Choosing the Security Model:

Slides:

Advertisements

Similar presentations

1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM( final) {SWD(2012)

Advertisements

Research and Innovation Participant Portal Concept for electronic-only grant management in Horizon 2020 Peter HÄRTWICH

AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

S.1 Using a Global Validation Service to Unite Communities Jon Shamah EMEA Head of Sales, BBS eSecurity.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.

Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, –

Summary of ETSI/ESI activities Andrea Caccia ETSI/ESI TB member Note: This document expresses only the views of its author.

21 mai 2015 Bridges between Certification Authorities.

Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean

Workshop on registered electronic mail policies and implementation Ankara, March 2015 Davide Mula REM country practice in legal infrastructure,

XBRL regulatory reporting to the Securities Commission of Spain José M. Alonso Comisión Nacional del Mercado de Valores (CNMV)

1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.

Possible elements of the technical standards Pre-sessional consultations on registries Bonn, 2-3 June 2002 Andrew Howard UNFCCC secretariat

DIGITAL SIGNATURE.

The German eID and eIDAS

A proposal for a Non Repudiation Protocol for epSOS Massimiliano Masi.

Stork is an EU co-funded project INFSO-ICT-PSP STORK PRESENTATION Frank LEYMAN Manager International Relations 04/06/2009.

Scoping the Framework Guidelines on Interoperability Rules for European Gas Transmission Geert Van Hauwermeiren 20 th Madrid Forum, 26 Sept 2011.

Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.

2 PSD2- C HALLENGES AND OPPORTUNITIES Pascale-Marie BRIEN– Senior Policy Adviser.

Guided by : VIPUL GAJJAR Prepared by: JIGAR KAKADIYA.

 Introduction  History  What is Digital Signature  Why Digital Signature  Basic Requirements  How the Technology Works  Approaches.

M O N T E N E G R O Negotiating Team for the Accession of Montenegro to the European Union Working Group for Chapter 10 – Information society and media.

Frank Schipplick Work Package Coordinator WP1 - eSignatures.

TAG Presentation 18th May 2004 Paul Butler

Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.

Training for developers of X-Road interfaces

Geert Van Hauwermeiren Workshop, Ljubljana, 13 Sept 2011

Cross-sector and user-centric AAI

TeleTrusT Initiatives for PKI Solutions

Trust Anchor Management Problem Statement

Authority Recognition GGF9

TAG Presentation 18th May 2004 Paul Butler

GREECE-ALBANIA IPA CROSS BORDER COOPERATION PROGRAMME

e-Health Platform End 2 End encryption

PRESENTATION OF MONTENEGRO

CEF Building Blocks status update CONNECTING EUROPEAN CHAMBERS

SPOCS : Simple Procedures Online for Crossborder Services

SWIM Common PKI and policies & procedures for establishing a Trust Framework Kick-off meeting Patrick MANA Project lead 29 November.

Public Key Infrastructure (PKI)

S/MIME T ANANDHAN.

Digital Signature.

ICT-PreAward-eCAT- Pre_Award_Conformance_and_ Test_Strategy-1.0.1

Enhancing maritime domain awareness and responsiveness in Europe

Why eIDAS? eID under eIDAS compliance

Choosing the Discovery Model Martin Forsberg

TOOP The Once-Only Principle Project

Draft ETSI TS Annex C Presented by Michał Tabor for PSD2 Workshop

Presentation to TRAN Committee

Security in ebXML Messaging

The Once-Only Principle Project

EDelivery Tutorial How can CEF help you set-up your eDelivery infrastructure? November 2016.

TRACES Trade Control and Expert System Electronic sanitary certificates using qualified electronic signature Brussels 15th September 2016.

E-Commerce for Developing Countries (EC-DC)

CEF eID SMO The use of eID in eHealth

CEF eDelivery Digital Service Infrastructure

Dashboard eHealth services: actual mockup

Website authentication E-registered delivery

PRESENTATION OF MONTENEGRO

PKI (Public Key Infrastructure)

Outline Background: development of the Commission’s position

1. Mission of EGR and legal framework

31st Conference of European Civil-Law Notaries Interconnection and Quality Salla Saastamoinen, Director of the Directorate for Civil and commercial.

