Presentation is loading. Please wait.

Presentation is loading. Please wait.

EESSI June 2000Slide 1 European Electronic Signature Standardization Hans Nilsson, iD2 Technologies, Sweden.

Similar presentations


Presentation on theme: "EESSI June 2000Slide 1 European Electronic Signature Standardization Hans Nilsson, iD2 Technologies, Sweden."— Presentation transcript:

1 EESSI June 2000Slide 1 European Electronic Signature Standardization Hans Nilsson, iD2 Technologies, Sweden

2 EESSI June 2000Slide 2 Scope of the EU Directive on Electronic Signatures

3 EESSI June 2000Slide 3 Legal Recognition General principle (art. 5.2): Legal effect for all electronic signatures Second principle (art.5.1): Certain electronic signatures get the same legal effect as hand-written signatures Electronic signatures Advanced electronic signatures Qualified electronic signature: advanced electronic signature + qualified certificate (annex II) + secure signature creation device (annex III) Qualified electronic signatures

4 EESSI June 2000Slide 4 European Electronic Signature Standardization Initiative Abbreviated: EESSI Based on a mandate from European Commission to – Support the requirements of the EU Directive and – the requirements for standards from users and industry First phase: Inventory and work programme –Reported on July 1 1999 Current phase: Implementation of work programme by –CEN/ISSS: Electronic Signature Workshop – ETSI TC Security: Electronic Signature and Infrastructure WG Final drafts: September 25, 2000 Approval: November 2000 More information: http://www.ict.etsi.fr/eessi/EESSI-homepage.htm http://www.cenorm.be/isss/workshop/e-sign/ http://www.etsi.org/SEC/el-sign.htm

5 EESSI June 2000Slide 5 EESSI standards overview Signature creation process and environment Signature validation process and environment Signature format and syntax Creation device Qualified Certificate policy Trustworthy system Certification Service Provider User/signer Relying party/ verifier CEN E-SIGN ETSI ESI Qualified certificate Time Stamp

6 EESSI June 2000Slide 6 CSP Services provided by a CA Revocation Issuance Certification Issuance Certificate Publishing Certificate Revo- cation status Time Stamping Service Signed Transaction Certification Authority (ultimate responsibility) SubscriberRelying Party CSP Response Service Request CSP Response External Trust Relations Core Services Supplementary Services Key RegistrationSubscriber SCD Provision

7 EESSI June 2000Slide 7 Qualified Certificate Policy Subscriber Obligations RA Obligations Repository Obligations Liability Relying Party Obligations Environment Requirements on CSP Practice CA Obligations Obligations and Liability Key Life Cycle Management Certificate Life Cycle Management Requirements specified in Directive’s Annex II

8 EESSI June 2000Slide 8 Standards for Trustworthy Systems used by Certification Service Providers Annex II: Certification service providers must: (f) use trustworthy systems and products which are protected against modification and which must ensure the technical and cryptographic security of the processes supported by them 1.„Common Criteria Protection Profile“-style description for the entire CA system 2.Formal CC-PP for the Certification issuance subsystem 3.Formal CC-PP for the Registration subsystem

9 EESSI June 2000Slide 9 ANNEX III: Requirements for secure signature-creation devices 1. Secure signature-creation devices must, by appropriate technical and procedural means, ensure at the least that: (a) the signature-creation-data (i.e. Private key) used for signature generation can practically occur only once, and that their secrecy is reasonably assured; (b) the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology; (c) the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others. 2. Secure signature-creation devices must not alter the data to be signed or prevent such data from being presented to the signatory prior to the signature process.

10 EESSI June 2000Slide 10 What is a secure signature creation device? Signature-creation device ’means configured software or hardware used to implement the signature-creation data A secure signature creation device is a set of HW / SW elements capable to ensure ANNEX III to be matched. This includes those elements getting in touch with the „key“ [signature creation data] and the elements handling the „key“ access. The standard will focus on the more critical elements getting in touch with the „key“.

11 EESSI June 2000Slide 11 Functions to be considered in the standard Key generation When and where the signature creation data are composed What constraints signature creation data have Key management How the signature creation data are stored handled How signature creation date relate to signature verification data Initialisation/Personalisation If signature creation data are transferred in this phase How the secrecy of the signature creation data is assured Lifecycle How signature creation data are disposed Signature creation process How signature creation data are handled

12 EESSI June 2000Slide 12 What is the target for a Secure Signature Creation Device? The goal is to remain as technology neutral as possible. The standards must be as clear and as applicable as possible. –Technical implementations might be SMART CARDS OTHER STAND ALONE DEVICE (USB...) ELECTRONIC WALLETS PERSONAL DIGITAL ASSISTANTS MOBILE COMMUNICATIN DEVICES SECURE LAPTOPS OR COMPUTERS......?........

13 EESSI June 2000Slide 13 Signature process and environment Signature-Device PKI Private Key Certificates Signature Environment’s Operating System & Signature Application Processes Intent Pin-Pad + Authentication Signature Par DocumentSignature = Scope of standardization Signature Policy Cryptographic Profile Other (un-trusted) Processes Other un-trusted inputs/outputs User LocalStorage No mandatory requirements in the directive, i.e. voluntary to follow standard (manufacturer’s declaration)

14 EESSI June 2000Slide 14 Different requirements in different physical locations Signature Application System Home Office Public Environment User Signature Creation Device

15 EESSI June 2000Slide 15 Signature verification: process and environment Only recommendations specified in Directive’s Annex IV The standard introduces the concept of a Signature Policy Validation process requirements –Rules for Use of Certification Authorities and Trust Points –Certification Path –Revocation Rules –Rules for the Use of Timestamping and Timing –Rules for Verification Data to be followed –Rules for Algorithm Constraints and Key Lengths Validation environment requirements –Validation by human –Validation by machine –Validation by Third Party

16 EESSI June 2000Slide 16 EESSI standards overview Signature creation process and environment Signature validation process and environment Signature format and syntax Creation device Qualified Certificate policy Trustworthy system Certification Service Provider User/signer Relying party/ verifier CEN E-SIGN ETSI ESI Qualified certificate Time Stamp

17 EESSI June 2000Slide 17 Electronic Signature Formats ETSI ES 201 733 recently approved Based on CMS (RFC 2630)

18 EESSI June 2000Slide 18 Profile for Qualified Certificates Requirements specified in Directive’s Annex I Standard for the use of X.509 public key certificates as qualified certificates European profile based on current IETF PKIX draft Draft to be approved by ETSI SEC in 4Q2000

19 EESSI June 2000Slide 19 Conformity assessment Certificate Policy –Self-declared (but supervised), or –3rd party audit (voluntary accreditation) Secure signature creation devices: –Mandatory 3rd party evaluation Signature creation environment products: –Manufacturer’s declarations Signature verification products: –Manufacturer’s declarations

20 EESSI June 2000Slide 20 How can YOU participate?? CEN/ISSS E-SIGN Workshop –Result: CEN Workshop Agreements –Chairman: hans.nilsson@id2tech.com ETSI ESI Working Group –Result: ETSI Standards –Chariman: gyorgy.g.endersz@telia.se For more information: –http://www.ict.etsi.org/eessi/EESSI-homepage.htm


Download ppt "EESSI June 2000Slide 1 European Electronic Signature Standardization Hans Nilsson, iD2 Technologies, Sweden."

Similar presentations


Ads by Google