The Open PEPPOL e-id & e-signature
http://www.peppol.eu/
Including inputs from the Open PEPPOL community and from the world e-id presentation
Rome, October 3rd 2013
alain.ducass@adetef.finances.gouv.fr
OpenPEPPOL AISBL
The PEPPOL project reached a successful completion on 31st of August 2012. OpenPEPPOL AISBL* has been operational from 1st of September 2012, taking over ownership of PEPPOL results and governance responsibilities.
OpenPEPPOL's goals are:
- Encourage European governments and their suppliers to continue implementing eprocurement using the PEPPOL specifications, promoting best practices
- Ensure that the PEPPOL network continues to grow in an open, accessible and compliant manner, supporting interoperability for European public services and helping Europe move towards a Digital Single Market
- Encourage the development of innovative PEPPOL-based ICT products and services supporting public procurement processes, fostering their use also in the B2B context
*OpenPEPPOL is an international non-profit organisation under Belgian law founded by former PEPPOL consortium partners, with membership open to public and private organisations.
Organisation
The e-id PEPPOL community will be launched in Rome on October 4th
Background
- 31 August 2012: end of the PEPPOL program, with output approved by the Commission
- 31 August 2012: transmission of the assets of the PEPPOL program to the Open PEPPOL association created under Belgian law
- Adoption of the e-SENS program under ICT PSP to take over the 5 PSP programs: e-CODEX, epSOS, PEPPOL, SPOCS, STORK
- Pending discussion for a new Regulation on eid and etsp to replace Directive 1999/93
- August 2013: grant agreement sent to the e-SENS consortium for signature
- 3rd October 2013: launch of the e-signature / e-id community within Open PEPPOL
PEPPOL is an EU co-funded project CIP-ICT PSP-2007 No 224974
PEPPOL Validation scheme
- Decentralized approach (subsidiarity)
- Network of local services to collect, exchange and process certificates/signatures data
- European actor's role limited to registration of local services and network's info exchange
ADETEF Esteral Consulting
Interoperability
What does Open PEPPOL wish for?
- Meaningful and timely recommendations and standards;
- Common business process and information models which capture user requirements independent of any specific technology;
- Mapping these models to new technologies as required.
Signature Interoperability Challenge
| | France | Europe |
| --- | --- | --- |
| Law | Loi 2001 230 | Directive 99/93 |
| Regulation | Décret 2001 272 | Annexes 1, 2, 3 |
| Standards | RGS (Art. 3 7), Arrêté 28/08/2006 | ETSI standards |
esignature Technical Validation Scheme
1.) PEPPOL XKMS Requester: end users
2.) PEPPOL XKMS Responder: Validation Services (VS)
3.) PEPPOL Public Registry Service (PPRS): VS addresses (TSLs)
Infrastructure and Components ready to use
Functional specifications for crossborder use of esignatures in public procurement, 7 parts:
1. Background and Scope
2. E-tendering Pilot Specifications
3. Signature Policies
4. Architecture and Trust Models
5. XKMS v2 Interface Specification
6. OASIS DSS Interface Specification
7. eid and e-signature Quality Classification
Latest version: see D1.3 on line: http://www.peppol.eu/deliverables/wp-1
- Open source server software
- Free to use validation client with API for integration
- Own implementation towards XKMS interface (with Toolkit)
PEPPOL Validation Parameters
Output of XKMS, levels: 0 1 2 3 4 5 6 7
Values of each parameter, in increasing order:
- Certificate Policy (ETSI 102-042, ETSI 101 456): none; Exists; LCP; NCP; NCP+; QCP; QCP+
- Independent Assurance: self; Ext. Doc.; Int. audit; Super; Ext. audits; Ext. certif.; Super + Ext. audits; Accre. + Ext. audits
- Public Key (length + algo.): Too weak; 3 y.; 5-10 years; Increasing levels of security
- Hash function (ETSI 102-176-1): Too weak; 3 y.; 5-10 years; Increasing levels of security
Cross-border e-signature market (theoretical)
Belgium, Finland, Lithuania, Norway, Germany, Poland, Switzerland, Austria, Spain, France, Italy, Greece, Bulgaria, Czech, Estonia, Latvia, Hungary, Malta, Netherlands, Portugal, Romania, Slovakia, Denmark, Slovenia, Sweden, United Kingdom, Luxembourg
Cross-border e-signature market at the end of PEPPOL
Germany: Bremen On Line (BOS)
France: Lex Persona (ADETEF)
Estonia
Unizeto
25 national TSL
Italy: Infocert (Infocamere)
Greece (UPRC)
The French Platforms
As explained in the 2012 world e-id congress, the French Government implemented on its website a PEPPOL interface to validate crossborder esignatures. This platform, operated by Lex Persona, got approximately 800 requests per month.
Diagram labels: 1000 local authorities, KLEKOON; 400 local authorities, DOUBLE TRADE; PLACE (AIFE), Ministries & Chamber of Commerce & Ugap; PEPPOL XKMS Validation Cloud; French Validation Node (Lex Persona); Sunnystamp, Lex Persona, free access; LP7VerifyBox, Lex Persona; SPL Xdemat & CG69, 300 French local authorities
Mapping with the French RGS regulation
RGS = Reference security Framework: three levels of certificate, signature, etc.; more specific and detailed requirements
Mapping table between RGS requirements and PEPPOL parameters:
| PEPPOL parameters | RGS * | RGS ** | RGS *** |
| --- | --- | --- | --- |
| Qualified Certificate | 2 (LCP) | 4 (NCP+) | 6 (QCP+) |
| Independent Assurance | 7 | 7 | 7 |
| Hash function | 1 (SHA-1), 2 (SHA-256) | 1 (SHA-1), 2 (SHA-256) | 1 (SHA-1), 2 (SHA-256) |
| Key length | 2 | 2 | 2 |
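One way a receiving platform could apply the mapping table above to the quality levels reported by a validation service, as an added Python example that is not part of the original slides or of any PEPPOL software. The field names are hypothetical, and reading each table figure as a minimum on an increasing 0-7 scale (with hash level 1 or higher accepted) is an assumption.

```python
# Added example. Thresholds are copied from the slide's RGS mapping table.
# Assumptions: each figure is a minimum on an increasing 0-7 scale, and the
# hash row ("1 (SHA-1) 2 (SHA-256)") means level 1 or higher is accepted.
PARAMETERS = ("certificate_policy", "independent_assurance", "hash", "key_length")
RGS_MINIMUMS = {
    "RGS *":   dict(zip(PARAMETERS, (2, 7, 1, 2))),  # certificate policy 2 = LCP
    "RGS **":  dict(zip(PARAMETERS, (4, 7, 1, 2))),  # certificate policy 4 = NCP+
    "RGS ***": dict(zip(PARAMETERS, (6, 7, 1, 2))),  # certificate policy 6 = QCP+
}

def shortfalls(quality, level):
    """List why `quality` (dict of parameter -> level) misses an RGS level."""
    problems = []
    for param in PARAMETERS:
        value = quality.get(param)
        required = RGS_MINIMUMS[level][param]
        # Fail closed: a missing, non-integer or off-scale value never passes.
        if type(value) is not int or not 0 <= value <= 7:
            problems.append(f"{param}: missing or invalid ({value!r})")
        elif value < required:
            problems.append(f"{param}: {value} is below required {required}")
    return problems

def highest_rgs_level(quality):
    """Return the strictest RGS level whose minimums are all met, else None."""
    for level in ("RGS ***", "RGS **", "RGS *"):
        if not shortfalls(quality, level):
            return level
    return None

# Constructed sample validation results (not real responder output).
SAMPLES = {
    "qcp_plus": {"certificate_policy": 6, "independent_assurance": 7, "hash": 2, "key_length": 2},
    "ncp": {"certificate_policy": 3, "independent_assurance": 7, "hash": 2, "key_length": 2},
    "weak_assurance": {"certificate_policy": 6, "independent_assurance": 4, "hash": 2, "key_length": 2},
    "no_hash_reported": {"certificate_policy": 6, "independent_assurance": 7, "key_length": 2},
}

if __name__ == "__main__":
    for name, quality in SAMPLES.items():
        level = highest_rgs_level(quality)
        print(name, "->", level or "rejected", shortfalls(quality, "RGS *"))
```

A result with a parameter missing from the response is rejected rather than treated as level 0 or skipped, so an incomplete answer cannot be accepted by omission.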
Commercial Scheme for esignature certificates
- 1 Accreditation authority per country (LSTI in France): it is evaluated through ISO standards (e.g. by COFRAC) and delivers accreditations to all e-signature actors.
- ~35 Certification operators (CO): they are accredited by the accreditation authority and can set up certification authorities (such as Keynectis, Certinomis, Imprimerie nationale, Dhimyotis, Chamber of notaries).
- ~150 Certification authorities (CA) (e.g. Open Trust): they are accredited by the accreditation authority and they issue esignature certificates for end-users.
- ~500 Registration authorities (RA): they are accredited by the accreditation authority and they register end-users to distribute certificates (e.g. ANTS, HSBC, cities, post offices, Carrefour, local chambers of notaries).
- ~5 000 Resellers: they act as commercial intermediaries between the end users and the other actors (supermarkets, bank agencies).
- ~1 000 000 End-users
The Greek Platform
Scope: esignature validation infrastructure pilot used to validate digital signatures (signed VCD packages)
Achievements:
- Needed infrastructure provided by UPRC (Greek XKMS Responder, deployed in a PEPPOL server)
- 2 hand-held transactions validated offline
Overall assessment:
- Setup of necessary infrastructure
- National validation service will be maintained by UPRC
The Italian Platforms
Infocamere (Italian chamber of commerce) is implementing a PEPPOL interface to validate crossborder esignatures based on the InfoCert platform.
Diagram labels: Chambers of Commerce; PEPPOL XKMS Validation Cloud; Italian Validation Node (Infocamere); local Chambers of Commerce; e-procurement platform; trusted lists; other access points; Ministry of Finance; other parties
The Polish Platform
Experience of other countries to be developed by DIFI?
The European Platform
Bremen Online Services seems to be still running the European platform.
Some points have to be cleared:
- who runs which component?
- who updates the ontologies?
- who gets the link with the other projects (e.g. DSS)?
- whether Open Peppol is interested in extending the platform to non EU countries
Open-Peppol esignature actors
Questions
Some points have to be cleared:
- Who runs which component?
- Do we have to take care of the validation parameters?
- Which link with the other projects (e.g. DSS, e-sign Africa)?
- Is Open Peppol interested in extending the platform to non European countries?
- Who is interested in joining the e-signature community?
New steps
A workshop is planned in Paris around November 2013, together with DG Connect, to collect ideas for e-id and esignature crossborder recognition, either at the European level (e-SENS) or at the Euro-Mediterranean one.
Based on the PEPPOL experience, draft projects are in preparation for a European-African, a Euro-Mediterranean and, why not, a worldwide esignature recognition platform.
All contributions are welcome.
Contact:
=> alain.ducass@adetef.finance.gouv.fr
=> info@peppol.eu
www.peppol.eu
e-id
- The Norwegian company Signicat presented in Nice 9 different e-id in the Scandic countries, offering crossborder interoperability
- The Stork 2.0 project runs pilots for interoperability
Some points have to be cleared:
- Which link between e-id and Open PEPPOL?
- Which link with Stork 2.0?