Support for syntaxes (UBL and UN/CEFACT) Nicosia October 30, 2017

National Trust Platform

Presentation transcript:

Choosing the Security Model: Linking eIDAS Electronic Registered Delivery Services and CEF eDelivery CEF eDelivery Infrastructure Day, Breakout Session C Brussels, November 2016 Jörg Apitzsch, Governikus KG, DE

(Q)ERDS eIDAS Requirements REQ1: Integrity messages should be secured against any illegitimate manipulation during transmission REQ2: Confidentiality messages should be encrypted during transmission REQ3: Sender Identification should be verified with a high level of confidence REQ4: Addressee Identification should be ensured before the delivery of the message 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

(Q)ERDS eIDAS Requirements cont. REQ5: Time-Reference Time instant of sending/receiving a message should be indicated by a qualified time stamp REQ6: Proof of Send/Receive Sender and receiver of the message should be provided with evidence of message sending and receiving 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Trust Usually is established by means to enable trust in security tokens used to authenticate (seal) messages or parts thereof Whole message; ensures integrity, too (REQ1) Statement about sender’s (user of C1) identity (REQ3) Transport evidences and time instants, e.g. for submission, delivery… (REQ5, REQ6) Certificates used should conform to relevant ETSI ENs Different Trust Models have been considered by e-SENS, selection to be done according Application Domain needs 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

4-Corner Trust & Security Party A Party B C1 CORNER End-to-end Security C4 ORIGINAL SENDER Inner Security Inner Security FINAL RECIPIENT Applications Layer SUBMIT Backend Backend DELIVER 1 or several NOTIFY NOTIFY 1 or several AS4 ERDS ERDS C2 C3 CORNER Cross-party Security Messaging and Transport Layer Connector Access Point SEND RECEIVE Access Point Connector ACKNOWLEDGE Networking Layer: Internet Options to enable Trust: (may be combined) Trusted PKI Mutual Key Exchange Service Metadata Publisher Service Metadata Publisher Trusted List 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Linking Trust Domains: Direct Brokered Trust Connector C2 C3 Connector C4 WS-Sec TD A domestic means TLS (?) TD B domestic means AP / SMP AP / SMP Trust Domain A Cross TD Trust Domain B AP’s act in TD Broker Role Connected domestic domains use various established means C4 <-> C1 Trust just generally given by community agreement / contract TD A/B rely on their AP (respective it’s connector) brokerage functionality 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Direct Trust – Mutual Key Exchange Mutual Key Exchange respective domain Trusted Key Store May cover all active corners in the network Widely used simple mechanism of the Direct Trust Model Advantage: Free choice of PKI for all actors, as far as CAs and issued certificates conformant to ETSI ENs Piloting Domains: e-Justice and eConfirmation Disadvantages: Restricted Scalability It may not be possible, to actor’s role/service type from his certificate 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Trust Model: Community PKI Piloting Domain: eTendering Hierarchical Community PKI covers AP/SMP (PTN, CEF PKI Service) CR to OpenPEPPOL to extend scope to C1/C4 for good reasons was not accepted 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Challenge: C1 <-> C4 Authentication Documents / payload exchanged shall be sealed by the generating & sending service using an advanced digital seal applied on an ASiC-E Manifest respective on evidence DeliveryNonDeliveryToRecipient “Corners” sealing are systems, not “Participants” Related Business Requirements address authentication Receiving / consuming party must be able to validate authentication - means to establish trust in the certificate used for sealing 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Trust Brokerage using STS / SAML Issued SAML Token vouches for C1/C4 Already foreseen by PEPPOL But never implemented/used But: SAML according eIDAS eID would be an option for REQ3, Sender Identification 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Trust Federation using Trusted Lists Established Model for CA Type of Trust Services (at least for issuers of qualified certificates) eIDAS Recital (46): “Trusted lists are essential elements in the building of trust among market operators as they indicate the qualified status of the service provider at the time of supervision.” TL entry depicts (among other details): ../DigitalIdentity: Certificates used (enc, sig/seal) Essentially is the trust anchor to validate presented certificates TSPs able to use issuing CA of their choice, nat. regulation may apply 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Trusted List in e-SENS TSL specification itself not only addresses qTSP/qTS according eIDAS Domains may set up and maintain own TL Actually used or in set up by Domains eHealth, eTendering and Business Lifecycle Domain TLs since years in use by e.g. European Banking Sector, German eHealth “gematik” 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Special Case: Interconnecting existing ERDS by CEF eDelivery Application Domain: General purpose ERDS established in piloting countries are used for cross-border processes and procedures of Business Lifecycle use cases Pilot developed in view of Art. 44 of eIDAS Main key is enabling for legal value (solutions aim to qualify as Q(ualified)ERDS) Recital (22): In order to contribute to their general cross-border use, it should be possible to use trust services as evidence in legal proceedings in all Member States. Participating Countries: FR, DE, AT, GR, SI 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Project funded under CEF Telecom Call 2015-1 Take-up: Connecting Europe Facility NOBLE (NO Barriers in edeLivEry) Project funded under CEF Telecom Call 2015-1 10 beneficiaries from DE, FR, GR, SI Timespan October 2016 – September 2017 Productive setup of 7 APs and SMPs thereof 6 APs to interconnect ERDS of above countries initial usage for data exchange in Business Lifecycle procedures, but not bound to these use cases 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

