Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.

Agenda
- Interoperability in 1999/93/EC
- Policy interoperability
- Format interoperability
- Content interoperability
- Aspects of policy architecture

Scope of interoperability
- Policy interoperability is an issue broader than electronic signatures, since it is often linked to the underlying transaction
- Policy interoperability in electronic signatures can be addressed by:
  - using international standards (e.g. IETF)
  - using European standards (e.g. EESSI deliverables)
  - using specific bilateral agreements
  - adhering to common operational rules, etc.
- Standards or agreement -> interoperability

Objective for policy interoperability
- Policy is used to adapt legal and business requirements to a particular operational context
- The objective of policy interoperability is to ensure equivalent policy and liability conditions across multiple electronic signature infrastructures, in order to establish trust
- Equivalence must be established at the technical, organisational/procedural and legal levels
- Liability rules + policy limitations = limits of trust

Interoperability
- Interoperability has become necessary to deliver trusted public services in fields such as tax and customs, social security, exchanges between administrations, etc.
- Interoperability and standards development are a priority for governments and vendors
- Application interoperability further requires specific rules for electronic document exchange that render electronic signatures enforceable
- (Policy) interoperability is necessary for EU harmonisation

Directive 99/93/EC

Interoperability in 99/93/EC I
- 99/93/EC aims at harmonising the internal market and sets out interoperability objectives:
  - coherence with existing international standards (IETF)
  - European standardisation
- Privacy protection (art. 8): electronic signatures shall not make data mining easier! Pseudonyms are explicitly permitted

Interoperability in 99/93/EC II
- EU mutual recognition (arts. 3 and 4):
  - A common framework of technical standards has been developed by CEN/ISSS and ETSI within EESSI; 99/93/EC refers to such standards
  - Multilateral co-operation among supervising authorities
- Legal relevance (art. 5):
  - Advanced electronic signatures based on a qualified certificate and created by a secure signature creation device satisfy the legal requirements of a signature in the same manner as a handwritten signature (art. 5.1)
  - Other electronic signatures cannot be denied legal effect solely on the grounds that they are in electronic form (art. 5.2)

Policy Aspects

CP and CPS
- Typical electronic signature doctrine foresees:
  - a general framework for CPs and CPSs for CAs and PKIs
  - a checklist of topics to be covered in a certificate policy definition or a CPS
- The level of trust in a certificate depends on factors such as:
  - the CA's practices for verifying subjects' identity
  - the CA's operating policy, procedures and security controls
  - the subject's obligations (e.g. to protect the private key, to request revocation when the key is compromised, etc.)
  - the warranties and obligations of the CA (e.g. warranties and limitations on liability)

Certificate Policy
- A Certificate Policy (CP) is a named set of rules (in practice named by an OID carried in the certificate) that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements
- A high-level document that describes the objectives of a PKI
- It typically refers to a group of domains rather than a single domain
- It is normative in that it describes "what" to address in a PKI
- A policy may be scoped to an application domain rather than a PKI domain
- The purpose of a CP is to establish interoperability (if that is the goal); hence a standardised format makes good sense (e.g. RFC 2527)

Certification Practice Statements (CPSs)
- A CPS is a detailed description of the practices a CA uses to issue and manage certificates, published by the CA
- According to the American Bar Association (ABA) Digital Signature Guidelines, "a CPS is a statement of the practices which a CA employs in issuing and managing certificates"
- RFC 2527 gives a framework to support authors of CPs or CPSs

CPS content
- The CPS is the main source of information on a CA's public and/or private certification services and related procedures
- Users must view, read and accept the CPS prior to applying for a certificate -- is that realistic?
- The CPS describes in great detail the practices and procedures the CA uses for issuing and managing certificates
- A CPS may be reviewed and audited periodically by a recognised auditor

RFC 2527 Update

Updated draft RFC 2527 (the revision later published as RFC 3647)
- Describes a dynamic Certificate Policy Framework
- Encompasses experience from application of the framework since 1999
- Helps PKI applications better address legal requirements
- Explains the roles of, and differences between, CP and CPS better
- Explains better that the framework can apply to all PKI entities: CA, RA, repository, subscribers, relying parties, others

Evolution of RFC 2527: the framework
- supports managed electronic signature policies
- provides an education and training tool on electronic signature policies
- shapes electronic signature policies to influence the growth of business and technology
- is subject to periodic review and updating
- is a tool to develop and maintain electronic signature policies for a specific application domain or user community

Source: EU Directive 1999/93/EC "A Community Framework for Electronic Signatures", Annex II: Requirements for certification service providers issuing qualified certificates

ETSI Policy Requirements for CAs Issuing Qualified Certificates (ETSI TS)
Inputs shown in the slide diagram:
- Directive 99/93/EC Annex II "Requirements for Certification Service Providers"
- CA practices
- Policy standards, e.g. RFC 2527, ANSI X9.29
- European CSP accreditation schemes
Output: the ETSI TS CA qualified certificate policy; related: the ETSI TS CA generic certificate policy

Qualified Certificate Policy framework: objectives
- QCP for CAs issuing qualified certificates to the public
- QCP for CAs issuing qualified certificates to the public requiring a secure signature creation device
- Framework for the definition of other CPs
- Set out objectives for CSPs that meet the requirements of 99/93/EC and enhance interoperability

Issues of policy architecture

Interoperability models
- Policy is essential for subscribers, relying parties and interoperability
- Hierarchical model: accepting subordination to another CA's policy
- Cross-certification:
  - costly administration
  - absence of comprehensive standards
  - multiple negotiations, varying contracts and agreements
- Peer-to-peer trust:
  - single contracting party
  - widely accepted and agreed standards
  - customisable chain of trust
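The following is an added example, not part of the original presentation, showing how the "named set of rules" of a Certificate Policy (see the Certificate Policy slide) is actually enforced by a relying party under each of the interoperability models above. It is a stdlib-only model of the policy part of RFC 5280 path validation (section 6.1, the certificate-level counterpart of the RFC 2527 policy framework): each CA certificate carries the policy OIDs it was issued under in certificatePolicies, a cross-certificate may declare policyMappings, and the relying party accepts a certificate only if one of its own acceptable policies survives every hop. It deliberately omits the rest of path validation (signatures, validity, name and basic constraints); all OIDs, CA names and the relying party's policy set are constructed for the example, using the 2.999 arc that ITU-T reserves for examples.

```python
"""Relying-party certificate-policy check along a certification path.

Simplified model of RFC 5280 section 6.1 policy processing. Everything
else a relying party must check (signatures, validity periods, name and
basic constraints, revocation) is out of scope here. All OIDs are
constructed examples under the 2.999 example arc, not real assignments.
"""
from dataclasses import dataclass, field

ANY_POLICY = "2.5.29.32.0"  # anyPolicy, defined in RFC 5280


@dataclass
class Cert:
    """Only the certificate fields that matter for policy processing."""
    subject: str
    policies: frozenset                       # certificatePolicies OIDs
    # policyMappings: issuerDomainPolicy -> subjectDomainPolicy (cross-certs)
    mappings: dict = field(default_factory=dict)


def valid_policies(path, initial_policy_set):
    """Return the relying-party policies under which the last certificate in
    `path` is acceptable. `path` runs from the certificate issued by the trust
    anchor down to the end-entity certificate. An empty result means reject:
    the relying party requires an explicit, acceptable policy."""
    # Each entry: (relying-party policy, OID we expect in the next certificate)
    live = {(p, p) for p in initial_policy_set}
    for cert in path:
        if ANY_POLICY not in cert.policies:
            # Drop every policy this CA did not assert for the certificate
            live = {(rp, exp) for rp, exp in live if exp in cert.policies}
        # A cross-certificate may state that its issuer's policy is equivalent
        # to a differently named policy in the subject CA's domain.
        live = {(rp, cert.mappings.get(exp, exp)) for rp, exp in live}
    return frozenset(rp for rp, _ in live)


# --- Constructed scenarios, one per interoperability model ------------------
OUR_QCP = "2.999.1.1"     # constructed: policy our domain issues under
THEIR_QCP = "2.999.2.7"   # constructed: the equivalent policy of a foreign CA
RELYING_PARTY_ACCEPTS = {OUR_QCP}


def hierarchical():
    """Sub-CA subordinated to the root's policy: same OID all the way down."""
    path = [Cert("sub-ca", frozenset({OUR_QCP})),
            Cert("alice", frozenset({OUR_QCP}))]
    return valid_policies(path, RELYING_PARTY_ACCEPTS)


def cross_certified(with_mapping):
    """Our root cross-certifies a foreign CA. Without a negotiated policy
    mapping in the cross-certificate, the foreign end-entity certificate is
    rejected even though the chain itself would verify cryptographically."""
    mappings = {OUR_QCP: THEIR_QCP} if with_mapping else {}
    path = [Cert("foreign-ca (cross-cert)", frozenset({OUR_QCP}), mappings),
            Cert("bob", frozenset({THEIR_QCP}))]
    return valid_policies(path, RELYING_PARTY_ACCEPTS)


def common_standard():
    """Peer domains that both adopt one widely agreed policy OID need no
    mapping at all; the relying party simply lists that OID as acceptable."""
    shared = "2.999.3.1"  # constructed stand-in for a standardised policy OID
    path = [Cert("peer-ca", frozenset({shared})),
            Cert("carol", frozenset({shared}))]
    return valid_policies(path, {shared})


def any_policy_hop():
    """A CA certificate asserting anyPolicy passes every live policy through
    unchanged: convenient, but it removes a control and should be rare."""
    path = [Cert("lax-ca", frozenset({ANY_POLICY})),
            Cert("dave", frozenset({OUR_QCP}))]
    return valid_policies(path, RELYING_PARTY_ACCEPTS)


if __name__ == "__main__":
    print("hierarchical:      ", set(hierarchical()))
    print("cross, mapped:     ", set(cross_certified(True)))
    print("cross, unmapped:   ", set(cross_certified(False)))
    print("common standard:   ", set(common_standard()))
    print("anyPolicy hop:     ", set(any_policy_hop()))
```

The unmapped cross-certification case is the practical cost the slide lists under "multiple negotiations, varying contracts and agreements": unless the two domains agree which of their policies are equivalent and record that in the cross-certificate, a relying party configured to require its own policy will (correctly) reject the foreign certificate. Adopting a shared, standardised policy OID, as the peer-to-peer model assumes, removes the need for that negotiation.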

Policy driven interoperability
- Policy driven environment for:
  - accreditation
  - cross recognition

Contact Information