Presentation is loading. Please wait.

Presentation is loading. Please wait.

Telia Research AB György Endersz 2000-09-26 1 European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, 2000-09-26 György Endersz,

Published byKendra Dimock Modified over 9 years ago

Similar presentations

Presentation on theme: "Telia Research AB György Endersz 2000-09-26 1 European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, 2000-09-26 György Endersz,"— Presentation transcript:

1 Telia Research AB György Endersz 2000-09-26 1 European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, 2000-09-26 György Endersz, Telia Research AB, Sweden Chairman ETSI ESI Working Group gyorgy.g.endersz@telia.se Status & International Issues

2 Telia Research AB György Endersz 2000-09-26 2 The Program and the Actors (Who is Who) European Directive for Electronic Signatures (“The Directive”) provides a common framework for electronic signatures. Harmonization of the aspects: - legal - trust - technical Industry and business, assisted by European standard bodies, will provide a framework for an open, market-oriented implementation of the Directive Information & Communications Technologies Standards Board: co-operation between European standards bodies Article 9 Committee, as defined by the Directive

3 Telia Research AB György Endersz 2000-09-26 3 EESSI SG EESSI: European Electronic Signature Standardization Initiative European Telecommunications Standards Institute

4 Telia Research AB György Endersz 2000-09-26 4 EESSI Program Implementation All deliverables to be published by the end of 2000 ETSI ESI Working Group 40-50 Participants, funded Specialist Task Force of 8 Result: ETSI Technical Specifications 4Q2000 Chairman: gyorgy.g.endersz@telia.se CEN/ISSS E-SIGN Workshop 70 participants, funded Expert Team of 12 Result: CEN Workshop Agreements 4Q2000 Chairman: hans.nilsson@id2tech.com

5 Telia Research AB György Endersz 2000-09-26 5 Directive “on a Community framework for electronic signatures, 13 Dec ‘99” Ensures legal recognition of electronic signatures Security and quality requirements in Annexes I-III Qualified certificates+secure signature-creation device+ advanced signatures hand-written signature Other signatures recognised as well (Art 5.2) Voluntary accreditation of service providers (tScheme, NL.TTP, Italy, Austria, Germany, Spain….) Technology-neutral framework To be in place within 18 months

6 Telia Research AB György Endersz 2000-09-26 6 Annexes of the Directive Annex I: Requirements for qualified certificates Annex II: Requirements for certification-service-providers issuing qualified certificates Annex III: Requirements for secure signature-creation devices Annex IV: Recommendations for secure signature verification

7 Telia Research AB György Endersz 2000-09-26 7 EESSI Standards overview Signature creation process and environment Signature validation process and environment Signature format and syntax Creation device Requirements for CSPs Trustworthy system Certification Service Provider User/signer Relying party/ verifier CEN E-SIGN ETSI ESI Qualified certificate Time Stamp

8 Telia Research AB György Endersz 2000-09-26 8 Requirements for Certification Service Providers (CSPs) Functional, quality and security requirements expressed in Certificate Policy and security controls Consistent requirements to provide the basis for implementation, audit and approval Current work responds to Directive requirements for CSPs issuing Qualified Certificates, Annex II Requirements for other class(es) to meet market needs

9 Telia Research AB György Endersz 2000-09-26 9 Baseline Requirements Security Management PKI Organisational Obligations & Liability Issuing CSP Relying Party Subscriber RADirectory Qualified Certificate Policies - QCP Public - QCP Public + SSCD - Framework for other QCPs

10 Telia Research AB György Endersz 2000-09-26 10 Requirements for CSPs: Main Parts Obligations and liability Requirements on CSP practice - Key Management Life Cycle - Certificate Life Cycle - CSP Management & Operation - Organisational Definition of QC policies Annex: Cross-references to Directive and to RFC 2527

11 Telia Research AB György Endersz 2000-09-26 11 Trustworthy Systems for CSPs Technical security requirements for products and technology components used by CSPs to create certificates for the use of advanced signatures. To meet security requirements stated in the work area „Requirements for CSPs“. Seek consistent overlap of specifications. Describe requirements as one or more Protection Profiles using Common Criteria. The use of FIPS 140-1 is considered for the cryptographic module requirements.

12 Telia Research AB György Endersz 2000-09-26 12 Profile for Qualified Certificate (QC) Standard for the use of X.509 public key certificates as qualified certificates European profile based on current IETF PKIX draft as required by Annex I of the Directive. Mandates that the certificate is indicated as a QC either by policy identifier or QC extension. Base IETF PKIX standard in IETF approval process. Ended IESG last call period 22 September. Draft Technical Specification for approval by ETSI SEC in 4Q2000

13 Telia Research AB György Endersz 2000-09-26 13 Qualified Certificate Statements The profile uses a private extension defined in the IETF Qualified Certificates profile, to include the following explicit statements of the Issuer: Statement claiming that the certificates is issued as a Qualified certificate Statement regarding limits on the value of transactions for which the certificate can be used Statement indicating the duration of the retention period during which registration information is archived

14 Telia Research AB György Endersz 2000-09-26 14 SSCD: the trusted element at the user EU-directive requires SSCD to be evaluated and „confirmed“ by national bodies A specific Common Criteria Protection Profile will address appropriateness It reflects the requirements regulated in Annex III of the signature Directive It is aimed to remain technology neutral as long as security is not impaired Use of SSCD to be represented in QC SSCD: Secure Signature Creation Device

15 Telia Research AB György Endersz 2000-09-26 15 The Scenario TOE The SSCD is the device „getting in touch“ with the private key. The SSCD comprises the whole lifecycle. The SSCD assumes an appropriate environment for its application. Trusted paths are offered to meet security requirements.

