EESSI Overview - 1 August 2002
EESSI: European Electronic Signature Standardisation Initiative
Implementing Electronic Signature
Electronic Signature Directive is providing a common EU framework for electronic signatures (1993/93/EC)
Industry, with the assistance of European Standards Bodies, to provide an agreed framework for an open, market-oriented implementation of the Directive
EESSI put in place to co-ordinate this task (ICT-SB Dec. 98)
EESSI Charter
EESSI Objectives
Analyse needs for standards in support of minimum essential legal requirements as stated by the Directive
Assess available standards and current initiatives at national, European and international levels
Set up and implement a Programme of Work, built on international co-operation
Directive highlights
Legal recognition of electronic signatures
Technology neutral
Free flow of Products and Services
Excludes prior authorisation or licensing scheme for Certification Service Providers
Mandates supervision scheme for CSPs
Calls for monitoring of Voluntary Accreditation Scheme
Annexes of the Directive
Annex I: Requirements for qualified certificates
Annex II: Requirements for certification-service-providers issuing qualified certificates
Annex III: Requirements for secure signature-creation devices
Annex IV: Recommendations for secure signature verification
Proposed Classes of Electronic Signatures
General electronic signature (as required in 5.2)
Level of legal certainty: Cannot be denied legal effect (art 5.2)
Explanation: Any electronic signature that is not a qualified electronic signature.
Qualified electronic signature (as specified in 5.1; Annex I, II, III)
Level of legal certainty: Same legal effect as hand-written signature (art 5.1)
Explanation: Minimum technical level required for the signer so that his electronic signature can be considered as legally equivalent with a hand-written signature.
Enhanced electronic signature (applicable to both general and qualified electronic signatures)
Level of legal certainty: Enhancement of technical evidence
Explanation: Additional technical requirements for a verifier, such as time-stamping, but also for the signer, to enhance technical security and obtain protection against certain threats.
Framework for implementation
Security/Quality level
Signature Creation Device
Certificate Policy
Electronic Signature Syntax
Trustworthy System
Signature with long validity
Qualified Electronic Signature
Signature for limited value transactions
EESSI Organisation
Steering Committee
Standard Bodies and Consensus Bodies involved in standardisation: CEN, ETSI, ISO, ECBS, EEMA, EURESCOM
Market Players: Bull, Globalsign, iD2, BT, ACE
Public Authorities and Consumers Rep’s: BSI (D), PRC (FIN), AIPA (I), DSTI (F), ECP.NL (NL), ANEC
Commission as observer: DG Enterprise, DG Information Society, DG Internal Market
Expertise activity as required
EESSI Structure
EESSI/SG
European Telecommunications Standards Institute
Industry and business, assisted by European standard bodies
Base Line for Action
Capitalise on European & International activities
ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C, EURESCOM
EEMA/ECAF, ICC, ABA, ILPF
UNCITRAL Model of Law, AGB
European Projects: IST and ISIS programmes
National activities in Germany (BSI, INDI), Nordic Countries (SEIS, SAT, FDS), Italy (AIPA), Austria, Spain (FESTE), Netherlands (TTP.NL), UK (tScheme), ...
EESSI Programme Implementation
Standardization work programme
Phase 1 (work programme definition) completed 3Q1999
Phase 2 (essential requirements for the Directive) completed 2Q2002
Phase 3 (requirements for different classes of electronic signature) to be completed by the end of 2002
Phase 4 (additional requirements) to be performed in 2002-2003
EESSI Programme Implementation
Use of the existing standardization technical groups
CEN/ISSS E-SIGN Workshop
– 30+ participants, funded Expert Teams
– Deliverables: CEN Workshop Agreements (CWA)
ETSI ESI Technical Committee
– 20+ Participants, funded Specialist Task Force
– Deliverables: ETSI Technical Specifications (ETSI TS) and ETSI Technical Reports (ETSI TR)
Creation of the ALGO group: expert group providing guidance on cryptographic algorithms and parameters in EESSI standards
Roadmap of Phase 2 EESSI Standards
Signature creation process & environment (A.III)
Signature validation process and environment - A.IV
Signature format and syntax (Advanced ES)
Creation device - A.III
Requirements for CSPs - A.II
Trustworthy system - A.II.f
Certification Service Provider
User/signer
Relying party/verifier
CEN E-SIGN
ETSI ESI
Qualified certificate - A.I
Time Stamp
Phase 2 Deliverables
Target: Directive Annexes I-IV requirements and interoperability
Published in 4Q2000:
Policies for Certification Service Providers, ETSI TS 101 456 (updated 2Q2002)
Profile for Qualified Certificates, ETSI TS 101 862, (updated 2Q2001)
Electronic Signature Formats, ETSI TS 101 733, (also published as 2 IETF RFC) (updated 1Q2002)
Published in 3Q2001:
Security Requirements for SSCDs (EAL4), CWA 14168
Signature Creation Process and Environment, CWA 14170
Signature Verification Process and Environment, CWA 14171
Conformity Assessment Guidance, CWA 14172 – Parts 1-2
Time Stamping Profile, ETSI TS 101 861 (based on IETF RFC) (updated 1Q2002)
Deliverables…..
