EESSI Overview - 1 August 2002 EESSI European Electronic Signature Standardisation Initiative Implementing Electronic Signature


EESSI Charter

Electronic Signature Directive is providing a common EU framework for electronic signatures (1993/93/EC)

Industry, with the assistance of European Standards Bodies, to provide an agreed framework for an open, market-oriented implementation of the Directive

EESSI put in place to co-ordinate this task (ICT-SB Dec. 98)


EESSI Objectives

Analyse needs for standards in support of minimum essential legal requirements as stated by the Directive

Assess available standards and current initiatives at national, European and international levels

Set up and implement a Programme of Work, built on international co-operation


Directive highlights

Legal recognition of electronic signatures

Technology neutral

Free flow of Products and Services

Excludes prior authorisation or licensing scheme for Certification Service Providers

Mandates supervision scheme for CSPs

Calls for monitoring of Voluntary Accreditation Scheme


Annexes of the Directive

Annex I: Requirements for qualified certificates

Annex II: Requirements for certification-service-providers issuing qualified certificates

Annex III: Requirements for secure signature-creation devices

Annex IV: Recommendations for secure signature verification


Proposed Classes of Electronic Signatures

Classes of signature:

General electronic signature, as required in 5.2

– Level of legal certainty: Cannot be denied legal effect (art 5.2)

– Explanation: Any electronic signature that is not a qualified electronic signature.

Qualified electronic signature, as specified in 5.1 (Annex I, II, III)

– Level of legal certainty: Same legal effect as hand-written signature (art 5.1)

– Explanation: Minimum technical level required for the signer so that his electronic signature can be considered as legally equivalent with a hand-written signature.

Enhanced electronic signature (applicable to both general and qualified electronic signatures)

– Level of legal certainty: Enhancement of technical evidence

– Explanation: Additional technical requirements for a verifier, such as time-stamping, but also for the signer, to enhance technical security and obtain protection against certain threats.


Framework for implementation

Security/Quality level

Signature Creation Device

Certificate Policy

Electronic Signature Syntax

Trustworthy System

Signature with long validity

Qualified Electronic Signature

Signature for limited value transactions


EESSI Organisation

Steering Committee

Standard Bodies and Consensus Bodies involved in standardisation: CEN, ETSI, ISO, ECBS, EEMA, EURESCOM

Market Players: Bull, Globalsign, iD2, BT, ACE

Public Authorities and Consumers Rep’s: BSI (D), PRC (FIN), AIPA (I), DSTI (F), ECP.NL (NL), ANEC

Commission as observer: DG Enterprise, DG Information Society, DG Internal Market

Expertise activity as required


EESSI Structure

EESSI/SG

European Telecommunications Standards Institute

Industry and business, assisted by European standard bodies


Base Line for Action

Capitalise on European & International activities

ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C, EURESCOM

EEMA/ECAF, ICC, ABA, ILPF

UNCITRAL Model of Law, AGB

European Projects: IST and ISIS programmes

National activities in Germany (BSI, INDI), Nordic Countries (SEIS, SAT, FDS), Italy (AIPA), Austria, Spain (FESTE), Netherlands (TTP.NL), UK (tScheme), ...


EESSI Programme Implementation

Standardization work programme

Phase 1 (work programme definition) completed 3Q1999

Phase 2 (essential requirements for the Directive) completed 2Q2002

Phase 3 (requirements for different classes of electronic signature) to be completed by the end of 2002

Phase 4 (additional requirements) to be performed in 2002-2003


EESSI Programme Implementation

Use of the existing standardization technical groups

CEN/ISSS E-SIGN Workshop

– 30+ participants, funded Expert Teams

– Deliverables: CEN Workshop Agreements (CWA)

ETSI ESI Technical Committee

– 20+ Participants, funded Specialist Task Force

– Deliverables: ETSI Technical Specifications (ETSI TS) and ETSI Technical Reports (ETSI TR)

Creation of the ALGO group: expert group providing guidance on cryptographic algorithms and parameters in EESSI standards


Roadmap of Phase 2 EESSI Standards

Signature creation process & environment (A.III)

Signature validation process and environment - A.IV

Signature format and syntax (Advanced ES)

Creation device - A.III

Requirements for CSPs - A.II

Trustworthy system - A.II.f

Certification Service Provider

User/signer

Relying party/verifier

CEN E-SIGN

ETSI ESI

Qualified certificate - A.I

Time Stamp


Phase 2 Deliverables

Target: Directive Annexes I-IV requirements and interoperability

Published in 4Q2000:

Policies for Certification Service Providers, ETSI TS 101 456 (updated 2Q2002)

Profile for Qualified Certificates, ETSI TS 101 862, (updated 2Q2001)

Electronic Signature Formats, ETSI TS 101 733, (also published as 2 IETF RFC) (updated 1Q2002)

Deliverables...

