Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Similar presentations


Presentation on theme: "Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003."— Presentation transcript:

1 Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003

2 Agenda Interoperability in 1999/93/EC Policy interoperability Format interoperability Content interoperability Aspects of Policy architecture

3 Scope of interoperability Policy interoperability is an issue broader than electronic signatures since it is often be linked to the underlying transaction Policy interoperability in electronic signatures can be addressed by: using international standards (e.g.: IETF) using European standards (e.g.: EESSI deliverables) using specific bilateral agreements Adhering to common operational rules etc Standards OR agreementinteroperability

4 Objective for policy interoperability Policy is used to adapt legal and business requirements in a particular operational context The objective for policy interoperability is to ensure the policy and liability conditions across multiple electronic signature infrastructures to establish Trust Equivalence must be established at the: Technical Organisational/procedural Legal level Liability rules + Policy limitationsLimits of Trust

5 Interoperability Interoperability has become necessary to deliver e.g. trusted public services in the field of e.g. tax and customs, social security, exchanges between administrations etc. Interoperability and standards development are a priority for government and vendors It is further required to enhance application interoperability through: Specific rules in electronic document exchange to render electronic signature enforceable (Policy) interoperability necessary for EU harmonisation

6 Directive 99/93/EC

7 Interoperability in 99/93/EC I 99/93/EC aims at harmonising the internal market and sets out interoperability objectives Coherence with existing international standards IETF European standardisation Privacy Protection (art. 8) Electronic signatures shall not make data mining easier! Pseudonyms are explicitly permitted

8 Interoperability in 99/93/EC II EU Mutual recognition (art. 5) A common framework of technical standards has been developed by CEN/ISSS and ETSI in the EESSI framework 99/93/EC refers to such standards Multilateral co-operation among supervising authorities Legal relevance (art. 5) Advanced signatures, created with a Secure signature Creation Device for which a Qualified Certificate has been issued, are equal to handwritten signatures (5.1) To other legal relevance cannot be denied in principle

9 Policy Aspects

10 CP and CPS Typical electronic signature doctrine foresees: A general framework for a CP & a CPSs for CAs and PKIs A checklist of topics to be covered in a certificate policy definition or a CPS Level of trust in a certificate depends on factors such as: CA Practices to verify the identity of subjects’ identity CA’s operating policy, procedures, and security controls Subject’s obligations (e.g., to protect private key, revoke cert when compromised etc.) Warranties and obligations of the CA (e.g., warranties & limitations on liability)

11 Certificate Policy A Certificate Policy (CP) is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements High level document that describes the objectives of a PKI It refers to a group of domains rather than a single domain alone It is normative in a way that describes “what” to address in a PKI A Policy could be the scope of an application domain rather than a PKI domain Scope of the CP is to ascertain interoperability (if that is the goal) Hence a standardised format makes good sense (e.g. RFC 2527)

12 Certification Practice Statements (CPSs) A CPS is a detailed description of practices used by a CA to issue and manage certificates published by the CA According to American Bar Association (ABA) Digital Signature Guidelines, “a CPS is a statement of the practices which a CA employs in issuing and managing certificates” RFC 2527 gives a framework to support authors of CPs or CPS’

13 CPS content CPS is the main source of information on the provision of a CAs public and/or private certification services and related procedures User must view, read and accept the CPS prior to applying for a cert -- Is that real? CPS describes in great detail the practices and procedures it uses for issuing and managing certificates A CPS could be reviewed and audited periodically by a recognized auditor

14 RFC 2527 Update

15 Updated draft RFC 2527 Describes a dynamic Certificate Policy Framework Encompasses experience from application of the Framework since 1999 PKI application better address legal requirements It also Explains CP and CPS roles and differences better Explains better that framework can apply to all PKI entities: CA, RA, Repository, Subscribers, Relying Parties, Others

16 Evolution RFC 2527: Supports managed electronic signature policies Provides an education and training tool on electronic signature policies Shapes electronic signature policies to influence the growth of business and technology Is subjected to periodic review and updating Is a tool to develop and maintain electronic signature policies with a specific application domain or user community

17

18 Source EU Directive 1999/93/EC “A Community Framework for Electronic Signatures” Annex II: Requirements for CAs issuing qualified certificates

19 ETSI Policy Requirements for CAs Issuing Qualified Certificates ETSI TS Directive 99/93/EC Annex II “Requirements for Certification Service Providers” CA Practices Policy Standards e.g. RFC 2527, ANSI X9.29 European CSP Accreditation Schemes CA Qualified Certificate Policy input ETSI TS CA generic Certificate Policy

20 Qualified Certificate Policy framework Objectives QCP for CAs issuing qualified certificates to the public QCP for CAs issuing qualified certificates to the public requiring a secure signature creation device Framework for the definition of other CPs Set out objectives for CSPs that meet the requirements of the 99/93/EC and enhance interoperability

21 Issues of policy architecture

22 Interoperability models Policy is essential for subscribers, relying parties and interoperability Hierarchical model accepting subordination to another CAs policy Cross-certification Costly administration Absence of comprehensive standards Multiple negotiations, varying contracts and agreements Peer to peer trust Single contracting party Widely accepted and agreed standards Customizable chain of Trust

23 Policy driven interoperability Policy driven environment for Accreditation Cross recognition

24 Contact Information


Download ppt "Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003."

Similar presentations


Ads by Google