16 Telia Research AB György Endersz 2000-09-26 16 Electronic Signature Formats Defines interoperable syntax and encoding for signature, validation data and signature policy. Builds on exiting PKI and digital signature standards Published as ETSI Standard (ES) 201 733 in May 2000. Amended version without mandatory time stamp for approval as ETSI Technical Specification in 4Q2000 Submitted to IETF in July 2000 as Informational/Experimental RFCs, in two parts, based on the ES Co-operative implementation project in preparation to validate standard and provide free software Aim: to harmonise development with XML signatures. First working draft of XML-version: September 2000

17 Telia Research AB György Endersz 2000-09-26 17 ES = The ETSI Electronic Signature as generated by the signer. ETSI Electronic Signature Signers Structures

18 Telia Research AB György Endersz 2000-09-26 18 ES-T = The ETSI Timestamp Electronic Signature. Timestamp attribute may be absent, if secure records prove the time of the ES ES-C = The ETSI complete Electronic Signature with references to all information needed to check its validity ETSI ES-T and ES-C Verifiers Structures Unsigned attributes added for long term verification

19 Telia Research AB György Endersz 2000-09-26 19 Format and Protocol for Time Stamp Profile based on current IETF PKIX draft Time stamps used for signature validation, e.g. in ES 201 733 Electronic Signature Formats Harmonisation of ISO-IETF activities: IETF draft may become a compatible subset of the ISO specifications Draft Technical Specification to be approved by ETSI SEC in 4Q2000

20 Telia Research AB György Endersz 2000-09-26 20 EESSI Orientations The standards should support different classes of requirements reflecting market needs for different security/quality levels In this model the standards, where applicable, will offer alternative levels Consistent sets chosen from the alternatives will meet a class of requirement, as illustrated in the following examples Input by stakeholders needed

21 Telia Research AB György Endersz 2000-09-26 21 Non-Public or Extended Policies Public Use with SSCD Electronic Signature + Validation Data Electronic Signature +Val Data +Time stamp Lower Level Qualified Level Higher Level Lower Level Qualified Level EESSI Standard Qualified Certificate Policy Electronic Signature Format Qualified Certificate Format Time-stamping Protocol Security Requirements for Trustworthy Systems SSCD Qualified Certificate Profile Time Stamping Profile Option Within Standard Qualified Electronic Signature

22 Telia Research AB György Endersz 2000-09-26 22 Non-Public or Extended Policies Public Use with SSCD Electronic Signature + Validation Data Electronic Signature +Val Data +Time stamp Lower LevelQualified Level Higher Level Lower Level Qualified Level EESSI Standard Qualified Certificate Policy Electronic Signature Format Qualified Certificate Format Time-stamping Protocol Security Requirements for Trustworthy Systems SSCD Qualified Certificate Profile Time Stamping Profile Option Within Standard Qualified Electronic Signature with Long-term Validity

23 Telia Research AB György Endersz 2000-09-26 23 Non-Public or Extended Policies Public Use with SSCD Electronic Signature + Validation Data Electronic Signature +Val Data +Time stamp Lower Level Qualified LevelHigher Level Lower Level Qualified Level EESSI Standard Qualified Certificate Policy Electronic Signature Format Qualified Certificate Format Time-stamping Protocol Security Requirements for Trustworthy Systems SSCD Qualified Certificate Profile Profile from IETF Timestamp Protocol Option Within Standard Electronic Signature Using Qualified Certificate

24 Telia Research AB György Endersz 2000-09-26 24 International Issues Recognition of conformance to SSCD requirements Cross-recognition of “certification policy” On-line validation of CSP status Harmonization of interoperability standards

25 Telia Research AB György Endersz 2000-09-26 25 Cross-recognition of conformance to SSCD requirements In general: CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security The Directive: Designated Body (Art. 3.4) issues statement that the SSCD conforms to Annex III requirements Can be based on certificate obtained by the CC MRA but formally independent decision

26 Telia Research AB György Endersz 2000-09-26 26 Cross-recognition of ‘certification policy’ The aim is establishment of trust, optimally at the time of the transaction policy mapping Cross recognition provides equivalent quality. Can be represented in machine-readable form Cross-certification, the “bridge-CA” concept “Foreign” certificates = qualified certificates if…. Review and update of cryptographic requirements will affect cross-recognition at the international level

27 Telia Research AB György Endersz 2000-09-26 27 On-line validation of CSP status National schemes include procedures to make such information available, e.g. CSP not bale to fulfill obligations, failed audit, etc Agreed, simple formats and mechanisms are needed to store and retrieve such information Not addressed yet: gray zone between accreditation/approval and technical interoperation

28 Telia Research AB György Endersz 2000-09-26 28 Harmonization of interoperability standards Profiles based on IETF RFCs: Qualified Certificate and Time Stamp: the consistency issue Partial interoperability of ISO and IETF standards for time stamping ES Formats standard: harmonisation of activities - on Signing Policy with IETF and - on XML version of ES Formats with W3C and EDI/XML

29 Telia Research AB György Endersz 2000-09-26 29 Other Issues Identification of subjects: in person? Management of cryptographic requirements Requirements for other than QC: alternative trust levels. Impact on SSCD, CSP Policy and trustworthy system The need for unique, permanent, borderless electronic identity

30 Telia Research AB György Endersz 2000-09-26 30 Events Calendar Drafts of amended ES Format, Qualified Certificate and Time Stamp posted by on Web-site for public consultation 22 September. Comments period ends 13 October. Drafts of SSCD, Trustworthy Systems, Signature Creation and Verification posted on Web-site for public consultation end of September. Comments period ends 31 October. EESSI Workshop in Barcelona, 26 September. Co-located with the Information Security Solutions Europe (ISSE) conference, 27-29 September CEN/ISSS E-Sign meeting: 2-3 October, Barcelona ESI WG meeting: 16-17 October, Milan CEN/ISSS E-Sign WS and ETSI ESI WG meetings, including Joint session, 20-22 November, Brussels

31 Telia Research AB György Endersz 2000-09-26 31 References ETSI: http://www.etsi.org/sec/el-sign.htm Sign up from Web-site to open El Sign mailing list CEN: http://www.cenorm.be/isss/workshop/e-sign EESSI: http://www.ict.etsi.org/eessi/EESSI-homepage.htm ISSE Conference & Workshops: http://www.eema.org/isse

Download ppt "Telia Research AB György Endersz 2000-09-26 1 European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, 2000-09-26 György Endersz,"

Similar presentations

Universal Electronic Signatures Tarvi Martens ESTONIA.

Universal Electronic Signatures Tarvi Martens ESTONIA.
WTO, Trade and Environment Division

WTO, Trade and Environment Division
Security standardization for Health Informatics ITU-T eHealth conference Geneva 2003-05-23 Dr Gunnar O. Klein convenor of ISO/TC 215/WG 4 Security Karolinska.

Security standardization for Health Informatics ITU-T eHealth conference Geneva Dr Gunnar O. Klein convenor of ISO/TC 215/WG 4 Security Karolinska.
© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
Bundesamt für Sicherheit in der Informationstechnik EESSI - WS May 11.-12., 2000, Paris, Folie 1/18Klaus J. Keus, BSI Electronic Signatures in Germany,

Bundesamt für Sicherheit in der Informationstechnik EESSI - WS May , 2000, Paris, Folie 1/18Klaus J. Keus, BSI Electronic Signatures in Germany,
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
WP4 – Task 4.4 LCA Activities

WP4 – Task 4.4 LCA Activities
Quality Label and Certification Processes Vienna Summit 11 April 2014 Karima Bourquard Director of Interoperability IHE-Europe.

Quality Label and Certification Processes Vienna Summit 11 April 2014 Karima Bourquard Director of Interoperability IHE-Europe.
Telia Research AB György Endersz 2001-05-08 1 European Electronic Signature Standardisation Initiative EESSI Budapest Seminar at the Hungarian Communication.

Telia Research AB György Endersz European Electronic Signature Standardisation Initiative EESSI Budapest Seminar at the Hungarian Communication.
1 European Standardisation and the Identification of ICT Technical Specifications 13th XBRL Europe Day Rome, 6 May 2014 Antonio Conte, Project Manager.

1 European Standardisation and the Identification of ICT Technical Specifications 13th XBRL Europe Day Rome, 6 May 2014 Antonio Conte, Project Manager.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Summary of ETSI/ESI activities Andrea Caccia ETSI/ESI TB member Note: This document expresses only the views of its author.

Summary of ETSI/ESI activities Andrea Caccia ETSI/ESI TB member Note: This document expresses only the views of its author.
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,

Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
© ETSI 2012 All rights reserved EUROPEAN UNION MANDATE/460 Kloster Banz 11.09.2013 Presented by Arno Fiedler, Member of European Telecommunications Standards.

© ETSI 2012 All rights reserved EUROPEAN UNION MANDATE/460 Kloster Banz Presented by Arno Fiedler, Member of European Telecommunications Standards.
2002 10 21 Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.

Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
1 Bridge/Gateway CA Project Status Gzim OCAKOGLU European Commission – DG ENTR / IDABC Reykjavik – 27 May 2005.

1 Bridge/Gateway CA Project Status Gzim OCAKOGLU European Commission – DG ENTR / IDABC Reykjavik – 27 May 2005.

Similar presentations

Ads by Google