The IDA Catalogue. of GENERIC SERVICES. Interchange of Data between Administrations

Transcription

1 Interchange of Data between Administrations EUROPEAN COMMISSION ENTERPRISE DIRECTORATE- GENERAL INTERCHANGE OF DATA BETWEEN ADMINISTRATIONS PROGRAMME

2 Interchange of Data between Administrations 2 of Generic Services This document describes the current catalogue of IDA generic services. These services follow the model of the IDA interoperability pyramid, which illustrates the IDA approach: Currently, IDA provides three generic services (TESTA, CIRCA and PKICUG), together with an interoperability framework - the Architecture Guidelines to support the implementation of projects of common interest that involve the generalised exchange of information at the trans-european level, with transport provided by TESTA, information handling by CIRCA and security by PKICUG. TESTA is an IP-based backbone that provides telecommunications services at the transnational level. CIRCA provides a document repository and group-work tool to manage the information holdings of IDA projects, and PKICUG ensures secure access to web repositories (i.e. authentication of clients and servers, and confidentiality of exchanged information). The Architectural Guidelines offer a framework for the establishment of these services, a structure for users who wish to interoperate with IDA projects, and general advice on issues related to interoperability between these services and with the national applications of the Member States. Further information on IDA and the services described in this catalogue may be found at the following address: IDA Interoperability pyramid Generic services are defined as telematic network functionalities which meet common user requirements, such as data collection, data dissemination, data exchange, and security. The characteristics of each service shall be clearly specified and associated with a guaranteed level of quality Decision No 1720/1999/EC of the European Parliament and of the Council of 12 July 1999 adopting a series of actions and measures in order to ensure interoperability of and access to trans- European networks for the electronic interchange of data between administrations (IDA).

3 3 TESTA What is TESTA? TESTA offers European administrations a telecommunications interconnection platform. It simplifies data exchanges while guaranteeing performance, availability and security to a degree not available through other communication networks. TESTA follows the model of domains defined in the IDA architecture Guidelines: each actor is responsible for the part of the network in his domain. IDA provides the EuroDomain, which interconnects national, regional and local networks. What services can TESTA provide? TESTA provides telecommunication services for administrative data exchanges. These are built around a European backbone network maintained by a telecommunications operator. This is the so-called EuroDomain, which is separate and protected from the public Internet. The EuroDomain: is dedicated to trans-european communications of the public sector and provides access to the highest number of European administrations of any private network; operates at speeds that make it capable of accommodating real-time applications; protects local domain security by systematically using network address translation at each access point; operates on a clear IP addressing plan structured by geography and operates on a dedicated range of addresses that are not Internetroutable; has in-built redundant routing and is governed by availability guarantees, network monitoring and security incident intervention capabilities are in place; provides information confidentiality through the introduction of encryption and other protective measures, both on the level of the backbone network and at local levels; encourages network service integration with other IDA services, such as IDA's public key infrastructure (PKI) and workgroup support tool (CIRCA); it is managed by one contractual responsibility: IDA. Access to the EuroDomain can be established at bandwidths of 64 Kbits to 34 Mbits. TESTA also provides network-related application services, such as: Domain Name Services; relay; Information gateways; Network Time Protocol services (NTP); File Transfer Protocol services (FTP); Web hosting services. How to request TESTA services? How to request TESTA services? The procedure for requesting services is simple. Interested parties should notify the IDA unit of their interest, indicating which sites require access to TESTA and who they need to communicate with, as well as what type of services is requested. Information about the legal basis of their exchange of data should also be provided so that IDA can check eligibility. The address is: entr-ida@cec.eu.int. IDA will consult national network co-ordinators on implementation options. Unless reasonable justification is given, preference will be given to establishing connections through national administrative networks. In exceptional circumstances, direct links to TESTA can be made available, but these can be paid only for the duration of one year. Further information For additional information on TESTA, please consult the IDA website at:

4 Interchange of Data between Administrations 4 What is CIRCA? CIRCA (Communication and Information Resource Centre Administrator) is a WWW-based environment providing on-line-services that offer a common virtual space for work-groups and networks, enabling the effective and secure sharing of resources and documents. The CIRCA service is available for users from Public Administrations. It is accessible via the Internet and also via TESTA. It is organised around interest groups, i.e. a private workspace for a group of people that need to collaborate to achieve common objectives and tasks. Although all groups have access to the same set of functionalities, the environment is fully customisable for a given interest group and the information is restricted to the members of that specific group. What services can CIRCA provide? CIRCA provides management, group-work and customer support services. MANAGEMENT SERVICES INTEREST GROUPS: CIRCA is organised around Interest Groups (I/G) i.e. a private workspace for a group of people that need to collaborate to achieve common objectives and tasks. The environment is fully customisable for a given I/G and information access is restricted to the members of that specific I/G. ACCESS CLASS: Members of a working group usually play different roles, such as chairman, contributor, secretary or member. CIRCA offers the possibility to replicate such roles by providing for different access classes, thus customising users access rights to specific data elements, functionalities and operations in the I/G. A specific access class, the Leader, is granted extra privileges to administrate, manage and customise the I/G. ADMINISTRATION: CIRCA provides full remote control on access rights assignment, configuration and customisation of the interest groups. GROUP-WORK SERVICES LIBRARY: Documents are stored in fully-customisable sections and sub-sections; multi-lingualism, version control and notification of document availability are supported. Documents can be uploaded, viewed and downloaded on-line or sent by . DIRECTORY: Management of list of Members and Contacts. MEETING SPACE: For announcements, venue, agenda and participants list as well as a virtual forum functionality (i.e. a chat room). NEWSGROUPS: Forum for discussion among members of interest groups. Interface to , including a notification by function. SECURITY: Can be set in addition to the classic login/ password i.e. use of SSL encryption and/or certificates (see the IDA PKI services). SEARCH : Multilingual search for any document accommodated within an Interest Group space. CUSTOMER SUPPORT SERVICES CIRCA also provides customer support services. These include: Demonstration and customer-specific consulting services; Training and documentation; Helpdesk. How to request CIRCA services? Requests may be sent to the following address: circasupport@cec.eu.int. Further information Additional information on CIRCA is available at:

5 5 PKICUG What is PKICUG? PKI stands for Public Key Infrastructure for Closed User Groups. It consists of organisational measures and technical tools that contribute to establishing and maintaining a secure and trustworthy environment for the exchange of information over computer networks. PKI CUG was launched in It provides a Certification Authority (CA) available to the members of IDA projects of common interest to securely exchange information by electronic means between the Member States and with the European Institutions. The IDA PKI currently provides electronic certificates to servers and to users for their mutual recognition. It is designed for closed user groups and allows participants to authenticate their identity and protect the confidentiality and integrity of the information exchanged. All applications using an infrastructure able to exploit X.509 certificates can potentially use the IDA PKI. Certificates issued by the IDA PKI for use in a closed user group can also be used in other sectoral projects provided that the administrator of the other network agrees. What services can PKICUG provide? For a web application, a PKI enables the following services: Server authentication, i.e. a guarantee to the user that they are accessing the correct server, not to a false one (that kind of situation is called a "masquerade"); Client authentication, i.e. a guarantee that the server is able to authenticate the identity of the user, not someone masquerading as the user; Confidentiality, i.e. encryption of exchanged data with a key that only the user and the server know. These services are provided by using products that comply with the SSL protocol. SSL stands for Secure Socket Layer; it is used in conjunction with the TCP (Transport Control Protocol) to establish secure point-to-point dialogues. Most common web servers and clients (browsers) use SSL to introduce security into web connections through the use of asymmetric cryptography techniques. To request and get a certificate, all that is required is a computer with access to the Internet or the TESTA network and an access. The IDA PKI will work with most common products such as Netscape and Internet Explorer. The most recent versions of browsers, preferably the 128 bit enabled versions, are recommended as they are more user friendly concerning security management. The general procedure to obtain a certificate is as follows: 1. The user generates a key pair and the associated certificate request with the help of a downloadable applet (programme); 2. The Registration Authority (RA) and the requestor exchange the necessary information to verify the user s identity and the legitimacy of the certificate request; alternatively, a Local Registration Authority (LRA) is called on to testify that the requestor actually is entitled to receive a certificate. The information exchanged is to establish the requestor s identity and this can vary between sectoral projects; 3. The RA accepts or rejects the request. If accepted the RA registers this with the CA server; 4. If the request was accepted, the CA creates the public certificate of the user (certificate holder) and informs the user where and how they may get it (usually by downloading it from the CA server). The requestor downloads his/her public key certificate and saves it securely together with the private key. The security module (e.g. encryption, electronic signature) of the application (e.g. programme) can now use the certificate and associated key pair; 5. Relying parties download public key certificates from the CA directory according to their needs. Certificate storage The above procedure is for so-called soft certificates stored on the computer disk. The IDA PKI can also deliver certificates stored on smart cards.

