Skip to content
This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

Swisscom CA 4

eramons edited this page Apr 28, 2020 · 9 revisions

New Swisscom CA 4 Certificate Authorities

Certificates, CP/CPS and further information available under: https://www.swisscom.ch/de/business/enterprise/angebot/security/digital_certificate_service.html

New padding algorithm

With the introduction of the new issuing Diamant and Saphir CA 4, the padding algorithm for the issuance of the signature will change from the current RSASSA-PKCS1-v1_5 to the new RSASSA-PSS. The key size also increases from 2048 to 3072. The client implementation must make sure that there is no validation errors on the source code in case a third-party library is used which does not support the algorithm yet.

Signature Size

With the introduction of new certificates for the issuance of timestamps and advanced and qualified digital signatures, the size of the signature object will increase slightly. Client implementations must consider this, since the approximate size of the signature must be calculated beforehand. This page will include some numbers which should help to adapt the code accordingly, if necessary.

The sample numbers below should reflect the impact in the signature size in following cases:

  1. The current issuing Swisscom Saphir and Diamant CA 2 with the current Timestamp Service TSA 3
  2. The current issuing Swisscom Saphir and Diamant CA 2 with the upcoming Timstamp Service TSU 4.1
  3. The upcoming issuing Swisscom Saphir and Diamant CA 4 with the current Timestamp Service TSA 3
  4. The upcoming issuing Swisscom Saphir and Diamant CA 4 with the upcoming Timestamp Service TSU 4.1

Both the new issuing CAs and the new Timestamp service have an impact on the size of the signature.

1. Swisscom CA 2 with Timestamp Service Swisscom TSA 3

Signature Type Issuing CA Root CA Timestamp Service Signature Size
Organization Saphir CA 2 Root CA 2 TSA 3 12408
Personal Advanced Saphir CA 2 Root CA 2 TSA 3 12765
Personal Qualified Diamant CA 2 Root CA 2 TSA 3 12964
Timestamp TSS CA 2 Root CA 2 TSA 3 8760

2. Swisscom CA 2 with Timestamp Service Swisscom TSU 4.1

Signature Type Issuing CA Root CA Timestamp Service Signature Size
Organization Saphir CA 2 Root CA 2 TSU 4.1 15310
Personal Advanced Saphir CA 2 Root CA 2 TSU 4.1 15666
Personal Qualified Diamant CA 2 Root CA 2 TSU 4.1 15863

"Timestamp" row omitted on this table since it's equal to the one in the last table.

3. Swisscom CA 4 with Timestamp Service Swisscom TSA 3

Signature Type Issuing CA Root CA Timestamp Service Signature Size
Organization Advanced Saphir CA 4 Root CA 4 TSA 3 15020
Organization Qualified Diamant CA 4 Root CA 4 TSA 3 15387
Personal Advanced Saphir CA 4 Root CA 4 TSA 3 15332
Personal Qualified Diamant CA 4 Root CA 4 TSA 3 15743

"Timestamp" row omitted on this table since it's equal to the one in the first table.

4. Swisscom CA 4 with new Timestamp Service Swisscom TSU 4.1

Signature Type Issuing CA Root CA Timestamp Service Signature Size
Organization Advanced Saphir CA 4 Root CA 4 TSU 4.1 17921
Organization Qualified Diamant CA 4 Root CA 4 TSU 4.1 18288
Personal Advanced Saphir CA 4 Root CA 4 TSU 4.1 18344
Personal Qualified Diamant CA 4 Root CA 4 TSU 4.1 18644
Timestamp TSS CA 4.1 Root CA 4 TSU 4.1 12134

Comparing the first an the fourth tables, we observe an increment of:

  • around 3 000 bytes for the timestamp
  • around 5 000 bytes for the signatures

Taking as a reference the Swisscom All-In Signing iText samples available under these Github account, the client implementation estimates a size of 30 000 bytes for CMS signatures and 15 000 bytes for timestamps. These numbers still work with the increased sizes. However, it's up to the reader to decide if the estimated sized should be increased accordingly in the source code of the client implementation or not.

Clone this wiki locally