Download presentation
Presentation is loading. Please wait.
Published byKendra Dimock Modified over 9 years ago
1
Telia Research AB György Endersz 2000-09-26 1 European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, 2000-09-26 György Endersz, Telia Research AB, Sweden Chairman ETSI ESI Working Group gyorgy.g.endersz@telia.se Status & International Issues
2
Telia Research AB György Endersz 2000-09-26 2 The Program and the Actors (Who is Who) European Directive for Electronic Signatures (“The Directive”) provides a common framework for electronic signatures. Harmonization of the aspects: - legal - trust - technical Industry and business, assisted by European standard bodies, will provide a framework for an open, market-oriented implementation of the Directive Information & Communications Technologies Standards Board: co-operation between European standards bodies Article 9 Committee, as defined by the Directive
3
Telia Research AB György Endersz 2000-09-26 3 EESSI SG EESSI: European Electronic Signature Standardization Initiative European Telecommunications Standards Institute
4
Telia Research AB György Endersz 2000-09-26 4 EESSI Program Implementation All deliverables to be published by the end of 2000 ETSI ESI Working Group 40-50 Participants, funded Specialist Task Force of 8 Result: ETSI Technical Specifications 4Q2000 Chairman: gyorgy.g.endersz@telia.se CEN/ISSS E-SIGN Workshop 70 participants, funded Expert Team of 12 Result: CEN Workshop Agreements 4Q2000 Chairman: hans.nilsson@id2tech.com
5
Telia Research AB György Endersz 2000-09-26 5 Directive “on a Community framework for electronic signatures, 13 Dec ‘99” Ensures legal recognition of electronic signatures Security and quality requirements in Annexes I-III Qualified certificates+secure signature-creation device+ advanced signatures hand-written signature Other signatures recognised as well (Art 5.2) Voluntary accreditation of service providers (tScheme, NL.TTP, Italy, Austria, Germany, Spain….) Technology-neutral framework To be in place within 18 months
6
Telia Research AB György Endersz 2000-09-26 6 Annexes of the Directive Annex I: Requirements for qualified certificates Annex II: Requirements for certification-service-providers issuing qualified certificates Annex III: Requirements for secure signature-creation devices Annex IV: Recommendations for secure signature verification
7
Telia Research AB György Endersz 2000-09-26 7 EESSI Standards overview Signature creation process and environment Signature validation process and environment Signature format and syntax Creation device Requirements for CSPs Trustworthy system Certification Service Provider User/signer Relying party/ verifier CEN E-SIGN ETSI ESI Qualified certificate Time Stamp
8
Telia Research AB György Endersz 2000-09-26 8 Requirements for Certification Service Providers (CSPs) Functional, quality and security requirements expressed in Certificate Policy and security controls Consistent requirements to provide the basis for implementation, audit and approval Current work responds to Directive requirements for CSPs issuing Qualified Certificates, Annex II Requirements for other class(es) to meet market needs
9
Telia Research AB György Endersz 2000-09-26 9 Baseline Requirements Security Management PKI Organisational Obligations & Liability Issuing CSP Relying Party Subscriber RADirectory Qualified Certificate Policies - QCP Public - QCP Public + SSCD - Framework for other QCPs
10
Telia Research AB György Endersz 2000-09-26 10 Requirements for CSPs: Main Parts Obligations and liability Requirements on CSP practice - Key Management Life Cycle - Certificate Life Cycle - CSP Management & Operation - Organisational Definition of QC policies Annex: Cross-references to Directive and to RFC 2527
11
Telia Research AB György Endersz 2000-09-26 11 Trustworthy Systems for CSPs Technical security requirements for products and technology components used by CSPs to create certificates for the use of advanced signatures. To meet security requirements stated in the work area „Requirements for CSPs“. Seek consistent overlap of specifications. Describe requirements as one or more Protection Profiles using Common Criteria. The use of FIPS 140-1 is considered for the cryptographic module requirements.
