Swisscom CA 4
New Swisscom CA 4 Certificate Authorities
Certificates, CP/CPS and further information available under: https://www.swisscom.ch/de/business/enterprise/angebot/security/digital_certificate_service.html
New padding algorithm
With the introduction of the new issuing Diamant and Saphir CA 4, the padding algorithm used for issuing the signature changes from the current RSASSA-PKCS1-v1_5 to the new RSASSA-PSS. The key size also increases from 2048 to 3072. If the client implementation relies on a third-party library that does not yet support the algorithm, it must make sure that this does not cause validation errors.
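One way for a client to check, before handing a signature to a third-party library, whether it uses the new padding: walk the DER structure and look for the RSASSA-PSS object identifier. This is an added example, not Swisscom's code; the function names and the sample bytes are assumptions constructed for illustration.

```python
# Added example: stdlib-only DER walk. Sample bytes are constructed, not real Swisscom output.
RSASSA_PSS = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS (RFC 4055)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported multi-byte tag")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def collect_oids(buf, start=0, end=None):
    """List every OID in the structure, descending into constructed elements."""
    end = len(buf) if end is None else end
    found, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if ve > end:
            raise ValueError("child element overruns its parent")
        if tag == 0x06:
            found.append(decode_oid(buf[vs:ve]))
        elif tag & 0x20:  # SEQUENCE, SET and constructed context tags
            found += collect_oids(buf, vs, ve)
        pos = ve
    return found

def needs_pss_support(der):
    """True if any AlgorithmIdentifier in the blob names RSASSA-PSS."""
    return RSASSA_PSS in collect_oids(der)

# Constructed AlgorithmIdentifier samples: RSASSA-PSS and sha256WithRSAEncryption.
PSS_ALGID = bytes.fromhex("a00f300d06092a864886f70d01010a3000")
V15_ALGID = bytes.fromhex("300d06092a864886f70d01010b0500")
```

A client can run `needs_pss_support` on the returned signature and route it to a PSS-capable verifier, or fail with a clear message, instead of surfacing a generic validation error.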
Signature Size
With the introduction of new certificates for the issuance of timestamps and advanced and qualified digital signatures, the size of the signature object will increase slightly. Client implementations must consider this, since the approximate size of the signature must be calculated beforehand. This page will include some numbers which should help to adapt the code accordingly, if necessary.
The sample numbers below show the impact on the signature size in the following cases:
- The current issuing Swisscom Saphir and Diamant CA 2 with the current Timestamp Service TSA 3
- The current issuing Swisscom Saphir and Diamant CA 2 with the upcoming Timestamp Service TSU 4.1
- The upcoming issuing Swisscom Saphir and Diamant CA 4 with the current Timestamp Service TSA 3
- The upcoming issuing Swisscom Saphir and Diamant CA 4 with the upcoming Timestamp Service TSU 4.1
Both the new issuing CAs and the new Timestamp service have an impact on the size of the signature.
The CA 2 is no longer in service. The values in the table below should not be used anymore.
1. Swisscom CA 2 with Timestamp Service Swisscom TSA 3
| Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size |
|---|---|---|---|---|
| Organization | Saphir CA 2 | Root CA 2 | TSA 3 | 12408 |
| Personal Advanced | Saphir CA 2 | Root CA 2 | TSA 3 | 12765 |
| Personal Qualified | Diamant CA 2 | Root CA 2 | TSA 3 | 12964 |
| Timestamp | TSS CA 2 | Root CA 2 | TSA 3 | 8760 |
The CA 2 is no longer in service. The values in the table below should not be used anymore.
2. Swisscom CA 2 with Timestamp Service Swisscom TSU 4.1
| Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size |
|---|---|---|---|---|
| Organization | Saphir CA 2 | Root CA 2 | TSU 4.1 | 15310 |
| Personal Advanced | Saphir CA 2 | Root CA 2 | TSU 4.1 | 15666 |
| Personal Qualified | Diamant CA 2 | Root CA 2 | TSU 4.1 | 15863 |
The "Timestamp" row is omitted from this table since it is equal to the one in the previous table.
The CA 4 in combination with the TSA 3 is no longer in service. The values in the table below should not be used anymore.
3. Swisscom CA 4 with Timestamp Service Swisscom TSA 3
| Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size |
|---|---|---|---|---|
| Organization Advanced | Saphir CA 4 | Root CA 4 | TSA 3 | 15020 |
| Organization Qualified | Diamant CA 4 | Root CA 4 | TSA 3 | 15387 |
| Personal Advanced | Saphir CA 4 | Root CA 4 | TSA 3 | 15332 |
| Personal Qualified | Diamant CA 4 | Root CA 4 | TSA 3 | 15743 |
The "Timestamp" row is omitted from this table since it is equal to the one in the first table.
4. Swisscom CA 4 with new Timestamp Service Swisscom TSU 4.1
| Signature Type | Issuing CA | Root CA | Timestamp Service | Signature Size |
|---|---|---|---|---|
| Organization Advanced | Saphir CA 4 | Root CA 4 | TSU 4.1 | 22921 |
| Organization Qualified | Diamant CA 4 | Root CA 4 | TSU 4.1 | 23288 |
| Personal Advanced | Saphir CA 4 | Root CA 4 | TSU 4.1 | 23344 |
| Personal Qualified | Diamant CA 4 | Root CA 4 | TSU 4.1 | 23644 |
| Timestamp | TSS CA 4.1 | Root CA 4 | TSU 4.1 | 15134 |
Comparing the first and the fourth tables above, we observe an increase of:
- around 6 000 bytes for the timestamp
- around 10 000 bytes for the signatures
In more detail, CMS signatures are in binary format and require a minimum reserved space of 30000 bytes to embed the signature, including the information necessary for long-term validation. Please note that the PEM format can be larger. Timestamps require at least 15000 bytes. Note that these numbers still work with the increased sizes. However, it is up to the reader to decide whether the estimated size should be increased accordingly in the source code of the client implementation.