Presentation on theme: "Telia Research AB György Endersz 2001-05-08 1 European Electronic Signature Standardisation Initiative EESSI Budapest Seminar at the Hungarian Communication."— Presentation transcript:
Telia Research AB György Endersz European Electronic Signature Standardisation Initiative EESSI Budapest Seminar at the Hungarian Communication Authority György Endersz, Telia Research AB, Sweden Chairman ETSI ESI Working Group Deliverables and Current Activities
Telia Research AB György Endersz EESSI SG EESSI: European Electronic Signature Standardization Initiative European Telecommunications Standards Institute Industry and business, assisted by European standard bodies
Telia Research AB György Endersz EESSI Program Implementation Phase 2 (2000) completed 2Q2001 Phase 3 (2001) deliverables to be published by the end of 2001 ETSI ESI Working Group Participants, funded Specialist Task Force, STF155, 178 Result: ETSI Technical Specifications Chairman: CEN/ISSS E-SIGN Workshop participants, funded Expert Teams Result: CEN Workshop Agreements Chairman:
Telia Research AB György Endersz Directive “on a Community framework for electronic signatures, 13 Dec ‘99” Ensures legal recognition of electronic signatures Security and quality requirements in Annexes I-III Qualified certificates+secure signature-creation device+ advanced signatures hand-written signature Other signatures recognised as well (Art 5.2) Voluntary accreditation of service providers (tScheme, TTP.NL, Italy, Austria, Germany, Spain….) Technology-neutral framework To be in place within 18 months
Telia Research AB György Endersz Annexes of the Directive Annex I: Requirements for qualified certificates Annex II: Requirements for certification-service-providers issuing qualified certificates Annex III: Requirements for secure signature-creation devices Annex IV: Recommendations for secure signature verification
Telia Research AB György Endersz Strategy and Work Process Focus on Directive Annexes and interoperability Market driven Open, transparent and co-operative Re-use of existing work Funded support for timeliness European with global ambition
Telia Research AB György Endersz Roadmap of EESSI Standards Signature creation process and environment (A.III) Signature valida- tion process and environment - A.IV Signature format and syntax (Advanced ES) Creation device A.III Requirements for CSPs - A.II Trustworthy system- A.II.f Certification Service Provider User/signer Relying party/ verifier CEN E-SIGN ETSI ESI Qualified certificate - A.I Time Stamp
Telia Research AB György Endersz Phase 2 Deliverables Published in 4Q2000: Policies for CSPs, ETSI TS Profile for Qualified Certificates, ETSI TS Electronic Signature Formats, ETSI TS Target: Annex I-IV requirements and interoperability
Telia Research AB György Endersz Deliverables... Published in 1-2Q2001: Security Requirements for Trustworthy Systems CEN/ISSS CWA Security Requirements for SSCDs, CEN/ISSS CWA Signature Creation Process and Environment CEN/ISSS CWA Signature Verification Process and Environment CEN/ISSS CWA
Telia Research AB György Endersz Deliverables... Time Stamping Profile ETSI TS , waiting for IETF RFC number of mother document, by early 1Q2001 Conformity Assessment Guidance, Part 1 CEN/ISSS CWA
Telia Research AB György Endersz Requirements for Certification Service Providers (CSPs) Functional, quality and security requirements expressed in Certificate Policy and security controls Consistent requirements to provide the basis for implementation, audit and approval Current work responds to Directive requirements for CSPs issuing Qualified Certificates, Annex II Requirements for other class(es) to meet market needs
Telia Research AB György Endersz Baseline Requirements Security Management PKI Organisational Obligations & Liability Issuing CSP Relying Party Subscriber RADirectory Qualified Certificate Policies - QCP Public - QCP Public + SSCD - Framework for other QCPs
Telia Research AB György Endersz Trustworthy Systems for CSPs Technical security requirements for products and technology components used by CSPs to create certificates for the use of advanced signatures. To meet security requirements stated in the work area „Requirements for CSPs“. Seek consistent overlap of specifications. The use of FIPS is considered for the cryptographic module requirements until European specifications become available (Phase 3 action).
Telia Research AB György Endersz Profile for Qualified Certificate (QC) Standard for the use of X.509 public key certificates as qualified certificates European profile based on current IETF PKIX draft as required by Annex I of the Directive
Telia Research AB György Endersz Qualified Certificate Statements The profile uses, as an option, the private extension defined in the IETF QC profile, to include the following explicit statements of the Issuer: Statement claiming that the certificate is issued as a Qualified certificate. OID will point to relevant policy standard Statement regarding limits on the value of transactions for which the certificate can be used Statement regarding the retention time of identification data
Telia Research AB György Endersz SSCD: the trusted element at the user EU-directive requires SSCD to be evaluated and „confirmed“ by national bodies A specific Common Criteria Protection Profile will address appropriateness It reflects the requirements regulated in Annex III of the signature Directive It is aimed to remain technology neutral as long as security is not impaired Use of SSCD to be represented in QC SSCD: Secure Signature Creation Device
Telia Research AB György Endersz The Scenario TOE The SSCD is the device „getting in touch“ with the private key. The SSCD comprises the whole lifecycle. The SSCD assumes an appropriate environment for its application. Trusted paths are offered to meet security requirements.