Published in 3Q2001:

Security Requirements for SSCDs (EAL4), CWA 14168

Signature Creation Process and Environment, CWA 14170

Signature Verification Process and Environment, CWA 14171

Conformity Assessment Guidance, CWA 14172 – Parts 1-2

Time Stamping Profile, ETSI TS 101 861 (based on IETF RFC) (updated 1Q2002)

Deliverables...

Published in 4Q2001:

Security Requirements for Trustworthy Systems, CWA 14167-1

Conformity Assessment Guidance, CWA 14172 – Parts 3-5

Published in 1Q2002:

Cryptographic Modules for CSP (MCSO-PP), CWA 14167-2

Security Requirements for SSCDs (EAL4+), CWA 14169


Roadmap of Phase 3 Activities (2001)

Signature creation process and environment

Signature validation process and environment

Signature format * and syntax in XML

Signature Creation device *

Alternative Requirements for CSPs *

Trustworthy Systems *

Certification Service Provider

User/Signer

Relying Party/Verifier

Qualified certificate

Time Stamping Format & Protocol

Time Stamping Authority

Requirements for TSAs *

* Phase 3

CA status and validation by RP *

Phase 3 Deliverables

Published in 1Q2002:

Guidelines for the implementation of SSCDs, CWA 14355

XML Advanced Electronic Signatures, ETSI TS 101 903

International harmonization of Policy Requirements for CAs issuing Certificates, ETSI TR 102 040

Signature Policies Report, ETSI TR 102 041

Deliverables...

Published in 2Q2002:

Policy Requirements for Time Stamping Authorities, ETSI TS 102 023

Provision of harmonized Trust Service Provider status information, ETSI TR 102 030

XML Format for Signature Policies, ETSI TR 102 038

Policy Requirements for Certification authorities issuing Public Key Certificates, ETSI TS 102 042

Deliverables...

Ongoing work:

Guide on the Use of Electronic Signatures, draft CWA 14365

Cryptographic Module for CSP Key Generation Services (CMCKG-PP), draft CWA 14167-3

Application Interface for Smart cards used as SSCDs, draft CWA

Signature Policy for Extended Business Model, draft ETSI TR 102 045

Maintenance of ETSI Standards from EESSI phase 2 and 3, draft ETSI TR 102 046

International harmonization and globalization activities, draft ETSI TR 102 047

Publication is foreseen in the second half of 2002

Phase 4 Activities

New activities are planned in 2002-2003 on the following subjects:

Maintenance of the published specifications

Harmonised provision of TSP status information

Internationalisation of Certificate Policies

Technical Standards for Signature Policies

Policy Requirements for CSPs issuing Attribute Certificates

Technical properties of Advanced Electronic Signatures

Interoperability requirements of smart Cards used as SSCDs

Conformity assessment of SSCDs supporting non Qualified Electronic Signatures

Provision of Certificates status information to Relying Parties

European perspectives

The Commission has evaluated the EESSI phase 2 deliverables as answering the requirements set by the Directive

Recognition of the EESSI phase 2 deliverables that answer the requirements set in the annexes as Generally Recognized Standards under the Directive is proposed in a draft Decision prepared by the Commission. The proposal was discussed at the July 2002 meeting of the Directive Member States committee and was generally supported

Publication in the EU OJ of the references to the deliverables produced by EESSI, as providing a proper technical framework for the implementation of the Directive, should follow. It will give a positive signal to market players for the development of products and services complying with the EESSI specifications


International Perspectives

Recognition of conformance to SSCD requirements: CC MRA (Arrangement on the Mutual Recognition of CC Certificates in the Field of IT Security). Similar ambition with Trustworthy Systems

Cross-recognition of “certification policy”: Assessment of policy mapping between US Federal PKI and ETSI-EESSI requirements

Harmonization of interoperability standards: Use of existing standards (ISO, IETF), liaisons under development (W3C, WAP Forum, EDI/XML) and submissions to IETF

EESSI on the Web

http://www.ictsb.org/EESSI_home.htm

More useful references:

ETSI: http://www.etsi.org/esi/el-sign.htm

Sign up from Web-site to open El Sign mailing list

CEN: http://www.cenorm.be/isss/workshop/e-sign