FOAF Manager
- When I semantically sign a FOAF, a lot of information is added to the original FOAF. What is this new information?
It is a set of references that make it possible to verify the signature later. It is the reification of the signed triples: reification adds statements about a triple, and in this case those statements record that the triple was signed and reference its semantic signature.
- What is a triple? What are subjects, predicates and objects?
In the context of Semantic Web languages, a triple is a statement about a resource. It can be thought of as a simple phrase in which someone (the subject) says something (the predicate) about another resource (the object).
- Why do I need to enter my password to sign semantically?
The semantic signature is generated with the private key held on the server. To authorize the server to use this key only on your behalf, you give your consent by entering your password.
- What is the semantic signature?
The semantic signature is an electronic signature designed to protect documents in semantic formats, such as RDF and OWL. In contrast to a traditional signature, the semantic signature is abstracted from how the information is written: it validates the integrity of the concepts contained in the document rather than the document's syntax.
- When I entered FOAF Manager for the first time, there was already a FOAF file in the "Administration table". How was it created? What is it for?
When you register in the portal, a FOAF profile is created with the personal information you provide. This is an example profile to get you started with FOAF Manager.
- How do I display a FOAF file I have generated and signed?
You can download a FOAF file and its signature by selecting the file in the "Administration table" and clicking on "Download". For published FOAF files, the URL address of the signature is also displayed.
- What does the message "This viewer only supports FOAF files that are well-formed. See FOAF Specification" mean?
The FOAF profile viewer only works with well-formed files, that is, files with correct RDF/XML syntax that comply with the FOAF specification. If no data is displayed in this widget, the FOAF you are trying to display may be incorrectly formed.
- What is FOAF? What is FOAF Manager for?
FOAF (Friend Of A Friend) is a vocabulary for describing people, their activities and their connections with other people. Users can create one or more profiles expressed in FOAF to describe themselves. FOAF Manager helps to create these profiles and to import them from the social networks in which users are registered. The FOAF files in FOAF Manager use the RDF/XML syntax.
- What are "Published" and "Unpublished" FOAF files?
"Published" FOAF files are publicly available on the Internet via the URL address indicated by the application; anyone can access them. In contrast, "Unpublished" FOAF files can only be accessed by the user who created them, through the FOAF Manager application.
gOTP and Graphical Password
Interidy Identity Provider
- What is an Information Card?
Information Cards (also known as i-cards or InfoCards) are the digital equivalent of physical identification documents such as driver's licenses, bank cards and loyalty cards. See this article for more information.
- What is Eclipse Higgins?
Eclipse Higgins is an open source project whose aim is to give users more control over their personal identities, profiles and data in social networks.
- I have created a Self-Issued Card with all my data. When I inspect the card with the CardSpace or Azigo selectors, some claims are missing. Why does this happen?
Some claims may not appear because of a limitation of the card generation service, CardSync, which only allows the card to include a subset of the claims supported by Interidy Identity Provider.
- When I import a valid certificate, why is the extracted data marked as non-verified information?
The application checks that the rating given by PKI Trust Center to the policy under which the certificate was issued is high enough for the policy to be considered trusted (see this FAQ). Data extracted from a certificate whose policy does not reach that rating is marked as non-verified.
- The "Import from X.509" functionality does not let me select any certificate, or it automatically selects one that I don't want. How do I fix this?
At some point you may have chosen an invalid certificate with the option for remembering the decision checked, so the application no longer displays the full list of installed certificates. To fix this problem, delete the active sessions in your browser.
- What is the difference between an Attribute Card and an Authentication Card? Which do I use to authenticate in the portal?
An "Attribute Card" contains the identity information you entered when you generated it. You can use it to fill out forms and provide personal data to other service providers.
An "Authentication Card" only contains your identifier. To authenticate in the portal, you need to generate an "Authentication Card".
- In what services can I use the Interidy IdP authentication I-Card?
Currently, you can only use the I-Cards to authenticate in Semantic Web Trust Portal.
- What does it mean that the data is highlighted in green?
A distinction is made between verified and non-verified data. Verified data comes from a trusted source, such as the electronic DNI, and is highlighted in green so that it can be easily recognized.
- Can I import a FOAF file generated in FOAF Manager or PKI Trust Center?
Yes. You can import any FOAF file, and if you have signed it with FOAF Manager or PKI Trust Center, you can also import the file's signature.
- How do I import the data from my electronic DNI (Spanish national ID card)?
To import data from your electronic DNI, you need a smart-card reader and the software available from the official DNIe website. In Interidy Identity Provider, click on "Import from DNIe" and follow the wizard's instructions.
- How do I change my data and the password I selected when I registered?
There are two ways of changing the information you entered during the registration process:
- By accessing PKI Webtop. Go to the "User details" service to browse and make changes to the data you entered when you registered.
You can also change the portal-access password, but note that the password of the PKCS#12 (with its key pair) generated during registration cannot be changed.
- By accessing Interidy IdP. In the "Manage profile" screen, the data you entered when you registered is displayed as "non-verified". Make the changes and click on "Save all". You cannot change your password from this application.
- Why can't I access Interidy IdP?
You have to authenticate with your password before you can access the Interidy IdP application.
- Why does CardSpace not accept I-Cards issued by Interidy IdP?
For CardSpace to accept Interidy IdP as a trusted identity provider for authenticating with I-Cards, you must install the Interidy IdP certificate in the "Trusted People" store in Windows (and restart the explorer).
PKI Trust Center
- What is the "Export to FOAFManager" button in the "Get a semantically signed FOAF" menu for?
The "Export to FOAFManager" button exports the FOAF and the semantic signature generated in PKI Trust Center to the FOAF Manager application, where you can view the FOAF and validate the signature.
- What is the semantic signature?
The semantic signature is an electronic signature designed to protect documents in semantic formats, such as RDF and OWL. In contrast to a traditional signature, the semantic signature is abstracted from how the information is written: it validates the integrity of the concepts contained in the document rather than the document's syntax.
- When I enter "Get a signed FOAF", why do I see a list of certificates to choose from?
These are the certificates installed in your browser or inserted in your card reader. Select the certificate you want to use to generate the FOAF. Note that the CA that issued the certificate must be included in the catalog (more information). Once the FOAF is generated, the system checks that the policy under which the certificate was issued is trusted (more information); if the certificate is found to be trusted, the FOAF can be signed with the application.
- When does the application consider a policy to be trusted?
When the policy has a trust rating higher than 50%.
- In the "Get a signed FOAF" functionality, why do I get the message "Please, select a valid certificate" when I insert a valid certificate?
You get this message when the certificate you are trying to generate a FOAF with is not registered in the application's catalog. To generate a signed FOAF using your certificate, request the inclusion of the CA that issued it with the "Add CA" option, so that the administrator can register it.
- The "Get a signed FOAF" functionality does not let me select any certificate, or it automatically selects one that I don't want. How do I fix this?
At some point you may have chosen an invalid certificate with the option for remembering the decision checked, so the application no longer displays the full list of installed certificates. To fix this problem, delete the active sessions in your browser.
- What is a CA? What is a CPS? What is a Policy? What is the role of an Organization?
PKI Trust Center has a catalog of information on the recognized entities that take part in PKI services, chiefly electronic signature, data encryption, and the authentication of users and systems. The catalog deals with the following concepts:
- A CA (Certification Authority) is a trust entity that issues and revokes digital certificates used in public-key cryptography.
- A CPS (Certification Practice Statement, or Declaration of Certification Practices) is a document in which a Certification Authority describes the procedures it follows during the life cycle of its certificates. It describes the content of the certificates (grouped in policies) and includes the contact information of the Certification Authority.
- A policy describes the characteristics of certificates issued by a Certification Authority. The policies that a Certification Authority can use are described in its Declaration of Certification Practices.
- The Organization is the legal entity that manages one or more Certification Authorities. Each Certification Authority is managed by an Organization.
The following figure (not reproduced here) illustrates how these elements relate.
Owing to dependencies between the elements in the catalog, you should register the information in this order: Organization > Certification Authority > Policy > CPS.
- How is policy trust calculated?
As there is no completely objective value for trust, it is calculated by mining data: the system learns from each policy added to the catalog, so the value becomes more accurate over time. The parameters used for this calculation are the signature algorithm, the key length, the certificate format, and whether the issuing process requires physical presence and the presentation of an ID document.
- What do I need to generate a signature in a test document?
You need a certificate issued by a Certification Authority listed in the catalog. Install the certificate in your browser, or use a card reader if the certificate is on a card (such as the electronic DNI, the Spanish ID card).
- What is the logical order for adding information to the catalog of Certification Authorities?
Owing to dependencies between the elements in the catalog, you should register the information in this order:
- Organization
- Certification Authority
- Policy
- CPS
- What happens when I send a request for registering a Certification Authority?
When you request the registration of a Certification Authority, the request is sent to an administrator, who registers the CA in the system. If information is missing or a problem occurs during this process, the administrator will contact you via the application's messaging system. Once the request is validated or rejected, you are sent a message with the result via the same system.
- How much information do I need to send to request the registration of a Certification Authority?
To make the administrator's task easier, send all the information you have on the Certification Authority. Leaving out information or including incorrect information can lead to the rejection of your request.
- Why do I get a warning saying PKI TrustCenter has non-secure elements? Is it really safe to enter?
PKI Trust Center, like the rest of the portal's applications, uses the HTTPS secure protocol, so the data you enter is sent encrypted across the Internet. The warning is displayed because PKI Trust Center, as part of its functionality, locates organizations via Google Maps, which is loaded over plain HTTP; it is these map resources, not your data, that the browser flags as non-secure.
- What can I do with the FOAF file I generate?
You can import the FOAF file into FOAF Manager and Interidy IdP.
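The semantic signature and the reification described in the FOAF Manager and PKI Trust Center answers above can be seen end to end in the following added example. It is not the code of either application: it is a Python illustration written for this FAQ. The server-held private key is stood in for by a constructed HMAC key, and the sig: namespace with its signature predicate is an assumption; everything else (the rdf:Statement reification vocabulary, the FOAF terms) is standard RDF.

```python
# Added example (not FOAF Manager's or PKI Trust Center's code): a minimal
# "semantic signature" over a set of RDF triples, plus the reification triples
# that record which triples were signed. The server's private key is stood in
# for by a constructed HMAC key; the sig: namespace is an assumption.
import hashlib
import hmac

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FOAF = "http://xmlns.com/foaf/0.1/"
SIG = "http://example.org/semsig#"  # hypothetical namespace for this example


def uri(u):
    """Render an IRI as an N-Triples term."""
    return f"<{u}>"


def lit(text):
    """Render a plain literal as an N-Triples term (escaping backslashes and quotes)."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def canonical_form(triples):
    """Serialise the triples in one fixed form: one N-Triples line each, sorted.
    Two RDF/XML files that differ only in element order, whitespace or namespace
    prefixes parse to the same set of triples and therefore give the same string,
    which is what makes the signature independent of the document's syntax."""
    return "\n".join(sorted(f"{s} {p} {o} ." for s, p, o in triples))


def semantic_sign(triples, key):
    """Sign the digest of the canonical form (HMAC stands in for a private-key signature)."""
    digest = hashlib.sha256(canonical_form(triples).encode("utf-8")).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def semantic_verify(triples, key, signature):
    """Re-derive the signature from the triples as parsed and compare in constant time."""
    return hmac.compare_digest(semantic_sign(triples, key), signature)


def reify(triples, signature_uri):
    """Produce the extra triples a semantic signature adds to the document: one
    rdf:Statement node per signed triple, each pointing at the signature resource."""
    extra = []
    for i, (s, p, o) in enumerate(triples):
        node = f"_:signed{i}"  # blank node naming one signed statement
        extra += [
            (node, uri(RDF + "type"), uri(RDF + "Statement")),
            (node, uri(RDF + "subject"), s),
            (node, uri(RDF + "predicate"), p),
            (node, uri(RDF + "object"), o),
            (node, uri(SIG + "signature"), uri(signature_uri)),  # assumed predicate
        ]
    return extra


# Constructed sample profile: the same three statements in two different orders,
# as two differently serialised RDF/XML files would parse to.
ALICE = uri("https://example.org/people/alice#me")
PROFILE_A = [
    (ALICE, uri(RDF + "type"), uri(FOAF + "Person")),
    (ALICE, uri(FOAF + "name"), lit("Alice Example")),
    (ALICE, uri(FOAF + "knows"), uri("https://example.org/people/bob#me")),
]
PROFILE_B = [PROFILE_A[2], PROFILE_A[0], PROFILE_A[1]]
# A tampered copy: one literal changed.
TAMPERED = PROFILE_A[:1] + [(ALICE, uri(FOAF + "name"), lit("Mallory"))] + PROFILE_A[2:]

SERVER_KEY = b"constructed-server-key-for-this-example"  # stand-in for the server-held key


def demo():
    """Return (reordered profile verifies, tampered profile is rejected, reification size)."""
    sig = semantic_sign(PROFILE_A, SERVER_KEY)
    return (
        semantic_verify(PROFILE_B, SERVER_KEY, sig),
        not semantic_verify(TAMPERED, SERVER_KEY, sig),
        len(reify(PROFILE_A, "https://example.org/sigs/alice-1")),
    )


if __name__ == "__main__":
    print(canonical_form(PROFILE_A))
    for triple in reify(PROFILE_A, "https://example.org/sigs/alice-1"):
        print(*triple, ".")
    print(demo())
```

The example only handles IRIs and literals; a real FOAF profile usually contains blank nodes (for example for foaf:knows entries without a URI), and canonicalising those requires a proper graph canonicalisation algorithm rather than a plain sort. Whatever the signing scheme, the reification triples are themselves unsigned metadata: a verifier must recompute the signature over the signed triples and must not treat the presence of rdf:Statement nodes as evidence on its own.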
PKI Webtop
- Why does the document explorer not have such-and-such functionality?
The document explorer has functionality similar to that of the file explorers found in the most common operating systems. If there is a particular function you think should be included, let us know via the Feedback button and we will see whether it can be added.
- How can I find out which users are registered in the system so that I can send them signature requests and share directories?
This is not currently possible. You need to know the username of the person you want to send the request to or share directories with. The system checks that the usernames are registered when you send the requests and returns an error if it finds a username to be invalid.
If you think this would be a useful function for PKI Webtop, let us know via the Feedback button.
- Can I use a PKCS#12 issued by another provider to sign or encrypt data?
Yes. You can import your own PKCS#12 files using the "User details" service, as long as they include the whole certification chain. However, to be able to use your keys, the system must trust the Certification Authority (CA) that issued them; use PKI Trust Center to register the CA in the system. Once you have carried out these steps, you can use the imported PKCS#12 to perform PKI Webtop security operations (e.g., signing and encrypting data).
- What is the public key infrastructure (PKI)? What services does it offer?
The public key infrastructure (PKI) is a structure that links public keys with their owners via an entity (a Certification Authority) that is trusted by the parties involved in the communication. This guarantees that a public key belongs to a specific owner, and it is what allows the digital-signature and data-encryption services to be trusted.
- What are the encryption, signature-generation and signature-verification policies?
To carry out encryption, signature-generation and signature-verification operations, certain parameters need to be defined in policies. PKI Webtop has a predefined set of policies that users can select.
Encryption, signature-generation and signature-verification policies comprise one or more rules that define how these operations are performed. In turn, these rules define a certificate-validation policy for validating the signer's certificate.
The policies that can be selected in the encryption, signature-generation and signature-verification processes are configured in TrustedX.
- What documents can I sign and encrypt?
You can sign and encrypt any document uploaded to PKI Webtop from your PC and any file uploaded to your account.
- What is the size limit for uploading files to PKI Webtop?
You can upload files of up to 3 MB.
- What space restrictions does PKI Webtop have?
Each user can store up to 50 MB in PKI Webtop.
- What is a PKCS#12?
PKCS (Public Key Cryptography Standards) is a group of public key cryptography standards. PKCS#12 in particular defines the Personal Information Exchange syntax. It is a file format commonly used for storing private keys together with their public-key certificates, and it is protected by a password (or symmetric key).
QR-Scan OTP
- How long do I have to complete the authentication?
You have one minute in the online mode. In the offline mode there is no time limit, but you have a maximum of three attempts to correctly enter the one-time password.
- I have downloaded and installed the application on my mobile. Now what?
The first step is to initialize the application: execute it and enter the username and password you use to access Semantic Web Trust Portal.
The QR-Scan OTP application uses the cryptographic keys generated when you registered in Semantic Web Trust Portal that are stored in a PKCS#12 file. To use them, you need to unlock this file:
- If you have not changed your Semantic Web Trust Portal password since registering, the QR-Scan OTP unlocks the PKCS#12 file automatically.
- If, at some stage, you changed your Semantic Web Trust Portal password with the PKI Webtop application, QR-Scan OTP asks you to enter the original password to unlock the PKCS#12 file.
- How do I install the application on my mobile?
You can download it from Android Market.
- What password do I use to activate the application on my telephone?
The password for activating the application is the same one used to protect the PKCS#12 file generated when you registered in Semantic Web Trust Portal (see this FAQ).
- Does the mobile phone have to connect to the Internet to perform the authentication?
No, you can use the application in offline mode, which does not require the mobile to have a data connection.
- What information does the QR code contain?
The QR code contains a session challenge, which is a set of data that the server and the QR-Scan OTP application exchange to recognize each other and carry out the authentication. This data includes a random number for each session and a time-stamp, both signed by the server.
- What are QR-Scan OTP's operating modes?
The QR-Scan OTP application has two operating modes:
- Online: the user photographs the QR code that appears on screen, and the application takes care of the rest of the authentication process. To use this operating mode, the mobile phone must have a data connection.
- Offline: the user photographs the QR code that appears on screen and the application generates a one-time alphanumeric password that must be entered manually in Semantic Web Trust Portal. In this operating mode, the mobile does not require a data connection during the authentication processes.
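The challenge the QR code carries, the one-minute online window and the three-attempt offline limit described in the answers above, as an added example that is not the QR-Scan OTP application's or the portal's code. It stands in for the server's signing key and for the user's PKCS#12 key pair with constructed HMAC keys (so both sides share a secret, unlike the real public-key setup), and the challenge field names nonce and ts are assumptions.

```python
# Added example (not QR-Scan OTP or portal code): the session challenge the FAQ
# describes (random number + time-stamp, signed by the server), the one-minute
# online window, and an offline one-time password with a three-attempt limit.
# Server and user keys are constructed HMAC keys standing in for the real server
# key and the user's PKCS#12 key pair; the field names "nonce"/"ts" are assumed.
import base64
import hashlib
import hmac
import json
import os

ONLINE_WINDOW_SECONDS = 60  # "one minute in the online mode"
OFFLINE_MAX_ATTEMPTS = 3    # "a maximum of three attempts"
# 32 symbols without look-alikes; 256 % 32 == 0, so byte % 32 is unbiased.
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _payload_bytes(body):
    # Deterministic encoding so both sides sign/verify exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_challenge(server_key, now, nonce=None):
    """Server side: build the challenge that is encoded in the QR code."""
    nonce = nonce if nonce is not None else base64.b64encode(os.urandom(16)).decode()
    body = {"nonce": nonce, "ts": int(now)}
    return {"payload": body, "sig": _mac(server_key, _payload_bytes(body))}


def check_challenge(qr, server_key, now, window=ONLINE_WINDOW_SECONDS):
    """Mobile side: accept the challenge only if the server's signature is valid
    and the time-stamp is still inside the window. Returns the payload or None."""
    if not hmac.compare_digest(_mac(server_key, _payload_bytes(qr["payload"])), qr["sig"]):
        return None  # not signed by the server: a QR code from somewhere else
    age = int(now) - qr["payload"]["ts"]
    if age < 0 or age > window:
        return None  # expired (or a time-stamp from the future)
    return qr["payload"]


def offline_otp(challenge, user_key, length=8):
    """Offline mode: derive the alphanumeric one-time password from the challenge
    with the user's key; the server derives the same value to compare against."""
    msg = f"{challenge['nonce']}|{challenge['ts']}".encode()
    mac = hmac.new(user_key, msg, hashlib.sha256).digest()
    return "".join(OTP_ALPHABET[b % len(OTP_ALPHABET)] for b in mac[:length])


class OfflineSession:
    """Server side for one offline challenge: no time limit, at most three guesses."""

    def __init__(self, challenge, user_key):
        self.expected = offline_otp(challenge, user_key)
        self.attempts = 0
        self.locked = False

    def submit(self, otp):
        if self.locked:
            return "locked"
        self.attempts += 1
        if hmac.compare_digest(otp, self.expected):
            self.locked = True  # a challenge is single-use
            return "ok"
        if self.attempts >= OFFLINE_MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "retry"


def demo():
    """Run both modes on a constructed challenge and return the observed outcomes."""
    server_key, user_key = b"constructed-server-key", b"constructed-user-key"
    qr = make_challenge(server_key, now=1_700_000_000, nonce="constructed-nonce")
    fresh = check_challenge(qr, server_key, now=1_700_000_030) is not None
    stale = check_challenge(qr, server_key, now=1_700_000_061) is None
    forged = dict(qr, sig="00" * 32)
    rejected = check_challenge(forged, server_key, now=1_700_000_030) is None
    session = OfflineSession(qr["payload"], user_key)
    good = offline_otp(qr["payload"], user_key)
    results = [session.submit("WRONG123"), session.submit("WRONG456"),
               session.submit(good), session.submit(good)]
    return fresh, stale, rejected, results


if __name__ == "__main__":
    print(demo())
```

Two points the code makes explicit: the mobile application checks the server's signature and the time-stamp before deriving anything, so a stale or unsigned QR code is rejected on the phone, and the server treats a challenge as single-use and locks it after the third wrong offline password, which is what bounds guessing when there is no time limit.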
- Can I use the QR-Scan OTP application in any mobile phone?
The QR-Scan OTP application is currently only available for mobiles with the Android operating system.
- What is a PKCS#12?
PKCS (Public Key Cryptography Standards) is a group of public key cryptography standards. PKCS#12 in particular defines the Personal Information Exchange syntax. It is a file format commonly used for storing private keys together with their public-key certificates, and it is protected by a password (or symmetric key).
SWTP Registration and Authentication
- Why is no list of available certificates for authentication displayed?
The first possibility is that you have no personal certificates installed in your browser. See this question for how to authenticate with a digital certificate. If you managed to authenticate with a certificate without selecting it from a list, your browser sent the certificate automatically; this probably happened because your browser is configured to decide which certificate to send. If you do not want this to happen, change your browser's configuration.
- Which browsers support authentication using the I-Card? Do I need to install a plug-in?
You can use the I-Cards with the following browser/card-selector combinations:
- Internet Explorer 7.0 or higher
- Firefox 3.5.8 or higher
- CardSpace with the Higgins Selector Switch plug-in.
CardSpace is available by default in Windows Vista and Windows 7. If you are using Windows XP SP2, you need to install the .NET Framework 3.0 pack. You access CardSpace via the Control Panel.
You can download the Higgins Selector Switch plug-in from the official Eclipse Higgins page, but you need to compile it before using it. An alternative to this process (which can be complicated) is to install the Azigo selector, which incorporates the Higgins Selector Switch plug-in. Once you have done this, access the Control Panel, open the I-Card Selector service and change the default option to Windows CardSpace.
We are soon going to enable a remote-card repository so you can also use the Azigo card selector.
Important: For CardSpace to accept Interidy IdP as a trusted identity provider for authenticating with I-Cards, you must install the Interidy IdP certificate in the "Trusted People" store in Windows (and restart the explorer).
- How do I authenticate with an I-Card?
To authenticate with an I-Card, first you need to generate an I-Card with Interidy IdP following these steps:
- Authenticate in the portal with your password.
- Access Interidy IdP.
- Select the "Generate I-Card" service.
- Click on the "Generate I-Card" button you see at the bottom of the screen.
- In the "Card Type" field, select "Authentication Card". Select a name for the card and click on "Generate I-Card".
- To finalize the procedure, download the card or directly install it in your card selector.
From now on, this card appears in your selector. You can use it to authenticate in Semantic Web Trust Portal.
- I forgot my password. How can I access the applications?
If you have the certificate that was generated during registration, authenticate with it and change your password in the "User details" window of PKI Webtop.
- Can I try out the applications without registering?
No. As the applications manage personal information, registration is required to identify users so that they can access their personal area. The registration process is very simple and only requires entering a username and password.
- Is registration free?
Yes, registration is free. This procedure is required to protect the personal data users enter in the applications.
- How do I change my data and the password I selected when I registered?
There are two ways of changing the information you entered during the registration process:
- By accessing Interidy IdP. In the "Manage profile" screen, the data you entered when you registered is displayed in the "Non-verified" column. Make the changes and click on "Submit".
- By accessing PKI Webtop. Go to the "User details" service to browse and make changes to the data you entered when you registered.
You can also change the portal-access password, but note that the password for the PKCS#12 generated during registration cannot be changed.
- How can I return to the home page of the portal from the applications?
All the applications have an "Exit" button for returning to the portal's home page. This button is at the top right in FOAF Manager, PKI Trust Center and Interidy IdP. In PKI Webtop, it is in the start menu.
- Is all my information deleted when I cancel my account?
Your personal data, the data you uploaded to PKI Webtop (certificates, files, signature requests, etc.) and your FOAF files in FOAF Manager are deleted from the system. Your access credentials are revoked.
The Certification Authority ratings and any comments you have left in PKI Trust Center are anonymized.
- How do I cancel my user account?
To cancel your user account, authenticate in the portal and access the "Cancel account" option.
- Why should I fill in the optional registration fields?
Several portal applications let you manage your personal data:
- FOAF Manager automatically generates a demo FOAF file when you register. The content of this file is determined by the information you provide when you register (name, last name, email). By default, this FOAF file is not published; only you have access to it via the application.
- Interidy IdP generates I-Cards from the personal data. If you provide this information when registering, it appears in the application by default, although you can make changes to it at any time.
- You can also browse and make changes to the personal data you have registered in the portal in PKI Webtop.
- Coming soon: a more-customized PKI Trust Center experience for users who fill in the "Country" field.
The personal data you enter in the registration process is never used to send you spam, nor is it given to third parties.
- Why can't I access Interidy IdP?
You have to authenticate with your password before you can access the Interidy IdP application.
- I didn't download the PKCS#12 during registration, or I did but now I can't find it. Can I recover it?
Yes. Authenticate with your password or I-Card and access the "Downloads" section to recover it.
- What password protects the PKCS#12 generated during registration?
The PKCS#12 generated during the registration process is protected by the password you selected when you registered in the portal. Note that the PKCS#12 file password does not change even if you change your portal-access password.
- What is a PKCS#12?
PKCS (Public Key Cryptography Standards) is a group of public key cryptography standards. PKCS#12 in particular defines the Personal Information Exchange syntax. It is a file format commonly used for storing private keys together with their public-key certificates, and it is protected by a password (or symmetric key).
- I already have a digital certificate (from the electronic DNI or another provider). Can I use it to authenticate in Semantic Web Trust Portal?
No. You can only authenticate with the certificate generated during registration. This minimizes the amount of personal data you have to provide to register.
- How do I authenticate with a digital certificate?
To authenticate with a digital certificate, download the PKCS#12 file generated when you registered and install it in your browser's keystore.
Once it is installed, when you click on "Send certificate" a list of certificates is displayed. Select the certificate for Semantic Web Trust Portal to authenticate.
- Why does CardSpace not accept I-Cards issued by Interidy IdP?
For CardSpace to accept Interidy IdP as a trusted identity provider for authenticating with I-Cards, you must install the Interidy IdP certificate in the "Trusted People" store in Windows (and restart the explorer).