“Applications-Driven PKI”

This paper presents two related activities, the first is the OASIS Digital Signature Services (DSS) standard, the second is the application of digital signatures to electronic invoicing as recognised under recent European legislation. DSS can be used to support a range of signature formats including the binary “cryptographic message syntax” and XML signatures, as well as related extended formats for “advanced electronic signatures” defined in European standards. The DSS standard is built around the general XML web based services structure and can be used with HTTP and SOAP transport protocols. The paper describes how DSS supports the needs of eInvoicing signature creation and verification, minimising the per user installation costs, improving security and reducing the need for revocation. It also describes how DSS verification greatly simplifies the complexity of user systems and facilitates centralised management of security within an organisation. Finally, the paper considers the requirements for maintaining the verifiability of signed invoices stored over a period of around 10 years and how this can be met by DSS verification services with time-stamping and / or archive services. E-Invoicing in Europe A directive was issued in 2001 with the aim of harmonising the requirements relating to “Value Added Tax” (VAT) in Europe [VATDirective]. This tax is a form purchase tax but is applicable to all sales including supplies of goods between companies to which value is added (hence the name value added tax). VAT legislation requires invoices be produced and recorded on all sales to which VAT is applicable and there are pan European rules on how this tax is itemised to facilitate auditing of the tax collection. The recent directive on VAT harmonisation defines further rules for the form of VAT invoices, including requirements for the security of electronic invoices. It states that: “Invoices sent by electronic means shall be accepted by Member States provided that the authenticity of the origin and integrity of the contents are guaranteed ..” The VAT directive then goes on to identify alternative solutions to providing such protection including protection using a form of digital signature based on a PKI (referred to in EU legislation as an “advanced electronic signature”). Records of these signed e-invoices need to be kept for a number of years, varying from country to country, but can be up to 10 years or more. It 6th Annual PKI R&D Workshop Proceedings