ETSI SECURITY WEEK
eIDAS Overview
CEN/ETSI eSignature Standardization including standards for TSP Compliance
eSignature Standards Framework
1 Signature Creation & Validation: Rules & procedures; Formats: XAdES (XML), CAdES (CMS), PAdES (PDF), AdES in Mobile environments, ASiC (containers); Signature Creation / Validation Protection Profiles
2 Signature Creation Devices (CEN): Common Criteria Protection profiles; Smart Cards, HSMs, Signing services
3 Cryptographic Suites: Key generation, Hash functions, Signature algorithms, Key lengths...
4 TSPs supporting eSignature: Certificate Authority, Time-stamping, Signing Servers, Validation Services
5 Trust Application Service Providers: Registered email, Long term preservation
6 Trusted Lists Providers: List of TSP services approved (supervised) by National Bodies (e.g. Trusted Lists)
ETSI 2015 All rights reserved
eIDAS Audit Requirement
Article 20.1: Qualified trust service providers shall be audited at their own expense at least every 24 months by a conformity assessment body. The purpose of the audit shall be to confirm that the qualified trust service providers and the qualified trust services provided by them fulfil the requirements laid down in this Regulation. The qualified trust service providers shall submit the resulting conformity assessment report to the supervisory body within the period of three working days after receiving it.
CA Browser Forum Audit Requirement
The CA SHALL undergo an audit in accordance with one of the following schemes:
1. WebTrust for Certification Authorities v2.0;
2. A national scheme that audits conformance to ETSI TS 102 042 (to be replaced by EN 319 411-1);
3. A scheme that audits conformance to ISO 21188:2006;
4. If a Government CA is required by its Certificate Policy..
Source: Baseline requirements v1.3.0 section 8.4
ETSI TSP Standards Overview (ETSI)
Conformity Assessment: EN 319 403 TSP Conformity Assessment
General: EN 319 401 General TSP
CAB Forum / Other: EN 319 411-1 TSP issuing Certs (replaces TS 102 042)
eIDAS Qualified Policy: EN 319 411-2 TSP issuing Qual Certs (replaces TS 101 456)
Timestamping: EN 319 421 Time-stamping Qual / Other
Profiles: EN 319 422 (RFC 3161), EN 319 412 (X.509)
ETSI EN 319 403 TSP Conformity Assessment Model
Parties: European co-operation for Accreditation (EA); National Accreditation Body; Conformity Assessment Body (Assessors, Assessment Criteria); TSP; Supervisory Body; Trusted List
Auditor's Competence: Accredited by National body
TSP Assessment Scheme: Assessment request; Audit TSP against Regulation / standard criteria (e.g. EN 319 411-2); Assessment Report; Notification
ETSI 2013 All rights reserved
EN 319 403 Basis
Primary reference: ISO 17065: Conformity Assessment of Products and Service
Additional requirements incorporated from: ISO 17021: Conformity Assessment of Management Systems
ETSI EN 319 403 Audit Report
The audited trust service fulfils the criteria and is certified conformant for the given scope:
  CA Browser Requirements / Regulation
  Standardised criteria (e.g. EN 319 411-1)
  Applicable trust services (TSP issuing certificates for electronic signature, TSP issuing certificates for web site)
  Applicable trust service policy (e.g. ETSI Qualified Certificate Policy, Extended Validation Certificate Policy)
Basis of audit: TSP's Risk analysis, time spent, audit methodology
Details of result: Any non-conformances, commentary, changes from previous audit
ETSI EN 319 411-2 Check List
ETSI EN 319 411-2 + EN 319 401 Regulation Mapping
Model for usage of ETSI TSP Standards
TSP: Checklist supporting claim of conformance to EN 319 411-1 / -2
Conformity Assessment Body
eIDAS Supervisory Body: Certification of conformance to EN 319 411-2 + certification / confirmation against eIDAS requirements
Application Provider: Certification of conformance to EN 319 411-1 + certification / confirmation against CA Browser Baseline / EV requirements
Conclusions
ETSI Technical Specifications ready very soon (TS 119 4xx)
TSP and Audit body preparation for July 2016 / 2017 switch to regulation
European Norms available Q2 2016 (EN 319 4xx)
ETSI Documents: Free download http://www.etsi.org/standards-search
E-Signature news: http://list.etsi.org/scripts/wa.exe?subed1=e-signatures_news&a=1
Further information: https://portal.etsi.org/tbsitemap/esi/trustserviceproviders.asp
ADDITIONAL INFORMATION
eIDAS Standards Status
Signature (+Seal) Creation & Validation (ETSI)
Set of Standards being finalised at concurrent ETSI meeting
Immediate Publication as Technical Specification
Follow on as European Norm in 2016 (common text)
  TS 119 102-1 / EN 319 102-1: Procedures for Creation and Validation of AdES Digital Signatures. Part 1: Creation and Validation.
