A mobile signature service depends on agreements between the entities of the mobile signature system. These entities must share system identifiers, SOAP bindings, services, certificates and so on. An MSSP metadata specification describes this information in a commonly understood way.
An ETSI M-COMM standards-based mobile signature service consists of mobile signature service providers (MSSPs) and application providers. MSSP entities take different roles, such as Acquiring Entity, Routing Entity, Identity Issuer and Home MSSP. Connected MSSPs constitute a mobile signature service system known as a Mesh. MSSPs also connect to Service Providers (SPs) that offer registration services or additional services. The Mesh is defined in ETSI TS 102 207 and is also known as mobile signature roaming.
The security of mobile signature roaming rests on known communication addresses, mutual TLS authentication of the entities and message integrity provided by XML signatures. This trust model is built on X.509 certificates. These certificates must be distributed between entities securely, and their life cycle (issuance, renewal and revocation) must be managed. This calls for a commonly understood way of describing and managing that information.
A strong countermeasure against TLS man-in-the-middle attacks is to know your communication partner's certificates in advance and to accept no others. MSSP metadata supplies exactly that information to TLS clients; the protection is only as good as the authenticity of the metadata itself, which is why the metadata can be signed and verified.
Introduction to MSSP metadata
MSSP metadata is an XML document that lists the mobile signature system entities together with the security and communication parameters used between them. By publishing MSSP metadata, MSSPs not only extend the security of the Mesh but also make it easier to manage. MSSP metadata replaces the HandshakeService method of ETSI TS 102 204 with a secure alternative.
MSSP metadata describes the XML signature and TLS/SSL parameters used among system entities. It also introduces XML encryption metadata for mobile signature services; XML encryption is useful in particular when a mobile signature registration method distributes confidential data over the Internet.
Public MSSP metadata is generally needed when establishing a large interconnected Mesh at the national level. MSSP metadata blocks can be digitally signed and verified, and these mechanisms help establish trust in the accuracy and authenticity of the metadata. The base or reference model for this metadata is the Metadata for the OASIS Security Assertion Markup Language V2.0 (SAML2). If you are familiar with SAML2 metadata, you will find that the fundamentals of MSSP metadata are organised in the same way.
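The following is an added example (written for this page, not code from Kiuru MSSP or from the metadata specification) that ties together the two points above: the trust model in which a TLS client knows its partner's certificates in advance, and a metadata document organised after the SAML2 EntityDescriptor/KeyDescriptor pattern. The metadata is parsed into a per-entity set of certificate fingerprints, and a TLS client then accepts a peer only if its certificate is one published for the entity it expects to talk to. The element names, the entity ID `urn:mssp:example-home`, the endpoint URL and the self-signed certificates are all assumptions constructed for the demonstration; the real schema is the one in the Kiuru metadata specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Entity is a hypothetical, cut-down descriptor laid out after SAML2 metadata; it is NOT the Kiuru schema.
type Entity struct {
	ID       string   `xml:"entityID,attr"`
	Endpoint string   `xml:"SOAPEndpoint"`
	Certs    []string `xml:"KeyDescriptor>X509Certificate"` // base64 DER, as in SAML2
}

// PinSet maps an entity ID to the SHA-256 fingerprints of its published DER certificates.
type PinSet map[string]map[[32]byte]bool

// BuildPinSet parses the metadata and collects each entity's certificate fingerprints.
// A published certificate that does not decode is a configuration error, not something to skip.
func BuildPinSet(metadataXML []byte) (PinSet, error) {
	var md struct {
		Entities []Entity `xml:"EntityDescriptor"`
	}
	if err := xml.Unmarshal(metadataXML, &md); err != nil {
		return nil, err
	}
	pins := PinSet{}
	for _, e := range md.Entities {
		pins[e.ID] = map[[32]byte]bool{}
		for _, b64 := range e.Certs {
			der, err := base64.StdEncoding.DecodeString(b64)
			if err == nil {
				_, err = x509.ParseCertificate(der)
			}
			if err != nil {
				return nil, fmt.Errorf("%s: bad published certificate: %w", e.ID, err)
			}
			pins[e.ID][sha256.Sum256(der)] = true
		}
	}
	return pins, nil
}

// VerifyPeer returns a tls.Config.VerifyPeerCertificate callback: the peer passes only if its
// leaf certificate is one published for expectedEntity and is inside its validity period.
func (p PinSet) VerifyPeer(expectedEntity string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
			return errors.New("peer certificate is outside its validity period")
		}
		if !p[expectedEntity][sha256.Sum256(rawCerts[0])] {
			return fmt.Errorf("certificate %q is not published for %s", leaf.Subject.CommonName, expectedEntity)
		}
		return nil
	}
}

// PinnedTLSConfig trusts the metadata instead of the CA store: InsecureSkipVerify only drops the chain check, VerifyPeerCertificate still runs.
func PinnedTLSConfig(p PinSet, expectedEntity string) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: true,
		VerifyPeerCertificate: p.VerifyPeer(expectedEntity)}
}

// NewSelfSignedCert makes a throwaway certificate (constructed demo input, not a real MSSP cert).
func NewSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ConstructedMetadata publishes homeDER for one hypothetical Home MSSP entity (demo data).
func ConstructedMetadata(homeDER []byte) []byte {
	return []byte(fmt.Sprintf(`<MSSPMetadata><EntityDescriptor entityID="urn:mssp:example-home">
  <SOAPEndpoint>https://mssp.example.invalid/MSS_Signature</SOAPEndpoint>
  <KeyDescriptor><X509Certificate>%s</X509Certificate></KeyDescriptor>
</EntityDescriptor></MSSPMetadata>`, base64.StdEncoding.EncodeToString(homeDER)))
}
```

To use it, build the pin set from the partner's metadata, pass `PinnedTLSConfig(pins, entityID)` to the SOAP client's `http.Transport`, and any peer that presents a certificate not published for that entity (an impostor with the same host name but a different key, for instance) fails the handshake. Two practical caveats: the pin set is only as trustworthy as the metadata it came from, so verify the metadata's signature before deriving pins from it; and because the set holds several fingerprints per entity, a partner can publish its next certificate alongside the current one ahead of rotation, which is how the certificate life cycle mentioned above is handled without an outage.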
Metadata specification: Kiuru_MSSP_5.0_Metadata_Specification