Trust relationship between verifiers and signers

DigSig trust relationships are established using the same existing mechanisms as utilised in Public Key Infrastructure. DigSigs utilises existing SSL infrastructure to ensure the validity of the Domain Authority SSL certificate. The private key of the Domain Authority SSL certificate can then be used to create and sign CID and DDD specific DigSig Certificates.

DigSig Certificates are signed by DigSig Domain Authorities who in turn have their certificates signed by standard Certification Authorities.

DigSig Certificates distribution

The ISO/IEC 20248 specification dictates how DigSig Certificates are to be distributed to remote offline verifiers. All DigSig Certificates manifest in the form X.509 compliant certificates that has the DDD embedded in a certificate extension as described in the specification.

When a DigSig is composes according to specification then it will be prefixed with what is referred to as a DAID code.DAID codes are ISO/IEC 15459-2 compliant IAC CIN codes which are to be registered as dictated by the standard. DAID codes can then be resolved to a specific Domain Authority URI using a repository service such as https://repository.20248.org

Revocation of individual DigSigs

The ISO/IEC 20248 specification provides a mechanism for automatically discovering and downloading DigSig revocation lists. This allows offline verifiers in the field to be able to periodically update revocation lists from the revocation service specified in the DDD.

The ISO/IEC 20248 DigSig revocation scheme has the following advantages:

Z

No private information is stored by the revocation service because only hashes of digsigs are stored

Z

Revocation lists are securely distributed and signed

Z

Revocation lists can be partially updated

Verifiers are expected to maintain a local revocation list per CID so that they can perform local lookups.

Updated revocation lists for a specific CID can be downloaded from:

<revocationuri>?daid=<DAID>&cid=<CID>[&locallistend=999][&downloadlimit=999]

The revocation service will respond with a DigSig containing a list of the revoked DigSigs as defined in the standard.