EESSI Overview - August 2002

EESSI Charter
- Electronic Signature Directive is providing a common EU framework for electronic signatures (1993/93/EC)
- Industry, with the assistance of European Standards Bodies, to provide an agreed framework for an open, market-oriented implementation of the Directive
- EESSI put in place to co-ordinate this task (ICT-SB Dec. 98)

EESSI Objectives
- Analyse needs for standards in support of minimum essential legal requirements as stated by the Directive
- Assess available standards and current initiatives at national, European and international levels
- Set up and implement a Programme of Work, built on international co-operation

Directive highlights
- Legal recognition of electronic signatures
- Technology neutral
- Free flow of Products and Services
- Excludes prior authorisation or licensing scheme for Certification Service Providers
- Mandates supervision scheme for CSPs
- Calls for monitoring of Voluntary Accreditation Scheme

Annexes of the Directive
- Annex I: Requirements for qualified certificates
- Annex II: Requirements for certification-service-providers issuing qualified certificates
- Annex III: Requirements for secure signature-creation devices
- Annex IV: Recommendations for secure signature verification

Framework for implementation
[Diagram. Labels: Security/Quality level; Signature Creation Device; Certificate Policy; Electronic Signature Syntax; Trustworthy System; Signature with long validity; Qualified Electronic Signature; Signature for limited value transactions]

EESSI Organisation
- Steering Committee
- Standard Bodies and Consensus Bodies involved in standardisation: CEN, ETSI, ISO, ECBS, EEMA, EURESCOM
- Market Players: Bull, Globalsign, iD2, BT, ACE
- Public Authorities and Consumers Rep's: BSI (D), PRC (FIN), AIPA (I), DSTI (F), ECP.NL (NL), ANEC
- Commission as observer: DG Enterprise, DG Information Society, DG Internal Market
- Expertise activity as required

EESSI Structure
[Diagram. Labels: EESSI/SG; European Telecommunications Standards Institute; Industry and business, assisted by European standard bodies]

Base Line for Action
Capitalise on European & International activities
- ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C, EURESCOM
- EEMA/ECAF, ICC, ABA, ILPF
- UNCITRAL Model of Law, AGB
- European Projects: IST and ISIS programmes
- National activities in Germany (BSI, INDI), Nordic Countries (SEIS, SAT, FDS), Italy (AIPA), Austria, Spain (FESTE), Netherlands (TTP.NL), UK (tScheme),...

EESSI Programme Implementation
Standardization work programme
- Phase 1 (work programme definition) completed 3Q1999
- Phase 2 (essential requirements for the Directive) completed 2Q2002
- Phase 3 (requirements for different classes of electronic signature) to be completed by the end of 2002
- Phase 4 (additional requirements) to be performed in 2002-2003

EESSI Programme Implementation
Use of the existing standardization technical groups
- CEN/ISSS E-SIGN Workshop – 30+ participants, funded Expert Teams – Deliverables: CEN Workshop Agreements (CWA)
- ETSI ESI Technical Committee – 20+ Participants, funded Specialist Task Force – Deliverables: ETSI Technical Specifications (ETSI TS) and ETSI Technical Reports (ETSI TR)
Creation of the ALGO group
- Expert group providing guidance on cryptographic algorithms and parameters in EESSI standards

Roadmap of Phase 2 EESSI Standards
[Diagram. Parties: Certification Service Provider; User/signer; Relying party/verifier. Standards bodies: CEN E-SIGN; ETSI ESI. Labels: Signature creation process & environment (A.III); Signature validation process and environment - A.IV; Signature format and syntax (Advanced ES); Creation device A.III; Requirements for CSPs - A.II; Trustworthy system - A.II.f; Qualified certificate - A.I; Time Stamp]

Phase 2 Deliverables
Target: Directive Annexes I-IV requirements and interoperability
Published in 4Q2000:
- Policies for Certification Service Providers, ETSI TS 101 456 (updated 2Q2002)
- Profile for Qualified Certificates, ETSI TS 101 862 (updated 2Q2001)
- Electronic Signature Formats, ETSI TS 101 733 (also published as 2 IETF RFC) (updated 1Q2002)