Telia Research AB György Endersz Electronic Signature Formats Defines interoperable syntax and encoding for signature, validation data and signature policy. Builds on exiting PKI and digital signature standards Format part approved by the IETF as an Informational RFC, the Signature Policy part as an IETF Experimental Protocol Co-operative implementation project in preparation to validate standard and provide free software Aim: to harmonise development with XML signatures and create XML version (Phase 3) action.
Telia Research AB György Endersz ES = The ETSI Electronic Signature as generated by the signer. ETSI Electronic Signature Signers Structures
Telia Research AB György Endersz ES-T = The ETSI Timestamp Electronic Signature. Timestamp attribute may be absent, if secure records prove the time of the ES ES-C = The ETSI complete Electronic Signature with references to all information needed to check its validity ETSI ES-T and ES-C Verifiers Structures Unsigned attributes added for long term verification
Telia Research AB György Endersz Format and Protocol for Time Stamp Profile based on current IETF PKIX draft Time stamps used for signature validation, e.g. in ES Electronic Signature Formats Harmonisation of ISO-IETF activities: IETF draft may become a compatible subset of the ISO specifications
Telia Research AB György Endersz Roadmap of Phase 3 Activities (2001) Signature creation process and environment Signature valida- tion process and environment Signature format * and syntax in XML Signature Creation device * Alternative Requirements for CSPs * Trustworthy Systems * Certification Service Provider User/Signer Relying Party/ Verifier Qualified certificate Time Stamping Format&Protocol Time Stamping Authority Requirements for TSAs * * Phase 3 CA status and validation by RP *
Telia Research AB György Endersz EESSI Phase 3 Activities (2001) CEN/ISSS: Security Requirements for Trustworthy systems - Finalisation of the General Security Requirements - Protection Profile for Cryptographic Modules used by CSPs Security requirements for Signature Creation Devices in different environments and types of use - Guidance for writing Security Targets for different types of SSCDs, such as smart cards, mobile phones and PDAs - Security requirements for SCDs in e-commerce using 5.2 signatures
Telia Research AB György Endersz Phase 3 Activities….. Security Requirements for Cryptographic Modules - Common Criteria PP to protect the CA private key and the certificate signing process - International harmonisation: the aim is to liase with NIST - CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security
Telia Research AB György Endersz Phase 3 Activities….. ETSI ESI WG: Security management and certificate policy for CSP issuing Trusted Time-Stamps Requirements for CSPs issuing certificates, which meet classes of requirements different from those for qualified certificates Electronic Signature syntax and encoding formats in XML Technical aspects of signature policies Harmonised provision of CSP status information
Telia Research AB György Endersz CSP status information for Relying Parties National schemes include procedures to make such information available, e.g. CSP not able to fulfill obligations, failed audit, etc. Gray zone between accreditation/supervision and technical interoperation A framework and simple formats and mechanisms are needed to store and retrieve such information so as to become available (on-line) over domain borders Work item to assess infrastructure and interoperability requirements and suggest solutions. Co-operation with national schemes via EESSI and ESI membership
Telia Research AB György Endersz CA (TSP) Status information Signature creation process and environment Signature valida- tion process and environment Signature Creation device * User/Signer Relying Party/ Verifier Qualified certificate CA status and validation by RP CA CA status info provider
Telia Research AB György Endersz CA (TSP) Status information Items to harmonise regarding status info: Content and format Distribution, storage and management Technical means to find, access and validate information Measures to ensure trust and security
Telia Research AB György Endersz Phase 3 Activities……. Algorithm Group Expert group providing guidance on cryptographic algorithms and parameters in EESSI standards. Regular review and maintenance of specifications Reference implementation of ES Format standard Funded activity with the aim of validating the standards ES-format, QC-profile and Time Stamp. Promote applications by releasing source code.
Telia Research AB György Endersz Phase 3 Activities…… Currently discussed Use of smart cards for creating electronic signatures Requirements for CSPs issuing attribute certificates Signature policy for common business practices
Telia Research AB György Endersz International Perspectives Recognition of conformance to SSCD requirements CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security Similar ambition with Trustworthy Systems Cross-recognition of “certification policy” Assessment of policy mapping between US Federal PKI and ETSI-EESSI requirements Harmonization of interoperability standards Use of existing standards (ISO, IETF), liaisons under development (W3C, WAP Forum, EDI/XML) and submissions to IETF
Telia Research AB György Endersz References ETSI: Sign up from Web-site to open El Sign mailing list CEN: EESSI: