Introduction
JUDSYS-1 is a standard meant to replace CMS/CAdES, XML-DSIG/XAdES, PAdES (PDF) and other digital signature systems.
The JUDSYS project aims to develop both the standard and end user applications.
This is mainly intended for Brazil, but it should be able to work for other countries with minimal or no changes.
Design Principles
- Keep it as simple as possible without sacrificing usability.
- Make it easy for programmers as well as end users.
- Prioritize interoperability.
- Internationally usable.
- Use only well-known algorithms and prefer quantum-resistant ones.
Current Status
The specification draft is not even half complete.
Why the name?
JUDSYS-1 means: JSON Unified Digital Signatures System Standard 1.
I also like how the name sounds like judicial and juris.
Contribute
If you want to help or comment on this project, please file an issue on GitHub (English only) or use either the Portuguese contact form or the English contact form.
Motivations
Currently, ITI, the government body responsible for ICP-Brasil, Brazil’s PKI (Public Key Infrastructure), endorses three different standards: CAdES, XAdES and PAdES.
Since they are all based on X.509, which is used in SSL, there should be an abundance of good software libraries and end user applications to support at least one of these standards.
This is not the case. While there have been some efforts to write open source libraries and end user applications for ICP-Brasil, they are hard to find and most seem unfinished and abandoned.
ITI provides a digital signature verification web tool, but it is only for CAdES and doesn’t seem to work well.
PAdES is a monster of its own kind. In an attempt to replicate the paper experience in the digital world, a PDF file can be signed, edited and re-signed by another person, so that each person signs a different version of the same document within the same file. This is both hard to implement and hard to explain to end users.
To make matters worse, PDF readers almost never come with the necessary CAs to verify ICP-Brasil digital signatures.
Perhaps as a result of this mess of different standards, the ITI admits that no one is obliged to accept digital signatures in Brazil:
Given the authenticity generated by the usage of ICP-Brasil digital certificates, is it correct to assert that everyone (government bodies, banks, private citizens, etc.) must accept them?
The answer is negative. As noted, ICP-Brasil confers legal validity to electronic manifestations. However, no entity nor government body nor private agent is required, ex lege, to accept digitally signed electronic documents.
And this is for a simple reason: in spite of the fact we live in an information society, many entities, both public and private, do not yet find themselves adherent to this new technological paradigm. They may even simply lack the necessary equipment to receive, verify and store digitally signed documents.
Original (in Portuguese): http://www.iti.gov.br/perguntas-frequentes/41-perguntas-frequentes/567-questoes-juridicas#r21.
This situation is unacceptable. We need a digital signature standard that:
- Is easy for programmers to implement, including reference libraries in multiple languages.
- Is easy for ordinary people to use on a day to day basis.
- Has strict rules to avoid interoperability problems.
- Has mandatory acceptance by law.
JUDSYS aims to provide a digital signature standard that addresses the first three points. And, hopefully, this standard may fulfil the fourth point in the (not so) near future.
Some features and non-features (many are still just ideas)
- Unicode support everywhere.
- Standardized file extensions.
- Only two signature types: regular and timestamped.
- Only detached signatures. This is to make backups, interoperability and users' lives easier.
- Simple and consistent JSON syntax with base64 to avoid canonicalization problems.
- Minimal number of allowed algorithms in order to make implementations and interoperability easier.
- Single document for all the rules (timestamps, CA rules, hardware interaction, user interaction and naming conventions).
- Anyone can issue proofs of attribute (a similar idea to attribute certificates). This makes it easy for companies to change job titles that should appear on signatures made by their employees. This also makes it easier for people to allow others to act in their name.
- Standardized web APIs for time-stamp authorities and checking the certificate status.
- Rules about how to mix paper and digital signatures.
- Rules about “trusted scans”.
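
The detached-signature and base64 items in the list above, illustrated as an added example; this is not JUDSYS code or its file format. The field names `signed`, `signature` and `doc_sha256` and the helper names are hypothetical, and HMAC-SHA256 with a constructed key stands in for a real signature algorithm so the example runs with only the standard library.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed; HMAC is a stand-in for a real signature

def mac(data: bytes) -> str:
    return base64.b64encode(hmac.new(KEY, data, hashlib.sha256).digest()).decode()

def sign_detached(document: bytes, attrs: dict) -> str:
    """Return the text of a detached signature file for `document`."""
    attrs = dict(attrs, doc_sha256=hashlib.sha256(document).hexdigest())
    # Serialize the signed attributes once; these exact bytes are what is signed.
    signed_bytes = json.dumps(attrs, ensure_ascii=False).encode("utf-8")
    return json.dumps({"signed": base64.b64encode(signed_bytes).decode(),
                       "signature": mac(signed_bytes)})

def verify_detached(document: bytes, sig_file: str) -> dict:
    """Return the signed attributes, or raise ValueError if verification fails."""
    outer = json.loads(sig_file)
    signed_bytes = base64.b64decode(outer["signed"], validate=True)
    # Verify over the decoded bytes, never over re-serialized JSON.
    if not hmac.compare_digest(mac(signed_bytes), outer["signature"]):
        raise ValueError("bad signature")
    attrs = json.loads(signed_bytes)
    if attrs["doc_sha256"] != hashlib.sha256(document).hexdigest():
        raise ValueError("document does not match the signature file")
    return attrs

def naive_verify(attrs_json: str, signature: str) -> bool:
    """Fragile alternative: the signature covers JSON text as it arrives."""
    return hmac.compare_digest(mac(attrs_json.encode("utf-8")), signature)

def reserialize(text: str) -> str:
    """Simulate a tool that parses the JSON and writes it back differently."""
    return json.dumps(json.loads(text), sort_keys=True, indent=2)

if __name__ == "__main__":
    doc = b"constructed sample document"
    sig = sign_detached(doc, {"signer": "Ana", "type": "regular"})
    print(verify_detached(doc, reserialize(sig)))  # still verifies after reformatting
    raw = '{"type": "regular", "signer": "Ana"}'
    print(naive_verify(reserialize(raw), mac(raw.encode())))  # reformatting breaks it
```

Without the base64 wrapper, every implementation would have to agree on a canonical JSON form before hashing, which is the kind of interoperability problem XML-DSIG canonicalization is known for.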