PKI Services for the Public Sector of the EU Member States


PKI Services for the Public Sector of the EU Member States
Asst. Prof. Dimitris Gritzalis (dgrit@aueb.gr)
Athens, 10 April 2003

Objectives of the study
- To review the use of electronic signatures for e-government services.
- To identify the technologies employed for the exploitation of e-signatures.
- To discuss legal issues referring to the use of e-signatures.
- To discuss digital certificates management in the public sector.
- To provide a set of good-practices on the use of e-signatures in the public sector.

eEurope-2005: The underlying strategic framework
Based on two groups of actions:
- Services - Applications - Content
- Broadband Infrastructure - Security
Action Plan around inter-linked lines:
- Policy Measures
- Good Practices
- Benchmarking
- Policies Coordination

eGovernment Services
General key actions:
- Broadband Connection
- Interoperability
- Interactive Public Services
- Public Procurement
- Public Internet Access Points
- Culture and Tourism
Key actions for security:
- Cyber Security Task Force
- Security Culture
- Secure Communication between Public Services

Our methodology at a glance
1. State-of-practice: Review of state-of-practice on e-signatures use.
2. Legal issues: Review of legal and regulatory issues on e-signatures use.
3. Standards: Review the standardization work on e-signatures.
4. Case studies: Study lessons learnt from relevant situations.
5. Survey: Identify and review relevant experiences from EU
…towards Good Practices

1. State-of-practice on Certification Services
Topics:
- Qualified Certificates (QC)
- Requirements for issuing QC
- Additional requirements for Public Sector

Qualified Certificates
- Unique identification of CSP
- Unique identification of the physical entity
- Intended purpose
- Signature verification data corresponding to subject
- Period of validity
- Identity code of the certificate
- Electronic signature of the CSP
- Usage limitations
- Case-relevant extensions

Requirements for issuing QC
- Demonstrate the appropriate reliability
- Ensure appropriate directory/revocation services
- Verify physical entity’s identity
- Employ properly qualified personnel
- Use trustworthy systems
- Protect signature creation data
- Keep records relevant to qualified certificates
- Publish policies, practices, terms, and conditions
- Maintain sufficient financial resources for operation
- Ensure physical security

Additional requirements for the Public Sector
- Risk Analysis/Assessment
- ISO 9000 certification
- Personal data protection
- Insurance
- Repositories for storing signature verification data for long time

3. Standardization work
European initiatives and bodies:
- ETSI: Europe's contribution to world-wide standardization
- CEN/ISSS: Information Society Standardization System
- ICTB/EESSI: European Electronic Signature Standardisation Initiative
International initiatives and bodies:
- ISO & ITU: World-wide de jure standards
- IETF: Widely accepted de facto Internet standards
- W3C: Recommendations for structuring web documents
- PKCS: Public Key Cryptography Standards
- ANSI: The American perspective
Abbreviations:
- ETSI: European Telecommunications Standards Institute
- ITU: International Telecommunications Union
- IETF: Internet Engineering Task Force
- W3C: WWW Consortium

Existing and emerging standards
- Cryptography: Cryptographic algorithms, Hash functions, Random number generators
- Secure Hardware: Smart cards, Tokens, Secure devices
- Digital Certificates: Formats, Distribution, Certificate Status Information (CSI)
- Certification Services: Digital signatures, Key management, Authorization, Time-stamping, Notary
- General support: ICT Security, Directory access, Database management, Repositories, Interoperability
- Management: IS management, Quality, Policy composition, Audit

4. PKI in third countries
Summary of some important findings
Canada:
- A ‘Policy Management Authority’ exists
- ‘External subscribers’ are allowed
- Key management resembles that of the EU Directive
USA:
- Federal PKI is fully functional
- Federal Bridge CA assures interoperability
- Various ‘assurance levels’ for certificates
Australia:
- ‘Government Public Key Authority’ exists as accreditation body
- Various levels of certificates for individuals and non-individuals

5. Survey
Means: Questionnaire on:
- Existing e-services
- Legal status of certificates
- Use of certificates in the public sector
- Requirements from CSP
- Use of certificates for G2G and G2C transactions
Process:
- Sent to the 15 Member States via CIRCA
- All recipients responded
- Results taken into account and referred to in the deliverable

Survey findings
- All Member States have adopted Directive 1999/93/EC.
- In 5 Member States certificates of types other than qualified/unqualified are used.
- In 14 Member States there is at least 1 CSP offering qualified certificates (except Ireland).
- In 13 Member States there is one authority responsible for the accreditation of CSP (except France and Ireland).
- In 13 Member States there is one authority responsible for regulating, monitoring and auditing the operation of CSP (except Ireland and UK).
- In 9 Member States the two aforementioned procedures are performed by the same entity/authority.

…survey findings
- In 11 Member States CSP accreditation is voluntary for qualified certificates.
- In 7 Member States certificates have been employed in G2G transactions (3 have plans for 2003 and 3 after 2003).
- In all Member States the Public Sector obtains services from multiple CSP.
- In 14 Member States there is no nation-wide RA, which registers civil servants (except Belgium).
- In 11 Member States each governmental organization may have or operate its own RA.
- In 2 Member States (Finland and France) each sector or administration level has its own RA.