Deliverables...
Published in 3Q2001:
- Security Requirements for SSCDs (EAL4), CWA 14168
- Signature Creation Process and Environment, CWA 14170
- Signature Verification Process and Environment, CWA 14171
- Conformity Assessment Guidance, CWA 14172 – Parts 1-2
- Time Stamping Profile, ETSI TS 101 861 (based on IETF RFC) (updated 1Q2002)

Deliverables...
Published in 4Q2001:
- Security Requirements for Trustworthy Systems, CWA 14167-1
- Conformity Assessment Guidance, CWA 14172 – Parts 3-5
Published in 1Q2002:
- Cryptographic Modules for CSP (MCSO-PP), CWA 14167-2
- Security Requirements for SSCDs (EAL4+), CWA 14169

Roadmap of Phase 3 Activities (2001)
[Diagram. Parties: Certification Service Provider; User/Signer; Relying Party/Verifier; Time Stamping Authority. Labels: Signature creation process and environment; Signature validation process and environment; Signature format * and syntax in XML; Signature Creation device *; Alternative Requirements for CSPs *; Trustworthy Systems *; Qualified certificate; Time Stamping Format&Protocol; Requirements for TSAs *; CA status and validation by RP *. Legend: * Phase 3]

Phase 3 Deliverables
Published in 1Q2002:
- Guidelines for the implementation of SSCDs, CWA 14355
- XML Advanced Electronic Signatures, ETSI TS 101 903
- International harmonization of Policy Requirements for CAs issuing Certificates, ETSI TR 102 040
- Signature Policies Report, ETSI TR 102 041

Deliverables...
Published in 2Q2002:
- Policy Requirements for Time Stamping Authorities, ETSI TS 102 023
- Provision of harmonized Trust Service Provider status information, ETSI TR 102 030
- XML Format for Signature Policies, ETSI TR 102 038
- Policy Requirements for Certification authorities issuing Public Key Certificates, ETSI TS 102 042

Deliverables...
Ongoing work:
- Guide on the Use of Electronic Signatures, draft CWA 14365
- Cryptographic Module for CSP Key Generation Services (CMCKG-PP), draft CWA 14167-3
- Application Interface for Smart cards used as SSCDs, draft CWA
- Signature Policy for Extended Business Model, draft ETSI TR 102 045
- Maintenance of ETSI Standards from EESSI phase 2 and 3, draft ETSI TR 102 046
- International harmonization and globalization activities, draft ETSI TR 102 047
Publication is foreseen in the second half of 2002

Phase 4 Activities
New activities are planned in 2002-2003 on the following subjects:
- Maintenance of the published specifications
- Harmonised provision of TSP status information
- Internationalisation of Certificate Policies
- Technical Standards for Signature Policies
- Policy Requirements for CSPs issuing Attribute Certificates
- Technical properties of Advanced Electronic Signatures
- Interoperability requirements of smart Cards used as SSCDs
- Conformity assessment of SSCDs supporting non Qualified Electronic Signatures
- Provision of Certificates status information to Relying Parties

European perspectives
- The evaluation of the EESSI phase 2 deliverables, as answering the requirements set by the Directive, has been performed by the Commission.
- The recognition as Generally Recognized Standards under the Directive of the EESSI phase 2 deliverables answering the requirements set in the annexes is proposed in a draft Decision prepared by the Commission. The proposal was discussed in the meeting of the Directive Member States committee in July 2002, and generally supported.
- The publication in the EU OJ of the references to the deliverables produced by EESSI, as providing a proper technical framework for the implementation of the Directive, should follow. It will give a positive signal to the market players for the development of products and services complying with the EESSI specifications.

International Perspectives
- Recognition of conformance to SSCD requirements
  - CC MRA: Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security
  - Similar ambition with Trustworthy Systems
- Cross-recognition of "certification policy":
  - Assessment of policy mapping between US Federal PKI and ETSI-EESSI requirements
- Harmonization of interoperability standards:
  - Use of existing standards (ISO, IETF), liaisons under development (W3C, WAP Forum, EDI/XML) and submissions to IETF

EESSI on the Web
http://www.ictsb.org/EESSI_home.htm
More useful references:
- ETSI: http://www.etsi.org/esi/el-sign.htm (sign up from Web-site to open El Sign mailing list)
- CEN: http://www.cenorm.be/isss/workshop/e-sign