As an alternative to managing a private key and certificate itself, an engineering tool may make use of a remote signing service to digitally sign a Descriptor. In this case, a hash value representing the Descriptor’s content is submitted to the service along with some form of authorization. Provided the submitter is authorized, the service replies with a matching digital signature. The private key and certificate are maintained by the signing service instead of the engineering tool.
Communication between the engineering tool and the signing service may be automated by deploying a remote signing protocol. Such a protocol is specified by the Cloud Signature Consortium (https://cloudsignatureconsortium.org). It uses HTTPS as the transport protocol and OAuth 2.0 as the authorization protocol and fulfils the requirements of the EU’s electronic identification and trust services (eIDAS) regulation. While it is primarily intended for public signing services, it can be implemented as an in-house service as well.
Bibliography
Whitepaper AutomationML Edition 2.1 Part1 – Architecture and General Requirements
https://www.automationml.org/about-automationml/specifications/
AML Whitepaper AutomationML in a Nutshell, November 2015
https://www.automationml.org/about-automationml/specifications/
ECMA-376 Edition 5 – Office Open XML file formats
https://www.ecma-international.org/publications-and-standards/standards/ecma-376/
W3C XML Schema Structures, XML Schema Part 1: Structures (Second Edition)
https://www.w3.org/TR/xmlschema-1/
W3C XML Schema Datatypes, XML Schema Part 2: Datatypes (Second Edition)
https://www.w3.org/TR/xmlschema-2/
RFC 3987: Internationalized Resource Identifiers (IRIs)