Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Published byElisha Fitchett Modified over 9 years ago

Similar presentations

Presentation on theme: "Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003."— Presentation transcript:

1 Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003

2 Agenda Interoperability in 1999/93/EC Policy interoperability Format interoperability Content interoperability Aspects of Policy architecture

3 Scope of interoperability Policy interoperability is an issue broader than electronic signatures since it is often be linked to the underlying transaction Policy interoperability in electronic signatures can be addressed by: using international standards (e.g.: IETF) using European standards (e.g.: EESSI deliverables) using specific bilateral agreements Adhering to common operational rules etc Standards OR agreementinteroperability

4 Objective for policy interoperability Policy is used to adapt legal and business requirements in a particular operational context The objective for policy interoperability is to ensure the policy and liability conditions across multiple electronic signature infrastructures to establish Trust Equivalence must be established at the: Technical Organisational/procedural Legal level Liability rules + Policy limitationsLimits of Trust

5 Interoperability Interoperability has become necessary to deliver e.g. trusted public services in the field of e.g. tax and customs, social security, exchanges between administrations etc. Interoperability and standards development are a priority for government and vendors It is further required to enhance application interoperability through: Specific rules in electronic document exchange to render electronic signature enforceable (Policy) interoperability necessary for EU harmonisation

6 Directive 99/93/EC

7 Interoperability in 99/93/EC I 99/93/EC aims at harmonising the internal market and sets out interoperability objectives Coherence with existing international standards IETF European standardisation Privacy Protection (art. 8) Electronic signatures shall not make data mining easier! Pseudonyms are explicitly permitted

8 Interoperability in 99/93/EC II EU Mutual recognition (art. 5) A common framework of technical standards has been developed by CEN/ISSS and ETSI in the EESSI framework 99/93/EC refers to such standards Multilateral co-operation among supervising authorities Legal relevance (art. 5) Advanced signatures, created with a Secure signature Creation Device for which a Qualified Certificate has been issued, are equal to handwritten signatures (5.1) To other legal relevance cannot be denied in principle

9 Policy Aspects

10 CP and CPS Typical electronic signature doctrine foresees: A general framework for a CP & a CPSs for CAs and PKIs A checklist of topics to be covered in a certificate policy definition or a CPS Level of trust in a certificate depends on factors such as: CA Practices to verify the identity of subjects’ identity CA’s operating policy, procedures, and security controls Subject’s obligations (e.g., to protect private key, revoke cert when compromised etc.) Warranties and obligations of the CA (e.g., warranties & limitations on liability)

11 Certificate Policy A Certificate Policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements High level document that describes the objectives of a PKI It refers to a group of domains rather than a single domain alone It is normative in a way that describes “what” to address in a PKI A Policy could be the scope of an application domain rather than a PKI domain Scope of the CP is to ascertain interoperability (if that is the goal) Hence a standardised format makes good sense (e.g. RFC 2527)

12 Certification Practice Statements (CPSs) A CPS is a detailed description of practices used by a CA to issue and manage certificates published by the CA According to American Bar Association (ABA) Digital Signature Guidelines, “a CPS is a statement of the practices which a CA employs in issuing and managing certificates” RFC 2527 gives a framework to support authors of CPs or CPS’

13 CPS content CPS is the main source of information on the provision of a CAs public and/or private certification services and related procedures User must view, read and accept the CPS prior to applying for a cert -- Is that real? CPS describes in great detail the practices and procedures it uses for issuing and managing certificates A CPS could be reviewed and audited periodically by a recognized auditor

14 RFC 2527 Update

15 Updated draft RFC 2527 Describes a dynamic Certificate Policy Framework Encompasses experience from application of the Framework since 1999 PKI application better address legal requirements It also Explains CP and CPS roles and differences better Explains better that framework can apply to all PKI entities: CA, RA, Repository, Subscribers, Relying Parties, Others

16 Evolution RFC 2527: Supports managed electronic signature policies Provides an education and training tool on electronic signature policies Shapes electronic signature policies to influence the growth of business and technology Is subjected to periodic review and updating Is a tool to develop and maintain electronic signature policies with a specific application domain or user community

