1.8. Main differences between X-Road versions 5 and 6

Table 2 Short overview of main differences between X-Road versions 5 and 6



Message exchange

Digital stamp added to message in security server

(e-stamp) conforms to the Electronic Identification and Trust Services for Electronic Transactions Act



Generation and preservation of evidential value

In cooperation between security server and central server

Security server ensures evidential value

Message log

Text file

Database and ASiC-E containers in file system

Mssage protocol

Supported X-Road message protocol versions 2.0, 3.0, 3.1

Supported X-Road message protocol version 4.0

Digitas stamp/E-stamp

verification capability

In central server

Through a verifier component installed with the security server. The .jar file located at the address https://www.x-tee.ee/packages/asicverifier-1.0.jar can also be used without a security server.

Description of SOAP profile

Message header

Changes related to hierarchical identifier: identifier of subsystem (security server client) and service identifier

Message body

There are no obligatory additional requirements in the content of messages. Version 6.0 has no obligation to use ‘request’ and ‘response’ elements or to duplicate request message in a response message. Namespace of messages is not fixed.

Rights and certificates


Differentiation of users and providers of service

Members are organisations which affiliate just once. Member identifier is hierarchical and includes token of X-Road instance, information about member class (private, public) and registry code of authority. E.g. ‘EE:GOV:xxxxxxxx’.

Service rights/access rights

Database (e.g. ‘xkogu’) grants access rights to authorities

Access rights are administered on the level of subsystem. Each subsystem is bound to X-Road member. E.g. 'EE:GOV:xxxxxxxx:xkogu', for use as well as provision of service


Subsystem uses signature certificate of sub-authority

Subsystem uses an e-stamp certificate of X-Road members

Security server identifier

In X-Road Version 6.0, security servers have a unique identifier independent of the address and certificate of the security server (hierarchical), including the identifier of the owner of security server and security server code. Each security server must have at least one valid authentication certificate, registered in the central server and used for creating secure data exchange channel between security servers.

Certificates issued by


Qualified trust service provider

Trust services

Consumption of trust services

Security server does not perform OCSP and timestamp requests

Security server performs OCSP and timestamp requests at least with frequency specified in security policy

Asynchronous services


Not supported

Other functionality

Encoding service


Not supported

International universality

Not supported


Support of several interfacing components

Not supported


Last modified: Thursday, 24 January 2019, 3:10 PM