
EESSI European Electronic Signature Standardisation Initiative


1 EESSI European Electronic Signature Standardisation Initiative
Implementing Electronic Signatures Overview - Nov. 2000

2 EESSI Charter
Electronic Signature Directive is providing a common EU framework for electronic signatures
Industry, with the assistance of European Standards Bodies, to provide an agreed framework for an open, market-oriented implementation of the Directive
EESSI put in place to co-ordinate this task

3 EESSI Objectives
Analyse needs for standards in support of minimum essential legal requirements as stated by the Directive
Assess available standards and current initiatives at national, European and international levels
Set up and implement a Programme of Work, built on international co-operation

4 Directive highlights
Legal recognition of electronic signatures
Technology neutral
Free flow of Products and Services in the EU
No prior authorisation nor licensing scheme for Certification Service operations
Mandating MS’s to set up a supervision scheme for CSPs
Calling for Voluntary Accreditation Scheme monitoring

5 Environment of the Directive
Typical European context: harmonisation of national laws in order to abolish obstacles
Signature has many different meanings in Europe; well-known example: notion of “intent” not accepted in all MS’s
Directive does not cover contract formation: no limit to contractual freedom of parties in the choice of an e-sign technology

6 Classes of Electronic Signatures
General electronic signature, as required in 5.2
Level of legal certainty: Cannot be denied legal effect (art 5.2)
Explanation: Any electronic signature that is not a qualified signature.
Qualified electronic signature, as specified in 5.1 (Annex I, II, III)
Level of legal certainty: Same legal effect as hand-written signature (art 5.1)
Explanation: Minimum technical level required for the signer so that his electronic signature can be considered as legally equivalent with a hand-written signature.
Enhanced electronic (applicable to both general and qualified electronic signatures)
Level of legal certainty: Enhancement of technical evidence
Explanation: Additional technical requirements for a verifier, such as time-stamping, but also for the signer, to enhance technical security and obtain protection against certain threats.

7 EESSI Timetable
Timeline dates: DEC. ’98, FEB. ’99, JUNE ’99, JULY ’99, OCT ’99, MAR ’00, MAY ’00, JUN ’00, SEP ’00, DEC ’00
Milestones shown on the timeline:
Draft Report for Consultation
EESSI Launch
Open Consultation Meeting: Presentation of EESSI Deliverables
Design Review
Implementation Review 1
Implementation Review 2
1st Open Consultation Meeting: Market Assessment, 24 February
2nd Open Consultation Meeting: Report Presentation, 1st July
ETSI SEC Kick-Off Meeting
Open Seminar EESSI & National Initiatives, Paris, 11-12 May
EESSI International Seminar, Barcelona, 26 Sept.
ICTSB Recommendations Endorsement
CEN ISSS E-Sign Kick-off Meeting

8 EESSI Organisation
Steering Committee
Standard Bodies and Consensus Bodies involved in standardisation: CEN, ETSI, ISO, ECBS, EEMA, EURESCOM
Market Players: ACE/Telefonica, Belgacom, BT, Bull, Globalsign, iD2/Sonera, Telia, Utimaco
Public Authorities and Consumers Rep’s: BSI (D), PRC (FIN), AIPA (I), DSTI (F), ECP.NL (NL), ANEC
Commission as observer: DG Enterprise, DG Information Society, DG Internal Market
Open WGs with assistance of CEN/ISSS and ETSI TC Security

9 EESSI Mode of Operation
SC defining the Programme of Work
CEN and ETSI: proposing programme split: WGs
calling for experts and editors
setting up open meetings for consensus building
calling for public comment (60 days) to reach TS (Technical Specifications)
managing reference deliverables

10 EESSI Commitment to International Co-operation
ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C, EURESCOM
EEMA/ECAF, ICC, ABA, ILPF
UNCITRAL Model of Law, AGB
European Projects: IST and ISIS programmes
National activities in Germany (BSI, INDI), Nordic Countries (SEIS, SAT, FDS), Italy (AIPA), Austria, Spain (FESTE), Netherlands (TTP.NL), UK (tScheme), ...

11 EESSI Programme Overview
Diagram labels: Certification Service Provider; Qualified Certificate policy; Trustworthy system; Qualified certificate; Signature validation process and environment; Signature creation process and environment; Signature format and syntax; Creation device; Subscriber/signer; Relying party

12 The Work Programme (1)
Policy reqmt’s for Certification Service Providers (CSPs) issuing Qualified Certificates
Security rqmt’s for Trustworthy Systems used by CSPs issuing qualified certificates
Profiles for the use of X.509 Public Key certificates as Qualified Certificates (based on work in IETF PKIX)

13 Policies rqmt’s for CSP’s issuing Qualified Certificates
Purpose: Define functional and quality specifications for operation and management of CSP’s issuing Qualified Certificates, compliant with Directive Annex II
Service coverage: Registration; Certificate Generation; Certification Dissemination; Revocation Management; Revocation Status
Availability: draft June; final draft Dec.

14 Security reqmt’s for trustworthy systems and products
Purpose: define a Protection Profile based on CC for CSP’s installations + security reqt’s and level for crypto modules, compliant with Annex II, (f)
Coverage: Security reqt’s for the whole system; Registration; Certificate generation
Availability: draft Sept; final draft Nov.