12
Telia Research AB György Endersz 2000-09-26 12 Profile for Qualified Certificate (QC) Standard for the use of X.509 public key certificates as qualified certificates European profile based on current IETF PKIX draft as required by Annex I of the Directive. Mandates that the certificate is indicated as a QC either by policy identifier or QC extension. Base IETF PKIX standard in IETF approval process. Ended IESG last call period 22 September. Draft Technical Specification for approval by ETSI SEC in 4Q2000
13
Telia Research AB György Endersz 2000-09-26 13 Qualified Certificate Statements The profile uses a private extension defined in the IETF Qualified Certificates profile, to include the following explicit statements of the Issuer: Statement claiming that the certificates is issued as a Qualified certificate Statement regarding limits on the value of transactions for which the certificate can be used Statement indicating the duration of the retention period during which registration information is archived
14
Telia Research AB György Endersz 2000-09-26 14 SSCD: the trusted element at the user EU-directive requires SSCD to be evaluated and „confirmed“ by national bodies A specific Common Criteria Protection Profile will address appropriateness It reflects the requirements regulated in Annex III of the signature Directive It is aimed to remain technology neutral as long as security is not impaired Use of SSCD to be represented in QC SSCD: Secure Signature Creation Device
15
Telia Research AB György Endersz 2000-09-26 15 The Scenario TOE The SSCD is the device „getting in touch“ with the private key. The SSCD comprises the whole lifecycle. The SSCD assumes an appropriate environment for its application. Trusted paths are offered to meet security requirements.
16
Telia Research AB György Endersz 2000-09-26 16 Electronic Signature Formats Defines interoperable syntax and encoding for signature, validation data and signature policy. Builds on exiting PKI and digital signature standards Published as ETSI Standard (ES) 201 733 in May 2000. Amended version without mandatory time stamp for approval as ETSI Technical Specification in 4Q2000 Submitted to IETF in July 2000 as Informational/Experimental RFCs, in two parts, based on the ES Co-operative implementation project in preparation to validate standard and provide free software Aim: to harmonise development with XML signatures. First working draft of XML-version: September 2000
17
Telia Research AB György Endersz 2000-09-26 17 ES = The ETSI Electronic Signature as generated by the signer. ETSI Electronic Signature Signers Structures
18
Telia Research AB György Endersz 2000-09-26 18 ES-T = The ETSI Timestamp Electronic Signature. Timestamp attribute may be absent, if secure records prove the time of the ES ES-C = The ETSI complete Electronic Signature with references to all information needed to check its validity ETSI ES-T and ES-C Verifiers Structures Unsigned attributes added for long term verification
19
Telia Research AB György Endersz 2000-09-26 19 Format and Protocol for Time Stamp Profile based on current IETF PKIX draft Time stamps used for signature validation, e.g. in ES 201 733 Electronic Signature Formats Harmonisation of ISO-IETF activities: IETF draft may become a compatible subset of the ISO specifications Draft Technical Specification to be approved by ETSI SEC in 4Q2000
20
Telia Research AB György Endersz 2000-09-26 20 EESSI Orientations The standards should support different classes of requirements reflecting market needs for different security/quality levels In this model the standards, where applicable, will offer alternative levels Consistent sets chosen from the alternatives will meet a class of requirement, as illustrated in the following examples Input by stakeholders needed
21
Telia Research AB György Endersz 2000-09-26 21 Non-Public or Extended Policies Public Use with SSCD Electronic Signature + Validation Data Electronic Signature +Val Data +Time stamp Lower Level Qualified Level Higher Level Lower Level Qualified Level EESSI Standard Qualified Certificate Policy Electronic Signature Format Qualified Certificate Format Time-stamping Protocol Security Requirements for Trustworthy Systems SSCD Qualified Certificate Profile Time Stamping Profile Option Within Standard Qualified Electronic Signature
22
