Package: wnpp
Severity: wishlist
Owner: Bert Van de Poel <b...@ulyssis.org>
* Package name    : eutl
  Version         : date based?
  Upstream Author : The European Union
* URL             : https://ec.europa.eu/digital-single-market/en/eu-trusted-lists
* License         : NA
  Programming Lang: NA
  Description     : The European Union Trust List is a collection of CA
certificates of Trust Service Providers compiled by member states within
the framework of the eIDAS regulation for purposes which include the
verification and validation of eSignatures and eSeals.
With the ongoing pandemic, a student organization I'm part of has been
required to rely more on electronic signatures for its sponsor contracts
with local open source companies. It has however been difficult to
explain to those companies that a scan of a signature isn't legally
binding. While we've signed PDF documents with PKCS#7 signatures based
on the signing certificates on our ID cards for years, tooling around
this procedure has been somewhat lacking. Because of our renewed
interest, we've decided to investigate further and found out that it is
currently easy to read signature information with tools such
as poppler's pdfsig. However, it currently relies on NSS to establish
the trust chain. This is quite problematic as the EU regulations have
specifically stipulated the use of CAs that are ideally not used for any
other purpose than signing ID certificates (we're not sure if it's a
strict requirement, but it seems to be applied that way). Therefore, the
chain of trust can't be established.
Beyond this specific use case, the EUTL is in general useful for
establishing the chain of trust for any kind of eIDAS based eSignature
or eSeal, on PDFs (PAdES), XML (XAdES) or other formats (CAdES). For
tools within the FOSS ecosystem, it is currently not clear how these kinds of
signatures should be verified and validated, as the relevant CAs are not
available in any distro. On proprietary operating systems this is solved
for PDFs by Adobe, which ships the EUTL within Adobe Reader.
I'm suggesting packaging the EUTL separately so the CAs are not just
available to those applications that wish to verify PDF signatures (PAdES
or common PKCS#7), but also to other types of signatures based on the same
eIDAS concepts.
I hope that this shows from both a practical and a more ideological
point of view why the inclusion of the EUTL within Debian is relevant. I
would suggest the CAs be saved separately from existing certificate
locations, so they are isolated from those used within browsers and
other applications, but the path can then be included (or even
pre-compiled) within tools such as pdfsig.
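As an added illustration of what such a separate CA location would contain (example code written for this report, not part of the EUTL, pdfsig or any Debian package), the script below extracts the CA certificates of qualified certificate services with status "granted" from a trusted list in the ETSI TS 119 612 XML format and writes them as individual PEM files into a directory of their own. The element names, namespace and the service type and status URIs are taken from my reading of the ETSI TS 119 612 schema and are assumptions here; the embedded trusted list and its base64 payloads are constructed placeholders, not real certificates. The script does not verify the XMLDSig signature over the list, which a real packaging pipeline would have to do before trusting its contents.

```python
"""Extract CA certificates from an eIDAS trusted list (ETSI TS 119 612 XML)
into a separate PEM directory, kept apart from the browser CA store.

Constructed example: the trusted list below is not a real national list."""
import base64
import binascii
import hashlib
import os
import xml.etree.ElementTree as ET

# Trusted-list schema namespace and the type/status URIs used inside the lists
# (assumed from ETSI TS 119 612; check them against the real lists).
TSL_NS = "http://uri.etsi.org/02231/v2#"
NS = {"tsl": TSL_NS}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
TSA_QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"


def _service(stype, status, name, der_placeholder):
    # Builds one TSPService element for the constructed sample list.
    b64 = base64.b64encode(der_placeholder).decode("ascii")
    return f"""
        <TSPService><ServiceInformation>
          <ServiceTypeIdentifier>{stype}</ServiceTypeIdentifier>
          <ServiceName><Name xml:lang="en">{name}</Name></ServiceName>
          <ServiceDigitalIdentity><DigitalId>
            <X509Certificate>{b64}</X509Certificate>
          </DigitalId></ServiceDigitalIdentity>
          <ServiceStatus>{status}</ServiceStatus>
        </ServiceInformation></TSPService>"""


# Constructed sample list: one granted qualified CA (kept), one withdrawn CA
# (skipped) and one time-stamping service (skipped, wrong service type).
SAMPLE_TSL = f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="{TSL_NS}">
  <TrustServiceProviderList><TrustServiceProvider><TSPServices>
    {_service(CA_QC, GRANTED, "Example Qualified CA", b"placeholder-der-ca-1")}
    {_service(CA_QC, WITHDRAWN, "Retired CA", b"placeholder-der-ca-2")}
    {_service(TSA_QTST, GRANTED, "Example TSA", b"placeholder-der-tsa")}
  </TSPServices></TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block with 64-column base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_ca_certs(xml_text: str, service_types=(CA_QC,), statuses=(GRANTED,)):
    """Return [{name, fingerprint, der}] for services matching type and status.

    Certificates that fail base64 validation are skipped, and duplicates
    (same SHA-256 over the DER) are reported only once."""
    root = ET.fromstring(xml_text)
    found, seen = [], set()
    for svc in root.iterfind(".//tsl:TSPService", NS):
        info = svc.find("tsl:ServiceInformation", NS)
        if info is None:
            continue
        stype = (info.findtext("tsl:ServiceTypeIdentifier", "", namespaces=NS) or "").strip()
        status = (info.findtext("tsl:ServiceStatus", "", namespaces=NS) or "").strip()
        if stype not in service_types or status not in statuses:
            continue
        name = (info.findtext("tsl:ServiceName/tsl:Name", "", namespaces=NS) or "").strip()
        path = "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate"
        for cert_el in info.iterfind(path, NS):
            b64 = "".join((cert_el.text or "").split())  # lists often wrap the base64
            try:
                der = base64.b64decode(b64, validate=True)
            except (binascii.Error, ValueError):
                continue
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen:
                continue
            seen.add(fp)
            found.append({"name": name, "fingerprint": fp, "der": der})
    return found


def write_pem_dir(certs, directory: str):
    """Write one <sha256>.pem per certificate into its own directory."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for c in certs:
        p = os.path.join(directory, c["fingerprint"] + ".pem")
        with open(p, "w", encoding="ascii") as fh:
            fh.write(to_pem(c["der"]))
        paths.append(p)
    return paths


if __name__ == "__main__":
    # Hypothetical target directory, separate from the browser CA bundle.
    for p in write_pem_dir(extract_ca_certs(SAMPLE_TSL), "./eutl-ca-example"):
        print(p)
```

Pointing a verifier at a directory produced this way (rather than at the system or NSS browser store) is what keeps the eIDAS CAs isolated as suggested above; the same extraction applies to each national list the LOTL points to.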
Some useful links:
- https://ec.europa.eu/digital-single-market/en/eu-trusted-lists
- https://webgate.ec.europa.eu/tl-browser/#/
- https://tsl.belgium.be/
- https://en.wikipedia.org/wiki/Trust_service_provider
- https://ec.europa.eu/digital-single-market/en/policies/trust-services-and-eidentification
If any further information is required, I will try to help as much as I
can. I'm however not a specialist within eIDAS or eSignatures (and not a
lawyer either), but happen to think eSignatures are a safer option with
the ongoing pandemic and a good way to save a tree by using less paper.