STANDARDISATION IN E-ARCHIVING. D I G I TA L T R U S T A N D E - A R C H I V I N G Alain Wahl

Transcription

1 STANDARDISATION IN E-ARCHIVING D I G I TA L T R U S T A N D E - A R C H I V I N G Alain Wahl 1

2 OBJECTIVES OF THIS PRESENTATION Understand the cncept f digital trust Definitin Digital trust department f ILNAS Eurpean eidas regulatin n e-id and trust services Understand the natinal cntext f electrnic archiving Understand the bjectives f the law n e-archiving Understand the supervisin scheme fr digitisatin and e-archiving service prviders 2

3 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 3

4 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 4

5 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 5

6 DEFINITION OF TRUST Li, F., Pieńkwski, D., Van Mrsel, A., Smith, C. (2012) A hlistic framewrk fr trust in nline transactins Li et al. shw that trust can be classified int three categries: Interpersnal trust, which is the trust that ne agent has in anther agent. It is based n specific characteristics f the agents invlved System trust, r Impersnal trust, which is based n the perceived reliability f a system r institutin Dispsitinal trust, als referred t as basic trust, which describes the general trusting attitude f the trustr 6

7 THE CONCEPT OF TRUST Yan, Z., Hltmanns, S. (2007), Trust Mdeling and Management: frm Scial Trust t Digital Trust Related t trustr s bjective prperties: Assessment Set f standards Related t trustr s subjective prperties: Cnfidence Expectatins Related t trustee s bjective prperties: Cmpetence, ability, security, dependability, integrity, predictability, reliability Timeliness, bserved behavir, strength Related t trustee s subjective prperties: Hnesty, benevlence, gdness, prbability, willingness, belief, dispsitin Attitude, feeling, intentin, faith, hpe, trustr s dependence and reliance Related t the cntext: Situatins entailing risk, structural, risk Dmain f actin 7

8 THE CONCEPT OF DIGITAL TRUST Wang, Y. D., Emurian, H. H. (2005). An verview f nline trust: Cncepts, elements, and implicatins. Similar characteristics f digital and traditinal trust Trustr and trustee Trustr e.g. cnsumer wh is brwsing a web site n the Internet Trustee e.g. gvernance rganizatin r merchant that the website represents Establishing and maintaining a trust relatinship Annymity f ding business using the Internet Trustees: may behave in an unpredictable manner Cnsumers Uncertain abut the risks and its cnsequences when passing infrmatin r executing nline transactins Mre vulnerable t specific trust vilatins such as privacy vilatins r lss f mney 8

9 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 9

10 DIGITAL TRUST DEPARTMENT Natinal supervisry bdy fr Qualified trust service prviders Qualified digitizatin r e-archiving service prviders Management and publicatin f Luxemburg s trusted list Prmtin f gd practices fr trust service prviders and digitizatin r e-archiving service prviders Member f the Eurpean Multi-Stakehlder Platfrm (MSP) n ICT Standardizatin 10

11 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 11

12 ELECTRONIC IDENTIFICATION AND TRUST SERVICES INCLUDING E-SIGNATURES Eurpean legislatin: Regulatin (EU) N 910/2014 f the Eurpean Parliament and f the Cuncil n electrnic identificatin and trust services fr electrnic transactins in the internal market (eidas regulatin) Related nging standardisatin and research activities ETSI EN , ETSI EN Requirements fr Trust Service Prviders ETSI EN Plicy and Security Requirements fr Trust Service Prviders issuing Time-Stamps ETSI SR Ratinalized framewrk f Standards fr Electrnic Registered Delivery Services Applying Electrnic Signatures ETSI TS Trusted Lists Signature frmats (CAdES, XAdES, PAdES, CAdES prfile, ASiC, and ASiC prfile) 12

13 EIDAS REGULATION (EU) NO 910/2014 Objective Strengthen EU Single Market by bsting TRUST and CONVENIENCE in secure and seamless crss-brder electrnic transactins 13

14 EIDAS REGULATION (EU) NO 910/2014 Mutual recgnitin f e-identificatin means Electrnic trust services Electrnic signatures Electrnic seals Time stamping Electrnic registered delivery service Website authenticatin. Electrnic dcuments 14

15 EIDAS REGULATION (EU) NO 910/2014 E-Transactins wrkflw Submitting a tax declaratin Website authenticatin: check if the website yu enter is really linked t the tax authrity. eid: identify (r authenticate) yurself using, fr instance, an eid means Creatin f the tax declaratin E-registered delivery: Tax authrity sends acknwledgement f receipt Time stamp: Prf f submissin f the tax declaratin in due time E-signature/ e-seal: Signing r Sealing the tax declaratin Preservatin: strage f the tax declaratin and acknwledgment f receipt 15