  TS 119 122 / EN 319 122: CAdES digital signatures.
  TS 119 132 / EN 319 132: XAdES digital signatures.
  TS 119 142 / EN 319 142: PAdES digital signatures.
  TS 119 162 / EN 319 162: Associated Signatures Containers.
  TS 119 172 / EN 319 172 1: Signature policies
Signing Devices (CEN)
EN 419 211-1 to -5: Protection profiles for secure signature creation device
  Published End 2013, 2015 Plan Technical Report describing
EN 419 221-1 to -5: Protection profiles for TSP Cryptographic modules
  Parts 1-4: Based on old Directive, Stable document going through formal process
  Part 5: Aimed at Regulation, Supports: Signing, sealing, remote server signing and authentication
  Formal evaluation and review starting
Signing Devices remote server signing (CEN)
* TS 419 241 - Security Requirements for Trustworthy Systems Supporting Server Signing
* Published March 2015
Being updated as EN 419 241-1
EN 419 241-2 & 3 Protection profiles for Server Signing
* Part 2: Trustworthy signature creation module
2 differing alternatives submitted
Editors asked to produce a single solution
Signing Devices other (CEN)
EN 419 231 - Protection profile for trustworthy systems supporting time stamping
  Formal evaluation and review starting
EN 419 261 Security requirements for trustworthy systems managing certificates and time-stamps
  Published early 2015
Cryptographic Suites (ETSI)
ETSI TS 119 312: Cryptographic Suites
  Published Nov 2015
  May pass on maintenance to ENISA
TSP Standards Status (Conformity Assessment)
EN 319 403 / TS 119 403 TSP Conformity Assessment
  TS 119 403 v2.1.1 Published Nov 2015
  EN review comment considered and new version agreed
  No major change to approach *
* To be discussed further later in FESA meeting
TSP Standards Status (Policy Requirements)
EN 319 401 / TS 119 401 General Policy Requirements for TSPs
  Text agreed to be published and EN process start
EN 319 411 / TS 119 411 Policy Requirements for TSPs issuing Certificates
  References EN 319 401 for general requirements
  Part 1: General requirements (aligned with CA Browser Forum Requirements) (replaces TS 101 042)
  Part 2: TSPs issuing EU qualified certificates (replaces TS 102 042)
  Text agreed to be published and EN review starting
TSP Standards Status (Certificate Profiles)
EN 319 412 / TS 119 412: Certificate Profiles
  Part 1: Overview and common data structures
  Part 2: Certificate profile for certificates issued to natural persons
  Part 3: Certificate profile for certificates issued to legal persons
  Part 4: Certificate profile for web site certificates issued to organizations
  Part 5: "QCStatements"
  Text agreed to be published as TS and start EN process
TSP Standards Status (Time-stamping)
EN 319 421 Policy and Security Requirements for Trust Service Providers issuing Electronic Time-Stamps
  References EN 319 401 for general requirements
  Equivalent to existing ETSI TS 102 023
  Includes variant for qualified time-stamping
EN 319 422 Time-stamping protocol and electronic timestamp profiles
  Profiles RFC 3161
  Equivalent to existing ETSI TS 101 861
  Separate requirement for Qualified time-stamping statement
ETSI 2011. All rights reserved
TASP Standards
TS 102 640 Registered e-mail
  Published 2011
  Proposal to EU commission for updates
E_Delivery
  Standardisation plans identified in SR 019 530
  Proposal to EU commission for standardisation
Long term preservation
  Proposal to EU commission for study on standardisation requirements
Trusted Lists
TS 119 612 v1.2.1 Trusted Lists
  Published 2015-04