NIST-Workshop 10 & 11 April 2013

Similar documents
STANDARDISIERUNG FÜR EIDAS IM MANDATE/460

ETSI SECURITY WEEK EIDAS Overview CEN/ETSI esignature Standardization including standards for TSP Compliance. ETSI All rights reserved

DS : Trust eservices. The policy context: eidas Regulation

ETSI TC ESI PRESENTATION TO CAB FORUM. ETSI All rights reserved

ETSI SR V1.1.2 ( )

ETSI TR V0.0.3 ( )

Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market

Implementation of eidas through Member States Supervisory Bodies

Electronic signature and compliance assurance: what s new?

Security framework. Guidelines for trust services providers Part 1. Version 1.0 December 2013

ETSI TS V2.1.1 ( )

ETSI TS V2.1.1 ( ) Technical Specification

Submitted to the EC on 03/06/2012. COMPETITIVENESS AND INNOVATION FRAMEWORK PROGRAMME ICT Policy Support Programme (ICT PSP) e-codex

Regulation on electronic identification and trust services for electronic transactions in the internal market

esignature building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics

ETSI TS V1.1.1 ( ) Technical Specification

ETSI TS V2.1.2 ( )

SSLPost Electronic Document Signing

LEGAL FRAMEWORK FOR E-SIGNATURE IN LITHUANIA AND ENVISAGED CHANGES OF THE NEW EU REGULATION

Prof. Udo Helmbrecht

ETSI EN V2.2.2 ( )

Auditor view about ETSI and WebTrust criteria. Christoph SUTTER

TECHNICAL REPORT Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures: overview

ETSI TR V1.1.1 ( )

TTP.NL Scheme. for management system certification. of Trust Service Providers issuing. Qualified Certificates for Electronic Signatures,

fulfils all requirements defined in the technical specification The appendix to the certificate is part of the certificate and consists of 6 pages.

Technical Specification Electronic Signatures and Infrastructures (ESI); ASiC Baseline Profile

ETSI TS V1.1.1 ( )

Qualified Time Stamping and eregistered Delivery Services Overall considerations

A7-0365/133

CA Self-Governance: CA / Browser Forum Guidelines and Other Industry Developments. Ben Wilson, Chair, CA / Browser Forum

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke


Making Digital Signatures Work across National Borders

ETSI TS V1.1.1 ( ) Technical Specification

IAS2. ets Market analysis

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

CERTIFICATION PRACTICE STATEMENT UPDATE

FOR A PAPERLESS FUTURE. Petr DOLEJŠÍ Senior Solution Consultant SEFIRA Czech Republic

Trusted e-id Infrastructures and services in EU

UKAS Guidance for bodies operating certification of Trust Service Providers seeking approval under tscheme

Draft ETSI EN V1.1.1 ( )

ETSI TR V1.1.1 ( )

QuoVadis Group. EUGridPMA Update September 2014

ETSI TS V1.1.1 ( ) Technical Specification

fulfils all requirements defined in the technical specification The appendix to the certificate is part of the certificate and consists of 6 pages.

Best prac*ces in Cer*fying and Signing PDFs

Digital Signature Verification using Historic Data

Electronic Signatures in Norway Supervision and Legal Aspects

FSSC Q. Certification module for food quality in compliance with ISO 9001:2008. Quality module REQUIREMENTS

Electronic Archive Information System

Technical Description. DigitalSign 3.1. State of the art legally valid electronic signature. The best, most secure and complete software for

Securing Identities & Trust

ETSI TS V2.4.1 ( )

IAF Informative Document. Transition Planning Guidance for ISO 9001:2015. Issue 1 (IAF ID 9:2015)

e-szigno Digital Signature Application

ETSI EN V1.1.1 ( )

Technical Report Electronic Signatures and Infrastructures (ESI); Data Preservation Systems Security; Part 2: Guidelines for Assessors

ETSI TS V1.1.2 ( ) Technical Specification

An Electronic Signature Service Infrastructure for the European Commission

RECOMMENDATIONS for the PROCESSING of EXTENDED VALIDATION SSL CERTIFICATES January 2, 2014 Version 2.0

PKI - current and future

Digital Signature Service. e-contract.be BVBA 2 september 2015

ETSI TS V2.1.1 ( ) Technical Specification

ETSI TS V1.1.1 ( ) Technical Specification

Terms of Reference of the SEPA Cards Certification Management Body (SCCMB)

Digital signature and e-government: legal framework and opportunities. Raúl Rubio Baker & McKenzie

Long term electronic signatures or documents retention

Egypt s E-Signature & PKInfrastructure

Specifying the content and formal specifications of document formats for QES

View from a European Trust Service Provider Server Signing: Return of experience and certification strategy

Digital Signature: Efficient, Cut Cost and Manage Risk. Formula for Strong Digital Security

Future directions of the AusCERT Certificate Service

(Draft) Transition Planning Guidance for ISO 9001:2015

COMMISSION OF THE EUROPEAN COMMUNITIES

Dr. Vangelis OUZOUNIS Senior Expert Security Policies ENISA.