16 EIDAS REGULATION (EU) NO 910/2014 Prvides legal certainty and fsters the usage f eid means fr n-line access (nt regulated at EU level befre) Addresses all the stages f a generic e-transactin, frm the authenticatin f a web site t preservatin Prvides the legal framewrk fr a cmprehensive tlbx f mechanisms and services t bst trust and cnfidence in electrnic transactins Takes a risk management perspective, nt based n nrmative rules but n principles: Transparency and accuntability: well-defined minimal bligatins fr TSPs and liability Trustwrthiness f the services tgether with security requirements fr TSPs Light-tuch reactive mnitring fr TSPs vs. full-fledged supervisin fr QTSPs Technlgical neutrality: aviding requirements which culd nly be met by a specific technlgy Market rules and building n standardisatin Prvides ne set f rules directly applicable acrss all EU MS (regulatin, 1 DA and 28 IA) 16

17 EIDAS REGULATION (EU) NO 910/2014 Mandatry recgnitin f electrnic identificatin Vluntary ntificatin f eid schemes "Cperatin and interperability" mechanism Assurance Levels: "high" and "substantial" (and "lw") Interperability framewrk Access t authenticatin capabilities: free f charge fr public sectr bdies & accrding t natinal rules fr private sectr relying parties 17

18 EIDAS REGULATION (EU) NO 910/2014 Trust services Hrizntal principles: Liability; Supervisin; Internatinal aspects; Security requirements; data prtectin; Qualified services; Prir authrisatin; trusted lists; EU trust mark Electrnic signatures, including validatin and preservatin services Electrnic seals, including validatin and preservatin services Time stamping Electrnic registered delivery service Website authenticatin 18

19 EIDAS REGULATION (EU) NO 910/2014 Timeline f implementatin Entry int frce f the Regulatin Vluntary recgnitin eids Date f applicatin f rules fr trust services Mandatry recgnitin f eids 19

20 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 20

21 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 21

22 NATIONAL LAW OF 25 JULY 2015 ON ELECTRONIC ARCHIVING Objectives Establish a trust relatin between users External verificatin Prmte the quality f prducts and services Restitutin f dcuments in case a qualified PSDC ceases its activities Legal value f the electrnic dcuments Given by the law n electrnic archiving Prmte the activities f e-archiving Marketing effect Gd image f qualified PSDCs Cst reductin Reduce paper archives Reduce time t find and access an infrmatin Reduce security incidents 22

23 NATIONAL LAW OF 25 JULY 2015 ON ELECTRONIC ARCHIVING Definitins Accredited Cnfrmity Assessment Bdy (CAB): independent bdy f assessrs accredited by a Natinal Accreditatin Bdy as having the cmpetence t carry ut cnfrmity assessment activities Cpy with prbative value: cpy which preserves its integrity (prperty f accuracy and cmpleteness, ISO/IEC 27000:2014) Preservatin: archiving f digital files in an electrnic medium fr lng-term use Qualified PSDC: Prestataire de Services de Dématérialisatin u de Cnservatin supervised and qualified by the Digital trust department f ILNAS 23

24 NATIONAL LAW OF 25 JULY 2015 ON ELECTRONIC ARCHIVING Abut the legal value f electrnic cpies Presumptin f cnfrmity with the riginal f electrnic cpies dne by a qualified PSDC -> Electrnic cpies have the same legal value as the riginal dcument, except when there is a prve f the ppsite An electrnic cpy cannt be rejected by a judge, because f its electrnic frmat An electrnic cpy cannt be rejected by a judge, because it has nt been realised by a qualified PSDC 24

25 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 25

26 SUPERVISION SCHEME FOR QUALIFIED PSDC Trusted list Eurpean cperatin fr Accreditatin (EA) Internatinal Accreditatin Frum (IAF) Supervisin status ILNAS (Natinal Supervisry Bdy) Assessment & supervisin cnclusins Digitisatin Electrnic archiving Organisatin Ntificatin fr supervisin Assessment reprt Natinal Accreditatin Bdy (OLAS) Accredited Cnfrmity Assessment Bdy (CAB) Accreditatin against ETSI EN Assessrs Cnfrmity assessment (audit) against the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 26

