Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report.

Published byMervin Page Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report."— Presentation transcript:

1 www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report

2 Corporate Structures Report Format of report: Executive summary Introduction and Scope of report Electronic Signatures Certification-Service-Providers ISO 17799 Authentication Smartcard Issues Memorandum of agreement

3 The Executive Summary outlines: What is covered in the introduction to this report The scope of this report The key points covered in each section of this report and any conclusions reached Executive Summary

4 Introduction The Introduction explains: Purposes of report Parameters of report Context in which to be read Summary of key legislation and regulation reviewed Please note that the report should be read in conjunction with the Introductory Report

5 Electronic Signatures EU Directive on a community framework for electronic signatures (1999) Basic and advanced electronic signatures Technologically neutral Electronic Communications Act 2000 Definition of “Electronic Signature” Section 7 UNCITRAL Model Law on Electronic Signatures Functional Equivalent Approach Article 6 – “Compliance with a requirement for a signature” Electronic Signatures Regulations 2002

6 Electronic Signatures (continued) Law Commission Advice “Electronic Commerce: Formal requirements in Electronic Transactions” Reviewed legal status of: Electronic documents Electronic signatures Adopted “functional equivalent approach”

7 Electronic Signatures (continued) What is a signature? Means of identification Indication of personal involvement Indication of intention to be bound Law Commission advised: Look at function not form Courts can determine evidential weight Various types of signature already accepted printed, scanned, typed, faxed Considered 4 types of electronic signatures Digital, scanned, typed and click Do not confuse reliability with validity

8 Certification-Service-Providers Public key Infrastructure “digital certificates” and “digital signatures” Certification–Service-Providers EU Directive Electronic Communications Act 2000 tScheme Electronic Signatures Regulations 2000 Imposes liability on Certification–Service-Providers for “qualified certificates”

9 Liability of Certification-Service- Providers Where a CSP issues or guarantees a qualified certificate to the public and a person reasonably relies on that certificate for: accuracy of information in the certificate inclusion of Schedule 1 Information holding by signatory of relevant signature-creation-data ability of signature-creation-data and signature-verification- data to work together and that person suffers loss, then CSP liable unless can show that not acted negligently

10 Schedule 1 - Qualified Certificates Statement that a ‘Qualified Certificate’ Name and country of establishment of CSP Name or pseudonym of the signatory Signature-verification data Period of validity of the certificate Identity code of the certificate Advanced electronic signature of issuing CSP Limitations: on the scope of use of the certificate on the value of transactions for which it can be used

11 Schedule 2 - CSP Qualities Operational reliability Technical ability and security Financial stability and security Manner in which certificates: issued stored revoked Identification of signatories Conflict of interests

12 Information Security: ISO 17799 PIU Report “Privacy and data-sharing: The way forward for public services” 2002 Recommendation 13 Information Security: Confidentiality Integrity Availability

13 Information Security: ISO 17799 (continued) Detailed security standard 10 sections Key elements: Top down approach Identify assets Evaluate risks Develop Security policy Implement policy by way of Information Security Management System Review regularly Third party suppliers: are they compliant?

14 Verification and Authentication Verification Verifying the identity of a Card User Authentication Authenticating that Card User is Card User by Something that Card User knows Something that Card User possesses Something that the Card User is

15 Verification and Authentication HMG’s minimum requirements for the verification of the identity of individuals (2003) Four levels of identity verification: Level 0 - none necessary Level 1 – balance of probabilities Level 2 – substantial likelihood Level 3 – beyond reasonable doubt Different types of evidence associated with each level

16 Verification and Authentication Biometrics Behavioural/physiological traits of an individual “something that a person is” Fingerprints, iris and retinal scans etc Stored on a card or central database? Some concerns: Access to biometric data (by whom and for what purpose?) Updating of data Speed Not infallible (how are errors corrected?)

17 Verification and Authentication Article 29 Data Protection Working Party: Working document on Biometrics Biometrics = personal data and can be sensitive personal data Need to address: Purpose and proportionality of using biometric data Fair collection of biometric data Legitimate grounds for processing personal data

18 Smartcard Issues Electronic Signatures: Identify machine or card rather than person unless use biometric data Certification-Service-Providers Qualified Certificates include limits on use for which certificate may be relied and on liability ISO 17799 Card, reader, telecommunications network & database Verification and Authentication Identity fraud Lies about attribute (e.g. age) Adopts false identity (e.g. third party’s or bogus identity)

19 Smartcard Issues Certification-Service-Providers contractual issues Services, Purposes, Certificate Terms, tScheme Approval, Security, Revocation Procedures and Data Processor Card User contractual issues Identity, Data Protection, Purpose, Card Security, Password Security, Biometrics, Dispute resolution, Limitation of Liability, Signatures and Card Issuer Security Obligations

20 Memorandum of Agreement Agreement to be entered into with Certification Authority Provides framework for: Verification Services Authentication Services Revocation Services Allows new Local Authorities to join in the agreement at later date

Download ppt "Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Security Issues Report."

Similar presentations

UNITED NATIONS COMMISION ON INTERNATIONAL TRADE LAW Enhancing legal certainty for electronic signatures and other authentication methods José Angelo Estrella.

UNITED NATIONS COMMISION ON INTERNATIONAL TRADE LAW Enhancing legal certainty for electronic signatures and other authentication methods José Angelo Estrella.
AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.

AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.
KSTCD Branch/HRD Section/TrainForTrade & STICT Branch/ ICT Analysis Section1 Module 2 Legal validity of data messages.

KSTCD Branch/HRD Section/TrainForTrade & STICT Branch/ ICT Analysis Section1 Module 2 Legal validity of data messages.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Archiving for legal purposes How to implement the new Belgian legislation to destroy physical invoices and use an electronic archive.

Archiving for legal purposes How to implement the new Belgian legislation to destroy physical invoices and use an electronic archive.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
European Electronic Identity Practices Country Update of …………… Speaker: Date:

European Electronic Identity Practices Country Update of …………… Speaker: Date:
1 Exploring Acceptance and Legal Nature of eRecords Within a Paper-Based Framework Electronic Signature & Records Association November 14, 2012 Rafael.

1 Exploring Acceptance and Legal Nature of eRecords Within a Paper-Based Framework Electronic Signature & Records Association November 14, 2012 Rafael.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Card Governance Report.

National Smartcard Project Work Package 8 – Card Governance Report.
Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, 16.3. – 17.3. 2015.

Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, –
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Report on financial services legislation.

National Smartcard Project Work Package 8 – Report on financial services legislation.
2002 10 21 Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.

Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.
Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.

Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.

Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.
Information Security Policies and Standards

Information Security Policies and Standards

Similar presentations

Ads by Google