15 Profile for Qualified Certificate
Purpose: Define unified contents and format of X.509 certificates for interoperability purpose
Issue: Result highly dependent on IETF RFC release date
Availability (TBC): draft, Sept.; final draft Dec.

16 The Work Programme (2)
Security rqmt’s for signature creation devices
User interface and operating environment for electronic signature creation
Rqmt’s for signature verification
Electronic Signature format

17 Security reqmt’s for secure signature creation device
Purpose: define a Protection Profile based on CC for SSCD, compliant with Annex III [SSCD: the device where the signature creation data are implemented]
Scope: assume trusted paths with the rest of the system; initialisation and operations; objective of technology neutrality
Availability: draft, Sept; Final Draft, Nov.

18 Signature Creation Process and Environment
Purpose: Propose guidelines for a trustworthy and friendly user environment and interface for electronic signature creation
No reqmt’ from the Directive: voluntary acceptance
Scope: Interface to the signatory; e-sign creation environment: trusted (home), partially trusted (office), untrusted (public)
Availability: draft, Sept.; final draft, Nov.

19 Reqmt’s for Signature Verification
Purpose: Propose guidelines for signature verification products and procedures [Express requirements for the use of time-stamping and/or archival services to enable the use of electronic signatures as long term evidence]
No reqmt’s from the Directive: Annex IV sets out “recommendations”
Scope: Signature verification based on Signature Policy
Availability: draft, Sept.; final draft, Nov.

20 Electronic Signature Format
Purpose: establish a standard format for electronic signatures, incl. such functionality as support for multiple signatures, signature policy, long term validity, interfacing W3C XML signature
Scope: based on ETSI ES , now proposed to IETF under RFC
Availability: submission to IETF in March

21 The Work Programme (3)
Guidelines for Conformity Assessment of Electronic Signature products and services
Algorithms for electronic signatures

22 Guidelines for Conformity Assessment of Electronic Signature Products and Services
Purpose: Propose a conformity assessment scheme to be applied to all EESSI deliverables
Developed with EA (European cooperation for Accreditation)
Scope: Art 3 of the Directive establishes the principles of conformity assessment: voluntary accreditation for CSP’s incl. self-declaration
Availability: draft, Oct.; final draft, Dec.

23 Algorithms for electronic signatures
Purpose: list valid algorithms for implementation in SSCD; propose a swift and efficient update procedure (introduction, deletion, change of parameters such as key length)
Scope: Dynamic adoption of new technology progress; Associated with a qualified methodology for safe management
Availability: under study

24 Present Priorities
Three short term Priorities: Policies rqmt’s for CSP’s issuing Qualified Certificates; Trustworthy Systems; SSCD
Avoid divergences in MS’s implementation: Supervision; Voluntary accreditation
The Next Step: How to implement “5.2” ? How to launch active cooperation on “international aspects”?

25 How to implement 5.2 ?
Diagram labels: Security/Quality level; Signature Creation Device; Certificate Policy; Electronic Signature Syntax; Trustworthy Systems; Signature with long validity; Qualified Electronic signature; Signature for limited value transactions

26 “Qualified Electronic Signature”
Table: EESSI Standard, with Option Within Standard
Qualified Certificate Policy: Non-Public or Extended Policies; Public Use; Public Use with SSCD
Electronic Signature Format: Electronic Signature; Electronic Signature + Validation Data; Electronic Signature + Val Data + Time stamp
Qualified Certificate Format: Qualified Certificate Profile
Timestamping Protocol: Profile from IETF Timestamping Protocol
Security Reqt’s for Trustworthy Systems: Lower Level; Qualified Level
SSCD: Lower Level; Qualified Level; Higher Level

27 “Qualified Electronic Signature with long term Validity”
Table: EESSI Standard, with Option Within Standard
Qualified Certificate Policy: Non-Public or Extended Policies; Public Use; Public Use with SSCD
Electronic Signature Format: Electronic Signature; Electronic Signature + Validation Data; Electronic Signature + Val Data + Time stamp
Qualified Certificate Format: Qualified Certificate Profile
Timestamping Protocol: Profile from IETF Timestamping Protocol
Security Reqt’s for Trustworthy Systems: Lower Level; Qualified Level
SSCD: Lower Level; Qualified Level; Higher Level

28 “Electronic signatures using Qualified Certificates”
Table: EESSI Standard, with Option Within Standard
Qualified Certificate Policy: Non-Public or Extended Policies; Public Use; Public Use with SSCD
Electronic Signature Format: Electronic Signature; Electronic Signature + Validation Data; Electronic Signature + Val Data + Time stamp
Qualified Certificate Format: Qualified Certificate Profile
Timestamping Protocol: Profile from IETF Timestamp Protocol
Security Reqt’s for Trustworthy Systems: Lower Level; Qualified Level
SSCD: Lower Level; Qualified Level; Higher Level

29 Contributing to International Cooperation
EESSI organised an international seminar in Barcelona (Spain), 26 September 2000
Purpose of the seminar:
to share EESSI draft specifications
to discuss how to achieve a more general model for cross-border recognition of electronic signatures
to agree on implementation principles: who and how

30 Contributing to International Cooperation
Representatives from: Identrus, GTA, ECOM from Japan, Radicchio, PKI Forum, U.S. Federal PKI Steering Committee, ISO/IEC JTC1, APEC, WAP Forum, W3C, The Open Forum

31 Join us on the EESSI Home Page http://www. ict. etsi