27 SUPERVISION SCHEME FOR QUALIFIED PSDC Preparatin f the PSDC Cnfrm t the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Specify a plicy Risk evaluatin Specify the practices f digitizatin and e-archiving Implement an ISMS Dcument & implement the prcedures Realize internal audits Implement crrective actins Realize management review Apply fr certificatin at an accredited Cnfrmity Assessment Bdy 27

28 SUPERVISION SCHEME FOR QUALIFIED PSDC Cnfrmity assessment Accrding t the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Technical and dcumentary assessment Intermediary reprt Crrective actins and their assessment, final assessment reprt The CAB des nt decide n the qualified PSDC status Cnfrmity assessment cycle Initial audit Surveillance audit at least every 12 mnths If mre than 12 mnths between 2 audits, the certificatin is lst Every 3 years: re-assessment 28

29 SUPERVISION SCHEME FOR QUALIFIED PSDC Accreditatin f Cnfrmity Assessment Bdies (CABs) CAB has t be accredited by OLAS r by any ther accreditatin bdy recgnized by OLAS in the cntext f Eurpean r internatinal mutual recgnitin Accrding t ETSI EN V2.2.2 Requirements fr cnfrmity assessment bdies assessing Trust Service Prviders ISO/IEC specifies general requirements fr CABs perfrming certificatin f prducts, prcesses, r services Nt fcused n any specific applicatin dmain where CABs wrk General requirements are supplemented t prvide additinal dedicated requirements fr CABs perfrming certificatin f Trust Service Prviders (TSPs) Des nt repeat requirements frm ISO/IEC 17065:2012 but fllws its dcument structure Incrprates many requirements relating t the audit f a TSP's management system, as defined in ISO/IEC and in ISO/IEC

30 SUPERVISION SCHEME FOR QUALIFIED PSDC Accreditatin f CABs accrding t ETSI EN V2.2.2 Cnfrmity assessment: prcess demnstrating whether specified requirements relating t a prduct, prcess, service, system, persn r bdy have been fulfilled Cnfrmity assessment bdy: bdy that perfrms cnfrmity assessment services which is accredited as cmpetent t carry ut cnfrmity assessment f a qualified trust service prvider and the qualified trust services it prvides Natinal accreditatin bdy: sle bdy in a State that perfrms accreditatin with authrity derived frm the State Trust service: electrnic service which enhances trust and cnfidence in electrnic transactins NOTE: Such trust services are typically but nt necessarily using cryptgraphic techniques r invlving cnfidential material Trust Service Prvider (TSP): entity which prvides ne r mre electrnic trust services 30

31 SUPERVISION SCHEME FOR QUALIFIED PSDC Accreditatin f CABs accrding t ETSI EN V2.2.2 General requirements Legal and cntractual matters Management f impartiality Activities nt cnflicting with impartiality Liability and financing Nn-discriminatry cnditins Cnfidentiality Publicly available infrmatin Structural requirements Organizatinal structure and tp management Mechanism fr safeguarding impartiality 31

32 SUPERVISION SCHEME FOR QUALIFIED PSDC Accreditatin f CABs accrding t ETSI EN V2.2.2 Resurce requirements Cnfrmity Assessment Bdy persnnel Management f cmpetence Training f audit teams Resurces fr evaluatin Cmpetence f Cnfrmity Assessment Bdy persnnel Cmpetences fr all functins Cmpetences fr applicatin review Cmpetences and prerequisites fr auditing Cmpetences fr review Cmpetences fr certificatin decisin Cmpetences fr Technical Experts Audit team Audit team leader 32

33 SUPERVISION SCHEME FOR QUALIFIED PSDC Accreditatin f CABs accrding t ETSI EN V2.2.2 Prcess requirements Applicatin Applicatin Review Audit Review Certificatin decisin Certificatin dcumentatin Directry f certified prducts Surveillance Changes affecting certificatin Terminatin, reductin, suspensin r withdrawal f certificatin Recrds Cmplaints and appeals 33

34 SUPERVISION SCHEME FOR QUALIFIED PSDC Accreditatin f CABs accrding t ETSI EN V2.2.2 Management system requirements Optins General management system dcumentatin Cntrl f dcuments Cntrl f recrds Management review Internal audits Crrective actins Preventive actins 34

35 SUPERVISION SCHEME FOR QUALIFIED PSDC Validatin f ntificatin by ILNAS Analyse f the audit reprt Validity f accreditatin f the CAB and its scpe Validity f certificatin f the PSDC and its scpe Cmpetence f assessrs in regard t the law n electrnic archiving and the grand-ducal regulatins Cmpliance f the assessment t the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Assessment reprt written in ne f the administratin languages accrding t the law n legal languages f 24 February 1984 r in English All majr nn-cnfrmities reprted during assessment are crrected 35