6 Interchange of Data between Administrations 6 Hardware signing unit Certificate request Certificate download (acceptance) DIRECTORY Cert. Management system Queue Certification Authority (Belgacom) Certificate download (usage) Approval of refusal Verification of the user identify 2 3 Certification holder (end user) LRA RA Relying party (end user) User requirements Users are, of course, responsible for assessing if and how the IDA PKI meets their require-ments for authentication, integrity, non-repudiation and confidentiality. Consequently, before certificates are issued to a sector a user requirements study is carried out to determine user needs for security and to ensure that the IDA PKI is suitable for providing the required security services. This short study also identifies any requirements specific to the sectoral project that might require additional services (e.g. in the area of registration of users) not covered by the generic PKI service. Standards As required by Decision 1720/1999/EC (the IDA Interoperability Decision) the IDA PKI complies with the relevant standards and publicly available specifications (e.g. open Internet standards and specifications) for electronic certificates and for security services (such as confidentiality) as provided by the SSL and S/MIME protocols. As the PKI evolves to meet new business requirements (e.g. electronic signatures, secure mail-enabled applications, interoperability with national PKIs, etc.) future new services will also be compliant with the relevant standards and publicly available specifications. It is intended that implementations for secure e- mail and electronic signature will comply, where required, with the requirements of Directive 1999/93/EC. (This is currently the subject of a pilot project. When the results of this project are known the IDA PKI will be modified, if required, to support such requirements.) It is also intended that the IDA PKI will satisfy the requirements for the communication of information classified as EU-restricted now being considered by the Council Secretariat and the Commission Services. How to request PKICUG services Potential users of the PKICUG should contact IDA directly. The address is: entr-ida@cec.eu.int. Further information Additional information is available on the Reference legal and security practices page at the IDA web site:

7 7 Architecture Guidelines What are the IDA Architecture Guidelines (AG)? The IDA architecture guidelines describe concepts and references for the implementation of a Trans- European Service for telematics built on a well-defined common architecture. This architecture is the basis for a Trans-European infrastructure that will enable easy and reliable interchange of data and ensure the achievement of interoperability within and across different administrative sectors and, also, with the private sector and the citizens. What do the AG provide? The architecture guidelines offer common descriptions and technical references for a wide spectrum of services, including managed network and transmission services (such as IP services) and application services (such as messaging and EDI services) as well as security, support services and directory services. Due to the fast evolution of technology, the architecture guidelines must be updated regularly to keep pace with the software and hardware developments as well as with the volatile market and trends. Its maintenance is a continuous process: the user requirements of the sectors are continuously collected and compiled. A yearly review of the technical handbook, combined with an in depth examination of the general concepts used, guarantee that the architecture guidelines reflect the current technological and market trends and the evolving needs of the administrations. A wide dissemination of the guidelines in the sectors and the member states promotes wider adoption of good solutions and replicability of application developments. Further information The Guidelines are divided into three documents: Part I General Guidance; Part II Technical Handbook; Part III Glossary. Part I provides general information on architectural principles to be enforced in real life projects. In Part II more detailed guidance is given, by referencing technical specifications for candidate technology to meet the requirements. Part III consists of a list of references, glossary of terms and a list of abbreviations. The latest version approved (5.3 of 2001) is available at:

8 IDA is a European Commission driven strategic initiative using advances in information and communications technology to support rapid electronic exchange of information between Member State administrations. The objective is to improve Community decisionmaking, facilitate operation of the internal market and accelerate policy implementation. Contacts for IDA generic services TESTA : Pieter Wellens pieter.wellens@cec.eu.int CIRCA : Christian Devillers christian.devillers@cec.eu.int PKICUG : Fredrik Olsson Hector fredrik.olsson-hector@cec.eu.int Architecture Guidelines : Gavino Murgia gavino.murgia@cec.eu.int Further information about IDA may be found on the IDA web site at: Manuscript revised in October European Communities, 2002 While a great deal of care has been taken in drafting this document, the European Commission does not guarantee the accuracy of the data included in this brochure, nor does it accept responsibility for any use made thereof. Reproduction is authorised provided the source is acknowledged.