Telia Research AB György Endersz 2000-09-26 22 Non-Public or Extended Policies Public Use with SSCD Electronic Signature + Validation Data Electronic Signature +Val Data +Time stamp Lower LevelQualified Level Higher Level Lower Level Qualified Level EESSI Standard Qualified Certificate Policy Electronic Signature Format Qualified Certificate Format Time-stamping Protocol Security Requirements for Trustworthy Systems SSCD Qualified Certificate Profile Time Stamping Profile Option Within Standard Qualified Electronic Signature with Long-term Validity
23
Telia Research AB György Endersz 2000-09-26 23 Non-Public or Extended Policies Public Use with SSCD Electronic Signature + Validation Data Electronic Signature +Val Data +Time stamp Lower Level Qualified LevelHigher Level Lower Level Qualified Level EESSI Standard Qualified Certificate Policy Electronic Signature Format Qualified Certificate Format Time-stamping Protocol Security Requirements for Trustworthy Systems SSCD Qualified Certificate Profile Profile from IETF Timestamp Protocol Option Within Standard Electronic Signature Using Qualified Certificate
24
Telia Research AB György Endersz 2000-09-26 24 International Issues Recognition of conformance to SSCD requirements Cross-recognition of “certification policy” On-line validation of CSP status Harmonization of interoperability standards
25
Telia Research AB György Endersz 2000-09-26 25 Cross-recognition of conformance to SSCD requirements In general: CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security The Directive: Designated Body (Art. 3.4) issues statement that the SSCD conforms to Annex III requirements Can be based on certificate obtained by the CC MRA but formally independent decision
26
Telia Research AB György Endersz 2000-09-26 26 Cross-recognition of ‘certification policy’ The aim is establishment of trust, optimally at the time of the transaction policy mapping Cross recognition provides equivalent quality. Can be represented in machine-readable form Cross-certification, the “bridge-CA” concept “Foreign” certificates = qualified certificates if…. Review and update of cryptographic requirements will affect cross-recognition at the international level
27
Telia Research AB György Endersz 2000-09-26 27 On-line validation of CSP status National schemes include procedures to make such information available, e.g. CSP not bale to fulfill obligations, failed audit, etc Agreed, simple formats and mechanisms are needed to store and retrieve such information Not addressed yet: gray zone between accreditation/approval and technical interoperation
28
Telia Research AB György Endersz 2000-09-26 28 Harmonization of interoperability standards Profiles based on IETF RFCs: Qualified Certificate and Time Stamp: the consistency issue Partial interoperability of ISO and IETF standards for time stamping ES Formats standard: harmonisation of activities - on Signing Policy with IETF and - on XML version of ES Formats with W3C and EDI/XML
29
Telia Research AB György Endersz 2000-09-26 29 Other Issues Identification of subjects: in person? Management of cryptographic requirements Requirements for other than QC: alternative trust levels. Impact on SSCD, CSP Policy and trustworthy system The need for unique, permanent, borderless electronic identity
30
Telia Research AB György Endersz 2000-09-26 30 Events Calendar Drafts of amended ES Format, Qualified Certificate and Time Stamp posted by on Web-site for public consultation 22 September. Comments period ends 13 October. Drafts of SSCD, Trustworthy Systems, Signature Creation and Verification posted on Web-site for public consultation end of September. Comments period ends 31 October. EESSI Workshop in Barcelona, 26 September. Co-located with the Information Security Solutions Europe (ISSE) conference, 27-29 September CEN/ISSS E-Sign meeting: 2-3 October, Barcelona ESI WG meeting: 16-17 October, Milan CEN/ISSS E-Sign WS and ETSI ESI WG meetings, including Joint session, 20-22 November, Brussels
31
Telia Research AB György Endersz 2000-09-26 31 References ETSI: http://www.etsi.org/sec/el-sign.htm Sign up from Web-site to open El Sign mailing list CEN: http://www.cenorm.be/isss/workshop/e-sign EESSI: http://www.ict.etsi.org/eessi/EESSI-homepage.htm ISSE Conference & Workshops: http://www.eema.org/isse
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.