ROADMAP. A Pan-European framework for electronic identification, authentication and signature

Signature policy for TUPAS Witnessed Signed Document

Exploring ADSS Server Signing Services

ETSI TS V2.1.1 ( ) Technical Specification

January 2015 Copyright 2015 GSM Association

TC TrustCenter GmbH Time-Stamp Practice and Disclosure Statement

ETSI TS V1.4.3 ( )

Regulatory Impact Analysis on the legal and institutional framework for the electronic signature I. INTRODUCTION TITLE:

IAF Mandatory Document for the use of Computer Assisted Auditing Techniques ( CAAT ) for Accredited Certification of Management Systems

Landscape of eid in Europe in 2013

Rolling out eidas Regulation (EU) 910/2014. Boosting trust & security in the Digital Single Market

Transcription:

NIST-Workshop 10 & 11 April 2013 EUROPEAN APPROACH TO OVERSIGHT OF "TRUST SERVICE PROVIDERS" Presented by Arno Fiedler, Member of European Telecommunications Standards Institute Electronic Signatures and Infrastructures, Specialist Task Force 458 ETSI 2012 All rights reserved

Topics 1. ETSI at a glance 2. Current voluntary Audit Scheme for TSP issuing SSL-Certificates based on ETSI Standards and Specs 3.1. Legal Framework: EU Draft regulation on EIDAS 3.2. Shaped Standards Framework: EU Mandate 460 3.3. Proactive Trust Framework 4. Next Steps 5. Summary 2 ETSI 2012. All rights reserved

1. ETSI activities GSM, DECT, TETRA, 3GPP: UMTS, LTE, ESI:TSL, XAdES, PAdES, REM Standards in support of EU regulation Standards for global ICT markets Interoperability Testing 3 ETSI 2012. All rights reserved

1. Membership Over 700 companies, big and small, from 62 countries on 5 continents 4 Manufacturers, network operators, service and content providers, national administrations, ministries, universities, research bodies, consultancies, user organizations ETSI 2012. All rights reserved A powerful and dynamic mix of skills, resources and ambitions

2. ETSI Recommended Practices for CAs issuing Web Certificates Year 2008 ETSI Published TS 102 042 Policy Requirements for Certification Authorities issuing Public Key Certificates that Generalizes requirements specified in TS 101 456 for Qualified Certificates. Year 2010 Versions TS 102 042 references CAB guidelines for specific requirements for Extended Validation Web Certificates Year 2012 CAB Forum Baseline guidelines to be adopted by all Certification Authorities issuing web certificates - Only compliant CAs to be included in browsers End of Year 2012: ETSI issued actual policy and audit guides for Baseline and Extended Validation. 7 ETSI 2012. All rights reserved

2. & Certification Actual (Best) Practise for SSL 8: Recognition by Applications (OS + Browser + TSL) 7: International / Audit Scheme 6: National Supervision and/or Accreditation Scheme operator 5: Independent Auditing / Body 4: TSP Conformity Framework and Audit Requirements 3: Standard for Certification Policy 2: Published Certification Practice Statement 1: TSP systems and procedures 8 ETSI 2011. All rights reserved

2. & Certification actual TSP Perspective (german example) 8: Recognition by Applications (e. g. Mozilla, Opera, MS, Google, Adobe Rootstore) 7: International Scheme (e.g. EA: European Cooperation for Accreditation or IAF: International Accreditation Forum) 6: National Scheme (e. g. DAkkS: Deutsche Akkreditierungsstelle) 5: Independent Auditing / Body (e.g. TÜVIT) 4: TSP Conformity Framework (ISO 17065+ ETSI TR 102 123 + CA/B-Forum) 3: Standard CP (ETSI TS 102 042 + CA/B-Forum Req) 2: Published CPS (e.g. D-TRUST CPS and Conformance Claim) 1: TSP systems and procedures (CEN14167 or/and Common Criteria or/and FIPS 140-2) 9 ETSI 2011. All rights reserved

New approach to I-A-S in Europe 10 ETSI 2012. All rights reserved

3. Crobies Study in 2010: Key success factors for esignatures Realizations, consistency and mapping of efficient Legal, Technical, Trust and Promotional frameworks are key success factors to convince market & business stakeholders of the possible ROI of esignatures securing their eprocesses. Sound CSPs &Trust Services Provisioning market for interoperable and cross-border use esignatures Promotion Consistency & formal (efficient) mapping Sound Legal Framework Different level of ES Range of ES prod/serv. Different types of CSPs International dimension Sound Standardization Framework Covering whole range of ES prod / serv., ES types and types of CSPs Business practice driven Appropriate guidance International dimension Sound Trust Framework Supervision of CSPs Voluntary accreditation Trust Status Lists Application labelling