17

18 Source EU Directive 1999/93/EC “A Community Framework for Electronic Signatures” Annex II: Requirements for CAs issuing qualified certificates

19 ETSI Policy Requirements for CAs Issuing Qualified Certificates ETSI TS 101 456 Directive 99/93/EC Annex II “Requirements for Certification Service Providers” CA Practices Policy Standards e.g. RFC 2527, ANSI X9.29 European CSP Accreditation Schemes CA Qualified Certificate Policy input ETSI TS 101 042 CA generic Certificate Policy

20 Qualified Certificate Policy framework Objectives QCP for CAs issuing qualified certificates to the public QCP for CAs issuing qualified certificates to the public requiring a secure signature creation device Framework for the definition of other CPs Set out objectives for CSPs that meet the requirements of the 99/93/EC and enhance interoperability

21 Issues of policy architecture

22 Interoperability models Policy is essential for subscribers, relying parties and interoperability Hierarchical model accepting subordination to another CAs policy Cross-certification Costly administration Absence of comprehensive standards Multiple negotiations, varying contracts and agreements Peer to peer trust Single contracting party Widely accepted and agreed standards Customizable chain of Trust

23 Policy driven interoperability Policy driven environment for Accreditation Cross recognition

24 Contact Information www.ubizen.com andreas.mitrakas@ubizen.com

Download ppt "Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003."

Similar presentations

Universal Electronic Signatures Tarvi Martens ESTONIA.

Universal Electronic Signatures Tarvi Martens ESTONIA.
1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM(2012 238 final) {SWD(2012)

1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM( final) {SWD(2012)
PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.

PKI Strategy PKI Requirements Standard –Based on e-MARC or other Certificate Policy Statements –Specify key aspects that must be met by CA Cert format.
© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.

AFACT eCOO WG interim meeting - Conference Call 1st March of 2011 Mahmood Zargar eCOO Experiences and Standards.
Telia Research AB György Endersz 2000-09-26 1 European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, 2000-09-26 György Endersz,

Telia Research AB György Endersz European Electronic Signature Standardisation Initiative EESSI Workshop Barcelona, György Endersz,
Telia Research AB György Endersz 2001-05-08 1 European Electronic Signature Standardisation Initiative EESSI Budapest Seminar at the Hungarian Communication.

Telia Research AB György Endersz European Electronic Signature Standardisation Initiative EESSI Budapest Seminar at the Hungarian Communication.
An overview of legal aspects in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

An overview of legal aspects in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
Setting Processes for Electronic Signature 1 The ”W-SPES Project” and the “Leuven Report on the Electronic Signatures Directive” – Putting the Project.

Setting Processes for Electronic Signature 1 The ”W-SPES Project” and the “Leuven Report on the Electronic Signatures Directive” – Putting the Project.
1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.

1 © Cooley Godward 2001 PKI A SSESSMENT The process of evaluating, verifying, and certifying your PKI Presented by: Randy V. Sabett Vanguard Enterprise.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, 16.3. – 17.3. 2015.

Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, –
Sustainable Energy Systems Overview of contractual obligations, procedures and practical matters KICK-OFF MEETING.

Sustainable Energy Systems Overview of contractual obligations, procedures and practical matters KICK-OFF MEETING.
Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,

Jaroslav Pinkava May 2001 Certification Authority in Praxis. Security Aspects. Conference Security and Protection of Information Ing. Jaroslav Pinkava,
2002 10 21 Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.

Implementation of Electronic Signature Law Kęstutis Andrijauskas Information Society Development Committee under the Government of the Republic.
1 Bridge/Gateway CA Project Status Gzim OCAKOGLU European Commission – DG ENTR / IDABC Reykjavik – 27 May 2005.

1 Bridge/Gateway CA Project Status Gzim OCAKOGLU European Commission – DG ENTR / IDABC Reykjavik – 27 May 2005.
21 mai 2015 Bridges between Certification Authorities.

21 mai 2015 Bridges between Certification Authorities.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Similar presentations

Ads by Google