…survey findings
- 8 Member States have in place specific provisions, in case a CSP ceases operation.
- 11 Member States have in place specific provisions, in case a CSP uses its key in a way incompatible with the existing legislation.
Special requirements a CSP should fulfill (Member States):
- Appropriate skills of CSP staff: 10
- Compliance with personal data regulations: 11
- ISO 9000 certification: 4
- Security of CSP equipment used for key generation
- Security of CSP premises
- Risk Analysis/Assessment

…survey findings
Interoperability requirements when more than one CSP is involved (Member States):
- All CSP should first apply for voluntary accreditation: 6
- Compatibility of the CPS: 5
- Interoperability of technology: 4
Value Added Services the Public Sector receives from CSP (Member States):
- Non-repudiation of receipt: 4
- Notary
- Timestamping: 8

…survey findings
- In 6 Member States there exists (or is planned) a central repository, which provides each and every civil servant with a certificate.
- In 5 Member States the role of the civil servant is associated with the certificate issuance.
- In 4 of the above 5, when a civil servant is transferred to another post, its certificate is revoked or renewed.
- In 10 Member States smart cards are used to keep signature-creation-data (e.g. a private key).
- In 10 Member States audit records (logs) are kept.
- In 9 of the above 10, CSP are responsible for keeping the audit logs.

Good-practices
Working assumptions:
- G2G and G2C transactions are included.
- C2G transactions are not included.
- Subject to additional sector-related requirements.
- Focus on authentication, non-repudiation, and integrity.
- Compliance with EU Directive 99/93.

EU Directive 99/93: Article 3
Outline:
- CSP operation
- Accreditation and supervision
- Certificate characteristics
- Signature Creation Devices
- Architectural issues
- Information dissemination
- Value-added Certification Services
- Certification Practice Statement (CPS)
- CSP cease of operation

CSP Operation
CSP operator:
- The government is generally considered as the owner of its Public Key Infrastructure.
- The operator may be a governmental authority, or the operation may be outsourced to the private sector.
CSP’s cease of operation:
- Handling differs in Member States:
  - Subject to previously established interoperability, certificates will be managed by another CSP, or
  - All issued certificates are revoked, or
  - Purely governmental-operated CSP (they never cease...)

Accreditation and Supervision
Voluntary Accreditation:
- Some Member States ask for compulsory accreditation
- Generally desired for qualified certificates issuance
- Accreditation is not a requirement for the issuance of unqualified certificates
Supervision:
- Establishment of national supervisory bodies in most Member States
- Supervision, in most cases, is performed by Telecom Authorities
- Diversification of supervision and accreditation roles is desired

Requirements for certificates
Certificate characteristics:
- Role-based certificates tend to have heavy administrative cost.
- Both qualified and unqualified are needed, each for a specific user domain.
- An identity certificate is needed for every civil servant.
- The certificates can be either identity-based only or role-based.
- Average certificate lifecycle: 1-3 years.
Public sector specific requirements:
- Signature lifetime is reported to be 30 years.
- The signature lifetime should be (considerably) longer.
- It is suggested that different keys are used for different functions (e.g. signature, authentication, encryption).

Signature creation issues
Key management:
- Key generation should be performed under the full control of the end-user (for non-repudiation purposes)
- Key recovery must not be possible
Signature Creation Devices:
- Common agreement on the adoption of secure hardware tokens (e.g. smart cards)
- Conformance with international standards is recommended.

Architectural issues
Number of Certification Authorities:
- Support for multiple CA in each country should be ensured
- Web of trust scalability is recommended
Trust architectures:
- Mixed schemes may exist
- Combination of per-sector local hierarchies, local RA, Bridge CA and Cross-certified CA should be ensured
Registration Authorities:
- Civil servants should be given a security token, according to a standard procedure
- Multiple RA per region or user domain should exist
- If a central identity repository exists, then a nation-wide RA should also exist

Information dissemination
Key distribution:
- By personal correspondence (private) and by publicly accessible repositories (public)
- Specific provision for the self-signed CA certificates distribution
- The maintenance of the Certification Trust Lists (CTL) should be done on a per-sector basis

Value-added Certification Services
- Time-stamping
- Confidentiality
- Notary
- Audit services
- Non-repudiation of receipt
- Long-lasting data repositories

Certification Practice Statement
Conformance with IETF RFC-2527 is recommended. It should include, at least:
- CA and RA obligations
- Subscriber and relying party obligations
- Addressing community
- Certificate classes, formats, and profiles
- Procedures description
- Liabilities
- Value-added services description
- Interoperability issues
- Information dissemination procedures

EU Directive 99/93: Article 8
- CSP should comply with data protection legislation
- Dissemination of personal PKI information
- Regulation of lawful access to personal data available to CSP
- Data security measures specification
- Data protection authorities should support public authorities to monitor the CSP privacy policies

Conclusion
The result of our study is… an appropriately balanced good-practice guidance for the exploitation of Public Key Infrastructure by the Public Sector