3. Crobies Study in 2010: Key success factors for esignatures Realizations, consistency and mapping of efficient Legal, Technical, Trust and Promotional frameworks are key success factors to convince market & business stakeholders of the possible ROI of esignatures securing their eprocesses. Sound CSPs &Trust Services Provisioning market for interoperable and cross-border use esignatures Also applicable for SSL-Certs! Promotion Consistency & formal (efficient) mapping Sound Legal Framework Different level of ES Range of ES prod/serv. Different types of CSPs International dimension Sound Standardization Framework Covering whole range of ES prod / serv., ES types and types of CSPs Business practice driven Appropriate guidance International dimension Sound Trust Framework Supervision of CSPs Voluntary accreditation Trust Status Lists Application labelling

3.1 New approach for legal framework: Draft EU EIDAS- Regulation 13 June 2012 EU Commission publish first draft regulation on electronic identification and trust services for electronic transactions in the internal market. Added Mutual recognition of electronic identification [E-ID] Extended Supervision of Certification Service Providers to Trust Service Providers, includes proactive supervision Qualified Electronic trust services: Electronic signatures interoperability and usability, Electronic seals interoperability and usability, Time stamping, Electronic delivery service, Electronic documents admissibility, ETSI 2012. All rights reserved Website authentication.

14 ETSI 2013. All rights reserved

3.2 Standards Framework I: M460 European Commission mandate EC founded esignatures standardization activities 4 years: 2011-2015 1st phase (executed) definition of a rationalized standardization framework, in collaboration with CEN several specifications upgrades primarily aimed at providing quick technical fixes to existing electronic signatures standards, and definition of test specifications 2nd phase (starting now) implement the rationalized standardization framework support the new EU Regulation on electronic identification and trust services for electronic transactions in the internal market (exp. approval in 2014) 15

3.2 Standards Framework II Mandate/460 6 Trust Service Status Lists Providers List of TSP services approved (supervised) by National Bodies (e.g. Trusted Lists) Issuing certificates Time-stamping Signing Servers Validation Services TSPs supporting esignature 4 5 Trust Application Service Providers Registered email Long term preservation Rules & procedures Formats Signature Creation / Validation Protection Profiles 1 Signature Creation & Validation XAdES (XML) CAdES (CMS) PAdES (PDF) AdES in Mobile envmts ASiC (containers) Made by CEN: SSCDs (e.g. SC) HSMs & other SCDs Signature Creation Devices 2 3 Cryptographic Suites Key generation Hash functions Signature algorithms Key lengths...

3.3 Trust Framework: Model for TSP Conformity TSP Scheme Trust Service Status List Trust Service Status Notification Body Supervisory Body Report European co-operation for Accreditation (EA) National Accreditation Body Notification Conformity Body Assessors Assessors request Criteria TSP 17 ETSI 2012. All rights reserved

3.3 Trust Framework: TSP Conformity Model TSP Scheme Trust Service Status List Trust Service Status Notification Body European co-operation for Accreditation (EA) National Accreditation Body Auditor s Competence Accredited by National body in line with pan-european Auditor Accreditation Scheme Based on Audit report TSP status Set in Trust Service Status List Notification Report request Conformity Body TSP Assessors Assessors Criteria Audit TSP Against standard criteria (e.g. EN 319 411-2) ETSI 2012. All rights reserved

4. Next Steps In Spring 2013 EU Commission publish new 2nd draft regulation on electronic identification and trust services for electronic transactions in the internal market. Under EU Mandate 460 (2013 to 2015) ETSI commissioned to produce European Norm for TSP Conformity European Norms for Best Practices (Policy Requirements) Qualified Certificates for Personal Signing Qualified Certificates for organisational seals Qualified Time-stamping Services Qualified Website Certificates (should be EN 319 411-4). Option to operate as Sector Specific implementation of ISO 27001 21 ETSI 2012. All rights reserved

5. Summary Existing national conformity assessment schemes (ISO/IEC 17021/17065) are a suitable and powerful framework for voluntary security assessments of TSPs (Reactive Supervision) ETSI criteria provide CP's and valuable requirements for the different types of conformity assessment activities Additional mandatory network security requirements and certified products will enhance the overall security level of TSPs significantly The new draft EU-Regulation will deliver a complete legal and trust framework for Proactive Supervision on qualified level ETSI standards will be a fundamental part in future EU legislation (delegating acts). but: relying parties have to consume Trust 22 ETSI 2013. All rights reserved

Thank you! ETSI Download : http://pda.etsi.org/pda/queryform.asp Enter keyword / title / document number Draft EU Regulation: http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=com:2012:0238:fin:en:pdf Contact: Arno Fiedler: STF 458 arno.fiedler@nimbus-berlin.com Nick Pope: Lead STF 458 (TSP & e-signature standards) nick.pope@thales-esecurity.com 23 ETSI 2012 All rights reserved

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information