36 SUPERVISION SCHEME FOR QUALIFIED PSDC Supervisin by ILNAS PSDCs shall ntify all changes in their infrastructure and rganizatin t ILNAS At least biannual meetings between ILNAS and the PSDC Vluntary cessatin f supervisin n demand f the PSDC Revcatin f PSDC status in case f majr nn-cnfrmity 36

37 SUPERVISION SCHEME FOR QUALIFIED PSDC Trusted List Registratin f the supervisin status in the natinal trusted list Publicatin f the trusted list n Service type identifier ETSI TS V2.1.1 URI: Descriptin: an Archival service. URI: Descriptin: an Archival service that cannt be identified by a specific PKI-based public key Service infrmatin extensins ETSI TS V2.1.1 Additinal Service Infrmatin Extensin specifies additinal infrmatin n a service. PSDC-D, PSDC-C, PSDC-DC (Natinal Law f 25 July 2015 n electrnic archiving) 37

38 SUPERVISION SCHEME FOR QUALIFIED PSDC PSDC statuses ETSI TS V Recgnized at natinal level In cmpliance with the prvisins laid dwn in the applicable natinal legislatin Indicates that the Supervisry Bdy has granted an "apprved" status Deprecated at natinal level In cmpliance with the prvisins laid dwn in the applicable natinal legislatin Indicates that the previusly "apprved" status has been withdrawn by the Supervisry Bdy 38

39 SUPERVISION SCHEME FOR QUALIFIED PSDC Cnfrmity Assessment Guidance Practical advice fr any participant f the assessment Based n return f experience Prmte understanding f the requirements and cntrls established in the grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Prmte the evaluatin and implementatin f the cntrls Assure that requirements and cntrls cmply t their bjectives Published n 39

40 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 40

41 GRAND-DUCAL REGULATION OF 25 JULY 2015 ON EXECUTION OF ARTICLE 4 PARAGRAPH 1 Requirements and cntrls fr certifying digitisatin r e-archiving service prviders Unique reference cntaining all the cnditins fr btaining the qualified PSDC status Based n internatinal standards ISO/IEC 27001:2013 ISO/IEC 27002:2013 ISO 30301:2011 Published in the Mémrial A N 150 f 4 August

42 SUMMARY Digital trust Definitin and cncept Digital trust department f ILNAS Eurpean eidas regulatin n electrnic identificatin and trust services Electrnic archiving Natinal law f 25 July 2015 n electrnic archiving Supervisin scheme fr qualified PSDCs Grand-ducal regulatin f 25 July 2015 n executin f article 4 paragraph 1 Grand-ducal regulatin f 25 July 2015 n digitizatin and preservatin f dcuments 42

43 GRAND-DUCAL REGULATION OF 25 JULY 2015 ON DIGITIZATION AND PRESERVATION OF DOCUMENTS Cpy with prbative value Cpy which preserves its integrity (prperty f accuracy and cmpleteness ISO/IEC 27000:2014) Identical image f the riginal Systematically executed withut gaps Executed accrding t prcedures, which are archived as lng as the cpies Preserved with care In a systematic rder Integrity assured 43

44 GRAND-DUCAL REGULATION OF 25 JULY 2015 ON DIGITIZATION AND PRESERVATION OF DOCUMENTS Digitizatin Authenticity f the cpy with prbative value has t be assured Digitizatin prcess has t preserve the integrity f the cntent and appearance f the riginal Every cpy with prbative value has t cntain a timestamp f its creatin An updated lg file cntaining the histry f the cpy with prbative value is instantly available 44

45 GRAND-DUCAL REGULATION OF 25 JULY 2015 ON DIGITIZATION AND PRESERVATION OF DOCUMENTS Digital preservatin Electrnic cpies with prbative value and digital riginal files have t be permanent Preservatin f the integrity f the file r Archived as an secured electrnic dcument r signed with a qualified signature If e-dcuments with prbative value are transferred frm ne supprt t anther r if the frmat is changed, the wner has t prve the cncrdance Preservatin systems fr e-dcuments with prbative value have t Cntain the security t preserve integrity f the e-dcuments Allw instantly access t the e-dcuments and assuring authenticity and integrity with the riginal dcument 45

46 THANK YOU Fr Yur Attentin Fr mre infrmatin: ILNAS Département de la cnfiance numérique 1, Avenue du Swing L-4367 Belvaux (+352) (+352)