ETSI TC ESI PRESENTATION TO CAB FORUM. ETSI All rights reserved

Transcription

1 ETSI TC ESI PRESENTATION TO CAB FORUM Iñigo Barreira March 2015 meeting, Cupertino ETSI All rights reserved

2 Index ETSI Deliverables. Dates ETSI audits eidas timeline: Qualified web site certificates RFC 3647 and Code signing status CA day Berlin AOB 2

3 3 ETSI DELIVERABLES

4 ETSI deliverables. Current situation Current situation: TS remains recommended reference for compliance to CABF (versions of EN & issued in 2013 were not aligned under to new regulation and are very soon to be replaced) ETSI has drafted replacement TS in EN for policies (including CABF SSL EV, BR and NetSec) and EN for profiles aligned with eidas regulation currently being revised to take into account public review comments to be published in Q (initially as Technical Specifications TS / TS ) for adoption from July 2016 (when eidas requirements comes into force) 4 ETSI has published requirements for conformity assessments TS (to be EN ) for adoption from July 2016 Suggestion to require that ETSI audits are carried out only by auditing bodies accredited in accordance with Annex E of TS in line with the direction being taken for EU audits in line with the regulation.

5 ETSI deliverables to be published 2015 Q2 Trust Service Providers Supporting Electronic Signatures for public comment until Feb 15 th EN General Policy Requirements for Trust Service Providers EN Policy and security requirements for Trust Service Providers issuing certificates : General requirements : Requirements for trust service providers issuing EU qualified certificates EN Certificate Profiles : Overview and common data structures : Certificate profile for certificates issued to natural persons : Certificate profile for certificates issued to legal persons : Certificate profile for web site certificates issued to organisations : QCStatements EN Policy and Security Requirements for Trust Service Providers issuing Electronic Time-Stamps EN Time-stamping protocol and electronic time-stamp profiles 5

6 Other ETSI deliverables of interest EN : Conformity Assessment for Trust Service Providers TS : Cryptographic suites for secure electronic signatures, aka Algo paper Yet to come: TS for code signing. At the moment, EN can be used. 6

7 ETSI deliverables regarding web site certs EN includes CAB Forum Network Security requirements EN x reference EN for security of TSPs generic controls requirements EN x include CA key ceremony (root and subordinates) EN / 411-x already recommends use of ISO controls identifying the specific controls that are appropriate. EN references CAB Forum specific controls as appropriate. All parts of EN will have an informative Annex in the form of a check list with all the controls listed in the EN. EN includes all the audit process and report and the capabilities of the auditor, using ISO

8 Simplified picture of European Norms with relevance for CA/B-Forum Policy EN CA/B-Requirements NCP+ PTC=(EVC+OV/DV) (ex ) Policy EN Qualified based on eidas Requirements (ex ) : Certificate profile natural persons : Certificate profile for web site certificates issued to organisations : Certificate profile legal persons ETSI All right EN General Policy Req. EN Conformity Assessment 8

9 9 ETSI Audits

10 ETSI web site for TSPs Message warning This list is for information only. The relevant national accreditation body should be contacted to affirm the status of a conformity assessment body. Inclusion or noninclusion in this list and should not be taken as a definitive statement of accreditation status of a conformity assessment body. Conformity assessment bodies that wish to be included this list should contact ETSI ([email protected]) with information concerning their accreditation as required in TS Annex E or TS V This should include a web link or document providing evidence of their accreditation with a link to any further information about their audit including an up to date list of certified conformity assessments against ETSI standards. 10

11 How to accredit ETSI audits Find which National accreditation body (NAB) belongs to that country by checking the EA web site and/or IAF Check if the conformity assessment body (CAB) is accredited under its own NAB Check if the CAB is accredited to perform ETSI audits - To July 2016: Annex E of the TS From July 2016: TS (to be EN ) 11

12 eidas and audits The situation with regard to the eidas Regulation is the following: the EC lets the EA (European for Accreditation) implement the TSP s assessment framework (i.e. all TSP, Q_ or non_q TSPs). This is done in the framework of the EA mission under Regulation 765/2008 (i.e. creating the framework for NABs (national accreditation bodies) to accredit CABs for the assessment of any type of things in any kind of sectors, for example TSP (CAs)). The situation today is that EA already started the discussions around the eidas topics and there is an agreement on the principle that, within the ISO framework applied to certification bodies, ETSI EN would be the conformity assessment guidance framework for TSPs audit. The next step is to fix the TSP audit criteria against which the TSP will be audited ( allows to use the x x series, and/or other documents). However, EA is already considering the current proposed TS for the purpose of TSPs evaluation in general The planning is, once this TS is published, the NABs can start accrediting CABs in their country for the TSPs assessment against the TS It should take a bit more than 1,5 year to have the first CABs accredited since the NAB are supposed to perform the very first audit with the CAB in order to assess their competencies Theoretically, one could have duly accredited CABs for 411-x within 20 months, provided the EA and NABs are doing their mission correctly. 12 ETSI All rights reserved

13 13 eidas Timeline

14 eidas Timeline of implementation Entry into force of the regulation Voluntary recognition eids Date of application of rules for trust services Mandatory recognition of eids

15 Implementing act on EU Trust Mark for QTS Launch of e-mark U Trust Competition End of submission period Public online voting End of voting By Adoption of the implementing act 6

16 16 RFC 3647 and Code signing status

17 RFC 3647 and Code signing status RFC 3647 STF 458 is discussing Draft will circulate internally by the end of March to take a decission Standards affected: EN and Code signing status An initial TS draft will be proposed by the next ESI meeting at the end of April 17

18 18 CA Day - Berlin

19 Invitation for 5. CA-Day in Berlin 09. of June 2015 in Berlin Venue Unter den Linden at the Brandenburg Gate Organized by TÜVIT, Bundesdruckerei/D-Trust and ETSI STF 458 Overview on EU Regulation, CA/B-Forum and Browser-Requirements On 08. of June a Google CT-Workshop is in preparation. 19 ETSI All rights reserved

20 Thank you! Interesting links TSP standards: All drafts are available here: General e-signature EU Regulation

21 AOB THANK YOU ON BEHALF OF ETSI ESI STF