www.bundesnetzagentur.de
Infrastructure for qualified electronic Signatures in Germany
Jürgen Schwemmer, Moscow, 17th April 2014


2 Overview
- "History" of "Qualified Electronic Signatures" (QES) since 1997
- Peculiarities of QESs
- Recommendations / German blueprint / reality
- The eIDAS Regulation of 2014

3 "History" of QESs since 1997
- 1997: Regulation of (exclusively) the technical-organisational system security of (exclusively) QES (handwritten signature / declaration of will) as a prerequisite for changes in the Civil Code, by the German Signature Law and Ordinance (i.e. NO other regulations in the Signature Law)
- 1999: Inclusion of other kinds of signatures by Signature Directive 1999/93/EC leads to a complete change of the actual objective (AUTHENTICATION); see especially Article 2, Article 5(1) vs. 5(2), and the time of the certificate validity check in Annex IV. NB: therefore Annex IV is (at Germany's request) "only" a recommendation, although certificate verification is the most important/critical item!
- 2012/2014: New eIDAS Regulation with additional services like eIDs, seals, time stamps and verification services

4 Peculiarities of QESs
- QES are a means of declaring will and/or the legal equivalent of HANDWRITTEN signatures (only NATURAL persons!); (almost) all other signatures are means of authentication
- "Sign and forget" needs very long-lasting systems (archiving / "over-signing" by means of (qualified) archival time stamps included; measures for ageing algorithms necessary!)
- Revocation / "time-out" of Root and/or CA keys must NOT make the validity check of end-user certificates impossible ("chain model" plus "indirect system" as possible solutions)
- The validity check of certificates must be possible at the "requested" point in time or at the time of signing, (mostly) NOT at the current time (i.e. "was the signature valid when it was made?")

5 Peculiarities of QESs (2)
- "Secure Signature Creation Device" under REAL sole control of the owner! ("shared" or "distant"/remote solutions are mostly critical)
- For legal reasons NO "suspend/resume" of certificates! "Suspended" could e.g. mean "the person is incapacitated" (exceptions only with e.g. "enforced" use of time stamps...)
- (E.g.) the "Supervisory Authority" must take care of the customers/certificates of CSPs going or having gone out of business in order to continue the service ("was the signature valid...?")
- "Accreditation" (audit before start of operation) can be the way to the above-mentioned requirement
- (Possibly also in future) no "market-driven" solution is to be expected (no private company has a real "business case" for "my" (free-of-cost) signature)

6 Recommendations
- Use of hardware-based tokens as SSCD (mandatory for QES); evaluation of the SSCD forces the improvement of the "operational environment" as a side effect
- Separate paths for QC and non-QC in order to be able to react appropriately (e.g. "cut off" only the "infected areas")
- Rigorous and complete auditing of the system; mandatory security concept including the use of signing/verification tools...
- Strict supervision, NOT just "registering"
- The CA production unit should not (easily) be accessible from the internet; only the OCSP responder should be "seen" from outside
- Drawing a conclusion from the CRL alone ("CRL conclusion") can be dangerous and misleading; it gives no good protection against fully faked certificate chains
- For QES anyway (recital "whereas" No. 20) a long-term concept is necessary (a CA going out of business must NOT lead to user certificates that can no longer be verified): archiving/time-stamping!
- Root CA operated/mandated by a public authority (no termination of operation)
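The "chain model" and the verification-at-signing-time requirement from slide 4, together with the CA-out-of-business case from slide 6, as an added Python example that is not part of the original presentation; the certificates, names and dates are constructed for illustration, and the issuer's "issuing time" is approximated by the subordinate certificate's not_before:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real data)."""
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # time of revocation, if any

def valid_at(cert: Cert, t: datetime) -> bool:
    """Valid at t: inside the validity period and not yet revoked at t."""
    in_period = cert.not_before <= t <= cert.not_after
    not_revoked = cert.revoked_at is None or t < cert.revoked_at
    return in_period and not_revoked

def shell_model(chain: List[Cert], t: datetime) -> bool:
    """Shell model: every certificate in the chain (end entity first,
    root last) must be valid at the same reference time t."""
    return all(valid_at(c, t) for c in chain)

def chain_model(chain: List[Cert], signing_time: datetime) -> bool:
    """Chain model: the end-entity certificate must be valid at the signing
    time; each issuer must have been valid when it issued the certificate
    below it (approximated here by that certificate's not_before)."""
    t = signing_time
    for cert in chain:
        if not valid_at(cert, t):
            return False
        t = cert.not_before  # the issuer is judged at its subordinate's issue time
    return True

def d(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")

# Constructed scenario: the CSP's CA is revoked (e.g. it goes out of business)
# after issuing the signer's certificate but before the signature is created.
ROOT = Cert("Root-CA", d("2010-01-01"), d("2020-01-01"))
CA = Cert("CSP-CA", d("2012-01-01"), d("2017-01-01"), revoked_at=d("2014-01-01"))
USER = Cert("Signer", d("2013-01-01"), d("2016-01-01"))
CHAIN = [USER, CA, ROOT]  # end entity -> root
SIGNING_TIME = d("2014-04-17")
TODAY = d("2015-09-01")  # time at which someone asks "was the signature valid?"

if __name__ == "__main__":
    print("shell model, checked today:   ", shell_model(CHAIN, TODAY))         # False
    print("shell model, at signing time: ", shell_model(CHAIN, SIGNING_TIME))  # False
    print("chain model, at signing time: ", chain_model(CHAIN, SIGNING_TIME))  # True
```

Only the chain model, evaluated at the signing time, still confirms the signer's certificate after the CA has been revoked, which is the property the slides demand for "sign and forget" and for CSPs leaving the market.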

7 Thank you for your attention. Questions?
Jürgen Schwemmer, Section Qualified Electronic Signatures, Bundesnetzagentur, Germany