WP5.4 eDelivery landscape – on it‘s way to NOBLE (initially already was connected to WP5.4 PoC AP AP AP AP AP Lettre recommandée en ligne Slovenska Centralna rešitev za e-Vročanje National solutions per ERDS Realm use adapters to connect to APs 19/11/2016 CEF eDelivery and ERDS, Trust Establishment 15

ERDS in 4-Corner Model Not covered by CEF yet Domestic means Domestic ORIGINAL SENDER Ultimate Recipient C1 CORNER End-to-end Trust/Security C4 Trust Domein A, Inner Security Inner Security Trust Domain B, uses uses Now: C1,C2,C3,C4 (q)ERDS in Trust List Domestic ERDS Messaging/ Transport Layer SUBMIT ERDS Realm MS A ERDS Realm MS B DELIVER 1 or several NOTIFY NOTIFY 1 or several Domestic means Domestic means C2 C3 CORNER Cross-AP Trust/Security AS4 CEF eDelivery Messaging and Transport Layer Adapter/ Connector Access Point SEND RECEIVE Access Point Adapter/ Connector ACKNOWLEDGE Networking Layer: Internet E.g. given by Community PKI like PTN 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

eIDAS on TS, (q)ERDS Art. 33.6 gives a general definition of scope and duties Art. 44.1 defines the requirements for qualified ERDS Important: If “data being transferred between two or more qualified trust service providers” applies for all TS involved – means QERDS and APs in the 4-Corner Model Trust Service Provider for QERDS and APs may be separate entities If all seen as QERDS type of TS, requirements must be fulfilled by each TS involved, at least fulfilment must be ensured over the whole 4-Corner delivery chain in a trustworthy manner 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

TL Governance and Operational Setup Actually set up as (single instance) Domain TL Migration of TL set up for ERDS used in Business Lifecyle to official MS TLs expected Governance defined by EC / national law on QTS Possible Options for Domain TLs: Bilateral contracts between Member States or service providers Network of service providers: Governance defined by service providers in cooperation with national supervisory bodies ETSI ESI is working standards for trust service status lists providers, including policy & security requirements 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Open points tbd Authors questions: Should we include some of the issues of the “AT-CZ-DE-FR-IT non-paper on electronic registered delivery services (ERDS)” in the presentation? Alignment still needed with CEF eDelivery BB Security Controls and Recommendations 19/11/2016 CEF eDelivery and ERDS, Trust Establishment

Thank you for your attention! Jörg Apitzsch, joerg.apitzsch@governikus.com 19/11/2016 CEF eDelivery and ERDS, Trust Establishment