
Bug#976435: ITP: eutl -- The European Union Trust List is a collection of CA certificates of Trust Service Providers compiled by member states within the framework of the eIDAS regulation for purposes which include the verification and validation of eSignatures and eSeals



Package: wnpp
Severity: wishlist
Owner: Bert Van de Poel <bert@ulyssis.org>

* Package name : eutl
Version : date based?
Upstream Author : The European Union
* URL : https://ec.europa.eu/digital-single-market/en/eu-trusted-lists
* License : NA
Programming Lang: NA
Description : The European Union Trust List is a collection of CA certificates of Trust Service Providers compiled by member states within the framework of the eIDAS regulation for purposes which include the verification and validation of eSignatures and eSeals

With the ongoing pandemic, a student organization I'm part of has been required to rely more on electronic signatures for its sponsor contracts with local open source companies. It has, however, been difficult to explain to those companies that a scan of a signature isn't legally binding. While we've signed PDF documents with PKCS#7 signatures based on the signing certificates on our ID cards for years, tooling around this procedure has been somewhat lacking. Because of our renewed interest, we've decided to investigate further and found out that it's currently easily possible to read signature information with tools such as poppler's pdfsig. However, it currently relies on NSS to establish the trust chain. This is quite problematic, as the EU regulations have specifically stipulated the use of CAs that are ideally not used for any other purpose than signing ID certificates (we're not sure if it's a strict requirement, but it seems to be applied that way). Therefore, the chain of trust can't be established.

Beyond this specific use case, the EUTL is in general useful for establishing the chain of trust for any kind of eIDAS-based eSignature or eSeal, on PDFs (PAdES), XML (XAdES) or other formats (CAdES). For tools within the FOSS ecosystem, it's currently not clear how these kinds of signatures should be verified and validated, as the relevant CAs are not available for any distro. This is solved on the proprietary operating systems for PDFs through Adobe including the EUTL within Adobe Reader. I'm suggesting packaging the EUTL separately so the CAs are not just available to those applications that wish to verify PDF signatures (PAdES or common PKCS#7), but also to other types of signatures based on the same eIDAS concepts.

I hope that this shows, from both a practical and a more ideological point of view, why the inclusion of the EUTL within Debian is relevant. I would suggest the CAs be saved separately from existing certificate locations, so they are isolated from those used within browsers and other applications, but the path can then be included (or even pre-compiled) within tools such as pdfsig.

Some useful links:
- https://ec.europa.eu/digital-single-market/en/eu-trusted-lists
- https://webgate.ec.europa.eu/tl-browser/#/
- https://tsl.belgium.be/
- https://en.wikipedia.org/wiki/Trust_service_provider
- https://ec.europa.eu/digital-single-market/en/policies/trust-services-and-eidentification

If any further information is required, I will try to help as much as I can. I am, however, not a specialist within eIDAS or eSignatures (and not a lawyer either), but happen to think eSignatures are a safer option with the ongoing pandemic and a good way to save a tree by using less paper.
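As an added example (not part of the original report, and not code from any Debian or EU project): the member-state trusted lists behind the EUTL are XML documents in the ETSI TS 119 612 format, and a package that ships "the CAs" has to pick the right certificates out of them rather than importing every X509Certificate element. The script below shows that selection with Python's standard library only: it walks a trusted list, keeps only services of type CA/QC whose current status is "granted" (withdrawn services and non-CA services such as timestamping authorities are skipped), and writes each certificate to a separate PEM file in its own directory, as proposed above. The element names, namespace and status/type URIs are taken from ETSI TS 119 612 as I know them and should be checked against the specification; the sample list and the certificate bytes inside it are constructed placeholders, not a real TSL or real DER certificates.

```python
import base64
import os
import re
import xml.etree.ElementTree as ET

# Namespace and identifier URIs of the ETSI TS 119 612 trusted-list format
# (assumed from the specification; verify against the real lists before relying on them).
TSL_NS = "http://uri.etsi.org/02231/v2#"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
TYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
TYPE_TSA = "http://uri.etsi.org/TrstSvc/Svctype/TSA"


def _q(tag):
    """Qualify a local element name with the TSL namespace for ElementTree."""
    return "{%s}%s" % (TSL_NS, tag)


def der_b64_to_pem(b64_text):
    """Turn the base64 DER blob carried by <X509Certificate> into PEM.

    The text is decoded and re-encoded so that whitespace inside the XML
    element does not leak into the PEM body, and wrapped at 64 columns.
    """
    der = base64.b64decode("".join(b64_text.split()))
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_granted_ca_certs(xml_text):
    """Return [(tsp_name, service_name, pem)] for every currently granted CA/QC service.

    Only <ServiceInformation> (the current state) is consulted; the
    <ServiceHistory> entries that record earlier statuses are ignored, so a
    certificate whose service was later withdrawn is not exported.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for tsp in root.iter(_q("TrustServiceProvider")):
        tsp_name = tsp.findtext(".//" + _q("TSPName") + "/" + _q("Name"), default="unknown TSP")
        for svc in tsp.iter(_q("TSPService")):
            info = svc.find(_q("ServiceInformation"))
            if info is None:
                continue
            if info.findtext(_q("ServiceTypeIdentifier")) != TYPE_CA_QC:
                continue  # timestamping, OCSP, etc.: not a CA we want in the trust store
            if info.findtext(_q("ServiceStatus")) != STATUS_GRANTED:
                continue  # withdrawn / deprecated services must not be trusted
            svc_name = info.findtext(_q("ServiceName") + "/" + _q("Name"), default="unknown service")
            for cert in info.iter(_q("X509Certificate")):
                certs.append((tsp_name, svc_name, der_b64_to_pem(cert.text)))
    return certs


def write_pem_dir(certs, outdir):
    """Write one PEM file per certificate into a dedicated directory and return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for n, (tsp_name, svc_name, pem) in enumerate(certs):
        slug = re.sub(r"[^A-Za-z0-9]+", "-", tsp_name + "-" + svc_name).strip("-").lower()
        path = os.path.join(outdir, "%03d-%s.pem" % (n, slug))
        with open(path, "w") as fh:
            fh.write(pem)
        paths.append(path)
    return paths


# Constructed sample data: the "certificate" is placeholder bytes, not DER.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real DER certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")


def _service(svc_type, name, status):
    return (
        "<TSPService><ServiceInformation>"
        "<ServiceTypeIdentifier>%s</ServiceTypeIdentifier>"
        "<ServiceName><Name xml:lang=\"en\">%s</Name></ServiceName>"
        "<ServiceDigitalIdentity><DigitalId><X509Certificate>\n%s\n</X509Certificate>"
        "</DigitalId></ServiceDigitalIdentity>"
        "<ServiceStatus>%s</ServiceStatus>"
        "</ServiceInformation></TSPService>" % (svc_type, name, PLACEHOLDER_B64, status)
    )


SAMPLE_TSL = (
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
    "<TrustServiceStatusList xmlns=\"%s\">"
    "<SchemeInformation><SchemeTerritory>XX</SchemeTerritory></SchemeInformation>"
    "<TrustServiceProviderList><TrustServiceProvider>"
    "<TSPInformation><TSPName><Name xml:lang=\"en\">Example Trust Services (constructed)</Name></TSPName></TSPInformation>"
    "<TSPServices>%s%s%s</TSPServices>"
    "</TrustServiceProvider></TrustServiceProviderList></TrustServiceStatusList>"
) % (
    TSL_NS,
    _service(TYPE_CA_QC, "Example Qualified CA G1", STATUS_GRANTED),   # kept
    _service(TYPE_CA_QC, "Example Qualified CA G0", STATUS_WITHDRAWN), # skipped: withdrawn
    _service(TYPE_TSA, "Example Qualified TSA", STATUS_GRANTED),       # skipped: not a CA
)


if __name__ == "__main__":
    for tsp, svc, pem in extract_granted_ca_certs(SAMPLE_TSL):
        print(tsp, "/", svc)
        print(pem)
```

Two things this does not do, and a real packaging script must: it does not verify the XML signature on the trusted list itself (the list is signed, and its signer's certificate is published through the EU List of Trusted Lists), and it does not validate that the exported blobs are well-formed CA certificates. Running the output directory through a real certificate parser before shipping it is the minimum check.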

