TrustedX centralises and applies trust policies (authentication and authorisation, electronic signature verification and generation, and ciphering and deciphering policies) at a corporate level. These policies establish whether electronic signatures generated for a specific application will carry a time-stamp, the steps to follow to validate a digital certificate or the data and format that will be given to the applications.

Furthermore, from the viewpoint of the INE, not all certification services providers present the same level of trust. In other words, digital certificates may be perfectly valid for performing browsing operations but they may not offer the appropriate guarantee for other types of electronic operations. The TrustedX trust management mechanism adequately solves this problem, determining the level of trust of each digital certificate at any given moment. This means that this type of decision can also be defined centrally rather than by the applications.

This is how the concept known as “Enterprise Trust Integration” (ETI) is implemented: definitively simplifying the establishment of trust relationships between security domains, eliminating interoperability problems and offering improved business process orientation, standardising trusted data, establishing metrics and classifying trusted data.

Benefits

According to INE, “Improvements have clearly been made in the back-office by simplifying our applications at a rate of 20 to 1, only counting the Spanish certification providers. If in the more or less near future the 25 members of the European Union experience a growth similar to that of Spain, we may find that we have to recognise 300 or 400 certification providers, which would be unfeasible without implementing a tool like TrustedX.”

TrustedX is the ideal tool when a considerable number of applications need to be secured by different software suppliers: the greatest advantage of TrustedX is its business process orientation, simplifying the use of PKI technology and enabling not only processes to be secured but also the management of their security. Lastly, and as a result of the incorporation of TrustedX, INE will easily be able to integrate electronic signatures and time-stamps in future applications.