Published in 4Q2001:
Security Requirements for Trustworthy Systems, CWA 14167-1
Conformity Assessment Guidance, CWA 14172 – Parts 3-5
Published in 1Q2002:
Cryptographic Modules for CSP (MCSO-PP), CWA 14167-2
Security Requirements for SSCDs (EAL4+), CWA 14169
Deliverables...
Roadmap of Phase 3 Activities (2001)
Signature creation process and environment
Signature validation process and environment
Signature format * and syntax in XML
Signature Creation device *
Alternative Requirements for CSPs *
Trustworthy Systems *
Certification Service Provider
User/Signer
Relying Party/Verifier
Qualified certificate
Time Stamping Format & Protocol
Time Stamping Authority
Requirements for TSAs *
* Phase 3
CA status and validation by RP *
Published in 1Q2002:
Guidelines for the implementation of SSCDs, CWA 14355
XML Advanced Electronic Signatures, ETSI TS 101 903
International harmonization of Policy Requirements for CAs issuing Certificates, ETSI TR 102 040
Signature Policies Report, ETSI TR 102 041
Phase 3 Deliverables
Published in 2Q2002:
Policy Requirements for Time Stamping Authorities, ETSI TS 102 023
Provision of harmonized Trust Service Provider status information, ETSI TR 102 030
XML Format for Signature Policies, ETSI TR 102 038
Policy Requirements for Certification authorities issuing Public Key Certificates, ETSI TS 102 042
Deliverables…..
Ongoing work:
Guide on the Use of Electronic Signatures, draft CWA 14365
Cryptographic Module for CSP Key Generation Services, (CMCKG-PP), draft CWA 14167-3
Application Interface for Smart cards used as SSCDs, draft CWA
Signature Policy for Extended Business Model draft ETSI TR 102 045
Maintenance of ETSI Standards from EESSI phase 2 and 3, draft ETSI TR 102 046
International harmonization and globalization activities, draft ETSI TR 102 047
Publication is foreseen in the second half of 2002
Deliverables…..
New activities are planned in 2002-2003 on the following subjects:
Maintenance of the published specifications
Harmonised provision of TSP status information
Internationalisation of Certificate Policies
Technical Standards for Signature Policies
Policy Requirements for CSPs issuing Attribute Certificates
Technical properties of Advanced Electronic Signatures
Interoperability requirements of smart Cards used as SSCDs
Conformity assessment of SSCDs supporting non Qualified Electronic Signatures
Provision of Certificates status information to Relying Parties
Phase 4 Activities
The Commission has evaluated the EESSI phase 2 deliverables as answering the requirements set by the Directive.
A draft Decision prepared by the Commission proposes recognising the EESSI phase 2 deliverables that answer the requirements set in the annexes as Generally Recognized Standards under the Directive. The proposal was discussed in the meeting of the Directive Member States committee in July 2002, and generally supported.
Publication in the EU OJ of the references to the deliverables produced by EESSI, as providing a proper technical framework for the implementation of the Directive, should follow. It will give a positive signal to the market players for the development of products and services complying with the EESSI specifications.
European perspectives
International Perspectives
Recognition of conformance to SSCD requirements: CC MRA (Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security). Similar ambition with Trustworthy Systems.
Cross-recognition of “certification policy”: Assessment of policy mapping between US Federal PKI and ETSI-EESSI requirements
Harmonization of interoperability standards: Use of existing standards (ISO, IETF), liaisons under development (W3C, WAP Forum, EDI/XML) and submissions to IETF