Swisscom CA 4
Certificates, CP/CPS and further information available under: https://www.swisscom.ch/de/business/enterprise/angebot/security/digital_certificate_service.html
With the introduction of the new issuing Diamant and Saphir CA 4, the padding algorithm used for the signature changes from the current RSASSA-PKCS1-v1_5 to the new RSASSA-PSS. The key size also increases from 2048 to 3072 bits. Client implementations must make sure that no validation errors occur in their source code if they use a third-party library that does not support the algorithm yet.
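A preflight check for the padding change described above, as an added example that is not part of the Swisscom samples: it confirms that the Java runtime can create and verify an RSASSA-PSS signature with a 3072-bit key, and that a verifier fixed to RSASSA-PKCS1-v1_5 rejects it. The class name, the locally generated throwaway key, and the PSS parameters (SHA-256, MGF1 with SHA-256, 32-byte salt) are assumptions; the page does not state the parameters the CA uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;

public class PssPreflight {
    // Assumed PSS parameters; the page does not specify them.
    static final PSSParameterSpec PSS =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);

    static Signature pss() throws GeneralSecurityException {
        // Throws NoSuchAlgorithmException when no installed provider offers RSASSA-PSS.
        Signature s = Signature.getInstance("RSASSA-PSS");
        s.setParameter(PSS);
        return s;
    }

    public static void main(String[] args) throws Exception {
        // Throwaway 3072-bit key generated locally; it only stands in for the new key size.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "constructed sample document".getBytes(StandardCharsets.UTF_8);

        Signature signer;
        try {
            signer = pss();
        } catch (NoSuchAlgorithmException e) {
            System.out.println("RSASSA-PSS not available in this runtime: " + e.getMessage());
            return;
        }
        signer.initSign(kp.getPrivate());
        signer.update(data);
        byte[] sig = signer.sign();
        System.out.println("signature value: " + sig.length + " bytes");

        Signature verifier = pss();
        verifier.initVerify(kp.getPublic());
        verifier.update(data);
        System.out.println("PSS verifier accepts: " + verifier.verify(sig));

        // A validator hard-wired to RSASSA-PKCS1-v1_5 cannot be reused for PSS signatures.
        Signature legacy = Signature.getInstance("SHA256withRSA");
        legacy.initVerify(kp.getPublic());
        legacy.update(data);
        boolean ok;
        try { ok = legacy.verify(sig); } catch (SignatureException e) { ok = false; }
        System.out.println("PKCS1-v1_5 verifier accepts: " + ok);
    }
}
```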
With the introduction of new certificates for the issuance of timestamps and advanced and qualified digital signatures, the size of the signature object will increase slightly. Client implementations must consider this, since the approximate size of the signature must be calculated beforehand. This page will include some numbers which should help to adapt the code accordingly, if necessary.
The sample numbers below show the impact on the signature size in the following cases:
- The current issuing Swisscom Saphir and Diamant CA 2 with the current Timestamp Service TSA 3
- The current issuing Swisscom Saphir and Diamant CA 2 with the upcoming Timestamp Service TSU 4.1
- The upcoming issuing Swisscom Saphir and Diamant CA 4 with the current Timestamp Service TSA 3
- The upcoming issuing Swisscom Saphir and Diamant CA 4 with the upcoming Timestamp Service TSU 4.1
Both the new issuing CAs and the new Timestamp service have an impact on the size of the signature.

Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size (bytes) |
---|---|---|---|---|
Organization | Saphir CA 2 | Root CA 2 | TSA 3 | 12408 |
Personal Advanced | Saphir CA 2 | Root CA 2 | TSA 3 | 12765 |
Personal Qualified | Diamant CA 2 | Root CA 2 | TSA 3 | 12964 |
Timestamp | TSS CA 2 | Root CA 2 | TSA 3 | 8760 |

Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size (bytes) |
---|---|---|---|---|
Organization | Saphir CA 2 | Root CA 2 | TSU 4.1 | 15310 |
Personal Advanced | Saphir CA 2 | Root CA 2 | TSU 4.1 | 15666 |
Personal Qualified | Diamant CA 2 | Root CA 2 | TSU 4.1 | 15863 |

The "Timestamp" row is omitted from this table since it is equal to the one in the last table.

Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size (bytes) |
---|---|---|---|---|
Organization Advanced | Saphir CA 4 | Root CA 4 | TSA 3 | 15020 |
Organization Qualified | Diamant CA 4 | Root CA 4 | TSA 3 | 15387 |
Personal Advanced | Saphir CA 4 | Root CA 4 | TSA 3 | 15332 |
Personal Qualified | Diamant CA 4 | Root CA 4 | TSA 3 | 15743 |

The "Timestamp" row is omitted from this table since it is equal to the one in the first table.

Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size (bytes) |
---|---|---|---|---|
Organization Advanced | Saphir CA 4 | Root CA 4 | TSU 4.1 | 17921 |
Organization Qualified | Diamant CA 4 | Root CA 4 | TSU 4.1 | 18288 |
Personal Advanced | Saphir CA 4 | Root CA 4 | TSU 4.1 | 18344 |
Personal Qualified | Diamant CA 4 | Root CA 4 | TSU 4.1 | 18644 |
Timestamp | TSS CA 4.1 | Root CA 4 | TSU 4.1 | 12134 |

Comparing the first and the fourth tables, we observe an increase of:
- around 3 000 bytes for the timestamp
- around 5 000 bytes for the signatures
Taking as a reference the Swisscom All-In Signing iText samples available under this GitHub account, the client implementation estimates a size of 30 000 bytes for CMS signatures and 15 000 bytes for timestamps. These numbers still work with the increased sizes. However, it is up to the reader to decide whether the estimated sizes should be increased accordingly in the source code of the client implementation.