ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

Transcription

1 ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance

2 esignature Standards Framework Certificate Authority Time-stamping Signing Servers Validation Services Rules & procedures Formats Signature Creation / Validation Protection Profiles TSPs supporting esignature 4 6 Trusted Lists Providers 1 5 Signature Creation & Validation Trust Application Service Providers List of TSP services approved (supervised) by National Bodies (e.g. Trusted Lists) Registered Long term preservation XAdES (XML) CAdES (CMS) PAdES (PDF) AdES in Mobile envmts ASiC (containers) 2 (CEN) Common Criteria Protection profiles Smart Cards HSMs Signing services ETSI 2015 All rights reserved Signature Creation Devices 2 3 Cryptographic Suites Key generation Hash functions Signature algorithms Key lengths...

3 3 eidas Audit Requirement Article 20.1 Qualified trust service providers shall be audited at their own expense at least every 24 months by a conformity assessment body. The purpose of the audit shall be to confirm that the qualified trust service providers and the qualified trust services provided by them fulfil the requirements laid down in this Regulation. The qualified trust service providers shall submit the resulting conformity assessment report to the supervisory body within the period of three working days after receiving it.

4 CA Browser Forum Audit Requirement The CA SHALL undergo an audit in accordance with one of the following schemes: 1. WebTrust for Certification Authorities v2.0; 2. A national scheme that audits conformance to ETSI TS (to be replaced by EN ); 3. A scheme that audits conformance to ISO 21188:2006; 4. If a Government CA is required by its Certificate Policy.. 4 Baseline requirements v1.3.0 section 8.4

5 5 Ref ETSI TSP Standards Overview (ETSI) Conformity Assessment Timestamping EN TSP Conformity Assessment General CAB Forum / Other eidas Qualified Policy EN Time-stamping Qual / Other Ref EN General TSP Ref EN TSP issuing Certs Ref EN TSP issuing Qual Certs Profiles EN (RFC 3161) Replaces TS EN (X.509) Replaces TS

6 ETSI EN TSP Conformity Assessment Model TSP Assessment Scheme Trusted List Supervisory Body European co-operation for Accreditation (EA) National Accreditation Body Auditor s Competence Accredited by National body 6 ETSI 2013 All rights reserved Notification Assessment Report Assessment request Conformity Assessment Body TSP Assessment Assessors Assessors Assessment Criteria Audit TSP Against Regulation / standard criteria (e.g. EN )

7 7 EN Basis Primary reference: ISO 17065: Conformity Assessment of Products and Service Additional requirements incorporated from: ISO 17021: Conformity Assessment of Management Systems

8 ETSI EN Audit Report 8 The audited trust service fulfils the criteria and is certified conformant for the given scope: CA Brower Requirements / Regulation Standardised criteria (e.g. EN ) Applicable trust services (TSP issuing certificates for electronic signature, TSP issuing certificates for web site) Applicable trust service policy (e.g. ETSI Qualified Certificate Policy, Extended Validation Certificate Policy Basis of audit: TSP s Risk analysis, time spent, audit methodology Details of result: Any non-conformances, commentary, changes from previous audit

9 9 ETSI EN Check List

10 10 ETSI EN EN Regulation Mapping

11 Model for usage of ETSI TSP Standards eidas eidas eidas Supervisory Supervisory Supervisory Body Body Body Certification of conformance To EN certification / confirmation against eidas requirements Conformity Assessment Body Application Application Provider Application Provider Provider Certification of conformance To EN certification / confirmation against CA Brower Baseline / EV requirements 11 TSP Checklist supporting Claim of conformance To EN / -2

12 Conclusions 12 ETSI Technical Specifications ready very soon (TS 119 4xx) TSP and Audit body preparation for July 2016 / 2017 switch to regulation European Norms available Q (EN 319 4xx) ETSI Documents: Free download E-Signature news: Further information:

13 13 ADDITIONAL INFORMATION eidas Standards Status

15 Signature (+Seal) Creation & Validation (ETSI) Set of Standards being finalised at concurrent ETSI meeting Immediate Publication as Technical Specification Follow on as European Norm in 2016 (common text) TS / EN : Procedures for Creation and Validation of AdES Digital Signatures. Part 1: Creation and Validation. TS / EN : CAdES digital signatures. TS / EN : XAdES digital signatures. TS / EN : PAdES digital signatures. TS / EN : Associated Signatures Containers. TS / EN : Signature policies 15

17 Signing Devices (CEN) 17 EN to -5: Protection profiles for secure signature creation device Published End 2013, 2015 Plan Technical Report describing EN to -5: Protection profiles for TSP Cryptographic modules Parts 1-4: Based on old Directive, Stable document going through formal process Part 5: Aimed at Regulation, Supports: Signing, sealing, remote server signing and authentication Formal evaluation and review starting

18 18 Signing Devices remote server signing (CEN) * TS Security Requirements for Trustworthy Systems Supporting Server Signing * Published March 2015 Being update as EN EN & 3 Protection profiles for Server Signing * Part 2: Trustworthy signature creation module 2 differing alternatives submitted Editors asked to produce a single solution

19 19 Signing Devices other (CEN) EN Protection profile for trustworthy systems supporting time stamping Formal evaluation and review starting EN Security requirements for trustworthy systems managing certificates and time-stamps Published early 2015

21 21 Cryptographic Suites (ETSI) ETSI TS : Cryptographic Suites Published Nov 2015 May pass on maintenance to ENISA

23 23 R e f ETSI TSP Standards Overview (ETSI) Conformity Assessment Timestamping EN TSP Conformity Assessment General CAB Forum / Other eidas Qualified Policy EN Time-stamping Qual / Other EN General TSP EN TSP issuing Certs Profiles EN EN (RFC 3161) Ref Ref Replaces TS Ref (X.509) EN TSP issuing Qual Certs Replaces TS

24 TSP Standards Status (Conformity Assessment) EN / TS TSP Conformity Assessment TS v Published Nov 2015 EN review comment considered and new version agreed No major change to approach * * To be discussed further later in FESA meeting 24

25 25 TSP Standards Status (Policy Requirements) EN / TS General Policy Requirements for TSPs Text agreed to be published and EN process start EN / TS Policy Requirements for TSPs issuing Certificates References EN for general requirements Part 1: General requirements (aligned with CA Browser Forum Requirements) (replaces TS ) Part 2: TSPs issuing EU qualified certificates (replaces TS ) Text agreed to be published and EN review starting

26 26 TSP Standards Status (Certificate Profiles) EN / TS : Certificate Profiles Part 1: Overview and common data structures Part 2: Certificate profile for certificates issued to natural persons Part 3: Certificate profile for certificates issued to legal persons Part 4: Certificate profile for web site certificates issued to organizations Part 5: "QCStatements Text agreed to be published as TS and start EN process

27 TSP Standards Status (Time-stamping) EN Policy and Security Requirements for Trust Service Providers issuing Electronic Time-Stamps References EN for general requirements Equivalent to existing ETSI TS Includes variant for qualified time-stamping 27 EN Time-stamping protocol and electronic timestamp profiles Profiles RFC 3161 Equivalent to existing ETSI TS Separate requirement for Qualified time-stamping statement ETSI All rights reserved

29 TASP Standards TS Registered Published 2011 Proposal to EU commission for updates E_Delivery Standardisation plans identified in SR Proposal to EU commission for standardisation 29 Long term preservation Proposal to EU commission for study on standardisation requirements

31 31 Trusted Lists TS v1.2.1 Trusted Lists Published