Implementation of the EESSI work programme
György Endersz, Telia Research, Sweden, Chairman ETSI ESI Working Group
Hans Nilsson, iD2 Technologies, Sweden, Chairman CEN/ISSS E-SIGN Workshop
EESSI May 10, 2000

EESSI standards overview
[Diagram. Labels: Certification Service Provider; Trustworthy system; Qualified Certificate policy; Time Stamp; Qualified certificate; Signature creation process and environment; Signature validation process and environment; Creation device; Signature format and syntax; Relying party/verifier; User/signer; CEN E-SIGN; ETSI ESI]

EESSI standards implementation
• CEN/ISSS E-SIGN Workshop
  • 70+ participants, 12 paid experts
  • Result: CEN Workshop Agreements during Q3 and Q4
  • Chairman: hans.nilsson@id2tech.com
• ETSI ESI Working Group
  • 40-50 participants, 8 paid experts
  • Result: ETSI Standards/Technical Specifications 2-4Q2000
  • Chairman: gyorgy.g.endersz@telia.se
• For more information:
  • http://www.ict.etsi.org/eessi/EESSI-homepage.htm

EESSI not limited to “5.1 signatures”: Different classes of electronic signatures

“Security requirements for electronic signature creation devices”
• Technical issues to be covered:
  • Key generation
    • When and where the signature creation data are composed
    • What constraints signature creation data have
  • Key management
    • How the signature creation data are stored and handled
    • How signature creation data relate to signature verification data
  • Initialisation/Personalisation
    • If signature creation data are transferred in this phase
    • How the secrecy of the signature creation data is assured
  • Lifecycle
    • How signature creation data are disposed of
  • Signature creation process
    • How signature creation data are handled

Signature process and environment
[Diagram. Labels: Signature Policy; PKI; Cryptographic Profile; Certificates; Intent; Pin-Pad + Authentication; Signature Par; Document; Signature; Signature Environment’s Operating System & Signature Application Processes; User; Signature-Device; Private Key; Local Storage; Other un-trusted inputs/outputs; Other (un-trusted) Processes; “= Scope of standardization”]

“Guidelines for Signature verification process and environment”
Some of the issues to be covered:
• Validation process
  • Trust points
  • Certificate paths
  • Revocation rules
  • Roles and attributes
  • Time-stamping and timing
• Validation environment
  • Validation by humans (supported by machines)
  • Validation by machines only
  • Validation by third parties

Policies for Certification Service Providers (CSPs)
• Functional, quality and security requirements expressed in Certificate Policy and security controls
• Uniform requirements as a basis for implementation, audit and accreditation
• Current work responds to Directive requirements for CSPs issuing Qualified Certificates
• Requirements for other class(es) to meet market needs
• ETSI TS in 4Q2000

Qualified Certificate Policy
[Diagram. Labels: Baseline Qualified Certificate Policy; Subscriber Obligations; CSP/CA Obligations; Liability; RA Obligations; Repository Obligations; Financial; CSP Security Controls; Objectives; Policy Requirements]

Electronic Signature Formats
• Defines interoperable syntax and encoding for signature, validation data and signing policy. Builds upon existing standards
• Published as ETSI Standard (ES) 201 733 in 2Q2000
• Proposed to IETF in March 2000 as an Informational RFC, based on the ES
• Aim: to harmonise development with XML signatures

Profile for Qualified Certificate
• Standard for the use of X.509 public key certificates as qualified certificates
• European profile based on current IETF PKIX draft
• Draft to be approved by ETSI SEC in 4Q2000

Format and Protocol for Time Stamp
• Profile based on current IETF PKIX draft
• Time stamps used for signature validation, e.g. in ES 201 733
• Draft to be approved by ETSI SEC in 4Q2000

Conformity Assessment of Electronic Signature Products and Services

Conformity Assessment of Secure Signature Creation Devices
• “Conformity shall be determined by appropriate public or private bodies designated by Member States”
• “The Commission shall establish criteria for Member States to determine whether a body should be designated”
• CEN Workshop Agreement: Common Criteria Protection Profile
  • => CC evaluation by CLEF or other notified body

Conformity Assessment of Certification Service Providers
• Prior authorisation not allowed, but...
• Mandatory supervision of CSPs issuing QCs to the public
  • Registration/notification of CSPs
  • Self-declaration for fulfilling QC Policy
  • What documentation is required?
• Voluntary Accreditation
  • Audit to be performed
  • Based on QC Policy
  • Assessment guidelines also required?
  • National private or government schemes
  • Need for mutual recognition of accreditation!!

Conformity Assessment of Trustworthy Systems
• “The Commission may establish and publish reference numbers of generally recognised standards for electronic-signature products. Member States shall presume that there is compliance with the requirements laid down in Annex II, point (f), and Annex III when an electronic signature product meets those standards”
• Only applicable for Voluntary Accreditation?
• Common Criteria Protection Profile
• Evaluation by CLEF or notified body or in other ways

What we expect from this meeting
• Increased knowledge about the EESSI work amongst industry, users and regulators
• Get feedback on the contents of the work
• Discuss harmonization of supervision
• Discuss mutual recognition of accreditation