Feasibility study on an electronic identification, authentication and signature policy (IAS)




FR Ref. Ares(2013)2869715 - 13/08/2013

Feasibility study on an electronic identification, authentication and signature policy (IAS)

FINAL REPORT

A study prepared for the European Commission DG Communications Networks, Content & Technology

Digital Agenda for Europe

This study was carried out for the European Commission by

Internal identification
Contract number: 30-CE-0413876/00-31
SMART 2010/0008

DISCLAIMER

By the European Commission, Directorate-General of Communications Networks, Content & Technology. The information and views set out in this publication are those of the author(s) and do not necessarily reflect the official opinion of the Commission. The Commission does not guarantee the accuracy of the data included in this study. Neither the Commission nor any person acting on the Commission's behalf may be held responsible for the use which may be made of the information contained therein.

ISBN 978-92-79-31151-2
DOI: 10.2759/25928

European Union, 2013. All rights reserved. Certain parts are licensed under conditions to the EU. Reproduction is authorised provided the source is acknowledged.

Table of contents

1. SUMMARY OF THE STUDY GOALS AND SCOPE
1.1 Background of the Study
1.2 Scope of the Study
1.3 Role of this document in the Study
2. APPENDICES
2.1 Deliverable D.1: IAS in the European policy context
2.2 Deliverable D.2: IAS in Europe, an overview of the state of the art
2.3 Deliverable D.3: Proposal for a European IAS policy framework

1. Summary of the Study goals and scope

1.1 Background of the Study

The purpose of the present project, as described in the tender specifications, is to study the feasibility of a comprehensive EU legal framework that would apply to all electronic credentials needed to secure electronic transactions as well as the ancillary services needed to use them: electronic identification, authentication, signature, seals, certified delivery and a voluntary official email address. The perspective of the legal framework would be to facilitate the smooth working of electronic transactions in the internal market. In other words, it would be based on article 114 of the Treaty on the Functioning of EU (TFEU).

The Digital Agenda confirms that "Electronic identity (eID) technologies and authentication services are essential for transactions on the internet both in the private and public sectors. Today the most common way to authenticate is the use of passwords. For many applications this may be sufficient, but more secure solutions are increasingly needed. As there will be many solutions, industry, supported by policy actions in particular eGovernment services - should ensure interoperability based on standards and open development platforms." The Commission, therefore, will "In 2011 propose a revision of the eSignature Directive with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems". This Study aims to provide inputs for this action.

1.2 Scope of the Study

The scope of this study is to determine if and how a comprehensive European IAS framework could be formed, including the legal, technical and trust components required for such a framework. Each of these components will be defined by the study team, in a way that will allow them to serve as building blocks and to be combined into a comprehensive policy framework covering IAS services and ancillary services.

The study should culminate in a recommendation from the study team to the Commission on how a complete and functioning legal, technical and trust framework for IAS services could be constructed. This recommendation should build on consultations of selected experts through direct discussions and workshops, as well as the feedback received through the Commission's 2011 public consultation on electronic identification, authentication and signatures. In this way, the study team aims to provide an immediately usable proposal, while optimally allowing the Commission room to adapt to future policy discussions or changed policy preferences.

1.3 Role of this document in the Study

Apart from a general on-going support task to the Commission, the present Study consists of three tasks that correspond to a logical phase in the study. The phases and tasks can be graphically summarized as follows:

The current document corresponds to all phases in the overview above and contains the final versions of the deliverables produced during the three phases. This Final Study Report contains the following documents:

- Deliverable D.1.1.b: IAS in the European policy context
- Deliverable D.2.2.b: IAS in Europe, an overview of the state of the art
- Deliverable D.3.2.b: Proposal for a European IAS policy framework

2. Appendices

2.1 Deliverable D.1.1.b: IAS in the European policy context
2.2 Deliverable D.2.2.b: IAS in Europe, an overview of the state of the art
2.3 Deliverable D.3.2b: Proposal for a European IAS policy framework

Study on an electronic identification, authentication and signature policy (IAS)

IAS in the European policy context

Final Version (D.1.1.b)

20 February 2013

Final Report - IAS in the European policy context (D.1.1.b)

This study was commissioned by the European Commission's Information Society and Media Directorate-General, in response to the general invitation to tender of the Directorate-General Information Society and Media, on SMART N 2010/008. The study does not, however, express the Commission's official views. The views expressed and all recommendations made are those of the authors.

Table of contents

1. SUMMARY OF THE STUDY GOALS AND SCOPE
1.1 Background of the Study
1.2 Scope of the Study
1.3 Role of this document in the Study
2. DEFINING IAS
2.1 What are IAS services?
2.2 Putting the basic definitions in a services perspective
2.3 Interim Observations
3. POLICY NEEDS FOR IAS IN THE DIGITAL SINGLE MARKET
3.1 How do IAS services fit in the Digital Single Market?
3.2 Needs for a functioning IAS internal market
3.3 The international dimension: needs and challenges
4. REVIEW OF PAST IAS POLICY: SCOPE, IMPACT AND CHALLENGES
4.1 Analysis of the impact of EU policy on IAS: how (in)complete is the picture?
4.2 Identification of key gaps
5. THE ROAD AHEAD
5.1 How useful is the eSignatures Directive as a starting point for IAS regulations?
5.2 Weaknesses of the eSignatures Directive - lessons learned
5.3 What are the alternatives?
6. CONCLUSIONS
6.1 IAS summary of challenges and goals from a policy perspective
6.2 Perspectives for a future comprehensive trust services framework
7. APPENDICES
7.1 Abbreviations
7.2 Workshop report: analysis of comments received
7.3 Sources of IAS use cases

1. Summary of the Study goals and scope

1.1 Background of the Study

The purpose of the present project, as described in the tender specifications, is to study the feasibility of a comprehensive EU legal framework that would apply to electronic assertions needed to secure electronic transactions as well as the ancillary services needed to use them: electronic identification, authentication, signature, seals, certified delivery. The perspective would be to facilitate the smooth working of electronic transactions in the internal market. In other words, it would be based on article 114 of the Treaty on the Functioning of EU (TFEU).

The Digital Agenda confirms that "Electronic identity (eID) technologies and authentication services are essential for transactions on the internet both in the private and public sectors. Today the most common way to authenticate is the use of passwords. For many applications this may be sufficient, but more secure solutions are increasingly needed. As there will be many solutions, industry, supported by policy actions in particular eGovernment services - should ensure interoperability based on standards and open development platforms." The Commission, therefore, will "In 2011 propose a revision of the eSignature Directive with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems". This Study aims to provide inputs for this action.

1.2 Scope of the Study

The scope of this study is to determine if and how a comprehensive European IAS framework could be formed, including the legal, technical and trust components required for such a framework. The study should include recommendations on how a complete and functioning legal, technical and trust framework for IAS services could be constructed. This recommendation should build on consultations of selected experts through direct discussions and workshops, as well as the feedback received through the Commission's 2011 public consultation on electronic identification, authentication and signatures.

1.3 Role of this document in the Study

The present Study mainly consists of three tasks that correspond to a logical phase in the study. The phases and tasks can be graphically summarized as follows:

Figure 1: IAS study phases

The current document is Deliverable 1.1 - IAS in the European policy context, and corresponds to Phase 1 in the overview above. The goal of this report is to create the basis for the development of a comprehensive policy framework, specifically by:

- Defining IAS: it is absolutely crucial that participants in the IAS policy debate have a clear and common understanding of IAS concepts. Section 2 will therefore consist of elaborating the study team's understanding of the main notions, and building up, from the industry and legal standards, the definitions aimed to serve as common basis and language.
- Understanding European IAS policy needs: in order to define a comprehensive IAS policy framework, it must first be clear what the European needs and ambitions in this area are. This will be analyzed in Section 3 of the report, building on the relevant sections of the Digital Agenda.
- Determining to what extent the existing IAS policy framework in Europe already covers these policy needs: It is important to understand the impact of this framework on IAS, and to determine what the gaps (if any) are. This will be examined in Section 4 of the report.
- Establishing a road forward: if there are indeed gaps between IAS policy needs and the current framework, we will need to determine how these can be resolved. While a comprehensive vision on this topic will be developed in Phase 3 of the Study, we can already define in Section 5 of the present document what the main conceptual options are.

This document has been finalized in two iterations:

- A draft version (D.1.1) outlining the study team's initial thoughts and opinions on the four aspects outlined above. This draft was presented to the Stakeholders for discussion.
- A final version (D.1.1.b) based on the feedback received.

As indicated in the graphic above, this report has been used as one of the key inputs for the recommendations of phase 3.

2. Defining IAS

2.1 What are IAS services?

With regard to defining IAS services, the core challenge is twofold: there are too many and often even different, conflicting or overlapping definitions of the basic terms; the fields of identity, authentication and signature are highly linked in practise while bearing their own differences.

However considering (i) the current move towards the rationalisation of the entire eSignature standardisation framework in the context of the execution of Mandate M460 [1], (ii) the recent EC Decisions enabling Member States harmonising the publication of trust information on supervised or accredited certification services supporting electronic signatures and hence rationalising somehow the related trust framework, (iii) the political decision to better and further address IAS from a policy perspective and establishment of further legal measures as confirmed in the Digital Agenda for Europe [2], the European eGovernment Action Plan [3] and the Single Market Act [4], (iv) the execution of the present study aiming to adequately support this legal track, arriving at a common semantic basis is difficult but clearly necessary. There will be rarely a better opportunity and momentum for establishing a sound and consistent set of definitions between all legal, technical and trust frameworks.

We will elaborate in this section the terminology and definition building blocks we need for the study on the basis of the eSignature Directive 1999/93/EC, the Modinis study [5] (covering exclusively the identification and authentication aspects) and the draft rationalised framework for electronic signature standardisation (DSR/ESI-000099) [6] and related standards, while rationalising and arbitrating when facing conflicting or overlapping definitions.

Entity & Identity

The first basic term we will here define is the term 'entity'.

Entity: means any natural or legal person or any information system that shall be characterised through a collection of identity attributes of which at least one subset of such identity attributes uniquely represents it.

We believe important, as stressed in Modinis, to keep this definition open to any type of person (including natural persons of course but also legal persons or public sector bodies) while further defining other types of entities (e.g. computers or other forms of machinery, digital resources or processes) as covered by any "information system" as defined in Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems [7].

The following definition of 'identity' is also based on the Modinis definition.

Identity: The identity of an entity means the collection of all the entity's identity attributes.

An entity has only one such collection or set of all its identity attributes; to this extent one can say that one entity has only one identity. Each of the identity attributes from this collection needs not necessarily be unique to that entity but some and often several subsets of such identity attributes can uniquely identify an entity.

Unique Identity: means a collection of an entity's identity attributes that uniquely represents that entity.

[1] Mandate M460 is a standardisation mandate given end 2009 by the EC to the European Standardisation Organisations CEN, CENELEC and ETSI in the field of information and communication technologies applied to electronic signatures. For further information see: http://ec.europa.eu/information_society/policy/esignature/eu_legislation/standardisation/index_en.htm
[2] Digital Agenda for Europe COM(2010)245 of 19 May 2010: key actions on PSCs, e-ID, eSignatures.
[3] European eGovernment Action Plan COM(2010)743.
[4] Single Market Act COM(2011)206, 13 April 2011 - priority action on Digital Single Market (section 2.7).
[5] Modinis Study on Identity Management in eGovernment, Common terminological framework for interoperable electronic identity management, v2.01, November 23, 2005.
[6] Draft Rationalised Framework For Electronic Signature Standardisation (DSR/ESI-000099), available from http://portal.etsi.org/stfs/stf_homepages/stf425/stf425.asp and elaborated in the context of Mandate M460.
[7] Defined as "any device or group of inter-connected or related devices which performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance"; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32005F0222:EN:NOT

Sub-sets or collection of an entity's identity attributes that does not uniquely identify an entity are often called "partial identities".

Identity Attribute: means a distinct, measurable, physical or abstract named property belonging to an entity.

Common examples of such identity attributes include name, surname(s), nationality, date and place of birth, address, biometric data, professional or honorific title, gender, age statement,..., but also other characteristics such as, possession of a public/private key pair, a delegation, a grant could be considered as identity attributes. A unique identifier is a special type of identity attribute that, on its own uniquely identifies an entity.

Identity Attribute Assertion: means an electronic attestation which links one or more identity attributes to a unique identity of an entity and confirms the identity of that entity.

The term assertion is preferred to the term 'credential' which is often misused or misunderstood. Such electronic attestation may not be delivered under the form of digital certificates, which is the most common type in a PKI world, but under other forms of signed statements (i.e. X/C/PAdES formatted signatures, SAML messages, XACML statements). Digital Certificates and Attribute Certificates can be considered as special types of Identity Attribute Assertions as they mainly link a specific type of identity attribute, namely a signature verification data, to an entity. Mandates [8], authorisations [9] and other types of permissions [10] can also be seen as specific types of identity attribute assertions. Figure 2 below illustrates a non exhaustive list of different sub-sets of identity attribute assertions.

An "official identity" can be defined as an Identity Attribute Assertion delivered by or on behalf of a public sector body [11] acting as an Identity Attribute Assertion Provider [12].

Figure 2: Identity Attribute Assertions (Digital Certificates, Attributes Certificates, Permissions, Authorisations, Mandates)

Identification can then be defined as the process of using claimed (e.g. by means of Identity Attribute Assertion) or observed attributes of an entity to deduce who the entity is. It can lead to a unique or a partial identity.

Authentication

Authentication is the corroboration of a claimed set of attributes or facts with a specified, or understood, level of confidence [5]. Authentication is typically divided into data authentication and entity authentication. We will also further define the concept of data authentication data as it will later serve as building block to define electronic signatures and clarify the distinction and interrelation between those concepts.

Entity Authentication: means the corroboration of the claimed identity of an entity and a set of its observed attributes. [5]

Data Authentication: means the corroboration that the origin and the integrity of data are as claimed. [5]

Data Authentication Data: means data in electronic form which are attached to or logically associated with other electronic data and which corroborates the identity of the entity at the origin of the associated data and the integrity of the associated data.

The current definition of electronic signature in Directive 1999/93/EC (Art.2.1) ("data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication") is actually equivalent to the above data authentication data definition. This has been source of long misunderstanding between technical and legal worlds also linked to the fact that the most currently deployed PKI based technology for implementing rely on the exact same cryptographic operation for implementing electronic signatures and PKI based authentication.

We propose to add to the concept of electronic signature the expression of a consent, an intent or commitment. Of course the expression of such an explicit consent or commitment could be that the signature is created with no other purpose than authenticating the signatory as an entity. The definition of electronic signature is given later in the present section and other aspects of the legal issues related to the current definition of electronic signature in Directive 1999/93/EC are also discussed in Section 3.

Practical examples of use of data authentication data for not being an electronic signature are Message Authentication Codes, being key-dependent one-way hash functions which can be used to authenticate files between users.

As in many cases a device is used to obtain such data or entity authentication, we further define the notion of authentication device.

Authentication Device: means configured tools, software or hardware used by an entity for the purpose of entity or data authentication.

Today these devices take many forms and involve one or more factors (the classic 'what you are', 'what you know', what 'you possess', and the more recent 'how you behave'), and support the corroboration of the claimed identity and the related relevant set of identity attributes, particularly it typically includes UserID/password, One Time Password (OTP) solutions, TAN cards, PKI based tokens and smart cards.

In a number of usage scenarios, the Authentication Device may require an interface device such as a keyboard, a biometric capturing device, or a card reader with or without a PINpad.

Authentication Interface Device: means configured tools, software or hardware used by an entity for the purpose of authentication in conjunction with an Authentication Device to facilitate or enable the use of the latter.

[8] Mandate can be defined as a revocable role (i.e. a set of one or more authorisations related to a specific application or service) or a set of revocable roles which refer to one or more permissions granted by an identified entity to another identified entity to perform well-defined actions with legal consequences in the name and for the account of the former. [Modinis]
[9] Authorisation, here, refers to the permission of an authenticated entity to perform a defined action or to use a defined service/resource. [Modinis]
[10] Permission describes the privileges granted to an authenticated entity (e.g. privilege with respect to low-level operations that may be performed on some resource such as read, write, delete, execute, create, etc.). [Based on Modinis]
[11] Defined in Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information, as "the State, regional or local authorities, bodies governed by public law and associations formed by one or several such authorities or one or several such bodies governed by public law"; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32003L0098:EN:NOT
[12] See definition further in the text.
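The Message Authentication Code case mentioned above, as an added illustration that is not part of the study: a MAC corroborates the origin and integrity of data between two users, but because the relying party holds the same key it can produce an equally valid value itself, so the data is not under the originator's sole control. The function names, the parties "alice", "bob" and "mallory", and the sample data are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets


def _encode(origin: str, data: bytes) -> bytes:
    # Length-prefix the claimed origin so (origin, data) pairs are unambiguous.
    origin_bytes = origin.encode("utf-8")
    return len(origin_bytes).to_bytes(4, "big") + origin_bytes + data


def make_dad(shared_key: bytes, origin: str, data: bytes) -> bytes:
    """Create data authentication data: a MAC over the claimed origin and the data."""
    return hmac.new(shared_key, _encode(origin, data), hashlib.sha256).digest()


def verify_dad(shared_key: bytes, origin: str, data: bytes, tag: bytes) -> bool:
    """Corroborate that origin and integrity of the data are as claimed."""
    expected = make_dad(shared_key, origin, data)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, tag)


def run_demo() -> dict:
    # Constructed scenario: alice sends a file to bob; both hold the same key.
    key = secrets.token_bytes(32)
    document = b"annual-report.pdf contents (constructed sample)"
    tag = make_dad(key, "alice", document)

    results = {
        # Data authentication works: origin and integrity are corroborated.
        "intact_accepted": verify_dad(key, "alice", document, tag),
        # Any subsequent change of the data is detectable.
        "modified_data_rejected": not verify_dad(key, "alice", document + b"!", tag),
        # A different claimed origin does not verify against the same tag.
        "other_origin_rejected": not verify_dad(key, "mallory", document, tag),
        # A party without the shared key cannot verify or create the tag.
        "wrong_key_rejected": not verify_dad(
            secrets.token_bytes(32), "alice", document, tag
        ),
    }

    # bob, the relying party, holds the same key. He can compute a tag that
    # names alice as origin for data alice never saw, and it verifies.
    other_document = b"a different file alice never sent (constructed sample)"
    bob_made_tag = make_dad(key, "alice", other_document)
    results["relying_party_can_produce_valid_tag"] = verify_dad(
        key, "alice", other_document, bob_made_tag
    )
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The last check is the reason a MAC stays data authentication data between the two key holders: a third party cannot tell which of them produced the value.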

Signatures

Similarly to the previous identification and authentication related sets of definitions, the first basic term that we will here define is the term 'signatory'.

Signatory: means a person who holds a signature creation device and {acts, creates an electronic signature} either on his own behalf or on behalf of the natural or legal person or public sector body he represents. [5]

Note: text between { } designates that a choice should be made between several possible terms, in this latter choice, the underlined term is the one proposed.

The first occurrence of the word person is not qualified to be natural or legal person. The notion of person is interpreted differently in EU Member States. In some Member States a legal person is entitled to sign with the same rights and effects that a natural person. However if we later consider specific types of electronic signatures, namely electronic seals which are generated by signatories being legal person, public sector bodies [13], competent authorities, or public authorities, then either we enlarge this first occurrence of 'person' to 'natural or legal person' (with the or being also meant to consider cases for which this legal person is not an option in some Member States).

Electronic Signature: means data authentication data which {states, indicates the expression of, expresses} a {binding commitment, consent, intent, endorsement, adherence} from the signatory towards the associated data.

Note: text between { } designates that a choice should be made between several possible terms, in this latter choice, the underlined term is the one proposed.

[13] Defined in Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information, as "the State, regional or local authorities, bodies governed by public law and associations formed by one or several such authorities or one or several such bodies governed by public law"; see http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32003L0098:EN:NOT

This consent may be expressed in an explicit or implicit manner (while it would be far better being explicit). As explained previously and also as experienced in real life, electronic signature can be used for the purpose of entity authentication or for the purpose of data authentication; the desired goal would then be reflected in the expressed consent.

It is worth stressing the "universal" nature of electronic signature in the sense that it is applicable to any context and situation. Intrinsically, an electronic signature is of the same nature when used for eGovernment applications, for a private sector application or for any other type of use.

In order to address expressed market requirements and comments highlighted in the results of the Public Consultation, we introduce specific types of electronic signatures, namely electronic seals which are generated by signatories being legal person or public (sector) bodies.

Electronic Seal: means an electronic signature created by a legal person or a public sector body.

Similarly to what is done in Directive 1999/93/EC, we further refine the definition of advanced and qualified electronic signatures and electronic seals.

Advanced Electronic Signature [14]: means an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

Advanced Electronic Seal: means an advanced electronic signature created by a legal person or a public sector body.

Qualified Electronic Signature [15]: means an advanced electronic signature which is based on a qualified certificate [issued to a natural person] and which is created by a secure signature creation device.

Qualified Electronic Seal: means a qualified electronic signature for which the signatory is a legal person or a public sector body.

It can be observed that Directive 1999/93/EC, and the above definitions, defines electronic signatures in a broad and technology neutral way. It is the opinion of the IAS Study team that at the time of conducting our Study, the only viable large-scale implementation available is based on cryptography. Cryptographic primitives are available from various different mathematical families (e.g. RSA, ElGamal, ECC). These are based on different mathematical concepts (the hardness of factoring, the hardness of computing the discrete logarithm, and the hardness of finding points on elliptic curves). However, they offer comparable functionality.

While being then less technology neutral the following definitions are important and kept from Directive 1999/93/EC:

Signature Creation Data [16]: means unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature.

Signature Creation Device [17]: means configured software or hardware used to implement the signature creation data.

Secure Signature Creation Device [18]: means a signature-creation device which meets the requirements laid down in Annex III of Directive 1999/93/EC.

Signature Verification Data [19]: means data, such as codes or public cryptographic keys, which are used for the purpose of verifying an electronic signature.

Signature Verification Device [20]: means configured software or hardware used to implement the signature verification data.

The expression of a consent/intent/commitment as a condition of an electronic signature, is already present in some Member States implementation of Directive 1999/93/EC (e.g. in the Grand-Duchy of Luxembourg) and in signature related standards e.g. when combining ETSI TS 101 733 v1.2.2 definitions of "digital signatures" and of "signers":

Digital signature: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient (ISO 7498-2).

Signer: entity that creates an electronic signature. The Signer is the entity that initially creates the electronic signature. When the signer digitally signs over data using the prescribed format, this represents a commitment on behalf of the signing entity to the data being signed.

Moreover the expression of a (signed) commitment is already a standardised feature of electronic signature formats whether based on XAdES, CAdES or PAdES profiles.

Furthermore, producing electronic signatures, data authentication data or authentication itself as an entity supposes the counterpart of verifying such electronic signatures, data authentication data and entity authentication which is the goal of so-called verifiers or relying parties.

Both signers and authenticating parties on the one side and relying parties on the other side are likely to rely on one or more entities helping them to execute their task and to build trust relationships between them, the so-called trust service providers. Such entities support the signer/authenticating parties and verifiers by means of supporting trust services and related trust service tokens as tangibles outputs of such services. Such services typically include the provision of identity attributes assertions, in particular the provisions of digital certificates used to guarantee the identity of a signer or an authenticating party and their related services (e.g. registration services, certificate status validity services, certificate revocation services, repository services), the provision of time-stamping services as the notion of trusted time may be of critical importance when securing transactions and in particular electronic signatures and authentication, signature generation and signature validation services, archiving or information preservation services.

Trust Service Providers

The following definitions are proposed to serve as building blocks in the context of the study. They are mostly based on the current Draft Rationalised Framework For Electronic Signature Standardisation [6] and the EFVS study [21].

[14] Directive 1999/93/EC, Art.2.2.
[15] Based on Directive 1999/93/EC, Art.5.1.
[16] Directive 1999/93/EC, Art.2.4.
[17] Directive 1999/93/EC, Art.2.5.
[18] Directive 1999/93/EC, Art.2.6.
[19] Directive 1999/93/EC, Art.2.7.
[20] Directive 1999/93/EC, Art.2.8.
[21] EFVS Study, Framework contract ENTR/05/58-SECURITY, SC N 14, Final Report "Common Solution Model: Completion of the framework for Signature Validation Services", February 2010. http://ec.europa.eu/idabc/servlets/dcf934.pdf?id=32633.

Trust Service: means an electronic service which enhances trust and confidence in electronic transactions.
Note: Such trust services are typically but not necessarily using cryptographic techniques or involving confidential material.

Trust Service Provider: means an entity which provides one or more electronic Trust Services.

Trust Service Token: means a physical or binary (logical) object generated or issued as a result of the use of a Trust Service.
Note: Examples of binary Trust Service Tokens are Identity Attribute Assertion, like Certificates, CRLs, Time-Stamp Tokens, OCSP responses, Digitised Data, Registered Electronic Delivery and Information Preservation Record.

Similarly to the concept of qualified electronic signature, we will define:

Qualified Trust Service Token: means a Trust Service Token that meets the requirements laid down in a specific annex/list, and that is provided by a Trust Service Provider who fulfils the requirements laid down in a specific annex/list and that in consequence benefits from a legal certainty.

There is no concept of Qualified Trust Service Provider (TSP) but rather that of a TSP issuing Qualified Trust Services and Qualified Trust Service Tokens. We can identify: Qualified Time-Stamp Token, Qualified Digitised Data, Qualified Certificate, Qualified Registered Electronic Delivery, Qualified Information Preservation Record, Qualified Identity Attribute Assertion, etc.

Trust Service Providers issuing certificates

We suggest replacing the concept of Certification Service Provider defined in Art. 2.11 of Directive 1999/93/EC as an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures by the concept of Trust Service Provider issuing certificates with the following definitions:

Trust Service Provider issuing certificates: means a Trust Service Provider who issues Certificates and provides related Certificate creation, assignment and life cycle management services.

Certificate: means an Identity Attribute Assertion which links signature verification data to a unique identity of an entity to which the signature verification data belongs.

An Attribute Certificate means a Certificate which links signature verification data to one or more identity attributes and confirms that those identity attributes belong to the entity to which the signature verification data belongs.

Certificates and Attribute Certificates are special types of Identity Attribute Assertions as they link a specific type of identity attribute, namely a signature verification data, to an entity.

Electronic signature can be used for the purpose of entity authentication or for the purpose of authenticating data; it would then be reflected in the expressed consent as per the definition of Electronic Signature. Using X.509 based Certificates and the related signature creation and verification data for the purpose of entity authentication means implementing electronic signatures (usually applied on random associated data) for which the expressed consent is limited to the scope and purpose of identifying the signatory authenticating itself through such means. It should be noted that the expression of this consent may be explicit or implicit but it should always be stated as clearly as possible.

Qualified Certificate (22): means a certificate which meets the requirements laid down in Annex I of Directive 1999/93/EC and is provided by a Trust Service Provider issuing certificates who fulfils the requirements laid down in Annex II of Directive 1999/93/EC.

We suggest to review the requirements currently laid down in those Annexes I and II as part of the Phase 3 of the IAS study.
Signature Generation and Validation Service Providers

Signature Generation Service Provider: means a Trust Service Provider which provides Trust Services that allow secure remote management of signatory's signature creation device and generation of electronic signatures by means of such a remotely managed device. Those elements may rely on a Signature Policy that can be either explicit or implicit, be defined by the Signature Generation Service Provider (SGSP) or the relying party using the SGSP services or jointly negotiated by the parties.

22 Directive 1999/93/EC, Art.2.10.

Signature Policy: means a set of rules for the creation and validation of one or more electronic signatures that defines the technical and procedural requirements for creation, validation and (long term) management of this (these) electronic signature(s), in order to meet a particular business need, and under which the signature(s) can be determined to be valid. There can be human readable or machine processable presentation of signature policies.

Signature Validation Assertion: means an electronic attestation provided by a Signature Validation Service Provider that confirms the results of the validation of an electronic signature.

Signature Validation Service Provider [based on EFVS study (21)]: means a Trust Service Provider offering the following services in relation to an electronic signature supported by certificates issued by certificate issuing services from TSP's issuing certificates (CAs):
a) Validation of the certificates supporting the electronic signature;
   Note: This validation step should be extended to include the certificate chain, starting from the signatory's certificate up to a trusted (root) CA certificate.
b) Validation of the electronic signature.

Those services ((a) and (b) above) may rely on a Signature Policy that can be either explicit or implicit, be defined by the SVSP or the relying party using the SVSP services or jointly negotiated by the parties.

It should be noted that Signature Validation Service Provider (SVSP) providing the above services may also provide extended services that may optionally include but not be limited to the following additional services:
- Trusted Time services (e.g. Time-stamping services, Time-marking services);
- (Long term) Archiving of the signatures and/or signed documents;
- The extension of such signatures for preservation purposes;
- The maintenance of the signature/document formats;
- Any additional transactional service or delivery service related to the signed documents and signatures.

Qualified Signature Validation Assertion: means a Signature Validation Assertion that meets the requirements laid down in a specific annex/list, including the provision to end-users with specific guarantees with regard to the trustworthiness and legal reliability of the electronic signature, i.e. assessing the legal value of the signature and providing an acceptable liability model that allows the relying party to rely legally on this statement; such guarantees can rely on statements made on some technical or legal requirements and/or quality criteria on certificates and electronic signatures, and is provided by a Trust Service Provider who fulfils the requirements laid down in a specific annex/list and that in consequence would benefit from a legal certainty. This may involve all or a limited combination of rules described in more details in the EFVS study (21).

Time-Stamping Service Providers

Time-Stamping Service Provider: means a Trust Service Provider which issues Time-Stamp Tokens. This entity may also be referred to as a Time-Stamping Authority.

Time-Stamp Token: means a data object that binds a representation of a datum to a particular time, thus establishing evidence that the datum existed before that time.

Information Preservation Service Providers

Information Preservation Service Provider (IPSP): means a Trust Application Service Provider which provides trust services to which information, among which documents, is entrusted in an agreed form (digital or analog) for being securely kept in digital form for a period of time specified in the applicable agreement; this service is expected to be able to exhibit all preserved information at any moment during, or at the end of, the preservation period.
Note: Cfr ETSI TS 101 533.

Registered Electronic Delivery Service Providers

Registered Electronic Delivery: means enhanced form of data transmitted by electronic means (ex. e-mail, document, message) which provides evidence relating to the handling of the data including proof of submission and delivery.

Registered Electronic Delivery Service Provider: means a Trust Application Service Provider which provides Registered Electronic Delivery trust services.

Identity Attribute Assertion Service Providers

Identity Attribute Assertion Provider: means a Trust Service Provider that provides Identity Attribute Assertions.

Supervision of Service Providers

The concept of supervision of service providers issuing qualified certificates is an essential building block of the current Directive 1999/93/EC as it allows implementation of a trust model of those qualified electronic signatures benefiting of an automatic equivalence to hand written signatures as explained further in the legal section of the present document. However the implementation in practice of such a concept has led to several issues:
- the co-existence and differences between the interpretation of an 'appropriate system that allows for supervision' (as introduced by Art 3.3 of the Directive) and of 'voluntary accreditation' (as defined in Art. 2.13 of the Directive) are not always, if ever, understood clearly, even by those who are in charge of such systems;
- the terms and definitions used are often overlapping or conflicting with the terminology used in the audit and assessment world;
- the divergence of implementation in practice of the concept of "appropriate [...] supervision" by Member States has led to significant differences in the effective implementation of the controls underlying such a supervision, ranging from very basic controls up to formal certification.

The recent DigiNotar case has, if nothing else, shown that there is a clear need for sufficiently effective supervision, since security risks can have a very serious impact on the trustworthiness of CAs and on their economic utility.

Given the importance of supervision as a tool for establishing and maintaining trust in trust service providers, it is our strong belief that it is time to move towards a more structured and specified system for allowing effective, systematic, independent and documented supervision for obtaining evidence and evaluating such evidence objectively. It is proposed that such a more structured and specified supervision system should be introduced for qualified trust services, while similar systems may be kept voluntary for non-qualified trust services.

The present document recommends the system to rely on standardised conformance criteria against which the (qualified) trust services (shall) will be assessed (audited) and that the assessment of conformance of trust services and providers of related trust services to the standardised conformance criteria (including standard policies and practices) is performed by auditors against standardised conformance assessment processes. These auditors should be accredited as operating to standard audit practices (e.g. by a National Accreditation Body such as UKAS in UK, ENAC in Spain, DAkkS in Germany, NAT in Hungary, full list at http://www.european-accreditation.org/content/ea/members.htm, as those National Accreditation Bodies operate under common practices and have cross recognition through the European co-operation for Accreditation (EA) and all are members of the International Accreditation Forum (23)).

It is expected that the MS Supervisory Body (i.e. the Administration in charge of the supervision) could rely on such accredited auditors, internally or externally if lacking relevant competencies themselves, who will be assigned, under a selection process to be defined, with the mission of the effective audit of the qualified trust services (mandatory) or of a non-qualified trust services upon request by the TSP providing such services (voluntary).

23 The International Accreditation Forum, Inc. (IAF) is the world association of Conformance Assessment Accreditation Bodies and other bodies interested in conformance assessment in the fields of management systems, products, services, personnel and other similar programmes of conformance assessment. Its primary function is to develop a single worldwide program of conformance assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon.

[Figure 3: National Supervision scheme. Elements shown: Trusted List of supervised Trust Services; Supervisory Body (MS Administration in charge of supervision); National Accreditation Body; International Accreditation Forum (IAF); Evaluators / Accredited Auditors; Audit; Supervision (incl. Audit) status & conclusions; Trust Services from TSP.]

A possible supervision audit process flow is depicted in Figure 4 below and is based on the CROBIES study (24).

[Figure 4: Supervision audit process flow between the Trust Services from TSP, the MS Supervisory Body and the Accredited Auditors. Steps shown:
1. Notification / Request for Supervision on the basis of a self-declaration of conformance
1. Complaints or observation of non-conformity or regular or random control once supervised (audited)
2. Designation & Mission allocation
3. Designation acceptance / refusal
4. Audit
5. Audit report
6. Evaluation of report
7. Supervision conclusions (incl. Audit report) and Supervision status notified]

24 Study on Cross-Border Interoperability of eSignatures (CROBIES), A report to the European Commission from SEALED, time.lex and Siemens (Version 1.0, 2010); available at http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm.

Supervision based on a common set of conformance criteria established on a standardised basis (i.e. in the context of mandate M460), specified per type of qualified trust service and based on a standardised control process (i.e. based on well-established audit practices), together with the inclusion of qualified trust services in national Trusted Lists will ensure a more efficient and safer market than it is today.

[Figure 5: Trust Framework. Panels shown: Standardisation Framework (Conformance (Audit) Criteria declined per controlled activity, Conformance Assessment (Audit) Process, Policy & Security Requirements, Technical Specifications, Conformance Assessment Testing for Compliance & Interoperability); National Supervision scheme with Accreditation Model & Process Flow (as in Figures 3 and 4); Legal Framework (common section and specific sections per trust service).]

Trust Service Status Lists Service Providers

The following definitions are used:

Trust Service Status List: means a signed list presentation of the trust service status information on which interested parties may determine whether a trust service is or was operating under the approval of any recognized scheme at either the time the service was provided, or the time at which a transaction reliant on that service took place. This is the base concept from which Trusted List is a baseline profile applied to the context of Directive 1999/93/EC and CD 2009/767/EC amended by CD 2010/425/EU.

Trusted List: refers to a European Union Member State's "Supervision/Accreditation Trust Service Status List of certification services from Certification Service Providers, which are supervised / accredited by the referenced Member State for compliance with the relevant provisions laid down in Directive 1999/93/EC".
Note: Based on CD 2009/767/EC amended by 2010/425/EU.

Trust Service Status List Provider: means a Trust Service Provider issuing a Trust Service Status List.

2.2 Putting the basic definitions in a services perspective

In this Study, the relationships and interactions between Electronic Identification, Authentication and Signature are initially considered from the basic isolated service perspectives. Subsequently we consider them from their overlaps.

Perspective 1 - Electronic Identification

We consider Electronic Identification the family of Use Cases for an identifiable entity (Modinis term) that address the lifecycle of collection of attributes, establishment, activation, modification, archival. We consider Electronic Identification as distinct from Electronic Authentication. With regard to Electronic Identification, we distinguish between Electronic Identity Establishment, and Electronic Identity Use:

Electronic Identity Establishment is addressed by an enrolment process that:
- Captures the selected identity attributes. This may include biometric attributes. Such attributes should be derived from an authentic source.
- Relates those attributes to a primary key (electronic identity primary key, i.e. an identifier consisting in itself a Unique Identity) for later retrieval. There is typically a repository or database that may be centralised or decentralised in nature.
- May include:
  - Corroboration of different information sources as to confirm the identity that is to be established;
  - The allocation of identity attribute assertions and related authentication devices (e.g. an identity card, a social services card, userid and password or a token) for use in subsequent authentication.

Electronic Identity Use contains a wide range of possible Use Cases where the electronic identity primary key (i.e. a Unique Identity), the related identity attributes, or additional information linked to the above are used. This includes 1:N identification as in the context of law enforcement or border control.

Both establishment and use should take into consideration respect for privacy and consent. Consent of the identifiable entity may be present or absent, depending on the Use Case. It can be assumed to be present when e.g. enrolling for and collecting an employee identification badge. It may be absent when using the identity attributes of a drunk driver who tried to escape from the accident he caused.

Typical use cases include:
- Selection of beneficiaries (address, family status, age, etc) for e.g. a governmental benefit;
- Studies and evaluations for diverse purposes (public health, marketing campaigns, spam, ...);
- Member recruitment;
- HR processing;
- Identification of citizens, migrants, and asylum seekers;
- Identification of criminals;
- Identity profiling.

For a comprehensive list of sources of identity Use Cases, refer e.g. to the appendices.

When considering an identification scheme where all desired properties of ideal identity management are met such as uniqueness of an entity, persistency of identities, minimal disclosure of identity attributes, full user control, anonymity, data privacy, etc., one can consider and model as follows the way of addressing the basic identity building blocks and related services defined in the previous section.

Every person is unique in the World. The same uniqueness principle may apply whether dealing with natural or legal persons (including public sector bodies). This might be also applicable for a wide set of other types of entities or information systems when suitable and applicable.

Uniqueness of natural persons is characterised by biometrical properties such as DNA, fingerprint, retina and many others or when ultimately required through a combination of such means. Unfortunately today none of them is perfect with current state-of-the-art technology. In the ideal world there would be a technology providing some inimitable unique identity (IUI) (25) to every natural person and have as properties to be:
- a Unique Identity of the entity it is related to;
- 100% unique to that entity;
- derived from biometric properties with 100% reliability for a lifetime;
- be as short as possible.

The same concept of IUI with such properties would be also somehow easier to be established for legal persons through a universal unique identification scheme while it may be that finding an agreement on such a scheme would take a long time and efforts (26).

However the current state-of-the-art can certainly rely on the concept of Unique Identity (27) as defined in the previous section while trying to evolve towards Inimitable Unique Identity in the future, to allow derivation of such UI (or IUI) through one-way function resulting in a reasonably short and meaningless, hence anonymous and privacy enabling, string of bits, namely the Unique Identity Derivation (a special type of electronic identity primary key as named above, i.e. a special unique identifier consisting in itself a Unique Identity of the entity it is related to).

A certain degree of control, probably a full control, is desired by the person in question (or its authorised representatives) on such UI (or IUI) derivation process as the result will still consist in unique identities but of the type that can be more easily manageable and ensuring some anonymity to the entity it represents. Such derivation process could then be performed by the person itself or some entity the person trusts or needs to prove his identity (UI or IUI).

Identity Attribute Assertion Providers (that may also be called Attribute Authorities in short) are Trust Service Providers that are trusted to provide Identity Attribute Assertions to entities, i.e. to assign identity attributes to persons (identified through their unique identities, UIs, or IUI, or derivations of such UIs or derivations of their IUI) in forms of assertions which bind the UI Derivation to a specific attribute with a certain degree of security, quality and assurance (e.g. integrity of the assertion, trustworthiness and authenticity of the Identity Assertion Service Provider, reliability of the assertion content and assignment process). This degree would ideally be 100% in the context of an official Governmental identification scheme but may vary between different levels in more relaxed market or business or social application domains.

25 This concept is based on work and discussions with Tarvi Martens, Director of SK, Estonia, while slightly rationalised and generalised for application to a wider set of market, business, or social network implementations than the sole "official" governmental eID schemes.
26 Initial work has been done in this area in the context of CEN CWA 16036: Cyber-Identity - Unique Identification Systems For Organizations and Parts Thereof, November 2009.
27 i.e. a collection of an entity's identity attributes that uniquely represents that entity.

In practical terms such identity attribute assertions are electronically signed by the issuing Identity Attribute Assertion Provider. Such electronic signatures will naturally include expression of commitment related to the guarantee given by the IAAP on the level of assurance to be given to the assertion. Different levels of granularity may also be implemented ranging from assertions binding only one identity attribute to a UI (or IUI) Derivation to assertions binding two or more attributes to the same UI (or IUI) Derivation.

A related feature of an ideal IAS system would be to allow the person (i.e. identified by the UI or IUI or a Derivation) to be in full control of its identity attributes and related assertions. In some cases attribute assignment may be carried out with the request of an authorised representatives (e.g. parents with regards to a child, legal representative with regards to a legal person), or by IAAP acting solely but with the consent of the person (e.g. citizenship, academic degree, professional qualification, medical status) but in all cases the person should have (sole) control on the usage of its attributes.

IAAP should follow the following rules and be accordingly supervised or controlled depending on the type and nature of the service (e.g. mandatory supervision for qualified service, industry certification or labelling for other market services):
- being obliged to keep attribute history,
- give out assertions (included historical) in real-time (to third parties) only with Permission of the identified person.

In other words a person may but would never be obliged to carry or save his/her assertions. These may be reliably stored in IAAP systems and released to 3rd parties only when UI (or IUI) Derivation owner agrees.
In some cases, the person might want some attribute (such as Public Key) to be available to anyone without Permission.

Anonymity and privacy can be achieved by generating as many derived UI (or IUI) Derivations, being anonymous in essence. A person could have multiple UI Derivations but still based on one of its UIs (or its IUI). The UI Derivation owner, i.e. the person to who it relates, is the only one who can prove if necessary (issuing IAAP, when such a Trust Service Provider is used, holds the secret by definition) that his/her UI (or IUI) is related to the UI (or IUI) Derivation. A person is free to choose whether other IAAP's are issuing assertions to his/her real UI or to some of his/her UI Derivation.

The concept, not new in essence, based on a rationalisation of the use of unique identifiers, is however simple and powerful enough to build sound basic building blocks when defining a common basis for a consistent IAS policy.

A Public Key (or more widely Signature Verification Data) is a special identity attribute that can be asserted to UI (or IUI) Derivations by special IAAP's, the so-called Trust Service Providers issuing Digital Certificates. Like any other assertion it does not need to contain any additional data. A person can be asserted with multiple Public Keys with multiple assertions, in this case Public Keys are practically named in distinguished manner (e.g. as Public Key for Qualified Signature, etc.). The person has of course a sole control over Private Key(s) (Signature Creation data) associated with corresponding Public Key(s) (Signature Verification Data) and this is part of the assertion commitment given by the TSP issuing certificates when electronically signing the assertion(s).

Permissions for releasing individual assertions from IAAP's are created with Private Key(s) (Signature Creation Data). For example, if the person wants his/her Surname to be released to some 3rd_party then he/she uses a Private Key to sign Permission in form of P [ My_UIDerivation, Surname, 3rd_person_UIDerivation, timeframe, IAAP_UIDerivation ]. This Permission can be used by the identified 3rd_person to request and get access to person's surname by contacting the appropriate IAAP (IAAP_UIDerivation) in specified timeframe. The Permission can also specify historical time e.g. what my surname was 10 years ago. Integrity and authenticity of the Permission can be verified using privately known or publicly available assertion of UIDerivation and Public Key from the issuing Trust Service Provider.

Such identity attribute assertions and the above explained mechanism can be advantageously used to build up simple but efficient, privacy enabled and powerful schemes for implementing mandates, authorisation, delegation of powers (and signatures) allowing decentralised models and empowering existing authentic sources to implement such models on the basis of mere electronic signatures.
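
The UI Derivation and signed Permission mechanism described above, sketched as an added example that is not part of the study. It assumes HMAC-SHA256 as the one-way derivation function and a Lamport one-time signature (swapped in so the code needs only the Python standard library) where a deployment would use the signature algorithm bound to the person's certificate; the field names, the `IAAP` class and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


def derive_ui(unique_identity: str, owner_secret: bytes, context: str) -> str:
    """One-way UI Derivation (assumed: HMAC-SHA256). Only the holder of
    owner_secret can recompute it and so prove the link to the real UI."""
    msg = f"{context}|{unique_identity}".encode()
    return hmac.new(owner_secret, msg, hashlib.sha256).hexdigest()


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Return (private, public). A Lamport private key must sign ONE message only."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, message: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(message)):
        ok &= hmac.compare_digest(_h(signature[i]), pk[i][bit])
    return ok


def encode_permission(p: dict) -> bytes:
    """Canonical byte encoding so signer and verifier hash identical input."""
    return json.dumps(p, sort_keys=True, separators=(",", ":")).encode()


def make_permission(owner, attribute, recipient, not_before, not_after, iaap):
    """P[My_UIDerivation, attribute, 3rd_person_UIDerivation, timeframe, IAAP_UIDerivation]"""
    return {"owner": owner, "attribute": attribute, "recipient": recipient,
            "not_before": not_before.isoformat(),
            "not_after": not_after.isoformat(), "iaap": iaap}


class IAAP:
    """Hypothetical Identity Attribute Assertion Provider holding attributes."""

    def __init__(self, ui_derivation: str):
        self.ui = ui_derivation
        self.attributes = {}   # (owner derivation, attribute name) -> value
        self.public_keys = {}  # owner derivation -> asserted public key

    def release(self, permission: dict, signature, requester: str, now: datetime):
        """requester is assumed to be the already-authenticated UI Derivation
        of the calling party. Nothing in the Permission is trusted before the
        signature over the whole structure has verified."""
        pk = self.public_keys.get(permission.get("owner"))
        if pk is None or not lamport_verify(pk, encode_permission(permission), signature):
            raise PermissionError("signature does not verify for this owner")
        if permission["iaap"] != self.ui:
            raise PermissionError("Permission is addressed to another IAAP")
        if permission["recipient"] != requester:
            raise PermissionError("requester is not the named third party")
        start = datetime.fromisoformat(permission["not_before"])
        end = datetime.fromisoformat(permission["not_after"])
        if not start <= now <= end:
            raise PermissionError("outside the permitted timeframe")
        key = (permission["owner"], permission["attribute"])
        if key not in self.attributes:
            raise PermissionError("no such attribute held for this owner")
        return self.attributes[key]


def build_demo():
    """Constructed sample data: one person, one IAAP, one third party."""
    secret = secrets.token_bytes(32)
    owner = derive_ui("UI-constructed-0001", secret, "iaap-a")
    iaap = IAAP("iaap-a-derivation")
    sk, pk = lamport_keygen()
    iaap.public_keys[owner] = pk
    iaap.attributes[(owner, "Surname")] = "Example"
    perm = make_permission(owner, "Surname", "third-party-derivation",
                           datetime(2024, 1, 1, tzinfo=timezone.utc),
                           datetime(2024, 1, 31, tzinfo=timezone.utc), iaap.ui)
    sig = lamport_sign(sk, encode_permission(perm))
    return iaap, perm, sig, secret, owner
```

Because the signature covers every field, changing the attribute name, the recipient or the timeframe after signing invalidates the Permission, and a second derivation under a different context string cannot be linked to the first without the owner's secret.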
Two (or even more) models may coexist, namely on the one side, an "official governmental based eID" model in which the IUI is established on a close to 100% certainty (or to the highest possible level) and a governmental eID authentication device and/or set of identity attribute assertions are delivered to citizen by an official IAAP allowing its owner to sign or authenticate him/herself with a maximal level of assurance for him/herself and relying parties, and on the other side, one or more "business application domain" driven model relying either on an UI Derivation of an officially established IUI or from an UI that is established on ad hoc basis with a certain level of assurance to build a "business application domain" electronic ID model, i.e. a device and/or set of identity attribute assertions that are delivered to the business application domain participants by a business entity acting as an IAAP. This can range from current low level assurance identity based models on today's social networks, to models reaching banking sector quality requirements for securing eBanking applications.

These models can certainly coexist and also leverage one on the other (provided that it is the one with a lower level of assurance that can leverage the one having a higher level and that levels of the services or their components can be compared) and benefit from the same IAS policy model and being regulated accordingly when this is required and to the extent it is needed. Today some national eID models are evolving in that direction (e.g. German eID scheme). However the quality of enrolment and the quality of authentication are equally to be considered.

Perspective 2 - Entity Authentication

Entity authentication is the process of establishing an acceptable level of assurance that a claimed identity is genuine. In the context of identity claims, it is common to refer to the parties as Claimant and Verifier. The Claimant is claiming the identity, typically using some form of identity attribute assertion. The Verifier is verifying the claim. They may call upon a third party services such as an IdP (identity Provider) during the protocol.

Identity Attribute Assertions may be based on something the claimant knows (a password or PIN), has (an identity authentication device), and is (static biometrics such as facial image, fingerprints, iris). More recently dynamic biometrics are being considered, such as gait (the patterns of movements of e.g. limbs).

The authentication may be mutual, where each party authenticates against the other. De facto this is done with protocols such as TLS/SSL. Multiparty arrangements are possible, where more than two parties are involved.

Obviously there exist scenarios where privacy needs to be preserved or enhanced. This is where we situate PETs (Privacy Enhancing Techniques). Such privacy may need to be guaranteed absolutely, or it may be conditional. In the latter case it may be revoked when certain conditions are met/unmet.
Typical Use Cases include:
- Demonstration of holding a credential for being eligible for benefits (address, family status, age, etc) by the claimant;
- Logon to an electronic Service Provider or eGovernment service;
- Managing the domotic services of your house;
- Internet buying;
- Internet selling (including reputation management aspects);
- Listening to streaming music through a paying subscription;
- Border control;
- Voting;
- Checking mail and voice-mail.

Taking privacy-preservation into consideration is possible in each of these Use Cases. If privacy-preservation would be part of the Use Case from one viewpoint, there might be complementary viewpoints that mandate privacy revocation. Consider computer-related crime in general, and in particular identity impersonation, money laundering, paedophilic activities, cyber attacks, virus spreading or terrorist financing.

Perspective 3 - Signature creation

When a Signer signs, he performs a number of steps that create a signature which serves to authenticate the data to be signed and associates to it the expression of a consent or commitment to the signed data.

The first obvious use case for electronic signatures is to mimic the hand written signatures and hence the consent or commitment and aim of the signer may be that the electronic signature is meant and recognised as equivalent to a handwritten signature with a legal binding of the signer to the signed data.

Besides such an expected legal effect and scope of the signature, different natures or types of commitments may be associated to the signed data with or without the expression of a desired legal effect. This can range from positive or negative assertions or even mixing them to express more complex natures of the consent of signer to a signed data or document. This typically includes:
- Approval of the content and meaning of the signed data or document,
- Being the originator of the signed data or document,
- Signature is meant to authenticate the signer as originator and ensure the integrity of the data (with or without any other legal binding to the content of the signed data),
- Review and approval in a specific approval flow context,
- Signature of a contract,
- Signature of an official act,
- Signature with the aim of witnessing a data or an event or a document (e.g. being an agreement between two or more other parties),
- etc.
Typical use cases include the signing of an electronic document (XML, PDF, MS-Word, ...) in different application contexts in whatever type of electronically processed communication or transaction (e.g. eBusiness, eBanking, eGovernment, eProcurement, eVAT, eGuichet, eProcedures, eHealth, eJustice, etc).

More often in electronic business processes, a single business process involves more than one but a combination of electronic signatures logically ordered the one to the other, in terms of timing and sequencing but also in terms of consent and commitments. The nature of the consent may then be much more complex.

As shown in the above described identification perspective, electronic signatures are intrinsically built on identification and authentication building blocks and services. Electronic signature can serve to secure and implement identity attribute assertions ranging from the assignment of "classic" identity attributes, digital certificates, mandates, authorisations, time related assertion (e.g. time-stamping), etc. but also be used as an authentication device on the basis of which the signatory's claimed identity can be corroborated by a verifier or relying party.

Perspective 4 - Signature validation

Signature verification consists in the simple principle of verifying an electronic signature through the use of privately or publicly available signature verification data known with a certain level of assurance to be associated to an identified entity who is in possession of the corresponding signature creation data used to generate the electronic signature to be verified.

This process may prove to be a quite complex process on a technical basis depending on the technology being used for which each component or service supporting such a verification process must be adequately verified according to a certain set of rules or policies the verifier will rely on to be convinced that the electronic signature can be considered valid to a certain level of assurance.
The main difficulty in this process, besides the complexity inherent to the technology being used and its inherent interoperability issues [28], lies in the adequacy and consistency between the different assurance levels having been defined or not to qualify each and every component building block or services that supports the signature verification. This covers notably the quality, security or assurance level of the signature creation device, the digital certificate of the signer, the practices used by the issuing TSP to register the certificate subscriber, to issue the certificate and to maintain and provide information about its validity status, the integrity and authenticity of the underlying identity attribute assertions whether related to the signatory itself or to the issuing IAAP or to any Trust Service Provider used in the signature creation or validation process (e.g. Signature Generation Service Provider, Signature Validation Service Provider).

[28] To this extent a specific Specialist Task Force (STF) and associated efforts are currently deployed to fixing the specifications of signature validation procedures (See STF 427 QF3 aspects on the ETSI ESI STF 427 homepage (http://portal.etsi.org/stfs/stf_homepages/stf427/stf427.asp). The fact that this type of efforts are still being needed for a quite mature 30 years old technology is quite revealing of the inherent complexity of such a process.

So far no consistent model for establishing the level of assurance has been consolidated for the whole picture of such components underlying the signature creation and validation process. However some promising 4-level based schemes are emerging either from the Kantara or the STORK initiatives; even if they are limited somehow to the I and A aspects of an IAS model, it is worth to consider to establish and leverage on these models to build a pragmatic 4-level based Assurance Model for an IAS policy.

2.3 Interim Observations

Using the concepts outlined in the paragraphs above, following observations can be made:

Overlap is present in practice

As illustrated in the preceding sections, in many Use Cases, the usage of I, A and S overlaps significantly both from a conceptual and a practical perspective.

Solutions are in place but still lack interoperability

Large-scale identity and authentication systems have been built and are deployed, but today remain locked into their silos. They include aspects of signatures as well. This is e.g. illustrated by:
- ICAO MRTD/PKD, arguably the largest identity and authentication system (or rather "system of systems") worldwide, but based on its own standards such as ICAO 9303 (globally based on PKI);
- SIM (Subscriber Identity Module) cards for mobile phones, with more than two billion cards in use worldwide probably the largest de-facto identity standard;
- The worldwide SWIFT system for global funds transfer is secured by PKI;
- The network of suppliers in the Defence industry based its security on PKI (TSCP - Transglobal Secure Collaboration Platform);
- The EU Digital Tachograph system, with its EU-wide PKI (ERCA - European Root Certification Authority) and various cards, including driver identification cards.

Existing identity solutions are already widely diverging, as illustrated e.g. by the differences between the Belgian eID and the German ePA:
- The Belgian eID allows anybody who is physically in possession of the card to read the data on the card (obviously only the designated government entity can update the information);
- The German ePA only allows reading by authorised terminals, and for authorised purposes, and it generates different pseudonyms for different Use Cases to protect the privacy of its holder or allows revealing information on a need to know basis.

Interoperability is not supported except on pilot level

As demonstrated by the CIP-IST-Large Scale Pilot STORK [29], the definition of interoperability requirements is difficult but not impossible. STORK defines how a solution on cross-border level can make national eIDs interoperable without changing their systems and interfering on infrastructures. Some efforts are still needed to ensure the sustainability of its results.

When a large scale EU or global enterprise wants to manage the IAS aspects of employees, contractors and partners, it faces a highly diversified landscape in both legal and technical terms. This is highly inefficient and costly.

Social network solutions might fill voids and become de-facto standards

In the real world we observe Use Cases where e.g. a mobile phone number and the bill from the mobile operator are used to identify and authenticate a person when applying for a bank loan. Such Use Case is legally not regulated today, but fills a clear void. If e.g. Facebook or Google-based identities become widespread, they might fill this gap. Once such identities would be in use, they might set the de-facto standard, making regulation even harder.

Privacy preservation is mostly lacking in the current approach

Current solutions such as the above are not or rarely based on systems that take into account requirements for privacy preservation, minimum disclosure or consent.
A consistent set of basic definitions and concepts is required as a common basis for building a consistent and sound IAS policy

Current definitions, concepts and languages are often defined and understood differently between those legal, technical and trust worlds. We have started this study by establishing a first draft rationalisation of commonly adopted definitions while simplifying the picture in essence.

The proposed concepts, definitions and related building blocks and services are aimed to support the implementation of an ideal world of electronic identity, authentication and signatures where all desired properties such as uniqueness of entities, persistency of identities, privacy, minimal disclosure of attributes, highest level of adequacy between the expected and experienced level of assurance when validating identities and electronic signatures, full user control, anonymity, etc. Today's situation still differs from such an ideal world but it is believed that this is still realistically achievable with the current state-of-the art and future trends and emerging technologies (one of the objectives of Phase 2 is to assess such a fact).

[29] Secure identity across borders linked - www.eid-stork.eu.

3. Policy needs for IAS in the Digital Single Market

3.1 How do IAS services fit in the Digital Single Market?

Until recently, the role of IAS as a whole (covering electronic identification, authentication and signature services) has only been dealt with in a piecemeal fashion in European regulations. The main regulatory intervention has been the eSignatures Directive, which aimed to support the internal market for certification services, with a strong emphasis on eSignature services. Since the adoption of the Directive in 1999, several other legal instruments have referenced the eSignatures concepts established by the Directive (including e.g. the Sixth VAT Directive and the Public Procurement Directives), whereas identification and authentication have not been directly addressed.

It is however interesting to note that the 2007 Payment Services Directive (PSD) provides a definition of the concept of authentication, stating that "authentication" means a procedure which allows the payment service provider to verify the use of a specific payment instrument, including its personalised security features. [30] This definition of course uniquely targets the PSD context, meaning that it has a limited impact on other European policy areas.

However, policy focus on the importance of IAS services in the internal market has increased with the adoption of the Digital Agenda. The Digital Agenda was published as a Communication of the European Commission in 2010, [31] and contains the common European strategy for creating a flourishing digital economy by 2020. It outlines a number of policies and actions that support this objective, grouped around various action areas. For the purposes of this report, the most relevant action area relates to improving trust and security.
The Digital Agenda positions eSignatures in the broader context of trust and security challenges in the information society, which include such topics as misappropriation of identity, fraud, cyber crime, data protection, privacy-by-design, and critical information infrastructure protection. ESignatures (and electronic identities) can be considered as mechanisms that can contribute to building viable solutions on each of these points. The Agenda correctly stresses the necessity of ensuring the trustworthiness of technology as a prerequisite to its use in practice.

[30] Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market, art. 4,19.; see http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=oj:l:2007:319:0001:01:en:html

[31] Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A Digital Agenda for Europe 26.8.2010; COM(2010) 245 final/2.

Recognizing that the Directive has not been entirely successful in meeting its stated purpose of "facilitat[ing] the use of electronic signatures and contribut[ing] to their legal recognition" (article 1 of the Directive), the Digital Agenda proposes a revision of the eSignatures Directive, with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems.

It is worth noting the phrasing of the proposed action set out in the Agenda: the revision should result in a legal framework for secure eAuthentication systems. The Commission might have also simply called for a revision focusing on secure electronic signatures. The broader terminology used in the Digital Agenda could be taken to suggest that electronic authentication services in a broader sense are now contemplated as an area where regulation might be beneficial and justified.

The specific challenges relating to electronic identification undoubtedly play a role in this particular phrasing. Indeed, the Agenda contains a further related action, namely to propose by 2012 a Council and Parliament Decision to ensure mutual recognition of e-identification and e-authentication across the EU based on online authentication services to be offered in all Member States (which may use the most appropriate official citizen documents issued by the public or the private sector).

This action could be used to address one of the current challenges in relation to electronic identification: while innovative EU projects (such as the large scale pilot STORK [32]) have developed functioning technical solutions to eID challenges, there is currently no broader legal or policy framework to move these pilots into operational solutions for the general public.
The inclusion of this action in the Digital Agenda suggests that a Commission Decision could clarify this point, by ensuring at a minimum that Member States have a list of electronic identification methods from other Member States that they agree to treat as equivalent. Thus, the Agenda seems to have a strategy to improve the trustworthiness of eAuthentication systems, albeit without specifying at this stage exactly what those systems might entail.

While this summary focuses on the trust and security aspects of the Digital Agenda, it should be recognized that the Agenda takes a much broader perspective, and correctly notes that the EU has in many respects failed to bring about a true Digital Single Market, in which on-line service borders are eliminated (or at least reduced) in the same way as for the offline single market.

[32] https://www.eid-stork.eu/.

Specifically, the Agenda notes that:

"[t]he internet is borderless, but online markets, both globally and in the EU, are still separated by multiple barriers affecting not only access to pan-European telecom services but also to what should be global internet services and content. This is untenable. First, the creation of attractive online content and services and its free circulation inside the EU and across its borders are fundamental to stimulate the virtuous cycle of demand. However, persistent fragmentation is stifling Europe's competitiveness in the digital economy. It is therefore not surprising that the EU is falling behind in markets such as media services, both in terms of what consumers can access, and in terms of business models that can create jobs in Europe. Most of the recent successful internet businesses (such as Google, eBay, Amazon and Facebook) originate outside of Europe. Second, despite the body of key single market legislation on eCommerce, eInvoicing and eSignatures, transactions in the digital environment are still too complex, with inconsistent implementation of the rules across Member States. Third, consumers and businesses are still faced with considerable uncertainty about their rights and legal protection when doing business on line. Fourth, Europe is far from having a single market for telecom services. The single market therefore needs a fundamental update to bring it into the internet era."

These observations can also be applied to eAuthentication services in general.

The recent Public consultation on electronic identification, authentication and signatures [33] has provided some support of the Digital Agenda's statements from the perspective of others with an interest or concern in the matter, asking among other points which trust building services and credentials should be considered for regulation at the European level in order to ensure their cross-border use.
The 418 respondents to the question provided the following replies:

For which of the following trust building services and credentials should legal or regulatory measures be considered at EU-level in order to ensure their cross-border use?

| Trust building service / credential | Number of replies | % of total number of replies to this question |
|---|---|---|
| Certified electronic documents in general | 270 | 64,59% |
| Electronic seals | 216 | 51,67% |
| Time stamping | 219 | 52,39% |
| Certified delivery of mail | 195 | 46,65% |
| Authorisations/mandates | 194 | 46,41% |
| Long term archiving | 191 | 45,69% |
| Electronic transferable records | 136 | 32,54% |
| Official delivery address | 119 | 28,47% |
| Others (please list) | 68 | 16,27% |
| Pseudonyms | 67 | 16,03% |
| Anonymous agents | 47 | 11,24% |
| None | 26 | 6,22% |

Thus, only 6,22% felt that no further trust services required any regulation. Respondents who chose this answer and provided additional comments frequently stated that regulations were unnecessary or too rigid, and that standardization, accreditation schemes and private sector initiatives would be adequate to address cross border challenges.

Among those who felt that new regulations could be valuable, certified electronic documents in general (without further definition in the consultation) were the main service type chosen for further regulation (64,59% of respondents), with electronic seals and time stamping each also being mentioned by more than half of respondents.

[33] For an overview of the consultation's questions, approach, and all received contributions, see http://ec.europa.eu/information_society/policy/esignature/eu_legislation/revision/pub_cons/index_en.htm.

The fifth section of the consultation recalled the "Digital Agenda for Europe" communication in which the Commission has proposed two key actions directed at the creation of a well functioning digital single market with a view to eliminate the current barriers to the use of e-signatures, e-identification and e-authentication across Europe. Specifically, key action 3 of the Digital Agenda focuses on the revision of the eSignatures Directive, whereas key action 16 targets a Council and Parliament Decision to ensure the mutual recognition of e-identification and e-authentication across the EU based on online 'authentication services' to be offered in all Member States.

In this context the respondents were asked what European Union legislative measures on e-signatures, e-authentication of natural and legal person claims as well as e-identification would be appropriate to best meet the challenges of the digital single market.

The responses received on the nature of necessary legal measures on e-signatures, e-identification and e-authentication show no clear indication.

[Pie chart] Q23: What EU legislative measures on eID, e-sig, e-auth. would be appropriate? (exclusive answers)
- Ambiguous answer: 3 (0,7%)
- Don't know: 35 (8,4%)
- No EU legislation is needed: 23 (5,5%)
- No answer: 48 (11,5%)
- ONLY Revise the existing legal framework embracing all requirements relating to e-signatures, e-identification and e-authentication and related issues: 109 (26,1%)
- Other: 15 (3,6%)
- BOTH Revise the existing legal framework embracing all requi... AND (Focus on light and limited measures to fac... OR Opt for different measures to allow for...): 94 (22,5%)
- ONLY Focus on light and limited measures to facilitate faster decision and implementation OR Opt for different measures to allow for distinct focus, progress and speed of adoption: 90 (21,6%)

The main observation is that only 5,5% of the respondents feel that no legislation is needed, whereas the largest group of 26,1% considers a comprehensive legal framework to be most appropriate. 21,6% are in favour of lighter and more limited measures to facilitate faster adoption and implementation or preferred more specific targeted measures. 22,5% prefer at the same time a comprehensive approach but achieved by light or different means.

Although 48,6% of respondents prefer a revised legal framework embracing all requirements relating to e-signatures, e-identification and e-authentication and related issues, the answers do not allow however to find out if a majority prefers a set of measures or an all-encompassing measure.

The pie chart above shows the answers of the respondents in a re-processed manner, where respondents could choose multiple answers to the following six options: "Revise the existing legal framework embracing all requirements relating to e-signatures, e-identification and e-authentication and related issues / Opt for different measures to allow for distinct focus, progress and speed of adoption / Focus on light and limited measures to facilitate faster decision and implementation / No EU legislation is needed / I don't know / Other".

Thus, it would appear that both the Commission and market players are aware of the importance of IAS services as a tool for enhancing trust and security in the Digital Single Market.

3.2 Needs for a functioning IAS internal market

If IAS services are indeed to play a role as trust/security enablers in the Digital Single Market as foreseen in the Digital Agenda, then a European policy framework is required that ensures that these services are understood and perceived as sufficiently trustworthy themselves. This implies a common understanding on a number of key elements to be addressed by a comprehensive IAS approach, specifically:
- An unambiguous understanding of IAS services and ancillary services, including definitions of these services and an overview of how they relate. At present, only eSignatures have a common definition at the European level, and (as will be examined below), even on this topic some ambiguity remains.
- The policy goals that an IAS approach should cover, including such aspects as the enabling of the internal market, technological neutrality and legal reliability. These goals are currently dictated by the provisions of the Digital Agenda.
- The legal translation of these policy goals and requirements, stipulating the goal of the regulatory text, definitions of basic concepts, provisions on general obligations for trust service providers, data protection, liability, internal market rules, legal effect of services, any supervision/accreditation mechanisms, etc. A basis for this already exists via the eSignatures Directive. In the section below, we will examine to what extent the eSignatures Directive is adequate to address IAS challenges.
- The trust framework needed to support a comprehensive IAS approach. With respect to eSignatures, this has been implemented primarily through supervisory/accreditation mechanisms. However, these only relate to eSignatures, and not to identification or authentication services in general. A similar basis for common trust in the EU would appear to be required for IAS in general.
- The technical framework required to enable the comprehensive IAS approach, including standardisation needs. Again, much work has already been done at the European level with respect to eSignatures, but this is not the case for IAS services in general.

A common thread in this overview is the fact that these needs have been covered to a significant extent in the EU with respect to eSignatures, but not with respect to any other types of IAS services. It would seem that this is a gap that would need to be addressed in order to achieve the goals of the Digital Agenda.

3.3 The international dimension: needs and challenges

The summary of policy goals above focuses very strongly on the European Digital Single Market. However, IAS services do not, or at least should not, operate in European isolation. Markets are international, and any IAS policy approach adopted at the European level needs to recognize the importance of being able to align with international initiatives and good practices. This is crucial to avoid European IAS service providers becoming isolated from international markets.

Indeed, the Digital Agenda recognizes the importance of its international dimension in a separate chapter:

"2.8. International aspects of the Digital Agenda
The European Digital Agenda aims to make Europe a powerhouse of smart, sustainable and inclusive growth on the global stage. The seven pillars in the Digital Agenda all have international dimensions. The Digital Single Market in particular needs an external face because progress on many of the policy issues can only be made on an international level. Interoperability and standards recognised at the world scale can help promote more rapid innovation by lowering the risks and costs of new technologies. [...] Thus an international dimension of the Digital Agenda in order to complete the actions above is crucial [...]."

This emphasis on the international dimension was also echoed in the aforementioned public consultation. As indicated in the summary [34], many responses made reference to the importance of international standardization, if possible supported through international agreements to use the same standards in international transactions. European standards should be promoted at the international level to support this process.

This same observation was also made with respect to the information security and data protection aspects of eID, eSignatures and eAuthentication: while European collaboration and harmonization is beneficial and should be continued as a priority, a truly international framework would eventually need to emerge to address the challenges of the international economy. Several respondents however also warned against attempts to unilaterally impose European perceptions or solutions, as this could have an adverse impact on international trade.

Thus, it is clear that any European IAS policy framework should be conceptually able to integrate seamlessly with international developments, in order to support not only the internal market, but also international markets.

[34] European Commission, Information Society and Media Directorate-General, Public consultation on electronic identification, authentication and signatures in the European digital single market - Overview of responses, Brussels, 12.8.2011, http://ec.europa.eu/information_society/policy/esignature/docs/pub_cons/consultation_summary.pdf, p. 30.

4. Review of past IAS policy: scope, impact and challenges

4.1 Analysis of the impact of EU policy on IAS: how (in)complete is the picture?

The primary EU instrument in the IAS domain thus far is undoubtedly Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (the eSignatures Directive). This Directive states its purpose in article 2: it aims to facilitate the use of electronic signatures and to contribute to their legal recognition. It establishes a legal framework for electronic signatures and certain certification-services in order to ensure the proper functioning of the internal market.

The Directive aimed to ensure that legal uncertainties surrounding the value of eSignatures would not become a barrier to the budding eSignatures market in the European Union, or perhaps more accurately, that such uncertainties could reasonably be kept to a minimum. The elimination of any kind of legal uncertainty was (and remains) a practical impossibility, due to the large variety of approaches to eSignatures and their technical characteristics.

The European law maker had to tread a fine line between flexibility (allowing different technologies with different degrees of reliability) and legal certainty (ensuring the predictability of the legal value of at least some types of eSignature). This resulted in the compromise that is now relatively well known.

Conceptually, the Directive creates two fundamental eSignature types, on the basis of which a third type can be built:

1. The basic e-signature concept, i.e. data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;

2. The advanced e-signature concept, i.e. an electronic signature which:
   (a) is uniquely linked to the signatory;
   (b) is capable of identifying the signatory;
   (c) is created using means that the signatory can maintain under his sole control; and
   (d) is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
   In practical terms, the advanced e-signature definition is technologically neutral. However, in the current state of the art it is only implemented through the use of cryptographic technologies.

3. The advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device, commonly referred to as qualified electronic signatures. This is also the terminology that will be used in this article.

When considering legal certainty however, the Directive contains only two tiers:

1. All eSignatures benefit from a non-discrimination rule (article 5.2), meaning broadly that their legal effectiveness and admissibility as evidence in legal proceedings cannot be denied merely on the grounds of being electronic or of not complying with one of the requirements for qualified signatures. Of course, this does not eliminate the possibility of eSignatures being rejected for any number of other reasons, including for instance the use of insufficiently reliable technologies, taking into account all circumstances which are relevant to the case (e.g. the behaviour of the parties after an e-signature has been created).

2. Only qualified signatures benefit from the presumption of equivalence rule (article 5.1), meaning that these signatures are automatically considered to satisfy the legal requirements of a signature in the same manner as a hand written signature, and that they are always admissible as evidence in legal proceedings.

In effect, the system of legal certainty in the Directive is remarkably binary: qualified signatures are endowed with apparent legal certainty, and other types of eSignatures are not. This situation can be affected substantially by additional rules, such as by specific laws declaring other forms of e-signature to also be equivalent to hand written signatures, or more typically by contractual arrangements in which the relevant parties make separate arrangements on the legal validity and admissibility of eSignatures in advance.
The cnceptual framewrk in Eurpean e-signature laws is thus very much centered arund esignatures as a tl fr emulating hand written signatures. While the market access and internal market rules (articles 3 and 4 f the Directive) apply t all types f certificatin service prviders and certificatin services, the nly prvisin in the Directive that gverns the legal effect f these services is fcused n achieving equivalence with hand written signatures. This bservatin may appear t be trivial, but it is nt. Frm a technical perspective, the cryptgraphic prcess f signing specific data can serve many ther functins which have little t n lgical cnnectin t a hand written signature. As examples, ne might cnsider: The identificatin f a persn (entity authenticatin) may use identical technlgies, yet there is n intentin f achieving equivalence t a hand written signature. 44

- The use of electronic stamps or seals, where an entity signs a document to authenticate it on behalf of a legal person (e.g. a company seal or administrative stamp), or even on behalf of a computer system or process, in which hand written signatures may be entirely inappropriate or even nonsensical as an analogy.
- Authorization management, where the user wants to demonstrate a certain legal mandate (e.g. to confirm the status of doctor, lawyer, notary public, etc) or access/usage right (e.g. the status of employee, citizenship, or simply of being an adult). In these cases, equivalence to a hand written signature may not necessarily be the desired goal.
- Time stamping, where the equivalence to a hand written signature is irrelevant, since the only intention is to add a trustworthy time reference to a specific transaction.

The Directive is much less relevant to all of these functions. This is not to say that it has no effect on them:

- First, the e-signature itself is defined as "data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication" (emphasis added). This definition makes no explicit or implied reference to the purpose of creating a substitute for a hand written signature; indeed, based on this terminology alone, all of the examples above could be said to be covered by the definition of an electronic signature, since they are all methods of authentication (either entity authentication or data authentication). [35]
- Second, the notion of a certification-service-provider is very broadly defined in the Directive as "an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures" (emphasis added). Again, the definition is so broad that virtually all types of authentication service providers could be said to be covered.
None the less, even under this broad interpretation of the Directive's terminology, the Directive does not provide a comprehensive material legal framework for the services mentioned above. Admittedly, the market access and internal market provisions of the Directive (mainly article 4.1) apply, meaning that Member States may establish the rules which apply to service providers established on their territories, and that they may not restrict the provision of services originating from another Member State. This is of course vitally important, given the Digital Single Market ambitions of the Digital Agenda. However, with respect to the legal value of trust services, the relevant provisions of the Directive (article 5 of the Directive) are only meaningful when the signatory aims to create a substitute for a hand written signature. In all the other examples mentioned above, it is impossible on the basis of the Directive to link any legal value to a service, other than perhaps to state that its electronic nature does not invalidate it outright. As legal support to a trust service goes, this would appear to be a relatively weak endorsement.

[35] Patrick Van Eecke, De handtekening in het recht, Van pennentrek tot elektronische handtekening [The signature in a legal context, from scrawl to electronic signature], Larcier, 2004, 420 (608), and Stephen Mason, Electronic Signatures in Law, (2nd edn, Tottel, 2007), 4.5 also illustrate this issue.

In conclusion, the implicit focus of the Directive is quite clearly on enabling electronic tools that emulate traditional hand written signatures to be recognized as a form of eSignature. It aims to achieve this effect through a number of simple and logical rules and principles.

The rules established by the Directive address the legal, technical and trust landscape required to allow an interoperable eSignatures market to function, with a strong focus on electronic signatures. The conceptual framework (definitions of e-signature tiers and CSPs) has already been briefly explained above, as has the approach of the legal effect of eSignatures. However, the other building blocks also deserve some consideration, if only to help explain why the Directive has not been able to achieve the desired purpose.

As a basic foundation of the Directive, the free market principle (or more truthfully: the internal market rules) are a logical consequence of treating certification services as a market service. To enable the internal market, it is vitally important that Member States cannot set arbitrary barriers to foreign CSPs. This goal has been implemented via article 4 of the Directive, declaring that "[e]ach Member State shall apply the national provisions which it adopts pursuant to this Directive to certification-service-providers established on its territory and to the services which they provide. Member States may not restrict the provision of certification-services originating in another Member State in the fields covered by this Directive."
CSPs are thus largely governed by a country-of-origin rule, which ensures that they do not need to comply with 27 materially different sets of rules if they choose to operate in all 27 Member States.

As a technical tool, advanced eSignatures also require a minimum common technical framework to ensure their operation. This technical framework is not included directly in the Directive as such. Indeed, that would have been a poor strategic choice, given the relative procedural complexity of renegotiating a Directive, which would make it very difficult to keep the technical framework updated. Instead, the Directive contains only a fairly high level set of requirements in its four annexes, relating to:

- Annex I: requirements for qualified certificates
- Annex II: requirements for certification-service-providers issuing qualified certificates
- Annex III: requirements for secure signature-creation devices
- Annex IV: recommendations for secure signature verification

With respect to technical standardization, the Annexes do not aim to provide guidance for specific implementation or assessment activities, as they are far too generic for that purpose. Instead, the Directive foresees the possibility of providing additional guidance through Commission Decisions, to be taken upon the advice of an Electronic-Signature Committee created under article 9 of the Directive, thus colloquially known as the Article 9 Committee. This Committee may:

- clarify the requirements laid down in the Annexes;
- clarify the criteria that Member States should apply when designating a body to determine the conformity of secure signature-creation-devices with the requirements of the Directive;
- clarify generally recognized standards for electronic signature products, notably by establishing and publishing reference numbers of such standards in the Official Journal of the European Union. When this has been done, the internal market provisions of article 3.5 require the Member States to presume that meeting those standards also implies compliance with the requirements laid down in Annex II, point (f) (relating to the requirement for CSPs issuing qualified certificates to use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the process supported by them), and in Annex III (requirements for secure signature-creation devices).

Through this process, the Commission adopted two Decisions: Decision 2000/709/EC [36] establishing the minimum criteria for conformity assessment bodies, and Decision 2003/511/EC [37] publishing reference numbers to three generally recognized standards [38] for electronic signature products which create a presumption of compliance with part of the qualified electronic signature requirements.
Perhaps surprisingly, neither one of these Decisions was ever updated, despite developments in global e-signature standardization initiatives. [39]

[36] 2000/709/EC: Commission Decision of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with article 3(4) of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures (notified under document number C(2000) 3179) (Text with EEA relevance) OJ L 289, 16.11.2000, p. 42-43.

[37] 2003/511/EC: Commission Decision of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council (Text with EEA relevance) (notified under document number C(2003) 2439) OJ L 175, 15.7.2003, p. 45-46.

[38] Notably the following standards: CWA 14167-1 (March 2003): security requirements for trustworthy systems managing certificates for electronic signatures - Part 1: System Security Requirements; CWA 14167-2 (March 2002): security requirements for trustworthy systems managing certificates for electronic signatures - Part 2: cryptographic module for CSP signing operations - Protection Profile (MCSO-PP); CWA 14169 (March 2002): secure signature-creation devices.

Finally, the Directive also incorporated a trust infrastructure to support certification service providers. Essentially, the trusted (or untrusted) state of an electronic signature is a function of many factors, one of which is the role of a trusted third party. In the absence of a trusted third party (e.g. a simple e-signature consisting of a text file appended to an e-mail, where the text file and e-mail are both solely created by the signatory), an e-signature has a limited ability to provide confidence in the text that has been signed, where the authenticity of the e-mail is uncertain. In those cases, the signature amounts to little more than the word of the signatory, which was already reflected in the signed text without any signature. Through the involvement of a trusted third party (such as the CSP issuing signature certificates in a PKI-based advanced e-signature system), relying parties have a more substantial anchor to which they can attach confidence. If they know that the issuer is trustworthy, then that removes at least one possible area of doubt.

A significant issue is how a relying party can determine whether such a trusted third party is in fact to be trusted. [40] The Directive provides a solution to this question through the concepts of supervision, conformity determinations and accreditation:

- Member States must establish appropriate supervision schemes, in which (at a minimum) CSPs established within their borders that issue qualified certificates to the public are supervised (article 3.3 of the Directive). Since qualified certificates are a prerequisite to creating qualified signatures, this implies that qualified signature solutions by definition benefit from some degree of supervision, thus improving their trustworthiness.
- As noted above, the second component of a qualified signature (apart from the qualified certificate) is the use of a secure signature-creation-device.
The Directive specifies that Member States can designate bodies with assessing the compliance of such devices with the requirements of the Directive (as laid down in Annex III). Such findings of conformity are to be recognized in all Member States (article 3.4).
- Finally, Member States are also allowed to introduce voluntary accreditation schemes aiming at enhanced levels of certification-service provision (article 3.2 of the Directive). Member States can use such schemes to institute quality labels, or to define trust levels of signature types in an effort to make the market more transparent and intuitive to consumers and service providers. It is important to recognize that enhanced levels of certification-service provision does not necessarily imply a high reliability of e-signature solutions; even basic (non-advanced) eSignatures may be subject to voluntary accreditation, irrespective of their objective reliability. The Directive requires that the conditions related to such schemes must be objective, transparent, proportionate and non-discriminatory, to avoid market distortions. However, since accreditation schemes are by definition established at the national level, they tend to enable trust at the expense of interoperability, since foreign service providers are less likely to have a business case for seeking voluntary accreditation in another Member State, even if their signature solutions objectively meet or exceed the requirements of the voluntary scheme.

[39] For list of standards across the globe, see the second deliverable of this Study (D2.1 IAS in Europe: an overview of the state of the art)

[40] On this topic, note chapters 11, 12 and 13 in Stephen Mason, Electronic Signatures in Law and Patrick Van Eecke, De handtekening in het recht, Van pennentrek tot elektronische handtekening [The signature in a legal context, from scrawl to electronic signature], Larcier, 2004, 543-560

On the basis of these trust enablers, each Member State must have a supervisory body to supervise CSPs issuing qualified certificates to the public. In addition, it may also have an accreditation body to manage any voluntary accreditation scheme, and it may have one or more conformity assessment bodies to determine the compliance of any supposed secure signature creation devices. Conceptually, this approach is sound, as it ensures that the legal and technical framework are linked through a workable supervisory framework.

Thus, the Directive provided a basic legal framework that established the main legal, technical and trust building blocks. While clearly slanted towards state of the art PKI solutions, this was considered to be appropriate to sustain an interoperable eSignatures market.

4.2 Identification of key gaps

A cursory examination of current EU initiatives involving or requiring the cross border use of eSignatures (e.g. in relation to e-procurement, e-justice, e-invoicing, the implementation of the Services Directive, or any exchange of authentic e-documents) shows that the eSignature Directive has largely failed to achieve this objective of an interoperable eSignatures market. Even leading initiatives in this area are still developing or piloting solutions, twelve years after the adoption of the Directive. Solutions for cross border interoperability either require closed contractual frameworks (essentially cutting out the influence of the Directive to a large extent) or abandon the high-security, high-certainty goals of the Directive by adopting simple (non-PKI) e-signature solutions or by reducing the trust assurances to relying parties. In effect, even if one accepts that the eSignature Directive has helped create a market for advanced eSignature services at the national level, any beneficial effect on the internal market (i.e. at the cross border level) is modest at best.

A number of factors can be identified that may be partly responsible for the lack of an internal market for advanced eSignatures, or more generally for the lack of cross border interoperability. It is important to recognize that not all of these factors are related to the EU framework for eSignatures as briefly described above. For one, it is inherently difficult to provide an appropriate legal framework in a technological area which evolves very quickly, notably in order to respond appropriately to security challenges. This is especially true in relation to electronic signatures, where new standards are continuously developed and algorithms are deprecated when weaknesses become apparent. Apart from technical complexity, the European advanced eSignature market in 1999 was also still developing rapidly, with relatively few services being made available as standalone products for the public in most EU Member States. Finally, as was already noted in the introduction to this report, the business case for the advanced eSignatures as a separate service (i.e. in isolation from applications in which they are intended to be used, such as e-banking) remains uncertain. All of these elements made it inherently complex to create a legal framework that would enable a flourishing internal market for advanced e-signature services.

Nevertheless, the current EU framework is clearly also not without its flaws, and a number of issues can be clearly linked to the lack of an internal market. Already in 2003, an exhaustive study on the legal and market aspects of electronic signatures conducted on behalf of the European Commission and available on-line, pointed to some flaws of the current legal framework on e-signatures. [41] The study came to the following findings, which are still relevant today:

"The study team found out that most of the EU Member States have, more or less faithfully, transposed the Directive into national legislation.
In addition, many of the non-EU countries surveyed have based their own electronic signatures and delivery of signature related services legislation on that of the EU Directive. From a technical point of view the Directive has even influenced international standardization initiatives, such as the IETF standardization work on Qualified Certificates. It is clear that the Directive has influenced legal and technical activities outside of the European Union boundaries. New terminology introduced by the Directive (especially Qualified Certificate, Advanced Electronic Signature, Certification Service Provider) has been taken on board by the EEA countries, Switzerland, the Accession and the Candidate countries.

[41] Study on The legal aspects of the application of Directive 1999/93/EC and on the practical applications of the electronic signature (Member States, EEA, Candidate countries), A report to the European Commission from K.U.Leuven, Landwell, HN Consulting and Secorvo (version 1.0, 2003), see http://ec.europa.eu/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf.

Although the broad lines of the Directive have been respected by the Member States when transposing the Directive, a number of issues have nevertheless been identified as problematic. These problems can mainly be attributed to a misinterpretation of the Directive's wording, which in turn leads to divergences in national laws and/or divergences in the practical application of the rules.

Regarding the market access rules as stipulated by Article 3 of the Directive, the following remarks need to be made. The good news is that for the moment, none of the Member States surveyed submit the provision of certification services by providers established in another Member State to prior authorization, thus formally respecting Article 3.1 on market access. It is, indeed, perfectly possible for a CSP established in one Member State to provide certification services in another Member State, without having to ask the prior permission of a national authority. This was not possible everywhere in Europe before the Directive was issued and transposed.

On the other hand, various Member States have established supervision schemes that are very close to prior authorization, and are possibly infringing Article 3.1 provisions. Given that CSPs have been established in all but a few of the countries surveyed and given that the majority of supervision schemes are still in the very early stages of development, it is impossible to compare yet the practical implications of the supervision systems. Nevertheless, it has become obvious that there are very important divergences between the various supervision schemes in the Member States. Although the effect of these divergences remains limited, since most of the CSPs still operate exclusively in their home country, the divergences will begin to show a negative impact once European or non-European providers start to launch more cross-border certification services across the EU.

Also, the Directive's rules on voluntary accreditation seem to be misunderstood by national governments.
Many European countries wrongfully consider voluntary accreditation schemes as a means of controlling whether or not a Certification Service Provider operates in compliance with the provisions of the Directive. Another alarming observation is that the voluntary accreditation schemes, in many European countries, are in practice, not really voluntary. A typical example being that many national e-government programmes only accept accredited CSPs to participate in the programme, and thus indirectly oblige a CSP to get an accreditation. This evolution is certainly not in line with the Directive's vision.

Concerning the so-called public sector exception of Article 3.7, which allows Member States to make use of electronic signatures in the public sector subject to possible additional requirements, we have seen divergences in both the interpretation and implementation of this provision. It seems clear that in many countries the use of electronic signatures in the public sector is subject to additional (security) requirements. Communicating electronically with public authorities is in many European countries possible only through the use of signatures based on Qualified Certificates issued by an accredited CSP. Member States need to be reminded that applying additional conditions can only be justified by objective reasons and should only relate to the specific characteristics of the application concerned. Also, Member States need to ensure that basic competition rules are not being infringed by their initiatives.

As to the conformity assessment of secure signature-creation devices many countries seem quite reluctant to designate their own designated bodies for SSCD assessment. This may be due to the very high SSCD security requirements and the lack of active manufacturers in most countries. Another reason is the very large resources needed for operating an assessment body. The process of assessing a product is usually extremely expensive as well as time-consuming. Two further reasons why vendors are sometimes reluctant to have their products assessed is that an assessment is often only valid for a fixed amount of time (the product needs to be re-assessed), and a conformity assessment freezes a product so that it cannot be changed (e.g., in order to apply a security patch) without making invalid the assessment. Consequently, although but a small number of SSCDs have been assessed; all of these have been assessed by a relatively small number of designated bodies. Only in Austria, Germany and the Czech Republic has the number of products assessed been higher than two. In some countries (Austria, Germany) signature products other than SSCDs have been assessed as well.

The non-discrimination principle of electronic signatures, as regulated by Article 5.2 of the Directive, has been taken over by national legislators. However, the transposition of Article 5.2 has not always been explicitly done and in those countries with an explicit transposition the scope of Article 5.2 has not always been covered in its entirety.
It is not yet clear whether this rather vague transposition in some countries has a practical impact on the legal use of electronic signatures. Thus, how electronic signatures will be treated in future national legislation and case law requires close monitoring. It would be too premature to jump to early conclusions on judges' position vis-à-vis electronic signature given that to date there are but a few legal cases on this subject. Indeed, until recently, the sample of case law tackling directly or simply evoking electronic signatures issues is still too small and fragmented to be considered as representative enough of the judge's mind in this area.

As to the legal effect of Qualified Electronic Signatures (the ones regulated by Article 5.1 of the Directive), there has been a general tendency in the majority of European countries to explicitly recognise the equivalence between a handwritten signature and a specific type of signature by imposing the same or slightly different conditions than the ones stipulated in Article 5.1. It is, however, important to know that the Directive obliges Member States only to make sure that a Qualified Electronic Signature is legally speaking treated in the same way as a handwritten signature, but that it does not regulate the legal use and consequences of a handwritten signature itself, and thus not the legal consequences of the Qualified Electronic Signature either. The legal use and consequences (which transactions need a signature, which evidential value is given to a signature, etc) remains a nationally regulated matter.

Qualified electronic signatures need to be in compliance with the requirements as stated by the first three Annexes of the Directive. It is, therefore, important that the Annexes are correctly transposed into national legislation. The implementation of Annex I is very similar in most of those countries. The only risk is related to interoperability problems which might occur if technical implementations of Annex I diverge by, for example, not using ETSI TS 101 862, or any other common format for encoding the requirements of Annex I. The Commission should therefore promote the use of interoperability standards for the technical implementations of Annex I.

For the implementation of Annex II, implementation levels are sometimes quite varying, meaning that the establishment and running of a CSP will differ considerably. Any organization wishing to establish a CSP business in several countries must therefore adapt itself to different requirements and procedures. Product vendors will also have difficulties building products for this very fragmented market. In addition, several countries put additional detailed and unnecessary requirements on the CSP, thus creating barriers for the establishment of a CSP. The Commission should therefore point out any unnecessary and excessive requirements for CSPs, which might be perceived as market obstacles.
For the implementation of Annex III, there is also evidence of fragmentation. The requirements for SSCDs are, for example, much higher in Austria and Poland than in some other European countries.

As far as Annex IV is concerned, Article 3.6 is very clear. The list contains only recommendations, which have to be taken into account by the Member States and the European Commission when they work together in order to promote the development and the use of signature-verification devices. They can, in our opinion, not be changed into obligatory requirements at a national level, as some Member States have done.

With very few exceptions, all European countries have provided for a special liability provision transposing Article 6 of the Directive into national legislation. Within the European Union, the respective liability clauses of the EU Member States have followed the wording and rationale of Article 6. In cases where transposition was not explicit, the general tendency has been to provide stricter liability clauses, by broadening the scope of application of the Article, notably, by extending the list of liability causes as laid down in the Directive.

All countries under examination have prescribed in their national laws rules on the legal recognition of foreign (non-EEA) Qualified Certificates in their territory. Only Ireland, the UK and Malta, do not distinguish between domestic and foreign Qualified Certificates. Most of the EU and EEA countries have faithfully transposed the conditions of Article 7 into their national legislation. In the Accession and Candidate countries the situation appears to be somewhat more complicated.

The implementation of the data protection rules of Article 8 into national legislation apparently did not pose any real difficulties. Some countries, though, did not correctly implement article 8.2 of the Directive. In those countries, a CSP is not obliged to follow the stricter data protection rules, whereas a CSP established in another Member State must adhere to its national rules. This may give rise to complaints of unfair competition in that it could act as an obstacle to trade within the internal market. Further discussion also needs to centre on whether the stringent rules of Article 8.2 for CSP issued certificates to the public, (such as the obligation for direct personal data collection), are realistic, given that most CSP data is obtained from third parties such as a local registration authority.

The use of a pseudonym in a certificate is allowed in all but two of the countries surveyed. Only Estonian and Bulgarian electronic signature legislation forbids the use of pseudonyms in their national rules on Qualified Certificates. Many countries explicitly require the disclosure of real names to the public authorities upon request and under strict conditions.

An important question, which needs to be posed, is what does the use of electronic signatures in Europe really mean?
The number of supervised and accredited CSPs issuing Qualified Certificates in the European countries varies considerably from country to country, with many countries having either no or only one CSP. In the few countries where any larger numbers of Qualified Certificates have been issued, this is almost exclusively due to some form or another of government promotion. There is currently no natural market demand for Qualified Certificates and related services. The largest application area in Europe for electronic signatures is generally linked to e-banking applications in a closed user environment, and thus outside the scope of the Directive. Within the scope of the Directive, very few applications are in use today and they are almost wholly limited to e-government. It is interesting to note that many application service providers currently on the market falsely believe that their applications require Qualified Electronic Signatures as a minimum in order to be legally compliant, leading to unnecessary costs and complexity on planning and designing for the use of Qualified Electronic Signatures.

Technology evolves rapidly and in the near future many electronic signature technical solutions will be based on new technological developments, such as new secure PC environments, mobile signatures and signature servers. Consequently, supervision bodies, designated bodies and others involved in the regulation of Qualified Electronic Signatures should look at these technologies with an open mind and not restrict security assessments to what is known and available today.

The lack of interoperability, both at national and cross-border level, is a big obstacle for market acceptance and the proliferation of electronic signatures. It has resulted in many isolated islands of electronic signature applications, where certificates from only one CA can be used for one application. In a few cases only can certificates from multiple CAs be used for multiple applications. Much more should therefore have been done earlier at a European level to promote interoperability.

The EESSI (European Electronic Signature Standardisation Initiative) programme has developed some 30 standards that are Directive compliant. However, the fact that article 3.5 of the Directive does not allow to refer to all standards, as well as the delay in developing the standards and having their references published in the Official Journal, has led to a situation whereby several countries have either developed their own technical interpretations of the Directive, (leading to varying requirements in different countries), or else have waited for standards to be developed, leading to a vacuum for product and service vendors on the market. Not until the publication of references to standards in the Official Journal in July 2003 has there been any clarity on the standards acceptable to all Member States.

Another risk relating to interoperability is that currently only one set of standards related to Qualified Electronic Signatures (based on PKI) currently exists, which may hinder further technologies being used for Qualified Electronic Signatures.
Furthermore, due to the limitation of the A9C mandate, it has proven impossible to refer to additional standards."

Another exhaustive study of these issues and their effect was conducted on behalf of the European Commission in 2010 under the acronym CROBIES (Study on Cross-Border Interoperability of eSignatures), which is available for online consultation. [42]

[42] Study on Cross-Border Interoperability of eSignatures (CROBIES), A report to the European Commission from SEALED, time.lex and Siemens (Version 1.0, 2010); available at http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm.

Briefly summarized, the CROBIES study identified, amongst other things, the following weaknesses and criticisms:

- The legal framework is unclear and ambiguous on certain important points. For instance, opinion is split in the Member States on the question of whether the concept of a signatory can include legal entities, i.e. whether an e-signature can be ascribed directly to a company rather than to the person signing on behalf of that company. Similarly, it is still debated whether a secure-signature-creation device (SSCD) must undergo an affirmative conformity assessment by a designated body, or whether such an assessment is merely advisable to remove or reduce doubts on its status.
- The technical framework is outdated and does not link clearly to legal requirements. The Commission Decision above only references three specific standards which are partially outdated and do not unambiguously apply to some advanced e-signature creation approaches. For instance, the use of mobile telephones or HSMs (Hardware security modules) is increasingly popular in the advanced e-signature market, yet these are not clearly addressed by the referenced standards. [43] Furthermore, the EU standardization landscape is highly complex: beyond the aforementioned three standards, there are around 30 other standardization projects whose link to specific legal requirements is not clear. The fact that Commission Decisions under the Directive can only create a presumption of compliance with the requirements of Annex II(f) and Annex III of the Directive, and not with other requirements, makes it even harder to assess any formal value to these standardization documents.
- The trust framework is too vague to create justifiable trust in the internal market. As described above, CSPs issuing qualified certificates to the public are subject to national supervision schemes. However, the Directive merely requires that these supervision schemes are appropriate, without providing guidance to the Member States as to what this entails.
As shown in the CROBIES study, national requirements range from a simple notification letter to the supervision body to full and periodically recurring audits, creating an uneven trust landscape, not to mention internal market distortions. Apart from this inequality, there was no homogeneous way for relying parties to determine whether a CSP was indeed supervised in practice, since supervision bodies did not have a common communication strategy on this issue. This problem was only addressed in October 2009, ten years after the adoption of the Directive, when a Commission Decision [44] issued against the backdrop of the Services Directive required supervising bodies to use a common trusted list approach to publicly announce the supervision status of their CSPs. Prior to that time, relying parties would need to check the supervision status of a CSP manually each time they wanted to rely on a signature. Similarly, when SSCDs have undergone conformity assessments (the need of which is already unclear, as noted above), there is no common approach to publish this status, and no way to keep this status updated over time as potential weaknesses threatening the SSCD status are uncovered.

Clearly, the legal, technical and trust frameworks established by the eSignature Directive have their flaws. It should be noted however that these flaws primarily apply to qualified signature solutions, since questions related to supervision and SSCDs are much less relevant to other signature types. Nonetheless, since the eSignature Directive only created a clear and predictable legal effect for these types of signatures, this can be considered a real weakness.

While important, these problems could be fixed through limited changes and updates of the legal, technical and trust framework. There is, however, a broader weakness in the Directive, which would require substantially greater changes. As noted above under the description of the scope of the Directive, its provisions clearly focus principally on electronic signatures as a substitute for hand written signatures. This emphasis disregards the reality that finding a substitute for hand written signatures is only one possible application of certification services.

As described in the definitions section above (Section 2 of this document), the relationship between eSignatures and other services (including identification, time stamping, electronic registered mail etc) is more nuanced. eSignatures are ultimately an assertion, generated by a combination of tools (e.g. SSCD, card reader, keys) and services (e.g. certificate issuance, time stamping). Only a few of these tools and services have been regulated by the current eSignatures Directive, despite the fact that all of them are being used on the European internal market today. eSignatures both build on these other tools and services, and serve as a building block for others, without these tools and services being regulated. In other words, the eSignatures Directive focuses on one link in a chain, without considering the full picture.

[43] For instance, see Frederic Stumpf, Markus Sacher, Claudia Eckert and Alexander Roßnagel, The creation of Qualified Signatures with Trusted Platform Modules, Digital Evidence and Electronic Signature Law Review, 4 (2007) 61 6.

[44] Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market, OJ L 274, 20.10.2009 p. 36 (Corrigendum to Commission Decision 2009/767/EC of 16 October 2009 setting out measures facilitating the use of procedures by electronic means through the points of single contact under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (OJ L 274, 20.10.2009) OJ L 299, 14/11/2009 P. 0018-0054); as amended by the Commission Decision of 28 July 2010 amending Decision 2009/767/EC as regards the establishment, maintenance and publication of trusted lists of certification service providers supervised/accredited by Member States, OJ L 199, 31.7.2010, p. 30.

The main question is what the European policy goals with respect to this full chain of products and services should be. If the goal is merely to ensure that these products and services related to eSignatures can benefit from a formally free market, then the eSignatures Directive is largely adequate. Clearly, the Directive is not perfect in this respect. Market distortions remain due to e.g. the differences in supervision regimes at national level, meaning that two otherwise identical CSPs in two different Member States might be subject to vastly different supervision requirements, thus creating additional expenses and a competitive disadvantage for CSPs in stricter countries. Similarly, the internal market clause does not have a clear impact on public sector applications (e.g. for eGovernment services), as Article 3.7 of the Directive leaves a fairly vague margin of appreciation for Member States to impose additional requirements on eSignatures used in public sector services. As a result, it is frequently unclear whether restrictions imposed by Member States are a legitimate application of Article 3.7, or a violation of the Directive's rules.

None the less, in spite of these clear shortcomings which still need to be rectified, the Directive already includes market access rules and internal market principles (Articles 3 and 4) that apply to certification-service-providers and certification-services in general. This would include IAS service providers and IAS services in general, without any limitation towards eSignatures. As a result, prior authorisation schemes for such services would not be permitted (Article 3.1), nor any other type of restriction towards the provision of such services originating in another Member State (Article 4.1), and the service providers would largely be subject to the laws of the Member State in which they are established (Article 4.1). Finally, the free circulation of electronic-signature products is guaranteed by Article 4.2.
Thus, a free market for IAS services in general has already been established to a large degree. However, with respect to eSignatures, the Directive made a further choice to not only open the market, but also to assign a legal value to certain eSignatures, based on a series of requirements and obligations, especially with respect to CSPs issuing qualified certificates to the public. This second facet has not been regulated for other IAS services.

The question is whether it should also be a European policy goal to go one step further for these other IAS services, by e.g. also setting minimum standards and requirements for other tools and services in order to provide them with a clear legal value as well.

A strong argument can be made for this position. As noted above, more and more IAS services are emerging on the European market. If the only common European regulation relates to free market access, Member States may introduce national regulations that specify requirements in order to achieve a certain legal effect (although they may obviously not impose requirements for merely being allowed to provide services within their borders, as this would be contrary to the Directive's free market rules). However, such regulations can also distort the European internal market for IAS services: even if an IAS service provider is allowed to provide services in other Member States (as guaranteed by the eSignatures Directive), it cannot provide guarantees with respect to the legal value of its services, at least not without assessing this against local legislations. Worse yet, such legislation may be contradictory between countries, meaning that a service provider would at the very least need to modify its service offering on a per country basis, or simply be unable to benefit from any legal value in some Member States. De facto, this is a significant disruption of the IAS market in Europe.

From that perspective, the Directive's primary focus on eSignatures as a substitute for hand written signatures means that it is unable to create trust at the European level in IAS service providers. This would suggest that the current situation is contrary to the goals of the Digital Agenda, and that a broader approach is required.

As an example, an eSignature as a substitute for a hand written signature is only meaningful if it can be adequately linked to a signatory, either as an identifiable individual, or at least by a pseudonym. Indeed, the eSignature Directive recognizes this issue, as it defines certificates as electronic attestations which link signature-verification data to a person and confirm the identity of that person (article 2.9). Similarly, advanced [45] signatures under the Directive must (amongst others) be uniquely linked to the signatory [46] and capable of identifying the signatory (article 2.2). Thus, when eSignatures are intended to emulate hand written signatures, identification is a prerequisite. Yet the Directive does not address how this should be done, other than to note that the use of pseudonyms in certificates should not prevent Member States from requiring identification of persons pursuant to Community or national law (recital 25).
This requirement is echoed in Annex II (d) in relation to qualified signature certificates, noting that CSPs must verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued. Identification (either as an independent process preceding the issuing of signature certificates or as a separate type of authentication service) is not harmonized by the Directive in any meaningful way.

The same observation applies to time stamping, another type of certification service that supports the determination of the authenticity of eSignatures. The value to be given to an eSignature is partly predicated on the mechanism used to reliably determine when it was created. This is a crucial question, since relying parties mainly need to be able to assess whether an eSignature was valid at the time it was created, not merely at the present time (which may be years later). The time factor is an important pillar to the trustworthiness of eSignatures and a valuable certification service in its own right. Again, the Directive does not cover this aspect in a meaningful way.

Other ancillary services build on these tools: electronic archiving depends on time stamping, [47] and electronic registered mail requires both reliable identification of the signatories (senders and recipients alike) and time stamping. In the absence of the basic tools, the derivative services cannot be created either.

In short, it is important to recognize that eSignatures are a component of an ecosystem of certification services. When the Directive covers only one element of that ecosystem (and imperfectly at that, as argued above), new market distortions will inevitably arise. Some Member States have already made the decision of creating their own national legal frameworks for some of these certification services, including time stamping, electronic registered mail and archiving. In the absence of harmonizing provisions at the European level, this is creating new internal market barriers: a qualified time stamping service in Member State A may have no legal value in Member State B, either because Member State B has no legal framework for this type of service, or because the legal framework is different. In practical terms, the time stamping service provider has no way of learning about possible issues other than to seek legal advice on a country by country basis, in order to discover whether its service has any value outside of its national borders, and what changes might be necessary to satisfy national legal requirements. This would appear to be a textbook example of the type of barrier that the European internal market should aim to avoid.

Based on these observations, it would appear that the eSignature Directive is in serious need of review, at a minimum to fix the smaller issues mentioned above. However, this may also be a good opportunity to broaden the legal framework to ensure that certification services are more comprehensively covered and to avoid further barriers in the internal market. Obviously, the lessons learned from the eSignature Directive should be considered if this broader approach is taken.

[45] Interestingly, no such requirement applies to the base notion of electronic signatures, for which the Directive requires that they serve as a method of authentication in general. This is in line with the observation made above, namely that electronic signatures in general could be interpreted to cover any application of authentication services, but that the Directive only provides a meaningful legal framework for eSignatures as a substitute for hand written signatures.

[46] For a critical analysis of this concept, see Stephen Mason, Electronic Signatures in Law, 4.9.

[47] Stefanie Fischer-Dieskau and Daniel Wilke, Electronically signed documents: legal requirements and measures for their long-term conservation, Digital Evidence and Electronic Signature Law Review, 3 (2006) 40-44.

5. The road ahead

5.1 How useful is the eSignatures Directive as a starting point for IAS regulations?

The Digital Agenda has unambiguously announced a revision of the eSignature Directive, which will probably strive to fix at a minimum the shortcomings summarized elsewhere in this report, together with a possible Decision to ensure mutual recognition of certain eIDs between Member States. This would undoubtedly be a good step forward for the EU.

None the less, a broader approach seems equally viable, building on the observation that e-authentication systems (to use the terminology of the Digital Agenda) are similar in most respects, but differ in small important details. This can already be witnessed in the terminology as discussed above: the definition of an electronic signature as presented by the Directive ("data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication") is broad enough to potentially cover eSignatures (in the equivalent-to-handwritten sense), eID and time stamping, among many others. It is worth considering whether a similar policy framework is also possible, and even desirable, for these related services.

As a starting point, it is possible to consider prior experiences across the Member States. The need for a legal framework for ancillary services (time stamping, company seals, electronic registered e-mail, long term archiving) has been known for some time, and some Member States have been active in this field. To name but a few examples:

- Austria, as one of the leading EU Member States in this area, has implemented legislation regulating not only eSignatures, but also electronic identification, through the 2004 eGovernment Act. [48]

- Belgium adopted a generic legal framework for certain trusted services in 2007, [49] including electronic registered mail, time stamping and electronic archiving. Despite a recent update for the rules on electronic registered mail in 2010 (integrated into the general eSignatures Act), executive rules were never fixed, and the law remains largely inoperative at present. However, new legislation in this area is planned for the near future.

[48] E-Government-Gesetz.

[49] Wet van 15 mei 2007 tot vaststelling van een juridisch kader voor sommige verleners van vertrouwensdiensten / Loi du 15 mai 2007 fixant un cadre juridique pour certains prestataires de services de confiance.

- The Czech Republic has implemented rules for time stamping in its eSignatures Act of 2000. [50] Interestingly, the law uses the same logic and terminology ("qualified time stamp") that is also in vogue for eSignatures.

- Estonia, as another technology leader in the EU, has a legal framework [51] that supports (and indeed requires) time stamping, digital stamps (advanced eSignatures created by legal entities), and official e-mails.

- Similarly, Finland has adopted an Act on strong electronic identification and electronic signatures. [52]

- Germany likewise introduced the notion of qualified time stamping in its eSignatures Act. [53]

- Italian law contains rules on electronic registered mail. [54]

- The Slovakian eSignatures Act contains specific rules for time stamping. [55]

- The Slovenian eSignatures Act recognizes the concept of a time stamp as being comparable to advanced eSignatures, with the same rules applying by changing those things which need to be changed. [56]

- Finally, the Spanish Act on Electronic Citizen Access to Public Services [57] recognizes eSignatures, e-seals (company signatures), and time stamping.

This listing is neither fully up to date nor exhaustive. Its purpose is merely to illustrate that a significant and increasing number of Member States have recognized the important role of e-authentication systems other than mere eSignatures, and that they have provided a legal framework for such services. When doing so, these laws are often integrated or at least closely aligned with general eSignature rules.

This is important for two reasons. First, it suggests that the principles and challenges for various e-authentication systems are similar, and that it might be possible to address them in unison. Second, it also shows a potential internal market barrier. If time stamping service provider A can guarantee the legal value of its services in one country (for instance, because it is considered a qualified time stamping service in that country) but not in another country (for instance, because that country has no rules, or worse yet, different ones), then that creates a market barrier. This is a challenge for the EU to address, as it was an almost identical observation that led to the adoption of the eSignatures Directive. [58]

Indeed, if we look at the conceptual needs behind a comprehensive IAS policy as listed above, we already commented that all of these were already addressed (even if imperfectly) by the eSignatures Directive:

- An unambiguous understanding of IAS services and ancillary services.

- The policy goals that an IAS approach should cover, including such aspects as the enabling of the internal market, technological neutrality and legal reliability.

- The legal translation of these policy goals and requirements, stipulating the goal of the regulatory text, definitions of basic concepts, provisions on general obligations for trust service providers, data protection, liability, internal market rules, legal effect of services, any supervision/accreditation mechanisms, etc.

- The trust framework needed to support a comprehensive IAS approach.

- The technical framework required to enable the comprehensive IAS approach, including standardisation needs.

At least theoretically, this suggests that it would be possible to apply the same approach to a comprehensive IAS framework.

[50] Zákon č. 227/2000 Sb., o elektronickém podpisu a o změně některých dalších zákonů (zákon o elektronickém podpisu).

[51] Digitaalallkirja seadus, RT I 2000, 26, 150.

[52] Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä allekirjoituksista, 7.8.2009/617.

[53] Gesetz über Rahmenbedingungen für elektronische Signaturen (Signaturgesetz - SigG) vom 16.5.2001 (BGBl. I S. 876).

[54] Through the Codice dell'Amministrazione Digitale (the current version is Decreto Legislativo 30 dicembre 2010, n. 235); Roberta Falciai and Laura Liberati, The Italian certified e-mail system, Digital Evidence and Electronic Signature Law Review, 3 (2006) 50-54.

[55] Zákon č. 215/2002 Z.z. o elektronickom podpise a o zmene a doplnení niektorých zákonov. The Slovakian Act ("as amended" or "v znení neskorších predpisov") was consolidated in 2009 (§ 9 of this Act still explicitly refers to time stamping (Časová pečiatka, time stamping)), see http://www.zbierka.sk/zz/predpisy/default.aspx?predpisid=208862&filename=zz2009-00076-0208862&Rocnik=2009.

[56] Zakon o elektronskem poslovanju in elektronskem podpisu.

[57] Ley 11/2007, de 22 de junio, de acceso electrónico de los ciudadanos a los Servicios Públicos.

[58] For example, see the table of diverging national legislations on p. 4-5 of the 1998 Proposal for a European Parliament and Council Directive on a common framework for electronic signatures, at http://ec.europa.eu/information_society/policy/esignature/docs/com1998_0297en.pdf. The table is strikingly similar to the list above.

5.2 Weaknesses of the eSignatures Directive - lessons learned

The overview above suggests that the regulatory approach of the eSignatures Directive might be applied to IAS services in general. However, it should also be recognized that the eSignatures Directive has a number of weaknesses that would need to be addressed in future policy initiatives. For a full analysis of these, we can refer to earlier studies referenced above. In the section below, some of the main lessons learned are summarized, based on the conclusions and recommendations of these earlier studies.

5.2.1 Supervision of CSPs

The European Member States have always had difficulties in striking a balance between appropriate supervision of Certification Service Providers and the prohibition to submit their activities to prior authorization. It would therefore be useful to publish guidelines on how the supervision can be organized in order to make it conform to the Directive's provisions.

The guidelines to be published by the European Commission can also be used to clarify a number of currently unresolved legal issues in this area. One of the most difficult questions is to know what the notion of establishment on the territory in practice means for a Certification Service Provider (for example, certificate issuer established in one Member State but collaborating with registration authorities, directory service providers, etc. in other Member States: who is in charge of the supervision?).

Not all Member States have established a scheme for the appropriate supervision of CSPs issuing Qualified Certificates to the public. This would need to be rectified, because this situation creates the possibility for CSPs established in those Member States to issue Qualified Certificates to the public in other Member States without being submitted to appropriate supervision. This harms the trust model behind the Directive.

Ideally the supervision schemes in the Member States should be harmonized, at least to a certain degree. Since EESSI already has published a number of valuable documents in this area it is recommended that supervisory authorities be encouraged to make use of these specifications. Use of such specifications by supervisory authorities has to be closely monitored.

5.2.2 Voluntary accreditation

Measures should be taken in order to clarify the vision of the European legislator with regard to voluntary accreditation schemes for Certification Service Providers. Specifically, cross-border accreditation should be encouraged as a way of facilitating interoperability. The Commission should, on the other hand, discourage as much as possible the establishment of national accreditation schemes for Certification Service Providers issuing Qualified Certificates to the public.

The Commission should stimulate the clustering of efforts on a Community level. The objective should be to establish a limited number of high quality European accreditation schemes, preferably focusing on or specialising in specific categories of certification services for application domains.

5.2.3 Secure signature-creation devices

Partly because the Directive currently sets very high requirements on SSCDs, such devices still find their way to the market too rarely. In order to stimulate the production of secure signature-creation devices, the requirements for formal assessment need to be more homogeneous, clear and flexible in the future. The procedures for obtaining a conformity declaration should be shorter and less costly. The European Commission should support every effort in this direction.

As to the rules to be followed by the designated conformity assessment bodies, the Commission should provide coordination and guidance. The Commission Decision of 2000 on the minimum criteria when designating conformity assessment bodies is a valuable first step but needs to be pursued. The independent, transparent and non-discriminatory character of the assessment procedure should ideally be monitored.

5.2.4 Public sector exception

The Commission should clarify the interpretation of the conditions that are needed before the Member States can use the public sector exception of Art. 3.7 of the Directive. Member States should be made aware that the non-discrimination rule of Art. 5.2 of the Directive applies not only to the private but also to the public sector. This provision of the Directive can be misused to justify a lack of interoperability in eGovernment applications, which is hardly the intent of the European lawmaker.

Efforts towards improvement of interoperability between e-government programmes and particularly between their electronic signature applications should be supported or initiated at a European level.

5.2.5 Qualified Electronic Signatures

With regard to Art. 5.1 there is primarily a need for clarification about the scope of this provision. It should be made clear to all interested parties that 1) qualified electronic signature is not a synonym of legally valid electronic signature and 2) fulfilling the requirements of a qualified electronic signature is one, but by no means the only, way to allow equivalence to handwritten signatures.

From a European perspective the success of Art. 5.1 depends entirely on the availability of a very well standardized and easily recognisable European qualified electronic signature, including not only criteria for creation devices and certificates but specifying the complete signature chain. Recent efforts in the context of the Services Directive (such as the aforementioned establishment of national trust lists) can serve as significant enablers in this respect; and similar initiatives could be considered for other requirements with respect to qualified electronic signatures, such as SSCDs.

Member States should be made aware that the concept of the qualified electronic signature is mainly useful for cross-border transactions in Europe. It serves as a passport that guarantees in every Member State the application of the rules applicable to handwritten signatures.

The Annexes have been more or less literally transposed into national legislation by virtually all the countries surveyed. The remaining task is to make sure that the implementation gets streamlined throughout Europe. Every effort in this direction should be supported. National implementations of the Annexes have, on the other hand, to be firmly discouraged.

The Commission should take action against those Member States who have not correctly transposed the Annexes by, for example, translating the recommendations of Annex IV into requirements for qualified electronic signature at a national level.

5.2.6 Non-discrimination rule

With regard to the application of Art. 5.2 there is a primary need for clarification. All interested parties should be better informed about the objective and the scope of this provision. The Commission should systematically examine if the Member States have issued legislation referring to Qualified or Advanced Electronic Signatures and detect where such references don't comply with the rule of Art. 5.2.

5.2.7 Standardization

The Commission and Member States must ensure that all Member States correctly implement the presumption of conformity with standards referenced in the Official Journal. This has not always been the case in all Member States.

The Commission and Member States should encourage further work on standards related to Annex II (f) and Annex III, in order to promote the use of alternative technologies for qualified electronic signature. Although the present standards are mostly technology neutral (within the framework of PKI), they still favour the use of smart cards as SSCDs, for example.

The long-term maintenance of the standards referenced in the Official Journal must be ensured, either by transferring the current CWAs to a more permanent body, for example ETSI, or by promoting the CWAs to European Norms.

The Commission must urgently ensure the acceptance of a common specification for algorithms and parameters, as well as a common maintenance procedure for that specification.

The complex areas of archiving and long-term validation of electronically signed documents are often perceived as obstacles for the use of electronic signatures. The Commission should promote work on guidelines and standards in these areas.

The Commission and the Member States should find mechanisms to promote/recommend the standards for interoperability already developed by ETSI within the framework of EESSI.

5.2.8 Data protection

It is necessary to ensure that any electronic authentication process complies with personal data protection requirements. The current European regulatory framework is very much focused on the use of identity certificates. In recent years, attention has shifted towards better privacy protection in the online environment. Research has been done on various possibilities combining electronic authentication with the needs for anonymity or the use of multiple virtual identities. The efforts of the European Union to promote advanced personal data protection for its citizens should not be contradicted by its regulatory framework for electronic authentication. Closer examination is needed on the possibilities to combine anonymity and pseudonymity with the provisions of the eSignatures Directive.

These lessons should be taken into account for any future update of the eSignatures Directive, and especially when contemplating the extension of the eSignatures Directive to cover other IAS services.

5.3 What are the alternatives?

The overview above shows that the regulatory approach of the eSignatures Directive, while having clear weaknesses to be addressed, could conceptually be applied to other IAS services as well. However, it should also be recognized that there are alternative approaches, and that a single comprehensive legal framework (an IAS Directive, with national IAS supervisory bodies and European generally recognized IAS standards) may not be the most effective approach. All alternatives need to be duly recognized.

Conceptually, a number of options are available to the Commission. Apart from the two default policy options (i.e. the no policy option of having no framework at all, and the status quo option of keeping the eSignatures Directive as is), the following possibilities are theoretically available:

- A lighter, simpler eSignatures framework, based e.g. on the 2001 UNCITRAL Model Law on Electronic Signatures [59], at the exclusion of any other IAS services;

- A light IAS framework based on the New Approach regulatory style;

- Making only minimal changes to the eSignatures Directive to address some of the shortcomings mentioned above, but without further touching upon other IAS services;

- Adopting separate directives (or other regulatory instruments) for each IAS service to be covered as the need is recognized (an eSignatures Directive/Decision, an eID Directive/Decision, a Time stamping Directive/Decision, etc.). A mixture of these instruments could also be considered, as is suggested by the actions of the Digital Agenda (which suggests a revision of the eSignatures Directive without speculating yet on what the result would be; and a Decision on the mutual recognition of eIDs);

- Adopting a comprehensive IAS Directive.

In the following steps of this Study, we will develop and assess the possible options for a future IAS policy framework.

[59] See http://www.uncitral.org/uncitral/uncitral_texts/electronic_commerce/2001model_signatures.html

6. Conclusions

The current Directive is very strongly focused on one IAS business model, namely the provision of services aiming to create eSignatures as substitutes for hand written signatures, which was the centre of the attention from 1998 and 2000 but which has progressively been replaced by a much more heterogeneous and complex IAS market situation. The regulatory framework thus includes, for example, quite detailed rules for certificate providers issuing signature certificates to the public but does not deal with other categories of IAS or trust service providers.

The regulatory needs relating to other categories of trust service providers are nevertheless at least as urgent as those with regard to certification authorities. There is, for example, a clear need for regulation dealing with archival service providers, or with registered mail services. From a user's perspective it is difficult to understand why such services remain completely unregulated, while at the same time such a complex regulatory framework has been established for issuers of certificates.

In the table below, the main policy goals with respect to IAS services are summarized, along with a brief mapping to the current scope of the eSignatures Directive, and a high level proposal for expanding the scope of the eSignatures Directive to cover other IAS services, while addressing the weaknesses of the current legal framework as described above.

6.1 IAS summary of challenges and goals from a policy perspective

General Policy objective: to facilitate the smooth working of electronic transactions in the internal market (as noted in the Tender specifications for this Study). This implies that IAS services should be addressed as a market service, and that the goal of a European policy framework for IAS should be to enhance trust in IAS services for users.

Specific policy objectives as described in the Digital Agenda:
- Free internal market for IAS services (i.e. no prior authorisation or legal restriction; and application of country of origin rules)
- Free internal market for IAS products (i.e. free circulation of compliant products)
- Cross-border legal acceptance of IAS services and products (i.e. legal validity of IAS services should not be questionable)
- Promoting the market IAS related (i.e. legal framework for IAS must be conducive to enable trust)

Does the current legal framework match the policy objectives? Current Directive limited to "data authentication" (cfr recital 4 and 8). Per objective, in the order listed above:
- Free internal market for certification services (no authorisation, country of origin). See art. 3.1 and art. 4.1
- Free internal market for signature products (no authorisation, country of origin). See art. 4.2
- Cross-border legal acceptance of electronic signatures. See art. 5
- Promoting the market of data authentication related services and products. See recital 11

Challenges in relation to eSignatures based on the current Directive, per objective:
- Ambiguities lead to diverging application (supervision processes and criteria)
- Ambiguities lead to diverging application (assessment requirements, processes and criteria)
- Ambiguities lead to diverging application (SSCD requirements, supervision processes)
- Too many ambiguities; bad alignment between legal, technical and trust framework.

Challenges in relation to IAS based on the current Directive, per objective:
- Limited difficulties, but internal market obstacles for IAS services may be created through national laws
- Internal market obstacles due to ambiguity of the scope of the provisions of the Directive: are IAS services other than eSignatures affected and how? This is uncertain.
- No cross-border legal acceptance of other IAS related results (time-stamp, seal, archive, ...)
- No promotion of other IAS products and services. The current Directive does not enable this in any meaningful way

Envisaged legal framework for IAS services: what changes are needed? Per objective:
- Broaden the scope of the internal market clauses. Ensure that IAS services are unambiguously covered.
- Broaden the scope of the internal market clauses. Ensure that IAS products are unambiguously covered.
- Introduce legal acceptance clause for other IAS results and introduce similar minimum requirements for IAS results
- Promote the market of other IAS products and services

How can changes be implemented? Per objective:
- Option 1: broaden definition of certification service provider or broaden definition of electronic signature (currently limited to 'data authentication'). Or Option 2: introduce new definitions for IAS service providers
- Option 1: broaden definition of electronic signature product. Or Option 2: introduce new definition for IAS products
- Implement similar regimes as for electronic signatures, i.e. combination of general acceptance clause and equivalence clause for other IAS services. Establish equivalent requirements for other IAS services.
- Make reference to other IAS services and products in recitals. Ensure scope of internal market clauses also includes IAS services and products

Clearly, while the eSignatures Directive is a conceptually sound model, further IAS guidance is needed in order to enable trust in IAS market services, as required by the Digital Agenda. Existing practices and examples will be identified and assessed in Deliverable 2 of this Study, and policy options will be defined in deliverable 3, along with a proposal for a suitable legal framework for IAS services.

6.2 Perspectives for a future comprehensive trust services framework

While more precise proposals for a future trust services framework will be developed in future deliverables of this Study, the viability of a model based on the approach of the current eSignatures Directive can already be briefly demonstrated in this section, building on some of the observations made above. The definitions provided in Section 2 of this document can be used as a basis for the establishment of a new IAS policy. Considering the IAS policy challenges and goals as described above, the figure below provides an illustration of a possible structure for a future IAS trust services framework, which would need to be implemented in practice through appropriate legal, technical and organisational outputs.

Figure 8 (elements shown in the figure):
- Common section: Principles; Requirements on Trust Service Providers; Internal Market; Supervision/Accreditation (incl. Trusted Lists); Harmonisation / Mutual Recognition; Technological neutrality + legal effect of compliance to standards ("New Approach"); Privacy and Data usage policies
- Specific Trust Services: eSignatures (e-consent): eSignatures, eSeals; eIdentity Attribute Assertions; Identity Attributes Assertions (e.g. Certificates, signed statements); Mandates, Authorisations; Pseudonyms; «Official eID»; eAuthentication (Data &/or Entity); Time-Stamps; eSignature Validation Assertions; Registered Electronic Delivery; Information Preservation (eArchiving); Digitised Data (certified true to the original)
- Specific Sections: Requirements for guaranteed legal effect; Liability; References to standards

As the above figure illustrates, it should conceptually be possible for a future IAS policy framework (including the legal translation of this policy into e.g. a Directive or a Decision) to establish a series of common principles for all trust services, and to define the unique characteristics of each trust service in a separate section. These trust service specific sections could be structured as listed in the figure above.
A first trust service type would then correspond to electronic signatures (as currently also covered by the eSignatures Directive), establishing rules for different types of signature (from simple to qualified, as well as depending on the type of signatory signature or seal), the signature creation devices and Signature Generation Service Providers. The second section would cover among other elements TSPs issuing certificates. As is currently already the case for eSignatures, specific provisions would apply to trust service tokens that meet the requirements laid down in a specific annex/list ("qualified tokens", in analogy with qualified signatures), and which would be provided by a Trust Service Provider who fulfils the requirements laid down in a specific annex/list (analogous to CSPs issuing qualified certificates to the public under the present Directive), so that these tokens can then benefit from a predictable and harmonized legal value. If desired, policy provisions and technical requirements could be aligned on multiple levels of assurance (LoA), as illustrated in the Table 1 below.

Table 1 (per level of assurance: token per type of trust service, with its legal value in parentheses where stated):
- Qualified (LoA4): ESig: AdESig + QC + SSCD (equivalent to handwritten signature); ESeal: AdESeal + QC + SSCD (legal certainty); Time-Stamp: QTST (legal certainty); Digitised Data: QDD (legal certainty); Digital Certificate: QC, corresponds to QCP+ certificate policy (legal certainty); RED: QRED (legal certainty); RED receipt: QREDreceipt (legal certainty); I.P. Archive: QIPA (legal certainty); IAA: QIAA (legal certainty); SCD/ACD: SSCD/SACD (legal certainty); Signature Validation Assertion: QSVA (legal certainty)
- LoA3: ESig: AdESig QC; ESeal: AdESeal QC; Digital Certificate: corresponds to QCP certificate policy
- LoA2: ESig: AdESig; ESeal: AdESeal; Digital Certificate: corresponds to NCP+ or NCP certificate policy
- LoA1: ESig: ESig; ESeal: ESeal; Digital Certificate: corresponds to LCP certificate policy

Obviously, it is not necessary for multiple levels of assurance to be defined for each type of trust service (indeed, for some trust services the existence of multiple levels of assurance may not be meaningful), but the model is flexible enough to allow this if desired, or to allow standardisation bodies to standardise on these matters. For some service types, including specifically electronic identification, this is an important asset.

The model may also be further aligned to the "quality classification scheme for eSignature elements" defined in CROBIES 24 WP 5.2 (depicted here below) and the "eSignature Business factors" approach underlying a business guidance approach to electronic signature implementation as annexed to the ETSI/CEN Draft Special Report Rationalised Framework for eSignature standardisation 6.

Figure 9

Clearly, there are many ways to formalize and structure this vision, as already explained above (see Section 5.3 - What are the alternatives?), and difficult choices will need to be made on the types of trusted services to be covered by a future European IAS policy framework. This question will be examined and addressed by future deliverables of this study. None the less, the brief outline presented above may serve as an illustration that a comprehensive trust services framework based on a set of common principles appears to be conceptually viable, and would be capable of addressing the European policy goals in this area.

7. Appendices

7.1 Abbreviations

AdES: covers AdESig, AdESeal, and AdEStamp
AdESeal: Advanced Electronic Seal
AdESig: Advanced Electronic Signature
AdEStamp: Advanced Electronic Stamp
AdES QC: Advanced Electronic Signature supported by a Qualified Certificate
CRL: Certificate Revocation List
IAA: Identity Attribute Assertion
IAAP: Identity Attribute Assertion Provider
IPSP: Information Preservation Service Provider
IUI: Inimitable Unique Identity
OCSP: Online Certificate Status Protocol
PKC: Public Key Certificate
QC: Qualified Certificate
QES: Qualified Electronic Signature
RED: Registered Electronic Delivery
REM: Registered Electronic Mail
SGSP: Signature Generation Service Provider
SP: Signature Policy
SSCD: Secure Signature Creation Device
SVSP: Signature Validation Service Provider
TASP: Trust Application Provider
TL: Trusted List
TSL: Trust-service Status List
TSP: Trust Service Provider
TSP PKC: Trust Service Provider issuing Public Key Certificates
TSP QC: Trust Service Provider issuing Qualified Certificates
TSSLP: Trust Service Status List Provider
TSSP: Time Stamping Service Provider
TST: Time Stamp Token
TSrT: Trust Service Token
UI: Unique Identity

7.2 Workshop report: analysis of comments received

7.2.1 Scope of the present section

The IAS Study team committed to send to the Commission updated and finalized deliverables D1 and D2 integrating the feedback received at the Study workshop held in Brussels on 3rd of October 2011 as well as integrating feedback received after the workshop via the IAS Study website or any other means of communication. Surprisingly, most of the received comments do not specifically relate to deliverables D1 and D2, but are rather oriented towards the description of gaps identified in the Directive 1999/93/EC and / or are focusing on topics that respondents found relevant to introduce in the framework of a new Regulation on IAS.

The present section bundles the received inputs and classifies them into considerations that have an impact on D1 and/or D2 on one hand, and elements that are more relevant to take into account for the establishment of the new Regulation on IAS. In particular, the present section distinguishes elements that impact D1 and/or D2 directly and proposals or comments that cannot be taken up directly, while providing an explanation why these proposals or comments cannot be taken into account.

Based on the conducted review of the feedback and inputs received, it appears that the general observations and analysis of the study team's first report were relatively widely accepted as valid and that most of the relevant proposals were either already present in the deliverables, or that they relate specifically to the definitions in D1. Thus, instead of amending D1 with each and every respondent's proposals (which are occasionally contradictory between the various correspondents and do not take into account the subsequent discussions with the Commission), the IAS team prefers to keep the initial terminology without modifying D1. Any modifications would create the risk of some respondents feeling that definitions are moving away even further from their inputs than before. Rather than introducing such harmful dichotomy, the IAS team prefers to consider the initial D1 definitions as a starting point for the establishment of the definitions, considering that the proposals from the respondent, when relevant, have been taken into account for building the ad-hoc deliverable together with the outputs of the discussions with the Commission.

7.2.2 Summary workshop feedback

a. Topics to consider for the IAS regulation

Firstly, it is clear that the general observations and analysis of the study team's first deliverable D1 were relatively widely accepted as valid. Notwithstanding smaller concerns highlighted in the IAS project Workshop report delivered to the Commission in October 2011 (notably with respect to the importance of context and the role of eConsent as an element of eSignatures), the report therefore seems fundamentally suitable as a basis for taking the study to the next stages.

For those next stages however, and notably with respect to the drafting of policy proposals, several concerns were raised. A red thread within these comments was the need to retain a "light touch" framework, and notably to ensure that not all details are set in stone by future regulations. Thus, the study team will need to state carefully why certain proposals would be necessary and proportionate to achieve the EU's policy goals, in order to ensure that it remains as light touch as possible without endangering the achievement of these policy goals.

A similar observation was also made with respect to the scope of future proposals. The extension of regulations to cover electronic identification and ancillary services causes some concerns with some of the stakeholders. It is often not yet clear what the market for these services is, or indeed whether there is a significant market for them, and the regulatory framework should take care not to disrupt the evolution of these markets by creating (rather than removing) barriers. However, other comments go in a diametrically opposite direction, pleading for this extension as ancillary services are intrinsically linked to eSignatures and already covered by national/local rules.

Finally, stakeholders repeatedly emphasized the need to ensure that the IAS framework (including legal and technical aspects) is capable of aligning with international evolutions. The key goal is interoperability on an international market, and the creation of a European island of harmonized service should be avoided.

b. Specific comments and impacts on D1 and D2

A few very specific comments were raised during the workshop, specifically with regard to the terminology used in IAS D1:
- A series of comments recommends tackling privacy more closely, in particular by considering concepts like untraceability, transparency, anonymity, pseudonymity, etc.

- Some of the core concepts within D1 are questioned as they should also consider the processes and context; context is an important factor for defining identity, and this is currently not recognized in the definitions.

In addition, with regard to the initiatives to consider in IAS D2:
- A participant recommends that IAS team takes into account several initiatives not mentioned yet in D2. In particular, NATO is also developing a plan for managing access to global commons (incl. cyberspace). They are looking to establish standards as part of an international cyber security strategy. Also, a recent Interpol study showed through two reports on identity fraud that ID fraud is a top enabler for crime, leading to parliamentary initiatives. Outcome: These projects are not mentioned as such. Identity fraud should be fought amongst others with a sound IAS regulatory framework, but requires a separate framework upstream from generic IAS rules, and is thus considered as beyond the scope of the IAS study.
- A participant recommends that the IAS team takes into account the ABC4trust initiative. Outcome: This project is already mentioned in D2.1.

7.2.3 Specific feedback received from individual experts

The study team received further feedback after the workshop from individual experts, largely in the form of written contributions. The received feedback is analysed in the sections below per respondent. Before exploring them in some detail, it is however worth highlighting some trends that deserve more emphasis, as most of the respondents share a convergent opinion on these topics.
- A large concern for privacy is expressed in relation to Identification and Authentication especially and most of the respondents draw our attention to the principles of privacy by design and user-centric privacy, based on minimal data disclosure technologies (on a need-to-know basis), zero-knowledge cryptography, combined or not with the intervention of identity provider, untraceability, untrackability, anonymity, pseudonymity, etc. A few respondents explicitly refer to the ABC4Trust initiative active in that field.
- Many comments insist on the need to deal with the legal entity signature (or eSeal).

- Some of the comments suggest that besides considering a regulation on IAS, one also needs to consider the relevance and potential benefits of having no regulation.

Finally, it is worth noting that the concept of consent as being inherently linked to eSignatures is debated. Some respondents are strongly in favour of unambiguously binding an eSignature with consent (or commitment or "intention to sign") of the signatory on the signed data, while others are reluctant as this would limit the scope of the eSignature concept in general.

7.3 Sources of IAS use cases

- FIDIS: Future of Identity in Information Society, www.fidis.net. Cases: fidis-wp2-del2.2_cases_stories_and_scenario.pdf; fidis-wp2-del2.6_identity_in_a_networked_world-usecases.pdf
- Modinis (2005-2007): https://www.cosic.esat.kuleuven.be/modinisidm/twiki/bin/view.cgi/main/webhome
- Prime: Privacy enhancing identity management research project FP6, www.prime-project.eu. Cases: https://www.prime-project.eu/prime_products/reports/reqs/pub_del_d2.2.a_ec_WP2.2_v5_Final.pdf
- PrimeLife: The FP7 continuation of Prime, www.primelife.eu
- STORK: Secure identity across borders linked, www.eid-stork.eu. Cases: D4.2 Final Report on eID Process Flows; D7.4 Common specifications A2A; List of Commission A2A services of Common Interest
- TAS3: Trusted Architecture for Securely Shared Services, www.tas3.eu


Study on an electronic identification, authentication and signature policy (IAS)
IAS in Europe: an overview of the state of the art
Final Version (D 2.2.b)
18 January 2013

Final Report - IAS in Europe: An overview of the state of the art (D.2.2.b)

This study was commissioned by the European Commission's Information Society and Media Directorate-General, in response to the general invitation to tender of the Directorate-General Information Society and Media, no SMART No 2010/008. The study does not, however, express the Commission's official views. The views expressed and all recommendations made are those of the authors.

Table of contents

1. SUMMARY OF THE STUDY GOALS AND SCOPE
1.1 Background of the Study
1.2 Scope of the Study
1.3 Role of this document in the Study
2. OVERVIEW OF CURRENT LEGISLATIVE LANDSCAPE AT NATIONAL, EU AND INTERNATIONAL LEVELS
2.1 Relevant laws in Member States: scope, impact and gaps
2.1.1 Austria
2.1.2 Belgium
2.1.3 Czech Republic
2.1.4 Estonia
2.1.5 Finland
2.1.6 France
2.1.7 Italy
2.1.8 Romania
2.1.9 Slovakia
2.1.10 Slovenia
2.1.11 Spain
2.2 Relevant laws from outside of the EU: scope, impact and gaps
2.2.1 Brazil
2.2.2 Malaysia
2.2.3 United States of America
3. OVERVIEW OF CURRENT NORMATIVE LANDSCAPE AT EU LEVEL
3.1 eSignature standardisation framework
3.1.1 Mandate M460 - a Rationalised Framework for European eSignature standards
3.1.2 Inventory of eSignature standards
3.1.3 Work Programme
3.2 Identity and Authentication standardisation framework
3.2.1 ETSI SIM
3.2.2 ETSI identity pre-standardisation efforts
3.2.3 CEN initiative in standardising cyber identity and unique identification of legal person and parts thereof
3.2.4 CEN TC 224 WGs
4. LEADING STUDIES, PROJECTS AND POLICY INITIATIVES
4.1 Identity and Authentication
4.1.1 The private sector perspective: scope, impact and lessons learned
4.1.2 The public sector perspective: scope, impact and lessons learned
4.1.3 The service supplier/vendor perspective: scope, impact and lessons learned
4.1.4 The academic perspective
4.1.5 Beyond the EU Member States
4.2 eSignatures
4.2.1 European Commission driven actions
4.2.2 Use of eSignatures in Large Scale Pilots: scope, impact and lessons learned
4.2.3 European sector specific initiatives
5. CONCLUSIONS

1. Summary of the Study goals and scope

1.1 Background of the Study

The purpose of the present project, as described in the tender specifications, is to study the feasibility of a comprehensive EU legal framework that would apply to electronic assertions needed to secure electronic transactions as well as the ancillary services needed to use them: electronic identification, authentication, signature, seals, certified delivery. The perspective would be to facilitate the smooth working of electronic transactions in the internal market. In other words, it would be based on article 114 of the Treaty on the Functioning of EU (TFEU).

The Digital Agenda confirms that "Electronic identity (eID) technologies and authentication services are essential for transactions on the internet both in the private and public sectors. Today the most common way to authenticate is the use of passwords. For many applications this may be sufficient, but more secure solutions are increasingly needed. As there will be many solutions, industry, supported by policy actions - in particular eGovernment services - should ensure interoperability based on standards and open development platforms." The Commission, therefore, will "In 2011 propose a revision of the eSignature Directive with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems". This Study aims to provide inputs for this action.

1.2 Scope of the Study

The scope of this study is to determine if and how a comprehensive European IAS framework could be formed, including the legal, technical and trust components required for such a framework. The study should include recommendations on how a complete and functioning legal, technical and trust framework for IAS services could be constructed. This recommendation should build on consultations of selected experts through direct discussions and workshops, as well as the feedback received through the Commission's 2011 public consultation on electronic identification, authentication and signatures.

1.3 Role of this document in the Study

The present Study mainly consists of three tasks that each correspond to a logical phase in the study. The phases and tasks can be graphically summarized as follows:

Figure 1: IAS study phases

The current document is Deliverable 2.1 - IAS in Europe: an overview of the state of the art, and corresponds to Phase 2 in the overview above. The goal of this report is:
- to provide a summary of the main IAS initiatives from a legal, technical and policy perspective that may impact the creation of a comprehensive European IAS framework. Specifically, this report will attempt to identify the main relevant past realisations, their scope, and any lessons learned.
- on the basis of this overview, this report will then identify any gaps to be filled or inconsistencies to be harmonized.
- finally, the overview of past initiatives (including laws and standards) can serve to identify good practices, which might prove useful as a model for IAS policy at the European level.

This document has been finalized in two iterations:
- An initial draft version of D.2.1. This document outlines the study team's initial thoughts and opinions on the four aspects outlined above. This draft was presented to the Stakeholders for discussion.
- Based on the feedback received, a final version has been produced.

The analysis of the feedback received from experts and from the workshop shows that the initial deliverable D.2.1 considers the state-of-the-art in the field of IAS in a quite complete and appropriate manner as the comments from the experts and the workshop refer either (mostly) to initiatives already considered in the deliverable or (sometimes) to initiatives out of scope of the study. For the details on each and every feedback and the justification of why some comments can eventually not be considered within D2, the reader is invited to read the document annexed to the final version of D1.1.

As indicated in the graphic above, this report is one of the key inputs for the recommendations of phase 3. Specifically, the good practices identified in this report have been a valuable input for drafting EU policy recommendations that are grounded in national practice and experience.

2. Overview of current legislative landscape at national, EU and international levels

2.1 Relevant laws in Member States: scope, impact and gaps

As has already been briefly signalled in the first deliverable of this study, several Member States have gone beyond the scope of the eSignatures Directive by implementing a legal framework that more profoundly impacts IAS services, e.g. by providing requirements for time stamping services, electronic registered mail, or certain subcategories of eSignatures (e.g. company seals or public sector signatures). Clearly, these laws can be very instructive as examples to any future European IAS regulatory initiatives, by highlighting how services can be defined, what requirements (if any) should be imposed, and what legal effect (if any) should be attached to them.

In the sections below, we will examine the relevant legislations of Member States who have taken such a more extensive approach towards IAS. It should be emphasized that the overviews below are likely not complete. It has been drafted based on an extensive review by the study team of available literature; however, given the relative novelty of this policy area, it is not unlikely that some legal initiatives may not be included in the list below.

2.1.1 Austria

a. General approach and scope of legislation

As one of the EU's leading countries with respect to eGovernment, Austria has adopted legislation regulating not only eSignatures through the eSignatures Act (Signaturgesetzes 1), but also electronic identification, through the 2004 eGovernment Act (E-Government-Gesetz 2). Both of these expand significantly on the basic scope of the eSignatures Directive:
- the eSignatures Act introduces rules for time stamping (Zeitstempeldienste), including qualified time stamping (Qualifizierte Zeitstempeldienste);
- the eGovernment Act supports the use of the Citizen Card (Bürgerkarte) concept, i.e. the use of a means of authentication (not necessarily in the form of a smart card) for the purposes of identification, electronic signing and storing representation data 3. Thus, apart from general eSignature rules, the Act also provides rules with respect to identity and authenticity (§ 2-3). Furthermore, as an eGovernment act, it also provides rules for a specific category of signatures for civil servants (the Amtssignatur, § 19) and for the authenticity of printouts of electronic documents (§ 20).

1 See http://www.signatur.rtr.at/en/legal/sigg.html
2 See http://www.ris.bka.gv.at/geltendefassung.wxe?abfrage=bundesnormen&gesetzesnummer=20003230
3 See http://ec.europa.eu/idabc/servlets/doc097b.pdf?id=32320

For the eSignatures Act, the added value compared to the eSignatures Directive can be summarized as follows:
- the entire Act is stated to apply equally to CSPs issuing qualified signature certificates or qualified time stamping certificates (§ 1.3);
- the qualified time stamp (qualifizierter Zeitstempel) is defined in § 2.12 as "an electronic assertion stating that specific electronic data has been presented at a specific point in time, which meets the security requirements of this Federal Act and of any regulations issued on its basis";
- high level requirements for qualified timestamping service providers are stated in § 10, focusing on the requirements to implement appropriate security guarantees to ensure the accuracy and authenticity of its assertions, and in documenting its approach to ensuring the reliability of its services through its policies. Trustworthy systems, products and processes must be used for the creation and storage of timestamps that provide protections against modification that ensure technical and cryptographic security. Signature creation data are to be kept secret, and the TSP must ensure that qualified time stamp data cannot be forged or manipulated without detection.

Both for qualified signatures and qualified time stamps, the security requirements of § 18 must be met. This paragraph also allows the adoption of more specific security requirements, and requires conformity assessment bodies to determine compliance. More specific requirements have been set through the eSignature Ordinance 4, for which § 11 defines requirements for qualified time stamping. These include notably:
- The mandatory use of an SSCD, and compliance with algorithms and parameters specified in Annex to the Ordinance;
- The use of certificates that are intended specifically and exclusively for the purposes of time stamping, and which have been marked as such;
- Date and time must be asserted in CET, specifically in summer time; any other time zones must be specifically mentioned;
- The TSP may not allow deviation from the real time exceeding one minute;
- Any restrictions in the availability over time of the service must be explicitly communicated.

4 See http://www.signatur.rtr.at/en/legal/sigv.html

Interestingly, the legal effect of qualified time stamping is not defined along with the legal effect of qualified electronic signatures (§ 4), nor anywhere else in the Act, other than in the definition of the qualified time stamp itself ("stating that specific electronic data has been presented at a specific point in time").

With respect to the eGovernment Act, the approach can be briefly summarized as follows: The Act defines crucial concepts such as identity, unique identity, identification, authenticity and authentication in § 2. The following definitions are used:
- "Identity": the designation of the individuality of those involved by characteristics that are particularly well suited to allow them to be distinguished from others; including through such characteristics as their name, date and place of birth, but also the company number or alphanumerical numbers;
- "Unique identity": the designation of the individuality of those involved by one or more characteristics, allowing them to be uniquely distinguished from all others;
- "Identification": the process of validating or establishing the identity;
- "Authenticity": the truthfulness of a declaration of will or of an act, in the sense that the claimed author can be determined to be the actual author;
- "Authentication": the process of validating or establishing authenticity.

A Citizen's card is in turn defined as a logical unit that allows the creation of a qualified signature and which contains a so-called identity link (Personenbindung), and which may also contain representation data. The identity link is issued by the sourcePIN (Stammzahl) Register Authority. It is a signed SAML record containing:
- the sourcePIN which is the citizen's unique identifier derived from the Central Resident Register (or the Supplementary Register)
- the citizen's name and date of birth
- data that links the identity link to the qualified certificate stored on the token
- the signature of the sourcePIN Register Authority

The sourcePIN may only be stored in the identity link in the citizen card, thus is under sole control of the citizen. SourcePINs otherwise benefit from explicit legal protections (§ 12). The eIDM model implemented using the citizen cards is based on sector-specific PINs that are derived from the sourcePINs. Using cryptographic one-way functions the sector-specific identifiers are calculated so that the citizen is uniquely identified in one sector, but identifiers in different sectors cannot be unlawfully cross-related. The Sector Delineation Regulation (E-Government-Bereichsabgrenzungsverordnung - E-Gov-BerAbgrV) defines 26 sectors of State Activity so that within each sector using the same identifier no data protection issue is caused.
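The sector-specific derivation described above can be illustrated with the following added example, which is not part of the report and is not the derivation specified by the Austrian regulation. SHA-256, the domain label, the sector codes and the sample sourcePIN values are assumptions constructed for the illustration.

```python
import base64
import hashlib

# Constructed sector codes: the report states that 26 sectors are defined
# but does not list them, so these names are placeholders.
SECTORS = ("SECTOR-TAX", "SECTOR-HEALTH", "SECTOR-EDUCATION")

# Assumed domain-separation label, not taken from any specification.
DOMAIN_LABEL = b"example-sector-pin-v1"

# Constructed sourcePIN values, made up for this example.
SAMPLE_SOURCE_PINS = [
    "Q29uc3RydWN0ZWQtUElOLTAwMQ==",
    "Q29uc3RydWN0ZWQtUElOLTAwMg==",
]


def _length_prefixed(field):
    """Prefix a field with its 2-byte length so that concatenated fields
    cannot be re-split differently ('AB' + 'C' versus 'A' + 'BC')."""
    if len(field) > 0xFFFF:
        raise ValueError("field too long")
    return len(field).to_bytes(2, "big") + field


def derive_sector_pin(source_pin, sector):
    """Derive a sector-specific identifier from a sourcePIN with a one-way
    function (SHA-256 here, an assumption of this example)."""
    if not source_pin:
        raise ValueError("source_pin must not be empty")
    if sector not in SECTORS:
        raise ValueError("unknown sector: %r" % (sector,))
    material = (
        _length_prefixed(DOMAIN_LABEL)
        + _length_prefixed(source_pin.encode("utf-8"))
        + _length_prefixed(sector.encode("ascii"))
    )
    return base64.b64encode(hashlib.sha256(material).digest()).decode("ascii")


def build_sector_register(source_pins, sector):
    """What one sector's application stores: records keyed by the
    sector-specific identifier only. The sourcePIN never enters the register."""
    return {
        derive_sector_pin(pin, sector): "%s record #%d" % (sector, index)
        for index, pin in enumerate(source_pins, 1)
    }


def linkable_identifiers(register_a, register_b):
    """Identifiers present in both registers, i.e. what a join on the
    identifier column of two sector databases would match."""
    return set(register_a) & set(register_b)


def find_own_record(source_pin, sector, register):
    """The holder of the sourcePIN can recompute the identifier for a sector
    and locate the matching record; returns None if there is no match."""
    return register.get(derive_sector_pin(source_pin, sector))


def demo():
    tax = build_sector_register(SAMPLE_SOURCE_PINS, "SECTOR-TAX")
    health = build_sector_register(SAMPLE_SOURCE_PINS, "SECTOR-HEALTH")
    return {
        "tax_identifiers": sorted(tax),
        "health_identifiers": sorted(health),
        "linkable_across_sectors": linkable_identifiers(tax, health),
        "own_tax_record": find_own_record(SAMPLE_SOURCE_PINS[0], "SECTOR-TAX", tax),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The unlinkability shown here depends on the sourcePIN staying out of the sector registers, which matches the report's statement that it may only be stored in the identity link on the citizen card.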

In electronic communication with the public sector, access rights to personal data can only be granted if the unique identity and the authenticity of the access request can be demonstrated. Identification is however not a routine process: the Act specifies that it may only be requested by a public authority insofar as this is necessary in the course of its official function (§ 3).

Despite the designation of being an eGovernment Act, it also specifies certain rules for using the citizen card in the private sector (§ 14-15). Companies can use the citizen card to derive private sector-specific PINs that are unique within their sphere, but cannot be cross-linked with identifiers of other entities.

For electronic signatures created by public administrations, so-called official signatures (Amtssignatur) have been defined in the eGovernment Act (§ 18). Official signatures are indicated by an attribute in the certificate (an object identifier). They serve to facilitate recognition of the fact that a document originates from an authority. The official signature is represented in the electronic version of the document by an image which the authority has published on the Internet. Furthermore, the public authority is required to provide information on how to validate the signature. Finally, the eGovernment Act specifies that eDocuments signed with an official signature have equal legal value to official attestations (öffentlichen Urkunde) (§ 19). The print-out of the document itself must indicate a website where it can be electronically validated.

b. Lessons learned

Both Acts are very instructive on a number of points:

With respect to the eSignatures Act, the simple integration of qualified time stamping (and only qualified time stamping, without any non-qualified level) is interesting. The legal effect is indirectly stated, namely by noting its function in the definition, and through its security requirements (e.g. allowing only one minute of deviation with the actual time). Otherwise, very few additional provisions appear to have been necessary, in comparison to the generic eSignatures rules.

With respect to the eGovernment Act, the definitions are highly instructive, especially the distinction between identities and unique identities. The implementation is very privacy oriented and reliable, building on official identity registers and obfuscating the primary identity number through a mechanism of context specific derivative numbers via the identity link. However, this is also an approach which may be harder to transpose to other countries, given the reliance on pre-existing infrastructure (notably reliable identity registers and a unique identification number) implemented through Citizen Cards.

The official signature is an interesting concept, especially in combination with the eDocument validity and validation information obligations (i.e. their legal equivalence to official attestations and the support for validation of print-outs, which facilitates the transition between paper and electronic documents).

2.1.2 Belgium

a. General approach and scope of legislation

(a) Applicable legislation

The first legal instrument of relevance is the preliminary draft of a bill which would expand the scope of the current E-signatures Act of 9 July 2001 by integrating ancillary services such as electronic archiving and electronic registered mail in the current E-signatures Act. Due to ongoing difficulties with the government in Belgium, there has been a delay in reviewing and adopting legislation which is deemed to be non-urgent.

A part of this preliminary draft, namely the chapter on electronic registered mail, was introduced in the Act of 13 December 2010 since this fit in with the liberalisation of the postal sector. This new legislation modified the act governing the organisation of postal services in Belgium and introduced legal constraints for the electronic registered mail in the Act of 9 July 2001. "Electronic registered mail" was defined as "any service of electronic data transfer that includes a lump sum guarantee against the risk of loss, theft or damage of the data, in which the sender, possibly at his request, receives proof of sending and/or of delivery to the addressee". Under the modified E-signatures Act, electronic registered mail was considered to meet the requirements of registered mail, unless further regulatory requirements apply. In the absence of such requirements, electronic registered mail will be usable in all cases where traditional registered mail is legally required. The constraints included in the Act of 13 December 2010 were to be effective on 30 June 2011.

Unfortunately, Belgium passed the legislation forgetting to notify the European Commission and without following the provided procedure under the "transparency" European Directive saying that any Act for the information society domain must be notified to the European Commission and is subject to a standstill period of 3 months to give the Commission the time to develop an opinion on the compliance of the Act at the European level. The Act of 13 December 2010 did not comply with this standstill obligation and was published without notification and therefore the Act was withdrawn. Nevertheless, the preliminary draft still awaits approval by the Belgian government and is expected to be implemented into national law in the near future.

Apart from this preliminary draft, there is also a second legal instrument which requires mentioning, namely the Belgian Act of 15 May 2007 concerning the establishment of a legal framework for certain trusted service providers. The Act foresees that for each of the services specific provisions must be determined in executive (royal) decrees, at the latest on 1 December 2007. However, due to the long-lasting difficulties within the Belgian government (or lack thereof), the Act never fully entered into force due to missing executive (royal) decrees.

What follows is a summary of the most noteworthy provisions of these two legal instruments.

(b) Preliminary draft

New definitions

The Act introduces a number of new concepts and also further specifies and/or broadens a number of existing notions:

- "Certification service provider" is broadened by the following words in italics: each natural or legal person who issues and manages certificates, or provides electronic archiving services or services of electronic registered mail, or other services regarding electronic signatures.
- The concept of "administration" is broadened and adapted by the following words in italics: the services of the General Directorate Energy of the FPS Economy, S.M.E.s, Self-Employed and Energy which is charged with the tasks regarding accreditation and verification of the certification service providers which issue qualified certificates, qualified electronic archiving services or services of qualified electronic registered mail services and are established in Belgium.
- The definition of "electronic archiving service" is added and defined as "service which primarily consists of retaining electronic data and which is provided by a certification service provider or which is exploited for the own account of a natural or legal person."
- The definition of "electronic registered mail service" is added and defined as "service provided by a certification service provider regarding the transfer of electronic data which consists of safeguarding on a flat-rate basis against the risks of loss, theft or damage of the data, whereby the sender, where appropriate upon his request, receives an acknowledgement of the delivery and/or of the order of the sending to the addressee."
- The definition of "qualified electronic archiving service" is added and defined as "electronic archiving service provided by a certification service provider who meets the requirements set forth in Annex V of this Act or which is exploited for its own account by a natural or legal person which meets the requirements of abovementioned Annex, except for the letters l, m and n."
- The definition of "qualified electronic registered mail" is added and defined as "electronic registered mail service which is provided by a certification service provider who meets the requirements set forth in Annex VI of this Act."

Scope

The scope of the preliminary draft is broadened (in comparison to the current legislation) by adding, apart from electronic signatures, electronic archiving and electronic registered mail.

The tasks of the certification service providers, as mentioned in the Act, are broadened from only providing (qualified) certificates for electronic signatures to providing (qualified) certificates for electronic archiving services and electronic registered mail services.

The possibility for the King to require additional demands in a Royal Decree for the use of electronic signatures in the public sector is broadened to the option of requiring additional demands also for qualified electronic archiving services or services of qualified electronic registered mail.

The scope of chapter V of the Act is broadened from only applying to certification service providers which issue certificates, to certification service providers which also provide qualified electronic archiving services or qualified electronic registered mail services.

New provisions

A number of new provisions has been introduced by the Act.

Firstly, the Act foresees that the certification service provider which provides qualified electronic archiving services or qualified electronic registered mail services to the public, can be held liable for the damage he inflicts to each entity or natural or legal person which is due to the non-compliance of the requirements set forth in respectively Annex V or Annex VI of the Act, unless the certification service provider can demonstrate that there is no negligence on his behalf. Such certification service provider can determine the restrictions on the use of his service, provided that these restrictions are recognizable to third parties. The certification service provider is not liable for damage resulting from the use of the service whereby the indicated restrictions of use are transgressed.
It was also added that in the event an acquisition of the activities of a certification service provider is not possible, the certification service provider must inform the users of his services of the termination of his services without delay and offer them the possibility to transfer the files to another service provider within two months at no additional cost or to have the retained data returned.

The following provision on documents accepted as proof was added: "Subject to the application of the specific legal and regulatory requirements a transcript realised by means of a qualified electronic archiving service is considered to constitute a trustworthy and sustainable transcript in the sense of article 1335bis of the Civil Code."

The following provision was also added: "The explicit or implicit requirement of a registered mail can be met provided that the sender used an electronic registered mail service. Subject to the application of specific legal or regulatory requirements regarding registered mail, a qualified electronic registered mail is considered to meet the explicit or implicit requirement of a registered mail."

Finally, when the contract regarding the electronic archiving is terminated, for whatever reason, the provider of the electronic archiving service cannot invoke a retention right on the data towards the recipient of the service. At the termination of the electronic archiving contract, for whatever reason, the provider of the electronic archiving service must ask the recipient of the service by registered mail what should happen with the data which were given to him. In the event the recipient fails to answer within three months, the service provider may proceed with the destruction of the data, provided that there is no explicit prohibition from a judicial authority or competent administration to do so.

Requirements for certification service providers

Annex V, containing the requirements for certification service providers of qualified electronic archiving services, and Annex VI, containing the requirements for certification service providers of qualified electronic registered mail services, are added. Both Annexes include requirements of reliability, security, transparency and financial stability (including liability insurance), and also describe at a high level which organisational processes are required to implement the services. More specifically, the certification service providers must:

a. Demonstrate that they are sufficiently trustworthy to provide certification services.
b. Only retain and consult the data insofar it is necessary for the execution of the service.
c. Taking into account the state of the art, take all adequate technical and organisational measures to secure the data against accidental or unauthorised destruction, loss, modification, damage or access by unauthorised third parties.
d. Apply the necessary measures to detect the normal and deceitful transactions to which the data are subject. The certification service provider must, to the extent possible, identify those who perform such transactions. He must register these data, ensure the dating of the data and retain the registered data during the entire retention period of the data concerned.
e. Take the necessary measures to keep the data legible at least during the legal or regulatory or contractual term.
f. Apply the necessary measures, taking into account the state of the art, to avoid any modification of the retained electronic data during the retention, consulting or transfer, except for the modifications regarding the carrier or the electronic format of the data.
g. Return the requested data in a legible and usable format as discussed with the recipient, within a reasonable period of time upon request of the recipient of the service.
h. Implement a system which prevents the voluntary destruction of the archived data in order to completely or partially repair the data.
i. Work with specialised personnel, and where appropriate with subcontractors, who have the specific knowledge, experience and qualifications necessary for carrying out their services, and submit them to a confidentiality obligation.
j. Use a dating system by means of electronic registration based on the coordinated universal time each time the date and/or time must be determined.
k. Use, when scanning original paper documents, a system which reproduces the original document in electronic format in a trustworthy manner.
l. Offer transparency towards the recipients regarding the offered provision of services.
m. Demonstrate impartiality towards the recipients of their services and towards third parties.
n. Dispose of sufficient financial means to be able to provide the service in accordance with this Act and its executive decrees and particularly to be able to manage liability for damage, by in any case being covered by an adequate insurance.
o. At the time of sending of the message, provide the identified addressee with a proof of sending, including an electronic signature in the sense of article 4 § 4 of this act or any other procedure which is contractually acknowledged as equal to a handwritten signature, indicating:
   - the identification of the service provider: trade name, address and electronic address;
   - the name of the recipient (addressee) as reported by the sender;
   - the date and time on which the message was processed by the system.
p. Guarantee the originality of the data by means of adequate security techniques, taking into account the state of the art.
q. Allow the sender to be correctly identified and the moment of sending be correctly indicated.
r. Prior to the sending being delivered, with or without proof of sending, appropriately verify the identity of the addressee of the electronic registered mail, or where appropriate the identity of the proxy.
s. Upon request of the sender, and depending on the circumstances, deliver the proof of sending or refusal of the message by the addressee, or the proof of non-delivery. This proof is provided with the date on which the message was received or refused by the addressee and contains an electronic signature of both the service provider and the addressee in the sense of article 4 § 4 of this act, or any other procedure which is contractually acknowledged as being equal to a handwritten signature. The proof of non-delivery must be provided after expiration of a term of fifteen days, starting from the date of sending of the message.

[Please note: requirements d - h and k: N/A for certification service providers of electronic registered mail; requirements o - s: N/A for certification service providers of electronic archiving]

Verification and sanctioning

Since the scope of the Act would be broadened to, apart from electronic signatures, also electronic archiving and electronic registered mail, the verification and sanctions as specified in chapter VII of the Act also apply to the certification service providers of electronic archiving services and electronic registered mail services.

(c) Act of 15 May 2007

Definitions

Each of the four services covering electronic data is defined in the Act. The definitions align with the definitions included in the Belgian Act of 11 March 2003 on the legal aspects of information society services. In practice anyone, either legal or natural person, can be a recipient of a trusted service. The trusted service may be used for either professional or other purposes.

"Provider of electronic archiving service": each natural or legal person which, usually in exchange for a remuneration and upon request of the recipient of the service, provides electronic archiving services, whereby the retaining of the electronic data constitutes an essential element of the offered service. This definition covers anything which can be retained by a service provider in one way or another, regardless of the carrier (CD-rom, hard drive, etc.) or regardless of the type of data (documents, connection data, etc.). The definition does not entail that the offered archiving service must be the principal activity of the service provider. Important to mention is that the electronic archiving of authentic deeds and documents which concern tax, judicial or social matters is explicitly excluded from the scope of the Act.

"Provider of electronic time registration service": each natural or legal person which, usually in exchange for a remuneration and upon request of the recipient of the service, provides services regarding the time registration of a set of electronic data. This definition is very broad in a sense that it allows any service to be eligible for electronic time registration. However, this definition does not indicate which method(s) of time registration can be used. The Explanatory Memorandum clarifies this point by indicating that especially time stamping must be considered. This technique of time stamping does however not register or date electronic data, as is incorrectly suggested in the definition. In reality it is a technique whereby the hash value of a file is sent to a server. The server will then return a digitally signed certificate with the exact time indication. The time is taken over from the atomic clock.

"Provider of electronic registered mail service": each natural or legal person which, usually in exchange for a remuneration and upon request of the recipient of the service, provides a service consisting of safeguarding on a flat-rate basis against the risks of loss, theft or damage, whereby the sender, or when appropriate upon his request, receives a proof of the delivery and/or of the order of the sending to the addressee. The way of defining electronic registered mail services copies the procedure which is applied for physical registered mail. The functions aspired by the physical registered mail are not necessarily implemented in an identical way in an electronic environment. Proof of sending and reception in such environment is mostly taken care of on the level of the server, through automatic and secured audit trails.

Functional equivalence is not achieved by copying the formal procedure but by starting from the functions which have to be achieved.

"Provider of service regarding the temporary blocking of sums of money": each natural or legal person which, usually in exchange for a remuneration and upon request of the recipient of the service, in light of an agreement concluded electronically and on a distance, provides a service aiming to block a sum of money which is deposited by the recipient of the service, and on the depositing of that sum of money to the addressee who is bound to deliver a good or a service in case the latter does not comply with his obligation. The purpose of this service is to block the purchase price on the account of a neutral third party in order to prevent that bad faith sellers would receive money without ever delivering the goods or services.

Scope

The Act applies to trusted service providers who are established in Belgium. Trusted service providers who are established elsewhere therefore do not need to comply with the provisions of the Act, and therefore cannot provide services which are compliant with the Belgian standards to generate certain legal consequences. The Act relates in particular to four services which cover electronic data, namely archiving, time registration, registered mail and temporary blocking of sums of money. Trusted service providers, such as notaries or banks, will have to apply divergent rules depending on whether they process paper or electronic documents.

A number of minimum quality standards is required, which are common to all four trusted services. The minimum quality standards concern (i) impartiality, (ii) data processing, (iii) transparency, (iv) expertise, (v) confidentiality and (vi) liability for damage. These quality standards resemble the requirements included in Annex V and Annex VI of the preliminary draft as discussed above. To each of the quality standards, a system of verification and criminal sanctioning is linked.
In addition to the quality standards which are set forth in the Act, executive (royal) decrees were expected to set forth specific provisions for each of the four services, and to determine the legal value attributed to the data which is electronically archived, electronically time stamped or sent through electronic registered mail. In addition, these decrees were also planned to determine the verification and notification procedures of which the Administration disposes, as well as the criminal sanctions which can be imposed.

Because of the fact that this Act was drafted very quickly due to urgency, the Act relied on executive decrees for the further elaboration of the legal framework. However, these executive decrees were never taken and therefore the Act lacks effectiveness.

Another point of criticism regarding this Act is that it is not entirely consistent with the philosophy of the European legislation in this domain since it hampers the cross-border provision of services on a European or global scale. This was also included in the European Commission's remarks on the preliminary draft of this Act.

Quality standards

The quality standards must be seen as a completion of the obligations to which the service providers were already subject based on general contract and liability legislation as well as legislation on commercial practices and information society services. The quality standards are in turn completed by the system of verification and criminal sanctions. The legislator is of the opinion that in the event these quality standards are complied with, this will attribute legal consequences to the electronic documents, data or sendings. For instance, regarding electronic archiving, the electronically archived document will be considered equal to the paper archived document, until evidence of the contrary. Concerning the electronically registered mail, the service will be estimated to fulfil the same functions as are traditionally attributed to the traditionally registered mail, until evidence of the contrary.

Impartiality: the trusted service provider must demonstrate impartiality towards the recipients of their services and towards third parties. This implies that the trusted service provider must abstract its own financial dependence from that of the client. Since it is not specified what "impartiality" really implies and who are considered to be "third parties", it is advised to assess the impartiality of the trusted service provider on a case by case basis.

Data processing: Subject to the application of the Data Protection Act of 8 December 1992, the trusted service provider cannot withhold the received data for any purpose.
This provision not only implies that the data processor must comply with the provisions of the Data Protection Act, but also that the data processor and the data controller (person responsible for the data processing) must conclude an agreement stipulating the liability of each of the parties involved. This obligation is sanctioned with a criminal penalty (namely a fine up to 137.500 EUR). In addition, the trusted service provider must, taking into account the state of the art, apply reasonable measures to secure the received data and in particular prevent the data from being transformed, damaged or made accessible to unauthorised third parties. This security obligation applies to both personal data and other data.

Transparency: the trusted service provider must offer to the recipients of the services, prior to the contract being concluded, direct access to the following information, which must be formulated in a clear and comprehensible way:

- the exact way and conditions of the use of the services;
- the functioning and accessibility of the services;
- the security measures taken;
- the notification procedure regarding incidents, complaints and disputes;
- the offered guarantees;
- the scope of their liability;
- the scope of the insurance coverage;
- the exact operation modes and conditions of the trusted service, including the imposed restrictions regarding the use thereof, especially concerning the legal consequences attached to the trusted service; relevant elements of that information must, upon request, also be put at the disposal of third parties who rely on the trusted service;
- in the event the trusted service has been notified, the accreditation number received by the service provider from the Administration.

This transparency obligation should allow recipients of the trusted services to make an informed decision on which trusted service provider they prefer to rely on, which is why the transparency obligation is formulated as a precontractual information obligation. Trusted service providers should carefully observe this transparency obligation, as it is sanctioned with a fine of up to 55.000 EUR.

Expertise: the trusted service provider is expected to work with personnel which disposes of the specific skills necessary for the provision of the services. The legislator does not confer any concrete requirements, so it is up to the trusted service provider to personally determine of which skills his personnel must dispose to adequately provide the services.

Confidentiality: the trusted service provider must submit its personnel to a confidentiality obligation. Although this is not specifically mentioned in the Act, it can be derived from this provision that the trusted service provider is also personally bound to treat the data received with confidentiality. More specifically all data which can be expected to have a confidential or sensitive nature fall under this confidentiality obligation. This obligation also applies to all information exchanged during the pre-contractual phase. In practice this implies that the trusted service provider will need to include confidentiality clauses in the employment contracts with his personnel or temporary workers, and will have to install additional organisational measures. This obligation is not specifically sanctioned by the Act, so one has to revert to the general liability provisions of civil law to see which sanctions apply.

Liability for damage: the trusted service provider must dispose of sufficient financial means to be able to provide the service in accordance with this Act and its executive decrees and particularly to be able to manage liability for damage, by in any case being covered by an adequate insurance. It has not been further specified what must be understood by "sufficient financial means".

Verification measures

The Act foresees a warning procedure initiated by the Minister of Economy or the civil servant appointed by him, whereby the offender is demanded (by registered mail with receipt or by delivery of a copy of the report in which the factual elements are determined, or by electronic registered mail) to terminate the infringing act. This allows the offender to comply with the provisions of the act without risking the criminal sanctions of the Act.

The civil servants appointed by the Minister of Economy are authorised to detect and identify the acts prohibited under this act. The detection and identification by the civil servants is supervised by the attorney general or the federal attorney.
In the event the damage inflicted to a third party is fully repaired, the civil servants appointed by the Minister of Economy may suggest to the offender the payment of a sum of which the payment will cancel the criminal proceedings. The amounts are to be determined by executive decree, and cannot be inferior or higher than the minimum and maximum fines foreseen by the Act. The offender is not obliged to consent to the proposition of settlement and is free to choose to defend himself during criminal proceedings.

Sanctions

The Act foresees fines from 1.375 up to 137.500 EUR for persons infringing the quality standards and for hindering the detection and identification by civil servants of prohibited acts. In the event of a criminal conviction it is advisable to inform the recipients of the trusted service on this, by affixing or publishing the judgment in newspapers or elsewhere.

2.1.3 Czech Republic

a. General approach and scope of legislation

(a) Electronic signatures

Legislation

The legal framework on electronic signatures in the Czech Republic is provided by the Electronic Signatures Act 227/2000 Coll. Ordinances belonging to this Act are the Ordinance on electronic filing rooms 496/2004 Coll., Ordinance on qualified certification service providers procedures 378/2006 Coll., and the Government Decree 140/2000 Coll. on the list of free trade licences.

The (very limited) Government Decree 495/2004 Coll. implements the Electronic Signatures Act and lays down rules for public authorities in very general terms. The Decree further specifies which authorities have to provide electronic access and which information they have to provide.

Due to lack of power and resources of the Ministry of Informatics (which was closed in 2007 and competences were transferred to the Ministry of Interior), the attempts in the Czech Republic to establish a centrally coordinated e-government failed. Consequently, the other administrative bodies created their projects independently of the wishes of the Ministry of Informatics. At this moment, the e-government is created by many applications developed in different ways by different public administration bodies. This however is not a coordinated process but rather a natural growth of applications of resorts that depend on activities of responsible persons in those administrative bodies. [5]

Electronic signatures

The Act provides a definition for electronic signatures and introduces a system of qualified electronic signatures and accredited qualification service providers issuing qualified certificates, qualified system certificates (which can be issued to legal entities) and qualified time stamp tokens. As regards electronically exchanging information with public authorities, the Act foresees that the use of electronic signatures in the public sector may be subject to additional requirements.
More specifically, only certified electronic signatures and qualified certificates issued by accredited providers of certification services can be used for electronically exchanging information with public authorities. In addition, the certificate has to contain a social security number.

[5] IDABC, Study on Mutual Recognition of eSignatures: update of Country Profiles - Czech country profile, July 2009, p. 4.

Electronic signatures are defined in accordance with the Directive, however, the definition does not contain any requirement on the specific type of electronic signature, nor on certification service providers issuing non-qualified certificates. However, the Act does contain requirements for advanced electronic signatures, namely:

- the electronic signature is linked to the signatory;
- the electronic signature is capable of identifying the signatory in relation to a data message;
- the electronic signature has been created and attached to a data message using means that the signatory can maintain under his sole control; and
- the electronic signature is linked to the data message to which it relates in such a manner that any subsequent change of the data is detectable.

Summarised, electronic signatures are only accepted in the event a person or entity is requesting for information without any document needing to be signed. Advanced electronic signatures are accepted only in a few cases (such as electronic invoicing). Consequently in most cases the only legal solution is to use electronic signatures based on qualified certificates issued by an accredited certification service provider. However, the use of qualified electronic signatures is not required by any act so in reality they are not often used.

Although the Act does not foresee a long term validity for electronic signatures, there are however technical solutions, such as long term signatures. These technical solutions are specified in ETSI standards but from a legal point of view it has not been specified as to how those standards should be used.

Electronic marks

Electronic mark is the designation of an electronic signature based on a qualified certificate.
Further to defining electronic signatures, the Act also defines the concept of electronic marks as "data in electronic form which are attached to or logically associated with a data message and meets the following requirements:
- the electronic mark is unequivocally linked to the marking person (a natural person, legal person or government body that holds an electronic mark creation device and marks a data message by an electronic mark) and are capable of identifying that person by means of a qualified system certificate;
- the electronic mark has been created and attached to a data message using an electronic mark creation device that the marking person can maintain under its sole control;
- the electronic mark is linked to the data message to which it relates in such a manner that any subsequent change of the data is detectable."

The marking person is subject to a number of obligations, such as notifying the certification service provider who has issued the qualified system certificate without delay in the event there is a risk of abuse of its electronic mark creation data. Electronic mark creation data is unique data which is used by the marking person to create electronic marks.

The use of an electronic mark based on a qualified system certificate and created using an electronic mark creation device shall enable it to be verified that a data message has been marked with an electronic mark by a marking person.

Qualified time stamps

Qualified time stamps are defined as "a data message which has been issued by a qualified certification service provider and which links data in electronic form to a moment in time in a trustworthy manner, and guarantees that that data existed in electronic form before the given moment in time."

Qualified certification service providers

Qualified certification service providers are charged with issuing qualified certificates and identifying the person concerned. The law does not specify any conditions hereto so it is up to the certification service provider to decide. In practice all qualified certificates are issued after personal appearance. The only exception hereto is when a person already has obtained a certificate that is still valid and wishes to have a new certificate with the same data; in this case that person can use the already issued certificate to sign the request.

The E-government Act 300/2008 (Act on Electronic Communication and Authorized Conversion of Documents) enables natural and legal persons to communicate with public authorities by electronic means by creating a framework for electronic communication between state authorities, territorial autonomies and public authorities, as well as for their electronic communication with natural and legal persons.
The Act establishes an electronic delivery system ("Data Boxes") for communication with public authorities as well as for authorised conversion of the documents (from paper to electronic form and vice versa). These so-called Data Boxes are best to be compared with an email account, which is made mandatory for public administration bodies and for legal entities, and is voluntary for natural persons. The Data Boxes supplements the communication which was delivered through ordinary mail and enables electronic communication with public authorities.

Electronic signatures will play an important role both from a delivery and conversion point of view. The delivery system will deliver both signed and unsigned messages. While the authentication to the system can replace an electronic signature for citizens, who do not have to sign the messages while using the system, the documents sent from the public authorities to the citizens must always be signed. Apart from this, the system will attach a qualified timestamp to each message.

The authorised conversion of the documents will enable to convert the paper documents into the electronic form and vice versa with the converted documents having the same legal effects as the original document. Both electronic signatures and qualified timestamps will be used for this process. The details regarding the use of the Data Boxes information system are further explained in the Ordinance 194/2009.

Among e-government applications using the electronic signatures are public procurement, e-health, e-justice, tax portal and the Czech security administration. When using electronic signatures for e-government applications there is generally only one possibility: it must be an advanced electronic signature based on a qualified certificate issued by an accredited certification service provider.

Czech Republic does not provide for any requirement regarding advanced electronic signatures (except for the definition) nor on certification service providers issuing non-qualified certificates. Qualified certificates and qualified system certificates can be issued to any person (qualified system certificate can also be issued to a legal entity), even to persons belonging to another country. The latter will only constitute a problem in the event the user from that other country does not have a qualified certificate issued by a qualified certification service provider accredited in the Czech Republic, since this is a general requirement to use certificates issued by an accredited certification service provider in e-government applications.

(b) Electronic archiving

The Act on Archiving and Record Management 499/2004 (as amended by the Act 190/2009) provides a framework for document archiving in general and electronic archiving in particular, as well as for the management of databases, the rights and obligations of authorities dealing with documents, and the processing of personal data.

The Act on National Registers 111/2009 (as amended by the Act 227/2009) deals with the process regarding the electronisation of public administration.
The Act defines the content of national registers and lays down the rights and obligations regarding the creation, use and operation of the system. The National Registers Authority, an autonomous organisation body of the state and the administrator of the basis information system, was established by this Act.

2.1.4 Estonia

a. General approach and scope of legislation

Legislation and scope

The E-signatures Directive was transposed into Estonian legislation through the Digital Signatures Act of 8 March 2000 (as amended in January 2009). The Act grants similar legal value to digital and handwritten signatures, in both public and private sectors, provided that they comply with the requirements set forth in the Act and unless otherwise specified. The Digital Signatures Act also foresees an obligation for all public institutions to accept digitally signed documents.

Electronic signatures

An electronic (digital) signature is defined as "a data unit, created using a system of technical and organisational means, which a signatory uses to indicate his or her connection to a document." The requirements mentioned above include that the electronic signature must enable unique identification of the signatory, enable determination of the time at which the signature is given and link the electronic signature to data in such a manner that any subsequent change of the data or the meaning thereof is detectable.

In the terms of the E-signatures Directive, the Estonian Digital Signatures Act only regulates advanced electronic signatures. Other types of electronic signatures can of course be used, but the Act does not confer them legal power.

As regards to the legal effect, electronic signatures are equalised with handwritten signatures. Nevertheless, if it is proved that the private key (signature creating device) was used for giving the signature without the consent of the holder of the corresponding certificate, the digital signature cannot be considered as having the same legal consequences as the handwritten signature.
In this event, the certificate holder shall compensate damage caused to another person who erroneously presumed that the signature was given by the certificate holder, if the private key was used without the consent of the certificate holder due to the intent or gross negligence of the certificate holder.

Digital stamps ("digital seals")

In addition to electronic signatures, Estonian legislation also foresees the use of digital stamps. Digital stamps are technically equal to electronic signatures but have a legally different significance, since they can be performed without the direct consent of a physical person and consequently allowing for automated stamping.

Although digital signatures have been used for many years, they only received legal effect in January 2009 by the amendment of the Digital Signatures Act, which foresees in a definition of the notion of digital stamp in order for forthcoming legislation to use the notion. Certificates for digital stamping can be issued to both legal and natural persons, by a certification service provider. It is expected that the public sector will find a number of new applications for the use of digital stamping and therefore increase the market in this area.

Certification service providers

The competence of the certification service providers in Estonia is regulated by the Act, which includes requirements and regulates the supervision. A certification service provider must be a legal entity with a regulated minimum share capital. It must be registered with the National Certificate Service Provider Registry and carry out an annual audit to ensure both organisational and systematic reliability. In addition, certification service providers are required to be covered by a liability insurance to safeguard against compensating faults made while providing the service.

It must be emphasized that under the current Digital Signatures Act, certification service providers may only certify persons identifiable by name and identification code. The issuance of certificates to pseudonyms is currently not covered by the Act, even though it was discussed in parliament during the law adoption process (where it was deemed to constitute an unnecessary risk).

Certificates issued by a certification service provider are valid as of the beginning of the period of validity set out in the certificate but not before entry of the corresponding data in the database of certificates which is maintained by the issuer of the certificate.

Time stamping service providers

The Digital Signatures Act also foresees a framework for time stamping service providers, for which the requirements are generally the same as the requirements for certification service providers. The Act defines a time stamp as "a data unit which is created using a system of technical and organisational means which certifies the existence of a document at a given time."
The Act does not specify a time stamp further into detail, but states that they must be bound to the time stamped data and be issued in such a manner as to preclude the possibility of changing the data undetectably after obtaining a time stamp.

2.1.5 Finland

a. General approach and scope of legislation

The current legal framework in Finland for e-identification and e-signatures is provided by the Finnish Act on Strong Electronic Identification and Electronic Signatures (617/2009) ("the Identification Act"), which entered into force on 1 September 2009 and replaced the repealed Act on Electronic Signatures (14/2003) which implemented the E-signatures Directive.

Definitions

The Identification Act includes a number of interesting concepts, which are defined as follows:

"Strong electronic identification" means the identification of a person and the verification of the authenticity and validity of the identification by an electronic method based on at least two of the following three alternatives: (a) password or something similar that the identification device holder knows; (b) chip card or something similar that the identification device holder has in his possession; or (c) fingerprint or some other characteristic identifying the device holder.

"Identification device" means objects or identifying data or characteristics that together form the identifiers, identification devices and verification devices required for strong electronic identification.

"Identification method" means the entirety of the identification device and system required to create an individual strong electronic identification event.

"Identification service provider" means a provider offering services for strong electronic identification to service providers using them or issuing identification devices to the general public or both. He must meet the following requirements: (a) he must be of age; (b) he must not have declared bankruptcy; (c) operating capacity must not be restricted. In addition, the identification service provider must be trustworthy. He cannot be deemed trustworthy if he has been convicted of a crime by a court of law during the past five years, or has been fined during the past three years for a felony that would make such person obviously unfit to act as an identification service provider, or if he has previously acted in a way that would make such person an obviously unfit identification service provider.

"Identification method" means the entirety of the identification device and system required to create an individual strong electronic identification event.
The identification method must meet the following requirements (can possibly be complemented with requirements of Ficora):
(a) the relevant method shall be based on initial identification, where the relevant data can be verified afterwards;
(b) the method shall unambiguously identify the identification device holder;
(c) the method is sufficiently secure to ensure that only the identification device holder can use the device; and
(d) the method is sufficiently secure and reliable, taking into consideration the relevant technical threats to data security.

"Identification device holder" means a natural person to whom the identification service provider has issued an identification device based on an agreement. The identification device holder shall use the device according to the terms and conditions of that agreement. If the device is not used in accordance with the terms and conditions set forth in the agreement, the identification service provider has the right to cancel or prevent the use of the device. In the event the identification device holder has lost the identification device or if it is in the unauthorised possession of another person, he must immediately upon detection notify the identification service provider or a designated party of this.

"Initial identification" means the verification of the identity of the applicant for an identification device in connection with the acquisition of the device.

"Certificate" means an electronic verification that confirms the identity or confirms the identity and links the data for verifying a signature to the signatory, and that can be used for strong electronic identification and electronic signatures. With the help of a certificate, it is possible to verify a person's identity, or verify an identity and link the verification data to the signatory of the signature. In addition to the public key, the certificate also contains other data, such as the name of a person or organisation, the day the certificate was granted, the last day of validity or the individualised serial number.
"Qualified certificate" means a certificate that has been issued by a certification service provider and includes an indication of the fact that the certificate is a qualified certificate, details of the certifier and the state in which the certifier is based, the signatory's name or a pseudonym, the signature verification data which corresponds to the data in the signatory's possession used for creating the signature, the period of validity of the certificate, a symbol identifying the certificate, the certification service provider's advanced electronic signature, potential limits on use of the qualified certificate, and any special information on the signatory, should this be necessary.

"Certification service provider" means a natural person or legal person who offers certificates to the general public.

Scope

The objective of the Act is to create common rules for the provision of strong electronic identification services. It will likewise promote the provision of identification services and the use of electronic signatures. The Act is founded on the principle that users must be able to trust information security and protection of privacy when they use strong electronic identification services.

Although the Act contains few surprises regarding electronic signatures, it is nevertheless interesting because of its provisions on electronic identification. The Act introduces the concept of "strong electronic identification", which means the verification of the identity of a person by an electronic method. It enables consumers to certify their identity safely as they use various electronic services, since through strong electronic identification, the identification device and its user can ultimately be connected to the person's true identity. The identification devices used for strong electronic identification are bank identifiers used by banks, the Population Register Centre's citizen certificate and telecom operator's mobile certificates.

Electronic signatures

The Act confirms the principle set forth by the Directive that electronic signatures are legally just as binding as traditional handwritten signatures on paper contracts/documents, and introduces the concept of "strong electronic identification". Furthermore, the Act takes into account the EU Digital Agenda objectives which aim at EU-wide, cross-border identification solutions based on reliable national identification systems.
The Act comprises the idea that an electronic signature based on strong electronic identification can justifiably be considered to provide stronger legal proof of an identified person's will to be bound by a specific agreement (either on the person's behalf or on behalf of a company or other legal entity represented by that person), than a traditional handwritten signature on a paper contract document, which can be more difficult to later link to a specific person, e.g. based on handwriting samples, than an electronic signature based on strong electronic identification.

General guidance and monitoring of strong electronic identification and electronic signatures is the responsibility of the Ministry of Transport and Communications. It is the responsibility of Ficora (Finnish Communications Regulatory Authority) to monitor compliance with the Act, and if required, Ficora will issue technical orders regarding reliability and data security requirements for identification service providers and certification service providers offering qualified certificates. Finally, the Data Protection Ombudsman is responsible for monitoring compliance with the provisions of this Act regarding personal data.

Ficora has the right to obtain the necessary information for performing its tasks from identification service providers and certification service providers offering qualified certificates; Ficora also has the right to inspect the identification service provider or his services, if it has reason to suspect that they have materially breached the Act. Ficora shall perform a yearly audit of the certification service provider issuing qualified certificates.

Requirements

The Act stipulates the requirements for a device for creating safe signatures. Such device shall be able to ensure in a sufficiently reliable manner that:
- the data used for the creation of the signatures is unique, that it will remain confidential and that it cannot be deduced from any other data;
- the signatures are protected against forgery;
- the signatory will be able to protect the data used for the creation of a signature against use by others; and
- it will not alter the information to be signed nor will it prevent the information from being presented to the signatory prior to signing.

Ficora may appoint notified bodies (private or public institutions) which will assess whether the device for creating signatures meets the abovementioned requirements.

A qualified certificate may be issued by a certification service provider other than those based in Finland provided that he is based in a member state of the EEA and is a member of a voluntary accreditation system in a member state of the EEA. The certificate must meet the requirements applicable to qualified certificates in the country where he is based and must be guaranteed by a certifier who is based in a member state of the EEA and who meets the national requirements in the country in question.
In the event the signatory has a weighty reason to suspect the unauthorised use of data for creating a signature, or any other reason for doing so, the certification service provider can, upon request of the signatory, cancel the qualified certificate.

A certification service provider issuing qualified certificates must submit a written notification to Ficora, prior to the commencement of the operation.

Obligations

The Act sets forth a number of obligations to be complied with by the identification service providers, and more specifically an identification service provider must:
- Notify the commencement of identification services by written notification to the Ficora, including the name and contact information of the service provider, information about the services and about the requirements for the identification method and identification service provider;
- Disclose to the applicant, prior to entering into an agreement for an identification device, information about the service provider, the services offered and their prices, the identification principles (define how the provider will perform its obligations set out in this Act and which lay down the conditions governing access to their identification services by service providers using strong electronic identification), the rights and responsibilities of the parties, potential limits of liability, complaint and dispute settlement procedures, potential restraints and restrictions on use regarding legal transactions, and other potential terms of use related to the identification device;
- Ensure that its personnel has adequate expertise, experience and competence;
- Dispose of sufficient financial resources for the operation and for covering possible liabilities for damages;
- Protect personal data and ensure adequate information security, and notify without any undue delay service providers using its services, identification device holders and Ficora of severe risks and threats to its data security.
- Be responsible for the reliability and functionality of services and products provided by people working for him.

Notification

Service providers offering strong electronic identification and qualified certificates must submit a notification to Ficora. Ficora maintains a public register on identification service providers and certification service providers offering qualified certificates. It also monitors that identification service providers and certification service providers offering qualified certificates comply with the obligations imposed on them by the legislation.
Consumer complaints

Ficora also acts as the appellate authority in matters concerning the operations of identification service providers and certification service providers offering qualified certificates, as well as electronic signatures based on qualified certificates. Consumers may contact Ficora if they suspect that the identification service provider acts against the legislation or regulations regarding strong electronic identification and electronic signatures.

Ombudsman

The Data Protection Ombudsman monitors the compliance of provisions concerning personal data by virtue of the Act on strong electronic identification and electronic signatures. Ficora and the Data Protection Ombudsman collaborate with the Financial Supervisory Authority, the Finnish Competition Authority and the Consumer Agency when performing supervision tasks.

Liability

The signatory is liable for damages from any unauthorised use of data that is used for creating an advanced electronic signature certified by a qualified certificate until the request for cancelling the certificate has been received by the certification service provider.

A certification service provider offering qualified certificates shall be liable for damages to someone relying on the qualified certificate if:
- data marked on the qualified certificate was incorrect at the time of issue of the certificate;
- the qualified certificate does meet the requirements set forth by the Act;
- the person identified in the qualified certificate did not, at the time of issue of the certificate, have in his or her possession the data used for creating the signature corresponding to the signature verifying data as stated or defined in the certificate;
- the creation and verification data created by a certification service provider or its subcontractor are inconsistent;
- the certification service provider or its subcontractor did not cancel the qualified certificate as provided in the Act.

Criminal sanctions

The provisions on penalties for infringements of this Act are provided in the Criminal Code and the Personal Data Act.

2.1.6 France

a. General approach and scope of legislation

(a) Electronic signatures

Legislation

France has transposed the E-signatures Directive through the E-signatures Act of 13 March 2000, which adapted the Civil Code rules of evidence, in order to make electronic documents and signatures legally acceptable. The Act changed articles 1316, 1316-1, 1316-2, 1316-3, 1316-4 and 1326 of the Civil Code and introduced the legal equality of an electronic signature and a traditional, written signature. It includes a presumption of reliability of which the conditions are set forth in the Civil Code, and of which the burden of proof rests on the signatory.

Other relevant legislation regarding electronic signatures is the following:

The Act of 21 June 2004 on trust in the digital economy (no. 2004/575), which contains the legal framework for the development of e-commerce services in France. Among others, this Act regulates the liability of certification service providers issuing qualified digital certificates (article 33).

The Decree of 30 March 2001 (no. 2001/272), which contains technical specifications on electronic signatures and distinguishes the electronic signature from the secured electronic signature (signature électronique sécurisée). The electronic signature is the signature complying with the conditions set forth in the Civil Code, while the secured electronic signature in addition also complies with the requirements specified in the Decree, and is presumed to be reliable (fiable), which shifts the burden of proof of reliability of the signature in the event of a dispute before a court. The Decree specifies the requirements of the secured electronic signature, which cover on the one hand the hardware and software (certified by the Administration) used to create the secured electronic signature, and on the other hand the content and the quality of the electronic certifications delivered by the certification service providers. The Decree further specifies the framework of the activities of the service providers which have to freely carry out their activity. From the moment they meet all the requirements, the service providers can demand to be acknowledged as being certified, which generates the presumption of compliance with the requirements of the Decree.
The Ordinance of 26 July 2004 with regard to the qualification of certification service providers issuing digital certificates and to the accreditation of the bodies in charge of the evaluation of the certification service providers describes the national scheme for the qualification of certification service providers issuing qualified certificates as defined in article 6 of the Decree 2001-272. The scheme is completed by a posteriori control by the DCSSI (Direction Centrale pour la Sécurité des Systèmes d'Information), as provided by article 9 of the Decree 2001-272.

The Ordinance on electronic interactions between public services users and public authorities and among public authorities of 8 December 2005 (no. 2005/1516) (the so-called Teleservices Ordinance) attributes the same legal force to an electronic signature on public documents as that of a handwritten signature. Article 8 stipulates that the documents of administrative authorities may be subject to an electronic signature. The electronic signature is considered to be legally valid provided that it applies a procedure, in accordance with the provisions on the general security repository, which allows the identification of the signatory, guarantees the link of the signature with the document to which it is attached and ensures the integrity of the document. Article 9 - III foresees that the security products and the trusted service providers may obtain a certification which certifies their compliance with the security level of the general security repository. The Decree of 18 April 2002 (no. 2002-535) specifies the conditions for the attribution of such certification. The deliverance of such certification may, as regards to the trusted service providers, be entrusted to a private body authorized for this purpose.

Initiatives

In addition to legislation, France has also been working on further elaborating the operation of e-government. In particular, in October 2008 the "Digital France 2012" project was adopted, which sets up a series of objectives to be reached by 2012. The project aims at generalising electronic authentication means such as the national eID card. The result of the efforts is reflected in the central portal www.service-public.fr/demarches24h24/, through which the French government offers a large series of electronic services to citizens, professionals and local communities. Among the most frequently used services are requests for birth certificates, notifications of a home address change and access to health insurance accounts.[6]

[6] IDABC, Study on Mutual Recognition of eSignatures: update on Country Profiles - French country profile, July 2009, p.5.

Reliability

Pursuant to the decree of March 30, 2001, an electronic signature is presumed reliable if it is created by using a "secured" signature creation device and based on a qualified certificate. French law does not use the terms electronic signature or advanced electronic signature as stated in the Directive on electronic signatures but rather the term "secure". So as to be secure, the electronic signature shall be:
- uniquely linked to the signatory;
- created using means that the signatory can maintain under their sole control; and
- linked to the data to which it relates, in such a manner that any subsequent change of the data is detectable.

Issues

New legislative initiatives on electronic signatures have faced opposition from the National Data Processing and Liberties Commission (CNIL), which is concerned about the possible threat to privacy that the use of electronic signatures could pose. It is particularly opposed to the use of an individual's social security code as a mode of identification of the signatory, as is the Data Protection Authority. The National Data Processing and Liberties Commission has questioned the compatibility of such a provision with proper protection of personal data.

(b) Electronic archiving

[The following information does not entirely apply to the archiving of electronic public archives, which are subject to specific provisions on storage and instalment. The destruction of electronic public archives, in whatever format, without the prior authorisation of the archiving administration constitutes a crime.]

Legislation

The Act of 13 March 2000 contains multiple provisions relating to the law of evidence. It amends the French Civil Code: article 1316-1 allows an electronic document as proof to the same extent as a written document on paper format, provided that the document is retained in such conditions which guarantee the integrity of the document. Article 1348 specifies what constitutes an authentic copy.

Article L 134-2 of the Consumer Code, introduced by the Act of 2004 on trust in the digital economy, imposes the archiving of a written document which proves the existence of any contract drafted on an electronic format and concerning an amount above a certain threshold. This threshold is set at 120 EUR by the Decree of 16 February 2005 (no. 2005-137). This provision, which particularly concerns e-shops on the Internet, envisages facilitating settlement of disputes.
The legal storage term for the archiving is 10 years, which corresponds to the prescription term for contracts.

Regarding electronic archiving, a set of non-binding standards provide companies with a guideline for electronically archiving their documents, such as:

- Standard NR Z 42-013, published in 1999, is the most well-known in France. It specifies the technical and organisational measures allowing to guarantee the integrity of the documents during their registration, storage and restitution.
- Standard NF Z 43-400.
- The OAIS (Open Archive Information System) is a conceptual model designed to manage, archive and preserve numerical documents for a long term. It corresponds to the ISO 14721:2003 standard (Space data and information transfer systems - Open archival information system - Reference model).

Types of archives

The French data protection authority, the National Data Protection and Liberties Commission (CNIL, Commission Nationale de l'informatique et des Libertés), recommends to holders of numerical data to adopt an archiving policy which varies depending on the nature of the archived data (current archives, intermediary archives and final archives), in order to reconcile the needs of the exploitation of the data with the right to privacy and the right to be forgotten. To do so, the CNIL uses the three categories of archives defined in the Heritage Code:

- current archives, e.g. data relating to a client in light of a contract;
- intermediary archives, which are of administrative importance for the services concerned: the retention term is fixed by the applicable prescription provisions;
- final archives, which are of historic, scientific or statistic importance: can be retained indefinitely.

The current and intermediary archives can only be stored for the term necessary for their processing, which is specified on the declaration with the CNIL. The data controller must therefore proceed to the destruction of these archives in a timely manner. The intermediary archives are intended to be used by only certain services, for instance by the legal department. Managing the access security must ensure that only these authorised persons have access to these data.

Archiving electronic mail

Archiving electronic mail meets different needs stemming from IT departments as business departments. Three types of electronic mail archiving are preferred by over one company in two.
The most frequent used type of electronic mail archiving can be qualified as "economical" archiving and responds to the issues of management and cost reduction induced by the increasing augmentation of electronic mail which generates important storage costs as well as a congestion within email inboxes. Such archiving projects are often initiated by IT departments and can thereafter give rise to other archiving projects generating from other departments within a company.

The two other types of archiving, more considered by the organisations than actually deployed, assimilate to the "regulatory" archiving and the "probative" archiving. Although both are quite similar, the first can be distinguished by its mandatory character, which is due to a number of laws and regulations obliging certain companies to retain their electronic mail which are specifically identified (invoices, payroll, etc.) for the event of an external verification. This type of archiving is mostly used by sales departments. In the event of "probative" archiving, the company takes on a preventative approach by installing tools which allow it in case of a dispute to identify the documents necessary as evidence. This type of archiving is mostly used by legal departments.

(c) Electronic registered mail

Legislation

Article 1369-8 of the French Civil Code already provided a provision regarding electronic registered mail, however only five years later an executive decree was promulgated. The Decree of 2 February 2011 (no. 2011-144) sets out the requirements with regard to the identification of the third party responsible for mailing (its legal status and contact details must be detailed), sending registered mail by electronic means (identification of both sender and recipient, with or without acknowledgment of receipt, warranty for loss, theft or deterioration, etc.). The decree also provides for specific procedures and timeframes for the recipient to accept or refuse the registered e-mail. While the purpose of the above measures is to adapt the legal requirements to the digital environment (especially in the light of the increasing importance of the conclusion and performance of contracts through electronic means), these conditions appear to be quite demanding so that they are expected to dampen the interest in using electronic registered mail in contrast to traditional registered mail.

Parties involved

Three parties are concerned when sending an electronic registered mail: an operator, a sender and a recipient. The Decree specifies which information must be provided and which transactions must be carried out by each of the parties. The recipient will be able to accept or refuse the electronic mailing of the registered letter, after notification at the time of delivery. In practice, the operator will notify (e.g. by email) the recipient that he has an electronic registered letter addressed to him. The recipient then has 15 days to decide whether or not he wishes to receive the electronic registered letter, or whether he prefers receiving a traditional (paper) registered letter. It must be emphasized that in a B2B context, the
professional who receives an electronic registered letter does not have the option to refuse this electronic format.

From the moment of the sending of the electronic registered letter to its recipient, the operator must inform the sender on this. To do so, the operator must specify the sending number, the date and the time of sending and, possibly, the name of the postal service provider charged with printing the electronic registered letter on paper. The recipient authenticates himself in order to read the letter, which implies the use of an electronic signature with storage of the numeric imprint guaranteeing the integrity of this letter. The storage term for the operator is maximum one year. This short storage term may lead to problems in the event of legal proceedings, which can last for years and in light of which it is recommended to both the sender as the recipient to conserve the tracks of their correspondence with the operator.

Issues

The Decree also contains a few topics which fall into a "grey" area regarding their interpretation. For instance the notification of the recipient indicating his decision regarding the refusal of the electronic registered letter. If this notification is sent by traditional electronic mail, is lost or has been filtered as spam, is it acceptable to then state that the registered letter has never been claimed? Another example of a "grey" area is the idea of sending the electronic registered letter on a paper format upon request of the recipient. This generates an economic issue, since this choice or option does not belong to the person paying for the electronic registered mail service. This option for the recipient could lead to the result that in the end sending an electronic registered letter could turn out to be more expensive than a regular registered letter.

2.1.7 Italy

a. General approach and scope of legislation

The Italian legislation, and in particular the Code of Digital Administration ("Codice dell'Amministrazione Digitale" 7, hereinafter "the Code"), regulates both electronic signature and electronic identification. In particular, as regards ancillary services needed to secure electronic transactions, the Code sets forth rules in the field of:

- Electronic registered e-mail ("posta elettronica certificata"), defined as the communication system able to certify the sending and delivery of an e-mail (art. 1, nr. 1, v-bis of the Code). According to this provision, the certification establishes a value of full legal evidence. According to the spirit and goals of the Code, and more specifically as provided for under art. 48, nr. 1, of the Code, documents that need a certification of sending and delivery can be sent through electronic registered e-mail (as preferred means of communication) with, as a general rule, the same legal value of communications sent through (registered) mail (see art. 48, nr. 2, of the Code);
- Time stamping ("validazione temporale"), defined under art. 1, nr. 1, bb of the Code as the result of the electronic procedure to assign a date and a time to an electronic document. Here too the certification has the value of full legal evidence. No further rules are provided by the Code.

7 Legislative Decree of 7 March 2005, nr. 82, available at http://www.digitpa.gv.it/principaliattivit/cdice-dellamministrazine-digitale#art48-cm1.

The electronic registered e-mail is declared to be the preferred means of communications between (i) different branches of the public administration (art. 47, nr. 1, of the Code) and (ii) the public administration and the citizens and companies 8, provided that the citizen/company obtained an electronic registered e-mail address and that this address has been registered in specific dedicated databases (not clearly defined by the law, namely by the Law Decree of 29 November 2008, nr. 185 that mentions these databases: it can be inferred from the law that these databases include the Companies Registry and the lists of members of liberal professions kept by professional associations (art. 6 of the Code).
The databases can be consulted and processed by the different branches of the public administration in accordance with the provisions set forth by the National Data Protection Authority (art. 6, nr. 1-bis, of the Code). As regards companies, the possession of an electronic registered e-mail address is compulsory and companies established before 28 November 2008 must communicate this e-mail address to the Companies Registry before 29 November 2011 (art. 16, nr. 6, of Law Decree of 29 November 2008, nr. 185, converted into Law of 28 January 2009, nr. 2 9). Members of liberal professions enrolled in a registry, such as lawyers, accountants, etc. must also have such an address, according to nr. 7 of the abovementioned art. 16. Citizens in general terms are not obliged to have an electronic registered e-mail address but they may get one (and in this case they may use it only to communicate with the public authorities). Public administrations as well shall have an electronic registered e-mail address that shall be published in the Internet site of the public authority concerned (art. 54, nr. 1, d, of the Code). It is also important to highlight that applications and declarations submitted to the public authorities through electronic registered e-mail are legally valid and accepted provided that the authentication tokens have been issued through the previous identification of the holder and that the system administrator certifies this (art. 65, nr. 1, c-bis, of the Code).

8 The Code sets forth that the submission and exchange of applications, declarations and documents between companies/enterprises and public authorities is done exclusively on electronic way (art. 5-bis of the Code).

The technical rules regarding the electronic registered e-mail have been provided for by the Decree of the President of Republic of 11 February 2005, nr. 68 10, that establishes the principle that both private entities and public authorities can be providers of electronic registered e-mail services, that providers established in another EU Member State can also operate in Italy if they meet the requirements under their national law that are equivalent to those provided by the Decree and that respect the technical rules applicable in Italy (art. 15, nr. 1). Thus, the law already includes internal market provisions.

The Code is also focused on the electronic identification, defined under art. 1, nr. 1, u-ter, as the validation of the data given in an exclusive and unequivocal way to a subject in order to allow the identification in the electronic systems through adequate technologies (also to the ends of guaranteeing access security).
The main identification tokens are the national e-ID card and the so-called National Services Card ("Carta nazionale dei servizi", issued by some local public authorities according to their will). Both may contain the credentials required for electronic signature (please refer to art. 66 of the Code).

9 The text is available (in Italian) at http://www.parlament.it/parlam/leggi/09002l.htm.

10 The text is available (in Italian) at http://www.digitpa.gv.it/sites/default/files/nrmativa/dpr_11-feb-2005_n.68.pdf.

b. Lessons learned

It can be pointed out that:

- Interoperability among electronic registered e-mail systems issued by providers located in other EU Member States is limited, since the foreign provider must comply with the technical requirements applicable in Italy in order to provide e-mail services that are fully recognizable by Italian public authorities. Thus, the impact of the internal market clause in the act is rather limited.
- The approach in Italy is not oriented towards an open market, but rather towards enabling/facilitating reliable communication with the public sector. This also explains why e.g. take-up of official mail addresses for companies is not voluntary.
- The adoption of the national e-ID card is not yet fully complete and in any case the card, together with the National Services Card, may eventually serve as e-signature token (in this sense the Code does not clearly provide that these cards are e-signature tokens). On the other side, the Code states that these cards are the access instruments to the online services of public authorities when the electronic identification is requested.

2.1.8 Romania

a. General approach and scope of legislation

The primary eSignatures law in Romania is the Law no. 455/2001. However, two separate laws have been implemented in addition, which cover electronic time stamping (Law No. 451/2004 11; sometimes also referred to as temporal marking after the Romanian terminology in the law "Lege privind marca temporalã") and electronic archiving (Law no. 135/2007 12 - "Lege privind arhivarea documentelor în formă electronică").

11 See http://www.glin.gv/dwnlad.actin?fulltextid=231816&dcumentid=122121&glinid=122121 for a full text version in Romanian; or http://www.digisign.r/uplads/lege451_marcare_temprala_en.pdf for an informal translation in English.

The main observations in relation to Law No. 451/2004 (the time stamping act) can be summarized as follows:

- The time stamp (marca temporalã) is defined as a collection of electronic data, uniquely attached to an electronic document; it certifies that certain electronic data were presented at a given moment to the time stamping services provider (article 2b);
- The law introduces a concept of time base (baza de timp), which is the unitary system of temporal reference which all the time stamping service providers refer to, i.e. the common time point of reference (article 2d); the administrator/supplier of this time base is to be appointed by a regulatory and supervisory authority (article 9);
- The law appoints the same regulatory and supervisory authority as in the eSignatures act as being competent for time stamping as well (article 2e); time stamping service providers must notify their activities to this authority 30 days in advance (article 6). The authority will set the minimum set of procedures for time stamp creation and for control procedures, and is competent for monitoring adherence to these obligations.
- The content of a time stamp is regulated in article 3, and consists of:
  a) the stamp attached to the electronic document subject to stamping;
  b) date and time related to the document subject to stamping, expressed in universal time;
  c) information that uniquely identifies the time stamping services provider;
  d) the registration number in the registry of the time stamping services provider.
- High level security requirements are defined in the Act; these are similar to the high level requirements defined for qualified eSignature service providers in the Directive. However, it is worth noting that the time stamping act does not distinguish qualified/non-qualified levels.
- Liability provisions are set in article 10 of the act, and are largely identical to those for qualified eSignature service providers under the eSignatures Directive. Specifically, the time stamping services provider is liable for any damage caused to any person who bases its conduct on the legal effects of the timestamp:
  a) in terms of accuracy, at the issuing time of the timestamp, for all the information it contains;
  b) in terms of ensuring that when the timestamp is issued, the provider identified therein owned the generation data of the timestamp corresponding to the timestamp verification data, stipulated in this Law;
  c) in terms of fulfilling all obligations stipulated in art. 3-8.
  The time stamping services provider is not liable under paragraph (1) if it proves that, in spite of its due diligence, it could not prevent the damage.
- Technical and methodological rules are set through a separate decree, namely Decision no. 896 of 2 October 2008 13. Article 19 of this Decision directly references ETSI and ISO standards in relation to time stamping; there is thus already an alignment to European and international standards.

12 See http://www.glin.gv/dwnlad.actin?fulltextid=231937&dcumentid=198225&searchdetails.searchall=true&summarylang=en&search=&glinid=198225&searchdetails.querystring=pubn%3a%22345%22&searchDetails.hitsPerPage=10&frmSearch=true&searchDetails.ffset=130&searchDetails.srtorder=default&searchdetails.querytype=boolean&searchdetails.shwsummary=true&searchdetails.activedrills= for a Romanian version, and http://www.digisign.r/uplads/lege135_arhivare_electrnica_en.pdf for an unofficial English language translation.

13 See http://www.glin.gv/dwnlad.actin?fulltextid=196944&dcumentid=215798&glinid=215798 for the full version in Romanian

With respect to the e-archiving act (Law no. 135/2007), the following points are worth noting:

- The scope of the Act is stated as being the generation, storage, access and use of electronic documents archived or that are to be archived in electronic archives (article 1); and compliance with a second act (the National Archives Law no. 16/1996) is required (article 2).
- The law provides definitions for a number of key concepts, including electronic archives administrator, electronic archives, electronic archiving services provider, and electronic archiving system. The following definitions are used:
  - electronic archives administrator: natural or legal person accredited by the specialized regulatory and monitoring authority to administer the electronic archiving system and the documents archived in the electronic archives;
  - electronic archives: the electronic archiving system, along with all archived electronic documents;
  - electronic archiving services provider: any and all natural or legal persons accredited to provide electronic archiving services;
  - electronic archiving system: electronic IT system dedicated to the collection, storage, organization and categorizing of electronic documents in order to store, access and edit them;
- The act is market based: archiving services are available to anyone (public or private sector, article 4), and no prior authorization can be required (article 5, based on the provisions of the eSignatures Directive). None the less, supervision is required by a regulatory and supervisory authority, which is (as with time stamping) the same authority as for CSPs providing qualified signature certificates to the public; archiving service providers must notify their activities to this authority 30 days in advance (article 6). The authority will set the minimum set of procedures for time stamp creation and for control procedures, and is competent for monitoring adherence to these obligations. Changes in security practices must be notified to the authority.
- The act has detailed provisions for including a document in an electronic archive (article 7 and following), which include the requirement of the document being signed by the submittor and by the archive administrator.
  The administrator has to attach a sheet to each document specifying:
  a) the owner of the electronic document;
  b) the issuer of the electronic document;
  c) the holder of the right to dispose of the document;
  d) the history of the electronic document;
  e) the type of electronic document;
  f) the classification level of the electronic document;
  g) the digital format the electronic document is archived in;
  h) the key words required for the identification of the electronic document;
  i) physical storage medium localization elements;
  j) sole identifier of the electronic document within the electronic archives;
  k) document's issue date;
  l) archiving date;
  m) document's maintenance term.
- Interestingly, the law can be applied to electronically archive paper documents, as requirements for this conversion process are also included (article 8.3).
- Storage requirements are regulated separately (article 12), and include e.g. the requirement to maintain and deposit the source code for all relevant software with the National Archives. In this manner, retrieval possibilities are protected. The archiving service provider must similarly ensure the availability of software that would allow the electronic documents to be viewed, reproduced and stored (article 13).
- Access rules are similarly fixed (article 14), specifically the right for the document owner to set access conditions.
- High level obligations are defined in the law itself; as for time stamping, technical and methodological rules are set through a separate decree, namely through Ministerial Ordinance nr. 493/15.06.2009 14.

14 See http://www.pdf.cm.r/help-center/46-legislatie/120-rdinul-ministrului-mcsi-nr-49315062009-privind-nrmele-tehnice-i-metdlgice-pentru-aplicarea-legii-nr-1352007-privindarhivarea-dcumentelr-in-frm-electrnic for a full version in Romanian

b. Lessons learned

The following points are of particular interest in the aforementioned laws:

- It is worth noting that Romania has opted for three separate acts on eSignatures, time stamping and electronic archiving. None the less, they all have a market focus (i.e. they are not eGovernment specific), and share the same major principles, which also become clear by the cross references in the time stamping and e-archiving acts to the eSignatures act (e.g. the use of a common supervisory authority);
- Both the time stamping and the e-archiving acts introduce only one category of time stamping service provider, without distinguishing e.g. qualified and non-qualified levels. However, the implementation of the acts follows the same logic as for CSPs providing qualified signature certificates to the public under the eSignatures Directive. I.e., the logic of both acts is based around a single model with predictable levels of reliability.
- The e-archiving act is particularly interesting due to its extensive coverage of all major concerns (creation, storage and access), and due to the possibility of electronically storing paper documents.
- Finally, it is worth noting that neither law defines a clear legal effect for their services other than by defining what the service is. In other words, neither of these laws contains a legal equivalence rule.

2.1.9 Slovakia

a. General approach and scope of legislation

The Slovak Act on electronic signature ("Zákon č.215/2002 Z.z. o elektronickom podpise a o zmene a doplnení niektorých zákonov", Act nr. 215 of 15 March 2002 15) provides for rules regarding time stamping ("Časová pečiatka"), whose condition of applicability is the existence of an electronic document, of a private key and of a public key (§ 9 of the Act). The time stamp designed by the Slovak lawmaker is based on similar terms and technologies as the electronic signature, since the time stamping operates thanks to a private key, produced by an accredited authority, and by a public key, which has a qualified certificate issued by an accredited certification authority.

15 The English version is available at http://www.ictparliament.rg/nde/1980. The Slovak version is available at http://www.nbusr.sk/ipublisher/files/nbusr.sk/elektrnickypdpis/zakny_ep/215_2002.pdf.

In fact, the act does not make systematic distinctions between time stamping and eSignatures, considering one as an application of the other. E.g. an accredited certification service is defined by the act as the issuance of qualified certificates, the annulment of qualified certificates, providing lists of annulled qualified certificates, acknowledging the existence and validity of qualified certificates, searching for and providing issued qualified certificates, and the issuing and authentication of time stamps. The same supervisory authority is competent for supervising and regulating time stamping activities as well (article 10). The definition for a time stamp is very closely aligned with the definition of an electronic signature.
Article 9 states that a time stamp is an information attached to an electronic document or logically linked to it otherwise and must comply with the following requirements:

(a) it may not be produced effectively without knowledge of a private key intended for this purpose and without an electronic document;
(b) on the basis of the knowledge of the public key belonging to a private key used in producing it, it is possible to authenticate that the electronic document to which it is attached or logically linked otherwise is equal to the electronic document used for its execution;
(c) an accredited authority has produced it using a private key intended for this purpose;
(d) it may be executed solely by using a security equipment for time stamp executing pursuant to Article 2, paragraph (x); the generally binding legal regulations issued by the authority shall stipulate details concerning the requirements for such a security equipment;
(e) an accredited certification authority has issued a qualified certificate to the public key belonging to a private key used for executing it;
(f) it enables unequivocally to identify the date and the time when it has been executed.

The Act sets also rules about archive maintenance under § 18 of the Act. Certification authorities have the obligation to store for at least ten years the following items: (i) documentation concerning the organizational, technical and security means; (ii) originals of applications for issuance of certificates with the documents proving identity of the applicant; (iii) documentation relating to annulled certificates. Storing can be done also in electronic form in a secured environment.

b. Lessons learned

The Slovak legislation is interesting in the sense that it strongly aligns the rules for electronic signatures and time stamping. For time stamping, no qualified level is foreseen; only a basic concept for which the legal effect is already included in its definition.

2.1.10 Slovenia

a. General approach and scope of legislation

The relevant legislation in Slovenia is the Electronic Commerce and Electronic Signature Act of 23 June 2000 16 ("Zakon o elektronskem poslovanju in elektronskem podpisu") which regulates the use of time stamps ("časovni žig"). Time stamp is defined by the Act under art. 2, nr. 5, as an electronically signed certificate of the certification service provider confirming the content of the specific data at the alleged time. Therefore it is conceptually very close to the notion of electronic signature, and in fact the law only states that the provisions regulating e-signature certificates and qualified certificates shall mutatis mutandis apply to the time stamp and to the services concerning it (art. 25 of the Act). It is important to stress that a qualified certificate is required to give legal effectiveness and admissibility as evidence to the time stamp, as provided under art. 15 of the Act.

From an organizational perspective, certification service providers do not need prior authorization to perform their activities, but they must report the beginning of performing of the activities to the Ministry for Economy (see art. 18 (1) and (2) of the Act). Thus, the supervisory rules are comparable to those for eSignature certificate issuers.
As regards archive maintenance, certification service providers who issue qualified certificates must store all relevant information concerning qualified certificates for as long as the data, marked with the time stamp to which the qualified time stamp is referred, will be stored, and at least for five years from the issuance of the certificate (art. 35 (1) of the Act). The information, listed explicitly by the Act under art. 35 (2), can be recorded electronically.

16 The English version is available at http://www.ictparliament.rg/nde/1951. The Slovenian version is available at http://www.uradni-list.si/1/bjava.jsp?urlid=200498&stevilka=4284.

b. Lessons learned

The Slovenian legislation about e-signature and related tools is highly focused on security, which is well defined and regulated in the Act itself. However, the most remarkable aspect is the highly summary way in which time stamping is dealt with by the act: other than the definition, the only provision in relation to time stamping is the statement that the provisions regulating e-signature certificates and qualified certificates shall mutatis mutandis apply to the time stamp and to the services concerning it (art. 25 of the Act). Thus, a substantial degree of flexibility and interpretation remains.

2.1.11 Spain

a. General approach and scope of legislation

IAS services are affected by two different pieces of legislation in Spain:

- The Act on Electronic Signature ("Ley de firma electrónica") law nr. 59/2003 of 19 December 2003 17; and
- The Act on Citizens' electronic access to public services ("Ley de acceso electrónico de los ciudadanos a los servicios públicos") law nr. 11/2007 of 22 June 2007 18.

17 The text is available in Spanish at http://nticias.juridicas.cm/base_dats/admin/l59-2003.html.

18 The text is available in Spanish at http://nticias.juridicas.cm/base_dats/admin/l11-2007.html.

The Act of 2003 regulates inter alia the adoption of a national e-ID card, which allows the holder to electronically sign documents, since the card includes e-signature tools, as set forth by art. 15 (1) of this law. The Act under art. 16 (2) states that the government shall assure that the e-signature tools included in the e-ID card
are compatible with the e-signature tools that are generally adopted and accepted. On the basis of the information provided by the Spanish government, the certificate stored in the chip of the e-ID card is a qualified e-signature certificate 19.

19 http://www.ads.gv.ba/v2/attachments/658_09_natinal_strategy_n_eid_sarajev.pdf (last retrieved on 26 Oct. 11).

The Act of 2007 on the other side is applicable only to the relations between public administrations and between citizens on one side and public administrations on the other side, as clearly indicated by art. 2 (1) of the law. According to this law, public administrations must accept electronic signatures that meet the requirements of the law of 2003 as identification tools and as means to prove the authenticity and the integrity of electronic documents (see art. 13 (1) of the law). The e-signatures that shall be accepted by public authorities are several: not only those whose certificate is included in the e-ID card but also other advanced e-signatures, as well as other e-signature systems that are used by the citizen (and that are not advanced or qualified electronic signatures), as pointed out by the second paragraph of art. 13.

Apart from the basic signature concept, the law also regulates the notion of an e-seal, as a signature created by public administrations, which are linked only to the administration itself (art. 18 of the law). Every public officer then may sign e-documents with his/her electronic signature (eventually using the signature whose certificate is included in his/her e-ID card), as pointed out by art. 19 of the 2007 Act.

Time stamps (sellado de tiempo) are also regulated by the Act of 2007, and are defined by the Annex (point s) of the law as accreditation by a trusted third party of the date and time of performance of any operation or transaction by electronic means. They are used in case of submission of electronic applications and documents by citizens to a public administration, since in this case the public authority will stamp the applications and documents with the day and hour of submission (see art. 25 (3) of the 2007 Act). In principle, the adoption of a time stamp on an administrative e-document is compulsory when the nature of the document requires its use, as indicated by art. 29 (2) of the law.

b. Lessons learned

The Spanish approach to electronic signature and related tools seems to be flexible enough to stimulate competition between certificate providers in the market. However, it is interesting to note that the time stamping concept was not introduced in the primary eSignatures Act, but rather in the Act on Citizens' electronic access to public services, indicating a public sector rather than market focus.

2.2 Relevant laws from outside of the EU: scope, impact and gaps

Apart from the aforementioned European initiatives, lessons can possibly also be learned from the way non-EU countries have dealt with IAS challenges through their respective legislations. In the sections below a number of interesting examples will be explored a bit further.

2.2.1 Brazil

a. General approach and scope of legislation

Brazil is one of the forefront countries in the field of e-government in South America (see for instance the e-vote applied in the whole country for elections of political bodies, or the real estate e-registration system [20]) and therefore the country has a complex legislative and regulatory set of rules in the field of e-signature, which also extend to ancillary fields such as notably time stamping.

Among the several legal sources applicable in the field, a central position is taken by the Medida provisória (Provisional Measure) nr. 2.200-2 of 24 August 2001 [21] which creates the infrastructure of Brazilian public keys for e-signature, called ICP-Brasil [22]. The infrastructure, according to art. 1, shall guarantee the authenticity, integrity and legal validity of electronic documents, of support applications and of applications that use digital certificates, as well as the realization of secure e-transactions. ICP-Brasil is a body managed by a board whose members are appointed by the President of Republic, as provided for by art. 3.

[20] For a list of legislative measures in the field of e-government in Brazil please refer to http://www.certisign.cm.br/certificaca-digital/legislaca/nacinal (last retrieved on 28 Oct. 11).
[21] The text is available in Portuguese at https://www.planalt.gv.br/ccivil_03/mpv/antigas_2001/2200-2.htm.
[22] For more information please refer to http://www.iti.gv.br/twiki/bin/view/certificaca/webhme (last retrieved on 28 Oct. 11).

The structure of the digital certificate system in Brazil is composed of two pyramidal levels:

- The Root Certificate Service Provider ("Autoridade Certificadora Raiz", hereinafter RCSP) at the top level. The RCSP in practice is the ITI ("Instituto Nacional de Tecnologia da Informação", National IT Institute [23]), and
- Several Certificate Service Providers ("autoridades certificadoras").

According to art. 5, the RCSP shall emit, send, distribute, revoke and manage the certificates of the certificate service providers at the lower level. Furthermore, the RCSP manages the list of certificates that have been granted, revoked and lost but it cannot provide final users with digital certificates (art. 5, second paragraph). As provided for under art. 6, only certificate service providers can emit, send, distribute, revoke and manage final users' certificates.

Art. 10, 1, is of pivotal importance since it states that electronic documents signed with a certification process made available by ICP-Brasil (in other words with a digital signature whose certificate has been granted by a certificate service provider that is part of the ICP-Brasil system) are deemed to be authentic as regards the signatories of the document, in light of the provision of art. 219 of the Civil Code (that says that "the declarations contained in signed documents are deemed to be authentic in relation to the signatories"). Thus, eSignatures laws in Brazil focus more on the legal impact on the declarations, rather than on the legal value of the signature itself.

Time stamps are regulated as well in Brazil, namely by the following administrative acts enacted by the managing board of ICP-Brasil:

- Resolução (Decision) nr. 78 of 31 March 2010 [24];
- Resolução nr. 69 of 13 October 2009 [25];
- Resolução nr. 60 of 28 November 2008 [26].

These legal sources are reflected in the ICP-Brasil's document Visão Geral do Sistema de Carimbos do Tempo na ICP-Brasil (General View about the System of Time Stamps in the ICP-Brasil, DOC-ICP-11, version 1.2, of 5 April 2010 [27]).

Time stamps are provided for by third trusted parties called Autoridades de Carimbo do Tempo (time stamps service providers), controlled and audited by the RCSP (see 1.3). According to 1.4 the use of time stamps is not compulsory and e-signatures are valid even if they are not associated with a time stamp.

The certificate system for time stamps is pyramidal as well in the sense that at the top of the structure there is the RCSP acting as Entidade de Auditoria do Tempo (Time Auditing Entity) that audits and synchronizes the time stamp service providers. The system operates thanks to and in connection with Sistemas de Auditoria e Sincronismo (Auditing and Synchronization Systems, linked to an atomic clock) that make sure that the time stamps are correct and precise.

As regards online identification and authentication, and more precisely as regards e-ID documents, there exist different forms of electronic documents in Brazil that allow identification of the holder and signature of e-documents, thus conferring to the document the same legal value as documents with a handwritten signature. Actually there is no national ID document linked to a unified federal citizens database, or better, this system (called Registro de Identidade Civil, Register of Civil Identity) is under implementation that started its test phase in 2011 and will last nine years [28]. Therefore, in the future Brazil will have a national e-ID card with a chip where a certificate for electronic signature will be stored. Actually, however, citizens and companies must use other tokens to electronically sign documents, such as inter alia the e-CPF [29] for physical persons and the e-CNPJ [30] for legal persons.

[23] http://www.iti.gv.br/twiki/bin/view/main/webhme
[24] The text is available in Portuguese at http://www.iti.gv.br/twiki/pub/certificaca/resluces/Resluca78.pdf
[25] The text is available in Portuguese at http://www.iti.gv.br/twiki/pub/certificaca/resluces/Resluca69.pdf
[26] The text is available in Portuguese at http://www.iti.gv.br/twiki/pub/certificaca/resluces/Resluca_60.pdf
[27] The text is available in Portuguese at http://www.iti.gv.br/twiki/pub/certificaca/dcicp/doc-ICP-11_-_Versa_1.2.pdf
[28] For more information and for a list of legislative references please refer to http://prtal.mj.gv.br/ric (last retrieved on 28 Oct. 11).
[29] Cadastro de pessoas físicas (Register of physical persons), used for tax purposes.
[30] Cadastro nacional da pessoa jurídica (Register of legal persons), used for tax purposes.

In order to obtain a certificate for electronic signature ("certificado digital"), i.e. one of the abovementioned tokens, the applicant must choose one between the several certification service providers recognised and approved by ICP-Brasil, as pointed out above. Certification service providers can be (and in practice are) both private and legal entities (as provided for by art. 8 of the abovementioned Medida provisória nr. 2.200-2). The user is free to select which token he needs and/or for which purpose he requires the certificate (e.g. certificate for e-justice services, for e-health services etc.). After the real verification of the holder's identity, the certification is granted by the certificate service provider so that the holder can be identified and authenticated online and can sign electronic documents.

b. Lessons learned

The main lessons that come from Brazil are:

- The e-signature system adopted in Brazil is open in the sense that private operators can participate in the market as certificate service providers, but at the same time there is a strong control by a centralised and public authority (the ITI acting as RCSP at the top of the hierarchical structure). This allows competition in the market but at the same time interoperability between different e-signature systems is assured. On the other hand, it also means that a single entity exercises control over the entire market.
- The approach to the legal value of eSignatures is somewhat different compared to that of the eSignatures Directive: whereas the European model focuses on the value of the signature itself, the Brazilian model looks at the impact on the signed information.
- The introduction of a unified national e-ID card with a certificate for electronic signature has been planned (and the implementation phase started in 2011). However, the introduction of a national e-ID card requires a major reform in the system of citizens' national registries, which has been planned as well. The implementation phase of these major reforms is expected to last nine years.

2.2.2 Malaysia

a. General approach and scope of legislation

Malaysia has adopted legislation in relation to eSignatures as early as 1997 (the Digital Signature Act 1997 [31], expanded by the eSignatures Regulation 1998 [32]). The latter is especially instructive with respect to time stamping, as Part IX of the Regulation relates exclusively to time stamping, and contains rules with respect to:

- Regulation 58. Use of time-stamps.
- Regulation 59. Effect of time-stamp by recognised date/time stamp service.
- Regulation 60. Stages of certificate of recognition for date/time stamp services.
- Regulation 61. Qualification requirements for recognition.
- Regulation 62. Functions of recognised date/time stamp service.
- Regulation 63. Chargeable fees.
- Regulation 64. Application for certificate of recognition.
- Regulation 65. Information required for establishment stage.
- Regulation 66. Information required for operation stage.
- Regulation 67. Issue and renewal of certificate of recognition.
- Regulation 68. Revocation of certificate of recognition.
- Regulation 69. Surrender of certificate of recognition.
- Regulation 70. Register of Recognised Date/Time Stamp Services.

The legal effect of time stamps (Reg. 59) is addressed in a very straightforward manner, noting that:

(1) The date and time time-stamped on a document and digitally signed by a recognised date/time stamp service shall, unless it is expressly provided otherwise, be deemed to be the date and time at which the document is signed or executed.

(2) The date and time time-stamped on a document and digitally signed by a recognised date/time stamp service shall be admissible in evidence in all legal proceedings without further proof.

Requirements for time stamp service providers are also defined (Reg. 60) at a high level. It is noteworthy that Malaysian regulations require local offices or local partnerships with Malaysian entities; thus, they are not focused on encouraging open markets. Foreign service providers may however get accreditation if they comply with Malaysian legal requirements (Part X of the Regulations). Service providers are required to obtain a certificate of recognition, which is issued by the Malaysian Communications and Multimedia Commission (MCMC). The MCMC thus acts as a supervisory authority, albeit within a clear prior authorisation scheme.

With respect to the functionalities of time stamp service providers, the Malaysian Regulations (Reg. 62) require service providers to publish hash values of stamped documents in a recognized repository, as a method of ensuring that time stamps can be validated independently.

b. Lessons learned

The legal framework in Malaysia with respect to time stamping is relatively straightforward and seems to be compatible with the existing European approach in relation to eSignatures. Notably, the definition of a legal effect of time stamps can be particularly useful as a good practice model for European policy initiatives.

2.2.3 United States of America

a. General approach and scope of the legislation

(a) Legislation on electronic signatures

In the US, a number of legal instruments provide a regulatory framework for electronic signatures. Apart from these federal laws, each State can proclaim state legislation regarding the subject. What follows is a brief summary of each of the most relevant US acts regarding electronic signatures.

[31] See http://www.skmm.gv.my/link_file/the_law/newact/act%20562/act%20562/a0562.htm
[32] See http://www.skmm.gv.my/link_file/the_law/newact/act%20562/rules%20&%20regulatins/pua%20359y1998/pua359y1998bi/pua0359y1998.htm

- The Electronic Signatures in Global and National Commerce Act, enacted on 30 June 2000, is a federal act facilitating the use of electronic records and electronic signatures in both interstate and foreign commercial transactions by attributing the validity and legal effect to contracts entered into electronically. This act lays out the guidelines for interstate commerce, and assimilates electronic signatures and records with their paper equivalents.
- The Uniform Electronic Transactions Act, which has been adopted by 48 US states, aims at aligning the differing state laws over areas such as retention of paper records and the validity of electronic signatures, and supports the validity of electronic contracts as a viable medium of agreement.
- The Digital and Electronic Authentication Law (also referred to as SEAL) was adopted in 1998 and sought to update the Bank Protection Act in regards to electronic authentication techniques by financial institutions (1968). The law foresees different forms of electronic authentication, such as biometric, clickwrap, password, public key infrastructure and security token.
- The Government Paperwork Elimination Act (1999) requires federal agencies to use electronic forms, electronic filing and electronic signatures (when practicable) to conduct official business with the public.

(b) Other initiatives

In April 2011, the White House issued its "National Strategy for Trusted Identities in Cyberspace - Enhancing Online Choice, Efficiency, Security and Privacy" (hereinafter "Strategy"). This document aims at securing online transactions for businesses and individuals, and introduces the concept of an "Identity Ecosystem". This implies an online environment where individuals and organisations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities and the digital identities of devices. The Identity Ecosystem is designed to securely support transactions that range from anonymous to fully-authenticated and from low to high-value. It will offer, but will not mandate, stronger identification and authentication while protecting privacy by limiting the amount of information that individuals must disclose.

The Identity Ecosystem is built around four guiding principles, namely:

- the enhancement of privacy and support of civil liberties;
- identity solutions must be secure and resilient;
- ensure policy and technology interoperability among identity solutions;
- the Identity Ecosystem must be developed from identity solutions that are cost-effective and easy to use.

In its Strategy, the White House indicates the key players within the Identity Ecosystem [33]:

- An individual is a person engaged in an online transaction. Individuals are the first priority of the Strategy;
- A non-person entity (NPE) may also require authentication in the Identity Ecosystem. NPEs can be organizations, hardware, networks, software, or services and are treated much like individuals within the Identity Ecosystem. NPEs may engage in or support a transaction;
- The subject of a transaction may be an individual or an NPE;
- Attributes are a named quality or characteristic inherent in or ascribed to someone or something (for example, "this individual's age is at least 21 years");
- A digital identity is a set of attributes that represent a subject in an online transaction;
- An identity provider (IDP) is responsible for establishing, maintaining, and securing the digital identity associated with that subject. These processes include revoking, suspending, and restoring the subject's digital identity if necessary. The identity provider may also verify the identity of and sign up (enrol) a subject. Alternatively, verification and enrolment may be performed by a separate enrolling agent;
- IDPs issue credentials, the information objects used during a transaction to provide evidence of the subject's identity. The credential may also provide a link to the subject's authority, roles, rights, privileges, and other attributes;
- The credential can be stored on an identity medium: a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject. Identity media are available in many formats, such as smart cards, security chips embedded in personal computers, cell phones, software based certificates, and Universal Serial Bus (USB) devices. Selecting the appropriate identity medium and credential type is implementation-specific and depends on the risk tolerance of the participating entities;
- A relying party (RP) makes transaction decisions based upon its receipt, validation, and acceptance of a subject's authenticated credentials and attributes. Within the Identity Ecosystem, a relying party selects and trusts the identity and attribute providers of their choice, based on risk and functional requirements. Relying parties are not required to integrate with all permutations of credential types and identity media. Rather, they can trust an identity provider's assertion of a valid subject credential, as appropriate. Relying parties also typically need to identify and authenticate themselves to the subject as part of transactions in the Identity Ecosystem. Relying parties can choose the strength of the authentication and attributes required to access their services;
- An attribute provider (AP) is responsible for the processes associated with establishing and maintaining identity attributes. Attribute maintenance includes validating, updating, and revoking the attribute claim. An attribute provider asserts trusted, validated attribute claims in response to attribute requests from relying parties. In certain instances, a subject may self-assert attribute claims to relying parties. Trusted, validated attributes inform relying parties' decision to authorize subjects;
- Participants refer to the collective subjects, identity providers, attribute providers, relying parties and identity media taking part in a given transaction;
- A trustmark is used to indicate that a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. The trustmark itself, and the way it is presented, will be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity. The trustmark helps individuals and organizations make informed choices about the Identity Ecosystem-related practices of the service providers and identity media they select.

[33] White House, Strategy for Trusted Identities in Cyberspace, April 2011, p. 21-22.

3. Overview of current normative landscape at EU level

3.1 eSignature standardisation framework

As the result of the standardisation mandate M460 of the European Commission to the European Standardisation Organisations, the current European eSignature standardisation framework is today in the first stage of a complete rationalisation process aiming to overcome identified issues with regards to mutual recognition and interoperability of eSignatures and to ensure its effective and practical use in business driven implementations. Despite some successful and wide adoption of very specific standards, this rationalisation is an essential step towards the emergence of a sound EU standardisation framework contributing to the consistent mapping between the related legal, technical and trust requirements that will induce a sound market for the cross-border use and interoperability of electronic signatures offering (business) stakeholders the sufficient certainty and mutual recognition of accordingly implemented electronic signatures throughout Europe.

3.1.1 Mandate M460 - a Rationalised Framework for European eSignature standards

a. The background

At the end of the last century, the European Electronic Signature Standardization Initiative (EESSI) was launched as a result of two specific mandates from the Commission [34],[35] to coordinate the European Standardization Organisations CEN and ETSI in developing a number of standards for eSignature products that could ease the adoption of electronic signatures into the market, facilitate the interoperability of eSignature based solutions and services, and map technical and industry driven policy requirements to Directive 1999/93/EC on a Community framework for electronic signatures.

The current state of the European eSignature standardisation as a result of EESSI and some continuation work from ETSI and CEN includes a variety of eSignature related topics covering also ancillary services to eSignature.

While being quite limited in scope, the mapping between legal provisions from Directive 1999/93/EC and the EESSI derived eSignature standardisation framework was materialised by Commission Decision 2003/511/EC, on generally recognised standards for electronic signature products. This decision namely published "generally recognised standards" for electronic signature products in compliance with article 3(5) of the Directive but on a very limited scope (i.e. limited to SSCD requirements, Annex III of Directive, and requirements on trustworthy systems, Annex II.f). The wide set of other requirements was not formally mapped, leaving all other legal provisions and requirements laid down in Directive 1999/93/EC with unclear directions on what specifications would meet these requirements despite the fact that the EESSI eSignature standardisation framework also covered ancillary services to eSignature and a quite complete set of technical provisions with regards to eSignature creation, verification and preservation.

Emerging cross-border use of eSignatures and the increasing use of several market instruments (e.g. Services Directive, Public Procurement, eInvoicing) that rely in their functioning on eSignatures and the framework set by the Signature Directive emphasized problems with the mutual recognition and cross-border interoperability of eSignature. Acknowledging the need to address the legal, technical and standardisation related causes of these problems, the Commission launched a study on the standardisation aspects of eSignatures [36] which concluded that the current multiplicity of standardization deliverables together with the lack of usage guidelines, the difficulty of access, the current academic approach and lack of business orientation, the numerous options and latitude for divergent interpretations and different technical implementations were detrimental to the interoperability of eSignature, and formulated a number of recommendations to mitigate this. Furthermore, the Commission evaluated the EESSI process resulting in recommendations to improve its openness [37]. In addition, as many of the current eSignature standardisation documents did not reach the level of European Norms (ENs), their status may be considered to be uncertain.

Subsequently, the Commission launched the CROBIES [38] study to investigate solutions addressing some specific issues regarding interoperability and cross-border use of eSignatures and in particular profiles of qualified certificates and signature formats, (mutual) recognition of signature creation devices as secure signature creation devices in the sense of Directive 1999/93/EC, widely divergent implementation of 'appropriate' supervision practices in Member States, as well as common formats for providing trust status information about supervised / accredited certification services issuing qualified certificates or ancillary services supporting eSignatures.

Consequently, the European Commission issued Standardisation Mandate 460 [39] to CEN, CENELEC and ETSI to update the existing eSignature standardisation deliverables, suggesting the establishment of a fully rationalised framework, including implementation guidelines, to overcome all these issues within the context of the Signature Directive, while taking into account its possible revision.

CEN, CENELEC and ETSI responded to M460 by setting up a two-phase approach starting first with defining such a rationalised framework and fixing quickly what could be quickly fixed on the basis of CROBIES suggestions and defining an associated future work programme aiming to address any elements identified as missing in this rationalised framework. Such a programme should then be executed in a second phase leading to a fully consistent and efficient set of rationalised European eSignatures standards that could be far more easily adopted by the market and lead to effective cross-border and interoperable eSignatures contributing greatly to a safer and successful eSociety.

[34] EESSI Mandate M279, Mandate to CEN, CENELEC and ETSI in support of a European legal framework for electronic signatures, European Commission, 1998.
[35] EESSI mandate M290, Mandate addressed to CEN, CENELEC and ETSI in support of the European legal framework for electronic signatures - Phase 2: Implementation of the work programme resulting from mandate M279 and presented in Section 8.3 of the (draft) report prepared by EESSI, European Commission, 1999.
[36] "Study on the standardisation aspects of e-signatures", SEALED, DLA Piper et al, 2007 (http://ec.eurpa.eu/infrmatin_sciety/plicy/esignature/dcs/standardisatin/reprt_esign_standard.pdf).
[37] Evaluation of the standardization procedures in the context of the European electronic signature standardization initiative, Jos Dumortier, 2002.
[38] "CROBIES: Study on Cross-border Interoperability of eSignatures", Siemens, SEALED and TimeLex, 2010 (http://ec.eurpa.eu/infrmatin_sciety/plicy/esignature/crbies_study/index_en.htm).
[39] Mandate M460: "Standardisation Mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the Field of Information and Communication Technologies Applied to Electronic Signatures" (http://ec.eurpa.eu/infrmatin_sciety/plicy/esignature/eu_legislatin/standardisatin/index_en.htm).

The first phase of mandate M460 execution by CEN and ETSI is in its final drafting stage and drafts are being made available accordingly for:

- The Draft Rationalised Framework for eSignature standardisation [40].
- Quick fixes on General Guidance and Requirements on Certificate Service Provider (CSP) conformity assessment [41] whose objective is to produce a common basis for guidance on conformance assessment, including requirements on auditors, for all forms of CSPs including qualified, non-qualified, time-stamp, and validation authorities.
- Quick fix on Interoperable qualified certificate profile whose objective is to update the qualified certificate profile standards [42] to address concerns identified in the CROBIES report. This includes issues related to identification of legal and physical entities in relation to these standards as well as updated requirements on current standardized information, which identifies that a certificate is a qualified certificate and to link the certificate with use of a Secure Signature Creation Device (SSCD), which is needed to avoid uncertainty over the acceptability of the signature in relation to legal requirements.
- Quick fix on Procedures for Signature Verification whose objective is to develop a technical specification specifying how to verify a digital signature within a given policy context.
- Quick fix on Signature algorithms maintenance whose objective is to maintain the guidance on signature algorithms.
- Quick fix on electronic signature profile [43] whose objective is to specify a Baseline Profile (ETSI Technical Specifications) for all the Advanced Electronic Signatures, i.e. CAdES, XAdES, PAdES and ASiC (Associated Signatures), which corresponds to the minimum basic requirements in the context of the Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (EU Services Directive henceforth), and provide the same basic features with minimal number of options or no options at all. There will be two versions of the four deliverables C/X/PAdES and ASiC baseline-profiles, respectively considering the short-term signature verification requirements only [44] and the second will contain the short-term and a long-term signature base-line profile.
- Quick fix on the testing of electronic signature standards [45] whose objective is to develop:
  - technical specifications on conformance testing for the XAdES baseline profile as specified as a result of the above related quick fix on "electronic signatures profiles",
  - a conformance testing tool for the XAdES baseline profile, and
  - an interoperability test event on PAdES signatures and ASiC - Associated Signature Containers.
- Quick fix on updating CD 2003/511/EC referenced documents, namely CWA 14169:2004, CWA 14167-1:2003, CWA 14167-2:2004 and CWA 14167-4:2004 in view of the future update of this Decision as foreseen in the Action Plan on eSignatures & eIdentification [46].

b. The proposed Rationalised Framework

The first draft of the proposed Rationalised Framework was published for stakeholders' review end of August 2011 [47]. In line with European Commission M460, the objectives of the rationalisation of the structure and presentation of the European Electronic Signature standardisation documents are:

- To allow business stakeholders to more easily implement and use products and services based on electronic signatures through the use of a radical business driven and guidance approach.
- To facilitate mutual recognition and cross-border interoperability of eSignatures.
- To simplify standards by reducing unnecessary options and avoiding diverging interpretations of the standards.
- To target a clear status of European Norm for standardisation deliverables whenever applicable.
- To facilitate a global presentation of the eSignature standardisation landscape, the availability and access to the standards. The first visible implementation of this last objective is the set-up of an eSignature standards portal accessible from www.e-signatures-standards.eu.

It is worth noting that the rationalised framework has been organised around 6 (functional) areas and 5 types of documentation, namely Guidance documents, Policy and Security Requirements, Technical Specifications, Conformance Assessment Guidance, and documents related to the testing of compliance and interoperability of products and services against requirements and specifications.

The 6 proposed areas for standardisation of eSignatures are the following:

1. Signature Creation and Validation: focusing on standards related to the creation and validation of electronic signatures, covering (i) expression of rules and procedures to be followed at creation, verification and for preservation of eSignatures for long term, (ii) signature format, packaging of signatures and signed documents, and (iii) protection profiles for signature creation/verification applications.
2. Signature Creation Device: focusing on standards related to SSCD's as defined in the Signature Directive, on signature creation devices used by Trust Service Providers as well as other types of signature creation devices.
3. Cryptographic Suites: focusing on aspects related to the use of signature cryptographic suites [48].
4. Trust Service Providers supporting eSignatures: including TSPs issuing Certificates, Time-Stamping Services Providers, TSPs offering signature validation services, TSPs offering remote signature creation services (also called signing server).
5. Trust Application Service Providers: covering Trust Service Providers offering value added services applying electronic signatures and that rely on the generation/verification of electronic signatures in normal operation (e.g. registered e-delivery services of electronic documents and messages, as well as long term archiving services).
6. Trust Service Status (List) Provider: This area covers the standardisation related to the provision of trust service "approval" status lists.

[Figure: Overview of the eSignature standardisation Rationalised Framework (source ETSI). Areas shown: 1 Signature Creation & Validation; 2 Signature Creation Devices; 3 Cryptographic Suites; 4 TSPs supporting eSignature; 5 Trust Application Service Providers; 6 Trust Service Status Lists Providers.]

3.1.2 Inventory of eSignature standards

As an input to the rationalisation of the current European eSignature standardisation framework, M460 driven ETSI STF 425 initiated a worldwide inventory with regards to electronic signature standards and related standardisation documents and published the interim results of such an inventory end August 2011. This inventory includes standards, publicly available and regulatory specifications from the International, pan European, national and sector (e.g. banking, e-invoicing, biopharmaceutical) domains. It is not the purpose of the present document to redo or reformulate the work done in ETSI but to refer to this essential piece of work. This inventory is available from the ETSI STF 425 webpage [49] and from the eSignature standards dedicated website www.e-signatures-standards.eu.

[40] ETSI STF425: http://prtal.etsi.rg/stfs/stf_hmepages/stf425/stf425.asp, and in particular the Draft Special Report is available from: http://prtal.etsi.rg/stfs/stf_hmepages/stf425/dsr_esi_000099v000002.zip.
[41] ETSI STF 427: http://prtal.etsi.rg/stfs/stf_hmepages/stf427/stf427.asp, and in particular: http://prtal.etsi.rg/stfs/stf_hmepages/stf427/dts-esi-000075v000002.zip
[42] ETSI TS 101 862 and ETSI TS 102 280.
[43] ETSI STF 426: http://prtal.etsi.rg/stfs/stf_hmepages/stf426/stf426.asp.
[44] ETSI ESI approved version available on: http://prtal.etsi.rg/stfs/stf_hmepages/stf426/stf426_deliv_2011-09-13.zip
[45] ETSI STF 428: http://prtal.etsi.rg/stfs/stf_hmepages/stf428/stf428.asp.
[46] Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions on an Action Plan on eSignatures and e-identification to facilitate the provision of cross-border public services in the Single Market, COM(2008)798 of 28.11.08.
[47] Draft Special Report is available from: http://prtal.etsi.rg/stfs/stf_hmepages/stf425/dsr_esi_000099v000002.zip.
[48] I.e. the suite of eSignature related algorithms including key generation algorithm, signing algorithms with parameters and padding method, verification algorithms, and hash functions.
[49] ETSI STF 425: http://prtal.etsi.rg/stfs/stf_hmepages/stf425/stf425.asp.

3.1.3 Work Programme

It is expected that 2 or 3 years would be needed to fully overcome the current issues and achieve a complete execution of the Work Programme leading to a fully coherent and business exploitable European eSignature Standards. The challenge will mainly consist in providing of course a sound standardisation framework but also in setting up a smooth migration and transition from the current implemented (even if limited) market to the future requirements, while mapping closely to the future IAS policy framework and leveraging on and providing a commonly defined basis to the existing Trusted Lists model (as per CD 2009/767/EC amended by CD 2010/425/EU) for providing a common and harmonised way of providing trust related information on any type of supervised/accredited trust services.

3.2 Identity and Authentication standardisation framework

At EU level, the main efforts are concentrated in:

- ETSI's long standing introduction of identity and authentication in the form of the SIM (Subscriber Identity Module) and the more recent pre-standardisation "Group Specifications" for Identity management; and
- CEN TC 224 (personal identification, electronic signature and cards and their related systems and operations).

Both the SIM-oriented and the emerging ETSI work is specifically oriented towards the telecommunication services industry, and to our understanding does currently not target broader acceptance. The CEN Technical Committee 224 has produced standards such as the ECC (European Citizen Card) standard which particularly target Electronic Identity and Authentication.

As a significant amount of influential work has been done in the past outside Europe, we included a short summary of this in appendix.

3.2.1 ETSI SIM

ETSI defined the Subscriber Identity Module for GSM 2G in 1990, and the 3GPP defined the USIM in 1999. While the term SIM refers both to hardware and software, the term USIM only refers to the software application for Subscriber Identification which is executing on the UICC (the hardware). The current core specification is 3GPP TS 21.111.

With regard to identification and authentication, the standards define mechanisms and protocol exchanges, but not the algorithms. The operators have the choice for making this selection. Many operators rely on symmetric algorithms such as Milenage, which is related to the well-known Rijndael.

3.2.2 ETSI identity pre-standardisation efforts

ETSI has completed its Identity Management pre-standardisation specifications supporting interoperability and access control early 2011. These specifications are mainly focused on the telecom industry.

These specifications aim to simplify how users get authorized access to services and data beyond enterprise boundaries. They also support more privacy thus reducing the concerns in deploying these technologies. This series of five pre-standardization specifications (known as Group Specifications) marks the end of the first phase of a transfer of European R&D projects of the European Commission's 6th and 7th Framework projects into specifications for industrial use.

The specifications were created by ETSI's Industry Specification Group on 'Identity and access management for Networks and Services' (ISG INS). This first set of group specifications support interoperability and incorporate privacy into the telecoms services and networks domain.

For example, Group Specification GS INS 001 on Identity Management (IdM) interoperability between Operators or Internet Service Providers (ISPs) and Enterprise provides mechanisms, interfaces and protocols allowing scenarios where third party providers share attributes with the operator, or reuses its authentication. A typical instance is Single Sign-On, a procedure by which a user gains access to all authorized communication services, thus avoiding the need for repeated authentication. GS INS 003 on distributed user profiles defines the relationship between access control and societal privacy needs and the associated legal framework.

3.2.3 CEN initiative in standardising cyber identity and unique identification of legal person and parts thereof

Unique persistent identification of business entities by recognised bodies and the verification of such identifications in trustworthy registers are a prerequisite for interoperability in electronic communications and transactions in open user groups.

It is likely that standards for electronic business exchange may mandate the use of unique identifiers in certain fields but do not specify how they can be decoded and resolved without a bilateral agreement. CWA 16036 aims to discuss these issues and provide standardisation bodies with proper recommendations to achieve this goal.

This document gives guidance on unique identification systems currently in use or emerging for organizations and parts thereof, covering organizational and operational rules and processes to enable interoperability across multiple organization identification schemes. It includes an analysis of existing systems and proposes recommendations on how to achieve interoperability among them by using meta-identification systems.

This quite interesting, and we believe essential, exploratory work and recommendations for supporting interoperability and cross-border use of identification schemes whether used for identification, authentication or eSignature purposes must be continued and extended to natural persons.

3.2.4 CEN TC 224 WGs

This CEN Technical Committee deals with personal identification, electronic signature and cards and their related systems and operations. Its structure is depicted on their website as follows:

Figure: CEN/TC224 structure

We consider the following WGs particularly relevant from an IAS perspective:

- CEN TC224/WG 15 European citizen card or ECC

- CEN TC224/WG 16 Application Interface for smart cards used as Secure Signature Creation Devices
- CEN TC224/WG 17 Protection Profiles in the context of SSCD
- CEN TC224/WG 18 Interoperability of biometric recorded data

In this TC, following standards were recently published:

- EN 1332-1:2009 Identification card systems - Human-machine interface - Part 1: Design principles for the user interface
- CEN/TS 15480-3:2010 Identification card systems - European Citizen Card - Part 3: European Citizen Card Interoperability using an application interface

Furthermore, following standards are in progress:

- prCEN/TS 15480-4: Identification card systems - European Citizen Card - Part 4: Recommendations for European Citizen Card issuance, operation and use
- prEN 14169-1: Protection Profile for Secure Signature Creation Device - Part 1: Overview
- prEN 14169-2: Protection Profile for Secure signature creation device - Part 2: Device with key generation
- prEN 14169-3: Protection profiles for secure signature creation device - Part 3: Device with key import
- prEN 14169-4: Protection profiles for secure signature creation device - Part 4: Extension for device with key generation and trusted communication with certificate generation application
- prEN 14169-5: Protection profiles for secure signature creation device - Part 5: Device with key generation and trusted communication with signature-creation application
- prEN 14169-6: Protection profiles for secure signature creation device - Part 6: Device with key import and trusted communication with signature-creation application
- Security Requirements for Device for Authentication - Part 1: Protection profile for core functionality

- Security Requirements for Device for Authentication - Part 2: Protection profile for extension for trusted channel to certificate generation application
- Security Requirements for Device for Authentication - Part 3: Additional functionality for security targets
- prCEN/TS 15480-1 rev Identification card systems - European Citizen Card - Part 1: Physical, electrical and transport protocol characteristics
- prCEN/TS 15480-2 rev Identification card systems - European Citizen Card - Part 2: Logical data structures and security services
- Personal Identification - Harmonization and interoperability of slap-ten print capture for Biometrics
- EN 14890-1:2008/prA1 Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services
- EN 14890-2:2008/prA1 Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional Services
- prEN 16248-1 Security requirements for device for authentication - Part 1: Protection profile for core functionality
- prEN 16248-2 Security requirements for device for authentication - Part 2: Protection profile for extension for trusted channel to certificate generation application
- prEN 1332-4 rev Identification card systems - Man-machine interface - Part 4: Coding of user requirements for people with special needs
- prCEN/TS 15480-5 Identification card systems - European Citizen Card - Part 5: "General Introduction" (ECC-5)

a. WG15 European citizen card

Within WG15, the documents FprCEN/TS 15480-4 / ECC-4: "Part 4: Recommendations for European Citizen Card issuance, operation and use" as well as FprCEN/TS 15480-2 / ECC-2: "Part 2: Logical data structures and security services."

prCEN/TS 15480-1 / ECC-1 "Part 1: Physical, electrical and transport protocol characteristics" (under revision).

CEN/TS 15480-3:2010 / ECC-3 "Part 3: European Citizen Card Interoperability using an application interface" was published 13/09/2010.

Finally, with regard to prCEN/TS 15480-5 ECC-5 "Part 5: General Introduction" the NWI proposal was accepted on 20/06/2011.

b. WG 16 Application Interface for smart cards used as Secure Signature Creation Devices (SSCD)

With regard to WG16 status, following statuses are relevant:

For documents EN14890-1 "Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services" as well as for EN14890-2 "Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional services", revisions have been accepted on 23/02/2011.

The TC224 Secretary is also asked to proceed to the PWI consultation on alignment with relevant ETSI standard to include the following topics:

- Web services on card
- Context specific authentication protocols for SSCDs for adoption on smart card
- Algorithm paper ETSI TS 102176

with liaison/participation to the relevant standardization bodies.

c. WG 17 Protection Profiles in the context of SSCD

With regard to the status of WG17, following documents are under approval:

- prEN14169-1 "Protection Profile for Secure Signature Creation Device - Part 1: Overview"

d. WG18 Interoperability of biometric recorded data (prEN14169-3, prEN14169-4, prEN14169-5, and prEN14169-6)

WG18 is a new WG composed since 2010. Following documents are relevant:

- prEN14169-3 Protection profiles for secure signature creation device - Part 3: Device with key import

- prEN14169-4 Protection profiles for secure signature creation device - Part 4: Extension for device with key generation and trusted communication with certificate generation application
- prEN14169-5 Protection profiles for secure signature creation device - Part 5: Device with key generation and trusted communication with signature-creation application
- prEN14169-6 Protection profiles for secure signature creation device - Part 6: Device with key import and trusted communication with signature-creation application

The new work item "Recommendations for using biometrics in European automated border crossing" is approved and officially opened (100% of positive votes, 6 countries committed to participate: Germany, United Kingdom, Austria, Netherlands, Spain and France). The resolution 857 is approved and the work item is opened within the CEN/TC224/WG18.

4. Leading studies, projects and policy initiatives

4.1 Identity and Authentication

4.1.1 The private sector perspective: scope, impact and lessons learned

a. Basic aspects

The private sector's use of identity and authentication services varies across the industry segments. In most if not all cases there is use of government identification documents during the hiring process of employees. As these hiring processes also gradually move to the Internet, electronic identification is making inroads there. The identity of the applicant is today still usually confirmed during the (mostly traditional) employment contract signing.

An issue that many international enterprises face is the following scenario:

- An employee is hired by company 1 in the group, HR processing is done in country 1;
- The employee is fired e.g. for misconduct, HR in country 1 flags him as no longer to be considered fit for hiring;
- The employee is hired by company 2 in the same group in country 2, HR processing is done in country 2;
- As HR processing is not consolidated, the fact that this employee is rehired is only discovered after a too long period.

Furthermore once the applicant needs to be brought on-board into the electronic business systems of his employer, the situation quickly becomes complicated in most cases. Many large private sector enterprises are structured in multiple tiers, such as the group (or HQ) level, the functional business unit level (which may or may not be structured according to national boundaries), affiliates, and business partners. The relation with the latter varies widely in terms of width and depth.

Across these tiers staff, contractors and even automated software processes need to access and exchange information. Today, much of such information is still managed in technology silos (ERPs such as SAP and Oracle, various platforms such as mainframe, Unix, Windows, and using a multitude of application servers etc). These silos are rooted in different technologies, whose identity and authentication technologies were not at all intended to be interoperable.

Most large-scale enterprises recognized the need from both regulatory and efficiency/effectiveness perspectives to establish more unified identity and authentication solutions, including e.g. SSO (Single Sign On). However, in many enterprises, this is far from realised as it is both complex and expensive.

b. Projects

In many sectors (e.g. the Financial, the Telecom, the Healthcare and the Pharmaceutical Sectors), most enterprises launched IAM (identity and access management) initiatives, often running for 3-5 years or longer. In many enterprises, these projects are currently still ongoing. More often than not today's status is that a selective part of the applications is covered for a selection of internal users. And while some companies indeed already succeeded at opening up e-services for their external customers, there are still numerous companies where this is definitely not the case.

A significant interest is now spurred for the Identity as a Service concept, particularly in the context of Cloud computing. In such a case, an enterprise needs to bridge both internal and external services (hosted in-house, externally and "in the cloud"), as well as internal and external identity providers.

c. SWIFT's approach

It is remarkable that SWIFT has taken a slightly different approach for managing the interaction with their customers, because they prefer to focus on eSignature more than anything else. SWIFT offers their customers the 3SKey (SWIFT Secure Signature Key) which allows PKI signatures to be created on the basis of an anonymous credential (private key and certificate) stored in a token. It does not contain the name of any individual but just a Unique ID that is used by 3SKey subscribers to associate the 3SKey user with the certificate. The activation process does not require the supply of any identification information about the 3SKey user, and the business credential is entirely anonymous.

4.1.2 The public sector perspective: scope, impact and lessons learned

a. Electronic ID

Electronic ID cards were introduced in the late 1990s by various Member States. This included the Finnish eID card (December 1999), the Estonian eID card (January 2002), the Austrian citizen card (from 2003, with mass-rollouts from 2005), the Italian CIE / CNS (test phase 2003 for CIE), and the Belgian eID card (2002/2003).

They were heterogeneous from a technology perspective, using smartcards (AT, BE, EE, ES, FI, GE, IT, PT, SE, ...), Mobile eIDs (AT, EE, FI, LU, NL, NO, UK, ...), allowing soft certificates (ES, SE, SI, ...), or even username/password (NL, UK, ...). They were issued by the public sector, the private sector or a combination. They are issued at federal, local, and regional levels. Finally, they also make different use of identifiers which can be horizontal (across the country), sector-specific or a combination. For an overview, see the document "State of play concerning the electronic identity cards in the EU Member States" (Brussels, 31 May 2010) 9949/10, from the European Council. [50]

As many Use Cases were identified that require cross-border usage of eIDs, with it came the need for interoperability. However, this should be balanced with the requirements for Data Protection.

b. STORK

The STORK project does not change the Member State situations, but aims at interoperability. Running mainly from February 2009 through May 2011, it addressed functional design, technical design (borrowing heavily from SAML V2 for the actual protocols), implementation, exploitation (including pilots) and evaluation.

As the proof of the pudding is in the eating, originally five pilots were selected: cross border authentication, safer chat, eID Student Mobility, eID electronic delivery and EU Citizen Change of Address. Integration of eID into the EC's ECAS authentication service was added as a sixth pilot.

In general, STORK assumes a citizen has online-access with eID, and considers the following use cases:

1. Authentication: in an online access to a service provider;
2. Attribute Transfer (STORK defines eID as the identifier (e.g. national citizen ID), the rest (name, date of birth, qualification, ...) are attributes)
3. Attribute Verification: is a certain attribute presented by the citizen correct?
4. Certificate Verification.

When analysing the various eID implementations across the Member States, it can be observed that server-side solutions, client-side solutions and combinations are used. Some governments selected smart card based eIDs, which led to the introduction of client-side middleware to shield the card's implementation specifics from the application. Some governments introduced server-side middleware to cater for client-side independence from multiple tokens. Most solutions were established well before there was a common middleware standard.

Around 2006, the multipart standard ISO/IEC 24727 for middleware ("Identification Cards - Integrated circuit cards programming interfaces") was introduced by Task Force 9 of ISO/IEC JTC 1 SC 17/WG 4. It builds upon ISO/IEC 7816, with a focus on services and interfaces, aims to be card type neutral, contact and contactless agnostic. Its goal is to foster interchangeable and interoperable implementations for identification, authentication, and signature services. The standard made its way into many fields, including the US FIPS 201 (PIV) and the European Citizen Card. However, many national eID solutions were already established prior to the existence of this standard.

As a consequence, STORK had to create a model that could accommodate the various existing models. They based their design on two interoperability models, referred to as Middleware (MW) and Pan-European Proxy Services (PEPS). Common to those models are the two fundamental actors, the Citizen and the Service Provider. Citizen and Service Provider may reside in the same or in different countries. It has to be noted that besides Austria and Germany, Member States have opted for the PEPS approach.

[50] See http://www.statewatch.org/news/2010/jun/eu-council-id-cards-9949-10.pdf
The existing technical implementations of eIDs in the Member States led to 4 possible combinations of MW and PEPS (PEPS=>PEPS, MW=>MW, MW=>PEPS, PEPS=>MW).

For example in the case of a Citizen of country-1 equipped with a PEPS (PEPS-C), wanting to use the services of a Service Provider in country-2, also equipped with a PEPS (PEPS-S) the following happens:

- The Citizen contacts the Service Provider's application, which decides to require eID-based authentication;
- As the Citizen is from another country than the SP, the authentication is rerouted by the SP to his national PEPS (PEPS-S); the PEPS-S will reroute to the PEPS-C in the Citizen's country, which will interact with the Citizen to create the appropriate authentication assertion;
- This assertion will be presented by the Citizen to the Service Provider, which evaluates it to decide whether he wants to accept it as a valid authentication response.

There is a strong dependence of the above scenario on electronic signatures, as such authentication responses are essentially electronically signed XML assertions. The consumer of the response should obviously verify the signature and validate it against revocation services.

The expression "SPware" was introduced to indicate the combination of client and server-side middleware, required to interface with a Service Provider. To provide a MW access at a PEPS or a PEPS interface at the SPware side, the concept of a Virtual Identity Provider was introduced. The Austrian SPWare MOA-ID is actually the main precursor for the STORK V-IDP.

For example in the case of an Austrian student authenticating towards a Swedish university, the Swedish university will first query the Swedish PEPS, who needs to contact the Austrian identity provider, which is based on a MW model (i.e. the student's card expects an SPware environment to function). The Austrian identity provider will present itself as a Virtual IdP to respond to the request from the Swedish PEPS. The scenario is further similar to the preceding one.

The technical implementations of the STORK building blocks in the pilots rely on the SAML 2.0 protocol suite from OASIS. The Use Cases are based on two SAML profiles, the Web Browser SSO Profile, and the Holder of Key Web Browser SSO Profile. The bindings onto communication protocols are based on HTTP-Post and SOAP Binding. The request/response protocols for obtaining an authentication assertion are based on the Authentication Request Protocol. The latter was amended to include Attribute Query. Finally, at the lowest level, the SAML Authentication and Attribute Assertions are used.

As a consequence, we now observe cross-border electronic services e.g. in the context of the general provision of services to citizens or enterprises. For example the Austrian www.help.gv.at portal allows authentication via eID, mobile or non-Austrian eID via STORK.
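The PEPS=>PEPS exchange and the requirement that the consumer verify the signature and check revocation, as an added Python example (not STORK or project code). Assumptions: the flat element and attribute names stand in for a SAML 2.0 assertion, a toy RSA signature over the canonical XML stands in for XML-DSig, an in-memory set stands in for a CRL/OCSP query, and every identifier and value is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed toy RSA key for PEPS-C (two Mersenne primes). Illustration only:
# real assertions carry an XML-DSig signature made with a certified key.
_P, _Q, E = 2**127 - 1, 2**89 - 1, 65537
N = _P * _Q
_D = pow(E, -1, (_P - 1) * (_Q - 1))      # private exponent, held by PEPS-C only

PEPS_C = "PEPS-C/country-1"               # constructed issuer name
SP_ID = "https://sp.example/country-2"    # constructed Service Provider identifier
NOW = datetime(2011, 9, 1, 12, 0, tzinfo=timezone.utc)


def _digest(elem, modulus):
    """SHA-256 over the canonical (C14N 2.0) form, so re-serialisation does not matter."""
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return int.from_bytes(hashlib.sha256(c14n.encode()).digest(), "big") % modulus


def issue_assertion(request_id, audience, attributes, now):
    """PEPS-C side: after authenticating the Citizen, build and sign the assertion."""
    a = ET.Element("Assertion", {
        "Issuer": PEPS_C, "InResponseTo": request_id, "Audience": audience,
        "NotBefore": now.isoformat(),
        "NotOnOrAfter": (now + timedelta(minutes=5)).isoformat()})
    for name, value in attributes.items():
        ET.SubElement(a, "Attribute", Name=name).text = value
    signature = pow(_digest(a, N), _D, N)
    ET.SubElement(a, "Signature").text = format(signature, "x")
    return ET.tostring(a, encoding="unicode")


class ServiceProvider:
    """Consumer of the response: accepts an assertion only if every check passes."""

    def __init__(self, entity_id, trust_list, revoked_serials):
        self.entity_id = entity_id
        self.trust_list = trust_list        # issuer -> (cert serial, n, e)
        self.revoked = revoked_serials      # stand-in for a CRL/OCSP lookup
        self.pending = set()                # request IDs still awaiting a response

    def new_request(self, request_id):
        self.pending.add(request_id)
        return request_id

    def consume(self, xml_text, now):
        a = ET.fromstring(xml_text)
        anchor = self.trust_list.get(a.get("Issuer"))
        if anchor is None:
            return False, "issuer not in trust list"
        serial, n, e = anchor
        sig = a.find("Signature")
        if sig is None:
            return False, "unsigned assertion"
        a.remove(sig)                       # enveloped signature: digest excludes itself
        try:
            value = int(sig.text or "", 16)
        except ValueError:
            return False, "signature invalid"
        if pow(value, e, n) != _digest(a, n):
            return False, "signature invalid"
        if serial in self.revoked:
            return False, "signing certificate revoked"
        if a.get("Audience") != self.entity_id:
            return False, "assertion issued for another Service Provider"
        not_before = datetime.fromisoformat(a.get("NotBefore"))
        not_after = datetime.fromisoformat(a.get("NotOnOrAfter"))
        if not not_before <= now < not_after:
            return False, "outside validity window"
        if a.get("InResponseTo") not in self.pending:
            return False, "unsolicited or replayed response"
        self.pending.discard(a.get("InResponseTo"))
        return True, {x.get("Name"): x.text for x in a.findall("Attribute")}


def run_scenarios():
    """Constructed PEPS=>PEPS run: one valid response plus the failure cases."""
    trust = {PEPS_C: ("1001", N, E)}
    attrs = {"eIdentifier": "C1/C2/12345"}
    sp = ServiceProvider(SP_ID, trust, revoked_serials=set())
    good = issue_assertion(sp.new_request("_req1"), SP_ID, attrs, NOW)
    results = {"valid": sp.consume(good, NOW), "replayed": sp.consume(good, NOW)}
    tampered = issue_assertion(sp.new_request("_req2"), SP_ID, attrs, NOW)
    results["tampered"] = sp.consume(tampered.replace("12345", "99999"), NOW)
    fresh = issue_assertion(sp.new_request("_req3"), SP_ID, attrs, NOW)
    results["expired"] = sp.consume(fresh, NOW + timedelta(minutes=10))
    other = issue_assertion(sp.new_request("_req4"), "https://other.example", attrs, NOW)
    results["wrong_audience"] = sp.consume(other, NOW)
    sp_revoked = ServiceProvider(SP_ID, trust, revoked_serials={"1001"})
    late = issue_assertion(sp_revoked.new_request("_req5"), SP_ID, attrs, NOW)
    results["revoked"] = sp_revoked.consume(late, NOW)
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The revocation check uses the certificate serial from the Service Provider's own trust list rather than a value carried in the message, so an assertion cannot steer which certificate gets checked.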

Figure: eIdentification and Authentication with Austrian eID card, mobile phone or via STORK on www.help.gv.at

Demonstrators for cross-border electronic services include national portals from Austria (help.gv.at), Estonia (eesti.ee), Germany (mein-service-bw), Portugal (portaldocidadao.pt) and the UK, one regional portal from Catalonia in Spain and one specific service for compliance activities for working in Belgium (limosa.be).

For example an Estonian citizen can select his home country on the limosa.be site, and will be offered the possibility to authenticate with his national eID.

Figure: eIdentification and Authentication with Estonian eID card originating at www.limosa.be

This allows the citizen from the other Member State to prepare and process his compliance to local social requirements in Belgium.

c. SPOCS

Simple Procedures Online for Crossborder Services (SPOCS) is a pilot project launched by the European Commission that runs from 2009 through 2012. It aims to remove the administrative barriers European businesses face in offering their services abroad. SPOCS is expected to further enhance the quality of electronic procedures completion and has been designed for businesses that have an interest in cross-border activities. It will allow them to meet all the administrative obligations through a single contact point that will be available online.

The Points of Single Contact (PSC) act as intermediaries between service providers and the national public administrations. These single intermediaries are designed to allow businesses to complete electronically all the relevant administrative procedures, such as obtaining authorisations to start an activity, which are necessary for providing their services in another EU country.

SPOCS benefits from the results achieved by its sister projects, STORK (on electronic identity) and PEPPOL (on electronic procurement), in relation to mutual recognition for the use of electronic identity and signatures. It will be implemented in different phases and a special emphasis will be drawn on the development of common specifications and tools for electronic services, such as technical and semantic interoperability, the promotion of electronic documents (eDocuments) and the creation of a services directory.

As such it is obvious that identity, authentication and signature are prerequisites for electronic document delivery as envisaged in SPOCS.

d. PEPPOL

PEPPOL, the Pan-European Public Procurement OnLine project, was initiated in 2008. It aims at expanding market connectivity and interoperability between eProcurement communities. PEPPOL enables access to its standards-based IT transport infrastructure through access points, and provides services for eProcurement with standardised electronic document formats (based on UBL and CEN/BII).

PEPPOL facilitates the pre-award and post-award procurement process with standardised components by focussing on the most complex eProcurement elements (marked yellow in the graphic below):

Final Reprt - IAS in Eurpe: An verview f the state f the art (D.2.2.b) Figure: Peppl Cmpnents As such, identificatin f the transacting partners as well as esignatures are parts f the PEPPOL ecsystem. 4.1.3 The service supplier/vendr perspective: scpe, impact and lessns learned a. The inside-t-utside apprach T manage identity and authenticatin within an enterprise r public institutin, mst entities make use f specific slutins frm vendrs and service suppliers which they implement in-huse. These slutins were riginally established t manage the internal ppulatin, and have gradually been expanding t serve external ppulatins as well. Within the scpe f market-riented prduct and services, there is an abundance f vendrs in the IA market. A significant market share is held by Siemens (Dir-X based prduct suite), Oracle/Sun (OIM/OAM/OIA), IBM (Tivli family), Micrsft, and Evidian. Many IA prducts f tday have a histry that reflects the numerus mergers and acquisitins in the IA vendr space. This is e.g. illustrated by the riginal Netscape Directry Server, whse cncepts cntinued int iplanet, later int Sun, and recently int Oracle. SAP acquired MaXware, essentially a cmpany 86

Final Reprt - IAS in Eurpe: An verview f the state f the art (D.2.2.b) based n an Enterprise Directry prduct t integrate IAM functinality in their business slutins. There is significant rm t ffer IAM functinality as a service, and this can be cnsidered an emerging market. When an applicatin prvider ffers his services ver the Internet r in the clud, he is facing the challenge f integrating his custmer s identity, authenticatin and authrisatin system with his service ffer. This leads t the requirement t build a circle f trust, r a federatin. In such a federatin, trust services are required as a fundatin fr the IdPs (Identity Prviders) that ffer identity and authenticatin. Integratin requirements when cmpanies mve services t the clud bviusly increase the identity and authenticatin aspects, as well as the data prtectin aspects. b. The utside-t-inside apprach The scial netwrk applicatins were riginally seen as external t an entity s ppulatin. Their grwth brught a need t address identity, authenticatin and authrisatin (IAA) requirements. Fr example Facebk cntinuus t imprve their IAA slutins: 87 In 2006, the first versin f the Facebk API was intrduced, enabling users t share their infrmatin with the third party websites and applicatins. Many cmpanies leveraged these APIs, allwing users t cnnect their identity infrmatin frm Facebk, such as basic prfile, friends, phts infrmatin and mre, t third party websites, as well as desktp and mbile applicatins. In 2007, Facebk Platfrm was launched, which allwed third party develpers t build rich scial applicatins within Facebk. It uses the OAuth 2.0 prtcl fr authenticatin and authrizatin In 2008 Facebk Cnnect was intrduced which enabled third party websites t implement mre features f Facebk Platfrm ff f Facebk. It builds further n the OpenID and OAuth cncepts. In the pst http://develpers.facebk.cm/blg/pst/534/ is stated By Octber 1, 2011, we require that all website and canvas apps must exclusively supprt OAuth 2.0 (draft 20). 
All canvas apps must use the signed_request parameter. This als implies that ld, previus versins f ur SDKs will stp wrking, including the ld JavaScript SDK. As such we assume that at the time f putting tgether this study reprt, Facebk was strngly favuring Oauth 2.0. As specified in draft RFC The OAuth 2.0 Authrizatin Prtcl draft-ietf-auth-v2-12, OAuth includes fur rles wrking tgether t grant and prvide access t

Final Reprt - IAS in Eurpe: An verview f the state f the art (D.2.2.b) prtected resurces (i.e. access restricted resurces which require authenticatin t access): resurce wner - An entity capable f granting access t a prtected resurce.when the resurce wner is a persn it is referred t as an enduser. resurce server - The server hsting the prtected resurces, capable f accepting and respnding t prtected resurce requests using access tkens. Client - An applicatin making prtected resurce requests n behalf f the resurce wner and with its authrizatin. authrizatin server - The server issuing access tkens t the client after successfully authenticating the resurce wner and btaining authrizatin. The Facebk implementatin f OAuth aims t give the user cntrl ver what a third party app can d with his infrmatin. It invlves three different steps: user authenticatin, app authrizatin and app authenticatin. User authenticatin ensures that the user is wh he claims t be. This may already be perfrmed in a step prir t the user wanting t access the third party app. App authrizatin ensures that the user knws what data and capabilities he is prviding t the app. App authenticatin ensures that the user is giving their infrmatin t the apprpriate app. Once these steps are cmplete, the app issues a user access tken that enables yu t access the user's infrmatin and take actins n their behalf. Furthermre, Facebk launched Cnnect with Facebk, referred t (http://develpers.facebk.cm/dcs/guides/web). This builds further n the cncepts frm OpenID and Oauth t give users the ability t take their identity and scial graph with them arund the Web. The bjective is that Facebk users represent themselves with their real names and real identities and take their identity infrmatin with them including prfile infrmatin, prfile picture, name, friends, phts, events, grups, and mre. It remains t be seen t what extent this is embraced by the user cmmunity. 
In this field there is a clear potential for cross-over with the diverse identification and authentication services that are at the disposal of the end user. They may have use cases where they prefer to use a simple userid and password, and other use cases where they prefer to rely on a private sector or government supplied eID. [51]

[51] Note that PAYPAL is also using a similar approach making use of OpenID and OAuth.

4.1.4 The academic perspective

a. ABC4TRUST Attribute-based Credentials

The goal of ABC4Trust (https://abc4trust.eu) is to address the federation and interchangeability of technologies that support trustworthy yet privacy-preserving Attribute-based Credentials (ABC). So far credentials such as digitally signed pieces of personal information or other information used to authenticate or identify a user were not designed to respect the users' privacy. They invariably reveal the identity of the holder even though the application at hand often needs much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials allow a holder to reveal just the minimal information required by the application, without giving away full identity information. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-protecting digital society.

Today there are only a handful of proposals of how to realize an ABC. Notable is especially the appearance of two technologies, IBM's Identity Mixer (Camenisch) and Microsoft's U-Prove (Brands). The objectives of ABC4Trust are to define a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms, and to deliver open reference implementations of selected ABC systems and deploy them in actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members. ABC4Trust develops and trials an ABC enabled architecture and related application pilots. This will result in important input for the design of the upcoming electronic identity management infrastructure, and e.g. the related European Large Scale Action (ELSA).

The relationship with IAS lies particularly in their introduction of new paradigms such as anonymous credentials and selective disclosure of attributes.
This can be expected to drive new security expectations from end users and policy makers.

b. TAS³ - Trusted Architecture for Securely Shared Services

This IST FP7 funded Integrated Project (http://tas3.eu) runs from Jan 2008 through Dec 2011. It focuses on federated identity management and aims to integrate adaptive business-driven end2end Trust Services based on personal information as well as Semantic integration of Security, Trust, and Privacy components. It addresses four layers: Authentication for federated identities, Authorization for federated attributes, Trustworthiness & Reputation scores, and finally Data Protection policy enforcement. TAS³ focuses on a Trusted Employability Platform and a Healthcare Demonstrator Platform.

The relationship with IAS lies particularly in how they address federated identities, federated attributes and trustworthiness. These can equally be expected to drive new security expectations from end users and policy makers.

c. PrimeLife

PrimeLife is the FP7 continuation of Prime in FP6. It runs from March 2008 for 40 Months. PrimeLife is addressing the core privacy and trust issues pertaining to the challenges related to protecting the autonomy and control of users over personal information in daily interaction over the Internet. This raises substantial new privacy challenges such as how to protect privacy in emerging Internet applications such as collaborative scenarios and virtual communities, and how to maintain life-long privacy. Its long-term vision is to counter the trend to life-long personal data trails without compromising on functionality. It will build upon and expand the FP6 project PRIME that has shown how privacy technologies can enable citizens to execute their legal rights to control personal information in on-line transactions.

The main objective of the project is to bring sustainable privacy and identity management to future networks and services:

- Fundamentally understand privacy-enhancing identity management 'for life' (practical life, throughout life & beyond)
- Bring privacy to the web and its applications
- Develop and make tools for privacy friendly identity management widely available

Resolving these issues requires substantial progress in underlying technologies. PrimeLife aims to substantially advance the state of the art in the areas of human computer interfaces, configurable policy languages, web service federations, infrastructures and privacy-enhancing cryptography.
The relationship with IAS lies particularly in how they address privacy-enhancing identities. This is a fundamentally different approach because such identities will be able to engage in transactions that do require proof of certain identity aspects or attributes only, while further guaranteeing privacy. These can equally be expected to drive new security expectations from end users and policy makers alike, for example in the broad area of e-democracy.

4.1.5 Beyond the EU Member States

Outside the EU there are many remarkable I, A and S initiatives. We highlight one selected initiative, the eID and signature interoperability framework that is currently under construction in the GCC, as it is both technologically advanced and bears strong resemblance to the EU Member States situation.

a. The GCC approach

GCC is the acronym for Gulf Cooperation Council including six countries namely, Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates. The GCC population is estimated to be around 40 million people (GCC Portal, 2011). GCC citizens can usually travel freely between member states without the need for visas, and can use either their passports or national identity cards for border crossings.

All GCC countries have initiated national identity card programs with smart cards, biometrics, and PKI. The majority of GCC states have developed e-identity service models with varying levels of complexity, including Qatar, Saudi Arabia, United Arab Emirates, Oman, and Kuwait. They introduced projects to accelerate the adoption of e-identity in their local societies mainly in the context of e-government. Among these projects, GCC countries are working to develop a common e-identity infrastructure that will enable the authentication of GCC citizens by any service provider at a member state e.g., border control, public services, etc.

In light of the imminent requirement to enable e-identity on the GCC level, interoperability represents a major challenge. While all GCC e-identity cards are ISO 7816 standard compliant, certain characteristics of the GCC cards are issuer specific, as a consequence of the proprietary applications (i.e. applets). These applications have their own file layouts and communicate via a dedicated set of APDUs (Application Protocol Data Units).
All GCC countries developed middleware applications to enable interaction and access to their electronic identity cards. These are not necessarily compatible. The following typical building blocks are present:

- e-identity common middleware: software libraries exposing the e-identity card business functions to service providers.
- e-identity discovery service: a server dedicated to discovering the target e-identity to query the client terminal in order to execute a specific card transaction.
- e-identity Validation Gateway (VG): a Server exposing the e-identity scheme owner card validation services as web services available over the cloud.

b. The UAE approach

UAE is a pioneer in its biometric implementation. It has integrated multiple biometric technologies in critical infrastructure systems in the last decade, including:

Iris recognition

At the country's entry points, all visitors are required to undergo an iris scan. The UAE began the implementation of iris recognition technology at its borders in 2001 to inhibit illegal entry of persons in the country. The UAE was the first in the world to introduce such a large scale deployment of this technology. Today, all of the UAE's land, air and sea ports of entry are equipped with iris systems. UAE iris watch-list database is currently most likely the largest in the world, both in terms of number of iris records enrolled (more than 2.3 million people) and number of iris comparisons performed daily.

Facial Recognition

Facial recognition (facial on the move) has been implemented at UAE airports in 2008 to enhance security procedures and detect persons who might pose a threat to the country. The system allows identification checks to be performed from a distance without a person's active participation. The system helps inspectors at control points inside the airports to implement continuous and proactive checks designed to immediately detect persons who should be denied entry or detained.

Fingerprint based - Electronic Gates

UAE has another biometric application working at its airports; namely biometric based electronic gates (e-gate). The e-gate facility was first introduced in 2002 at Dubai International Airport, the first airport in the region and the third in the world to offer this service to travellers. The service is basically available for quick passage through passport control. The electronic gate uses fingerprint biometrics to automatically process all registered passengers arriving and leaving from any of the UAE airports. This is a passenger clearance system that considerably accelerates the movement of traffic through electronic screening of passengers' data with the help of a smart card. It was estimated that more than 4 million travellers used electronic gates in 2010.

Electronic Passport

The UAE government is in the process of launching its new electronic (biometric) passport. The new passport contains biometric information, mainly fingerprints and an ICAO standard photograph. The information on the chips can be scanned and verified at airports, other ports and border posts. PKI technology is used to sign the electronic data stored in the passport microprocessor chip. This is expected to enhance the current security features of passports and provide greater protection against tampering and reduce the risk of identity fraud. The issuance process is linked with the expiry of the existing passports as they will be replaced with the electronic ones. The biographical and fingerprint data are pulled electronically from the national identity register.

National Identity Register

Another large scale biometric program was launched in 2003. The program aims to set up a national identity register and to enrol an estimated 9 million population in the country. This program, which is also referred to by the UAE government as the national identity management infrastructure, aims to serve multiple strategic objectives. The primary objective was to set up a government entity that has an imperative role as the single source for personal identity provision in the Country.

Federal DNA Project

The government has begun a DNA identification database development in 2010. The project, which is still in its pilot phase, targets to collect DNA samples of 10 million people, both national citizens and foreign residents, in the next few years. The federal DNA database is primarily seen to contribute to areas related to crime detection and identification of criminals.

The market in the UAE has seen some trials of biometrics in public and private sectors; however, they were primarily limited to the field of physical access control.
The application of the new UAE biometric identity card capabilities, to provide secure identification and personal verification solutions, is envisaged to improve public acceptance of the technology and vitalise electronic transactions.

c. The UAE eID

UAE issues a smart card to its citizens and residents. It is Java based and serves the dual purpose of an application platform as well as secure storage. The application platform allows algorithms to run on the card. The secure storage enables tamper-proof storing of identity data including biometric data.

The UAE was one of the early adopters of the match-on-card feature. This feature enables fingerprint Match-on-Card user authentication as an alternative and to complement smart card PIN verification. This in turn gives access to the digital certificates on the card that can then be used for logon, digital signature, file encryption, secure VPN access among other services. This solution provides a secure two or three factor authentication capability.

The card is a hybrid smartcard that also contains PIN protected personal data including digital certificates, and the holder's biographical data and two best fingerprints. The card is envisaged to be the only acceptable identity document to access any government and some critical private sector services like the financial sector.

The multi-application card is designed to be compliant with the two major industry standards: the Global Platform Card Specification Version 2.0.1, and the Visa Card Implementation Requirements Configuration 1-Compact. Both the Java Card Runtime Environment (JCRE) and the Global Platform (GP) standards contribute to the security features of the UAE National ID card. Java provides cryptographic mechanisms and enforces firewalls to protect applications and maintain data and operation security within the multi-application shared card space. The GP 2.0.1 specifications extend the Java Card cryptographic authentication mechanisms to ensure dynamic and secure loading/updating of individual applications in the dynamic and multi-applet Java Card.

There are five applets on the card: ID and ePurse applet, PKI applet, Match on Card applet for the biometrics, eTravel Applet for ICAO, and a MIFARE Applet for public transport. Communication with the card can only be established using the SDK/Tool Kit distributed by the government.

For more information we refer to the article "Towards Federated e-identity Management across GCC - A Solution's framework" by Dr Ali M. Al-Khouri and Malek Bechlaghem.

4.2 eSignatures

4.2.1 European Commission driven actions

At EU level a set of significant initiatives have been implemented since the emphasising of interoperability and mutual recognition barriers, whether technical or legal, to the (cross-border) use of electronic signatures [52], starting with the Action Plan on eSignatures and eIdentification to facilitate the provision of cross-border public services in the Single Market published in 2008. It assumed that the creation of a comprehensive and pragmatic framework to achieve interoperable eSignatures (and eID) would simplify access of enterprises and citizens to cross-border electronic public services and would also benefit B2B and B2C transactions and that the cross-border use of QES and AdES based on QC could be improved very quickly because of their clear legal status under Directive 1999/93/EC and the substantial existing standardisation work.

In support of this Action Plan, the Commission launched the CROBIES Study [53] to analyse the requirements and establish a general strategy for cross-border use of QES and AES based on QC within the existing legal framework set by the Directive. The CROBIES study concluded that a recast of the existing legal, standardisation and trust frameworks related to ES, supported by appropriate promotional and educational efforts, is essential to improve interoperability and cross-border use of ES. However CROBIES focused in five working packages (WP) on several quick-win actions that could improve some very specific aspects of the interoperability, cross-border use and mutual recognition of QES and AES based on QC within the current legal framework:

1. WP1. A proposal for a common model for supervision and accreditation of certification service providers issuing qualified certificates (and other services ancillary to e-signatures) because Directive 1999/93/EC does not specify how supervision should be organised.

2. WP2. The establishment of a Trusted List for certification services issuing qualified certificates.
The resulting deliverable was the key technical input for the establishment of CD 2009/767/EC amended by CD 2010/425/EU that obliges MS to accept certain eSignatures (if these are required) and establish a common template and set of specifications for the establishment, maintenance and publication of Trusted List (TLs) indicating the supervision/accreditation status information on certification services issuing qualified certificates and on a voluntary basis on other supervised / accredited ancillary services to eSignatures.

3. WP3. A proposal for an interoperable qualified signature certificate profile to improve the provision, in both machine processable and human readable ways, of information on the qualified status of a certificate and on the indication that the e-signatures it supports are created by a secure signature creation device as defined by Directive 1999/93/EC.

4. WP4. A proposed framework for interoperable Secure Signature Creation Devices. Although Annex III to the Directive gives high level requirements for secure devices and specific standards were developed for their assessment, interpretation and implementation at national level still varies quite widely. To resolve this issue, CROBIES formulated recommendations for a homogeneous interpretation of the Directive at the European level.

5. WP5. A proposed model for providing guidelines and guidance for implementation of cross-border and interoperable e-signatures.

CROBIES also proposed a quality classification for e-signatures as well as a means to maintain a European list of recommended cryptographic algorithms for e-signature.

[52] Preliminary Study on Mutual recognition of eSignatures (2007): This study collected and analysed information on eSignatures approaches in eGovernment applications in the Member States and determined interoperability barriers and potential solutions. Study on Mutual recognition of eSignatures (2009): This study updated country profiles in order to improve information on the advanced electronic signatures in use in eGovernment applications. Study on the Standardisation aspects of eSignatures (2007): This study analysed the use made by enterprises, market players and other stakeholders of the standard referenced by Decision 2003/511/EC and other related standards resulting from EESSI and subsequent ESO's works in that matter. It assessed whether the business model chosen by Directive 1999/93/EC was still relevant given the technological developments. It concluded that the current EU eSignature standardisation landscape is too complex to use due to the multiplicity of documents, the lack of business orientation and usage guidelines, the difficulty of access and formulated recommendations to overcome these issues.

[53] http://ec.europa.eu/information_society/policy/esignature/crobies_study/index_en.htm.
The recommendations on the recast of the European eSignature standardisation landscape were put into practice through the issuance by the European Commission of the Standardisation Mandate 460 [54] to CEN, CENELEC and ETSI to update the existing eSignature standardisation deliverables, suggesting the establishment of a fully rationalised framework, including implementation guidelines, to overcome all these issues within the context of the Signature Directive, while taking into account its possible revision. See section 3.1.1 for more details.

[54] Mandate M460: "Standardisation Mandate to the European Standardisation Organisations CEN, CENELEC and ETSI in the Field of Information and Communication Technologies Applied to Electronic Signatures" (http://ec.europa.eu/information_society/policy/esignature/eu_legislation/standardisation/index_en.htm).

In 2010, the Commission released a Digital Agenda for Europe [55], being Europe's strategy for a flourishing digital economy by 2020. It consists of seven action areas, two of which relate to eAuthentication (Key Action 3) and eIdentification (Key Action 16). The Commission acknowledged that despite the existing key single market legislation, online transactions are still too complicated and fragmented markets limit the demands for cross-border transactions. Therefore, it announces as a Key Action 3 under the first pillar a revision of the eSignature Directive with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems.

[55] A Digital Agenda for Europe, 2010. The Digital Agenda is one of the seven flagship initiatives of the Europe2020 Strategy, the EU's growth strategy for the coming decade. See http://ec.europa.eu/information_society/digital-agenda/index_en.htm

Furthermore, initiated by IDABC, the Commission launched the EFVS Study [56] to examine the existing issues from the perspective of signature validation at the European level and to assess the legal, operational and technical feasibility of a European scale eSignature verification functionality. The study analysed selected existing eSignature verification solutions on the market, examined the feasibility and need for a common EU validation solution but concluded that in the current environment of missing legal regulations for Signature Validation Service Providers, inappropriate standards and a trust framework on an ad hoc basis it is virtually impossible to design comprehensive and durable validation solutions with a general EU level impact. Therefore, the Study stated the need for a broader perspective and proposed as well a comprehensive revision of the existing legal, technical and trust framework.

[56] EFVS study: description, analysis and assessment reports: http://ec.europa.eu/idabc/en/document/7764.html.

On 18 February 2011, the European Commission launched [57] in the context of the Digital Agenda for Europe [58] a Public Consultation regarding electronic identification, authentication and signatures [59], which closed on 15 April 2011. The purpose of the public consultation was to provide input for policymakers on how electronic identification, authentication and signatures can contribute to deliver the European digital single market. The European Commission also invited representatives from the public and private sectors and academia to a stakeholder workshop [60] on 10 March 2011 to debate on what legislative measures are needed to address the challenges ahead. The objective of the workshop was to offer an interactive forum to exchange views and to confront different positions on the questions raised in the public consultation.

[57] See the press release at http://europa.eu/rapid/pressreleasesaction.do?reference=ip/11/198&format=html&aged=0&language=en&guilanguage=en

[58] See http://ec.europa.eu/information_society/digital-agenda/index_en.htm.

[59] See http://ec.europa.eu/information_society/policy/esignature/eu_legislation/revision/pub_cons/index_en.htm

[60] Stakeholders workshop Digital Agenda for Europe: electronic identification, authentication and signatures in the European digital single market: http://ec.europa.eu/information_society/policy/esignature/eu_legislation/revision/ws_3_2011/index_en.htm.

The European Commission received more than 400 contributions from a wide range of actors, including Member States, EU and national organisations, regional and local authorities, business and professional federations, individual companies, NGOs, and many European citizens. Most contributions were made via the Commission's online consultation tool (IPM Interactive Policy Making), and several others were sent in as separate submissions. [61] Roughly half of the submissions originated from these organisations, with the other half of the respondents being from individual citizens.

Main findings on IAS usages

The overall usage of e-IAS tools by the respondents is reported to be relatively high (around 80 %), with responses showing no significant difference between organisations and individuals. IAS tools are mainly used for securing transactions and guaranteeing the integrity of electronic documents. Over 80% of respondents consider eGovernment and eBanking as the major application areas, emphasizing the importance of ensuring integrity and security in these domains.

eSignatures tailored to face the challenges of the digital single market

When examining how the respondents perceived the impact and role of eSignatures on the Digital Single Market, almost 80% of respondents estimated that take-up was low, characterising it as marginal or moderate. The most frequently indicated causes for this relatively low success rate were (1) the limited number of services requiring eSignatures; (2) insufficient user friendliness; (3) cross-border interoperability issues.
As the main interoperability challenges to be fixed by future initiatives, respondents refer to the heterogeneous approach to security requirements in different Member States, unclear terminology (both in the eSignatures Directive and in national implementations), and insufficient harmonisation of profiles of qualified certificates. Generally, respondents suggested that future regulations could improve interoperability by eliminating ambiguities and reducing national divergences. In particular, 87% of respondents replied that EU legislation should also address ancillary services like certified e-documents, time stamping, mandates, e-seals, certified document delivery or archiving, whereas only 5% entirely opposed new regulatory initiatives. Finally, 61% favoured the introduction of eConsent as a building block in EU eSignature legislation.

[61] Contributions can be accessed online at: http://ec.europa.eu/information_society/policy/esignature/eu_legislation/revision/pub_cons/index_en.htm

From a technical point of view, when analysing the options for addressing eSignature challenges, opinions are less clear. Only 32% of respondents are in favour of creating a central EU signature validation service. Similarly, 50% of respondents believe that a common European eSignature security classification scheme would be useful. Other topics found more universal support, such as supporting mobile devices as IAS tools (favoured by 82% of the respondents), and maintaining or keeping the EU's high qualified signatures security, as expressed by 66% of respondents (as opposed to the 16% who would prefer relaxed requirements).

Principles for future e-identification and authentication legislation and policy

The consultation gauged opinion on the perceived need for legislative measures to address e-identification and e-authentication in particular, including the fundamental principles of such legislation, expected effects on the Digital Single Market, potential benefits for users, cross-sector interoperability and any lessons learned.

A large majority of 65% of respondents favoured EU legislation for electronic identification, whereas only 23% were against. Key areas to be covered by such legislation according to the respondents are notably data protection and privacy (78%), transparency (65%), and liability of the eID provider (59%). Affordability and cross-sector usability were considered important by 39%. Identity federation saw significantly more support (44%) than a centralised approach (23%). Respondents thus clearly favoured an open, trustworthy and interoperable eID environment.
Looking at the expected impact of legislative measures addressing mutual recognition and acceptance of eID across borders on the Digital Single Market, the main expected effects were an improvement of legal certainty (62,2%), a reduction of administrative burdens (60,8%), and the increase of cross-border mobility (59,1%). Economically, respondents expect that increased economies of scale (49%) will have a strong positive impact as eIDs would become useful for an increased number of applications.

Finally, respondents frequently stressed the importance of international standardization, if possible supported through international agreements to use the same standards in international transactions. IAS services are seen as an inherently international phenomenon, and European initiatives should be attuned to this reality.

On the practical side, in the context of the Services Directive (2006/123/EC) that obliges Member States to make sure that service providers (businesses) can complete the procedures and formalities that are necessary to start or carry out their activities with Member States' administrations via Points of Single Contact and by electronic means, including across borders, and in order to facilitate in practice the cross-border use of e-procedures and in particular of e-signatures that can be required in the process of completing procedures, three Commission Decisions have been adopted: Commission Decision 2009/767/EC, amended by Decision 2010/425/EU and Decision 2011/130/EU.

The first two CD's oblige Member States to accept certain eSignatures (if these are required) and establish a common template and set of specifications for the establishment, maintenance and publication of Trusted List (TLs) indicating the supervision/accreditation status information on certification services issuing qualified certificates and on a voluntary basis on other supervised / accredited ancillary services to eSignatures. CD 2011/130/EU obliges Member States by August 2011 to be able to technically process certain formats of advanced electronic signatures (AdES) when they verify documents signed electronically by public authorities in other Member States. This latter Decision constitutes a further step on the European level to facilitate the verification of eSignatures in the context of documents that service providers may be required to sign or have signed to complete procedures through the Points of Single Contact.

In order to implement Article 8 of the Services Directive and the three implementing Decisions above, the Commission has already provided and is still providing some assistance to Member States via some practical tools and open source software, available through the OSOR platform, related to Trusted Lists and to advanced e-signature creation/validation. Such signature and verification signature tools are considered to be used by Large Scale Pilots such as SPOCS and e-CODEX. The European Commission is also working on an Electronic Signature Service Infrastructure (ESSI) and related Application Platform to facilitate the introduction of electronic signatures in its own internal and external exchanges.
4.2.2 Use of eSignatures in Large Scale Pilots: scope, impact and lessons learned

Large Scale Pilot projects launched by the Commission and some Member States as part of the ICT PSP Programme are making use or are likely to make use of eSignatures, namely PEPPOL, SPOCS and e-CODEX.

A federated approach to cross-border validation of eSignature is currently tested within PEPPOL [62], the large-scale cross-border eProcurement pilot project launched in 2008. In order to avoid multiple validation efforts in all Member States which are the main obstacle to cross-border interoperability, it may be an option to delegate verification tasks to a centralised or distributed validation service mechanism. WP 1 of PEPPOL addresses a specific cross-border eSignature validation tool or, to be more precise, a validation infrastructure for eProcurement applications, mostly relying on a commercial service currently. However sustainability of the project is in question and although the EFVS Study did not preselect PEPPOL as a key solution because it operated as a mere pilot project without a functioning implementation at that time and was unlikely to implement a definitive liability model, the results of EFVS study should also feed into a further optimisation of PEPPOL.

[62] PEPPOL website, www.peppol.eu.

SPOCS [63], another LSP project launched in May 2009, aims at improving the competitiveness of European businesses and particularly small and medium sized enterprises by enabling national and European businesses to benefit from available efficient and interoperable electronic procedures. SPOCS is expected to build the next generation Points of Single Contact within the meaning of the Services Directive for businesses across Europe. It will provide seamless electronic procedures by building cross border interoperability based on existing systems and solutions. The project has presented several deliverables on specifications of a European interoperability layer for eGovernment services which are currently undergoing review from the European Commission.

Envisaging the role of standardisation bodies and the use of EC provided tools for creation and verification of electronic signatures during a joint SPOCS, ETSI and European Commission workshop in September 2011, it was confirmed that a joint collaboration is likely to produce a win-win approach benefiting from each other's experiences and lessons learned provided that such a joint collaboration could be extended as a standard way for EC projects to consult the standardization bodies and to reuse existing standards/tool in particular with regards to eSignatures.
In particular ETSI will evaluate hw t extend the Assciated Signature Cntainer (ASiC-E) standard t cver the SPOCS defined Omnifarius Cntainer fr e-dcuments (OCD) frmat and future cntacts regarding the full standardizatin f OCDs will be kicked ff within ETSI. On the ther hand it was recgnised that the OSS signature creatin/verificatin tls develped n behalf f the Eurpean Cmmissin in the cntext f Services Directive wuld be cnsidered t be used by SPOCS and by e- CODEX. e-codex 64 is an e-justice prject t imprve the crss-brder access f citizens and businesses t legal means in Eurpe as well as t imprve the interperability 63 SPOCS (Simple Prcedures Online fr Crss-brder Services) website: www.eu-spcs.eu 64 e-codex website: www.ecdex.eu. 101

Final Reprt - IAS in Eurpe: An verview f the state f the art (D.2.2.b) between legal principals. a functinality which prvides an easier (digital) way t exchange legal infrmatin between EU-cuntries. The aim f the prject is: Cntributing t the implementatin f the EU legal framewrk and the e- Justice actin plan, in due respect f subsidiarity; Achieving interperability between existing natinal judicial systems; Enabling all Member States t wrk tgether twards a mre effective judicial system in Eurpe; Imprving the effectiveness and efficiency f the prcessing f the increasing number f crss-brder prceedings, especially in civil, criminal and cmmercial matters; Cntributing t a safer envirnment fr citizens inside the EU; Mdernizing the judicial systems in Eurpe; Increasing cllabratin and exchange between judicial systems f the Member States. 4.2.3 Eurpean sectr specific initiatives Eurpean wrk n esignature and eid is particularly relevant in judicial matters, where the authenticatin f acts is essential. Therefre, the Cuncil f Bars and Law Scieties f Eurpe (CCBE) 65 seeks t assist the develpment f a safe and practical electrnic envirnment fr legal prfessinals thrughut Eurpe. In rder t enable interperable ecmmunicatin fr lawyers, CCBE has prpsed a Eurpean Framewrk System fr electrnic ID cards fr lawyers with pssibly ptinal ES functinality. With this system, the CCBE aims at supprting its member bars in the implementatin f electrnic ID card schemes and at the same time t make these schemes interperable fr lawyers thrughut Eurpe. 65 www.ccbe.rg 102

5. Conclusions

While far from exhaustive, the overview of initiatives above comprising legal texts, standardisation initiatives, pilot projects, reference implementations and sector specific policies shows that the IAS domain has far outgrown the scope of past European IAS initiatives, as principally embodied in the eSignatures Directive. These initiatives are indicative of the state of the art with respect to electronic identification, authentication and signatures, and illustrate that there is a need to move beyond the current principal focus on electronic signatures.

With respect to legislative initiatives, this can be seen most clearly in the number of acts that address varieties of eSignatures (notably eSignatures created by legal entities or public administrations), as well as time stamping, electronic registered mail and electronic archiving. Regulation of electronic identification was however seen much less frequently; it is clear that this is still an area in full development, for which a need for regulatory intervention is much less manifest, and where such intervention will thus need to be more clearly justified.

These legal frameworks also offer some support to the observation made in the first report of this study that the issues and possible solutions for each of these areas are not too different from those for electronic signatures. In some cases, definitions (e.g. of time stamping) were only minor variations of the European eSignature vocabulary. In other areas too, the links were frequently clear, e.g. by the integration of eSignatures and time stamping in a single act, or by subjecting various types of service providers (eSignatures, time stamping, registered mail, archiving, ...) to the supervision of the same supervisory authority. These are all examples of the close links between various IAS services, and of the possibility of streamlining the legislative approach for all of them by applying the same legal and supervisory model.

It is thus worth noting that these national laws offer a great deal of inspiration for any future European legislative initiatives: the descriptions in this report contain references to definitions of services, lists of obligations, liabilities and legal effects, which could be re-used (sometimes virtually without changes) for a similar European regulatory framework. Perhaps most importantly, the existence of multiple such laws shows that in a significant number of Member States, there is a perception of a regulatory gap that is currently not addressed at the European level. The creation of national frameworks for IAS services without European coordination (other than, obviously, for electronic signatures) risks creating new barriers for service providers in this area, who will have to explore on a case by case basis (1) whether laws exist, and (2) whether they (are able to) comply with them. Thus, the risk of distortions of the internal market is very real. Furthermore, the proliferation of national laws on IAS services in countries outside the European Union, providing legal certainty to those companies offering and using IAS-related services, may have an impact on the competitiveness of European companies not enjoying similar legal comfort.

Apart from the legal perspective, the overview in this report also examines the state of the art with respect to technical issues, including notably standardisation work. Not surprisingly, we can see that standardisation efforts have never been restricted to e-signatures as emphasized by the eSignatures Directive, and that relevant standards have been created for all types of IAS services. This is unsurprising, as the mere existence and use of these services even outside the context of any (shared) legal framework would present interoperability challenges that could only be addressed through technical standardization. Current standardization efforts (including at the European level through mandate M460) therefore focus on rationalizing i.e. streamlining, updating and aligning the existing standardization framework, to ensure its completeness, relevance and practical applicability. Standards are thus also moving to match a more comprehensive perspective on IAS services.

It is worth noting that here too, there is a risk of creating a disconnect between laws and standards when laws do not recognize existing standards in any way. Indeed, this presents a real interoperability risk, as the overview above has shown that national laws (or more typically decrees and decisions issued on the basis of these laws) often reference existing standards as being required. Thus, the overview above supports the contention that the current rationalization exercise is necessary, but also that it will at some point require a clearer legal grounding, preferably at the European level, to support its impact in practice.

Finally, this report also examined a number of key ongoing pilot initiatives, projects and reference implementations (including notably the large scale pilots). The overview showed that these initiatives show great potential, and have often been successful in building workable solutions to real-life problems. What is however lacking, is a European policy framework through which they can be given a clear legal basis and further support for their sustainability and uptake in practice.

Globally, the picture offered by this overview is admittedly not comprehensive, but none the less persuasive. It shows that IAS services cover a much wider range of activities, in which legislations, standards and pilot projects have evolved beyond what the current EU legal framework can viably support. In order to avoid internal market barriers and to ensure that IAS services can get broader policy support in Europe, an update and expansion of the policy framework that covers these services including eSignatures, time stamping, electronic registered mail, e-archiving, and electronic identification will be necessary.

Final Report - IAS in Europe: An overview of the state of the art (D.2.2.b)

Feasibility Study on an electronic identification, authentication and signature policy (IAS)
SMART 2010/0008
Proposal for a European IAS policy framework
Final Version (D3, Version 2b (final))
20 February 2013

Deliverable D3, Version 2b (final)

This study was commissioned by the European Commission's Information Society and Media Directorate-General, in response to the general invitation to tender of the Directorate-General Information Society and Media, on SMART No 2010/008. The study does not, however, express the Commission's official views. The views expressed and all recommendations made are those of the authors.

Table of contents

1. SUMMARY OF THE STUDY GOALS AND SCOPE
1.1 Background of the Study
1.2 Scope of the Study
1.3 Role of this document in the Study
2. BUILDING BLOCKS FOR A FUTURE IAS POLICY FRAMEWORK
2.1 Building blocks for designing the future IAS Policy framework
2.1.1 From a legal point of view
2.1.2 From a technical point of view
2.1.3 From a trust point of view
2.1.4 From a practical and commercial point of view
3. RECOMMENDATIONS FOR BUILDING AN IAS REGULATION
3.1 Recommendations for an IAS Regulation
3.2 Ad-hoc support provided to the Commission
4. SUPERVISION ISSUES
4.1 Introduction
4.1.1 Trust services as key enablers in boosting use of online environment
4.1.2 Supervision and Trusted Lists as essential building blocks
4.1.3 Objectives for a sound Supervision system and Trusted Lists
4.2 Supervision in the proposal for Regulation
4.2.1 Supervisory body
4.2.2 Mutual assistance
4.2.3 Security requirements applicable to trust service providers
4.2.4 Supervision of qualified trust service providers
4.2.5 Initiation of a qualified trust service
4.2.6 Trusted Lists
4.2.7 Requirements for qualified trust service providers
4.3 A model for supervision of qualified trust service providers and qualified trust services they provide
4.3.1 Introduction
4.3.2 The ISO Conformity Assessment approach
4.3.3 The ISAE 3000 approach
4.3.4 The AICPA approach
4.3.5 The ISAE 3402 approach
4.3.6 The IFAC/IAASB/ISRS 4400 approach on Agreed upon procedures

4.3.7 Our proposal for a European Supervision Scheme for qualified trust service providers and qualified trust services they provide
4.4 Conclusions
5. IAS IN THE CLOUD
5.1 IAS in the Cloud, opportunities and challenges
5.2 The Cloud's need for security is supported by IAS
5.2.1 Cloud service models
5.2.2 End user perspective
5.2.3 Management perspective
5.3 Cloud as an effective IAS services deployment model
5.3.1 Need for trust
5.3.2 Potential of an IASaaS model
5.4 Moving IAS into the cloud: legal issues
5.4.1 Data protection
5.4.2 Applicable laws
5.4.3 eSignature laws compliance
6. OVERVIEW OF DELEGATING AND IMPLEMENTING ACTS WITHIN THE REGULATION
6.1 Notification
6.2 Coordination
6.3 Supervisory body
6.4 Mutual assistance
6.5 Security requirements applicable to trust service providers
6.6 Supervision of QTSPs
6.7 Initiation of a QTS
6.8 Trusted lists
6.9 Requirements for QTSPs
6.10 Legal effects and acceptance of electronic signatures
6.11 QCs for electronic signature
6.12 Requirements for QSCDs
6.13 Certification of QSCDs
6.14 Publication of a list of certified QSCDs
6.15 Requirements for the validation of QeSs
6.16 Qualified validation service for QeSs
6.17 Preservation of QeSs
6.18 Legal effects of electronic seals
6.19 Requirements for QCs for electronic seal
6.20 Qualified electronic seal creation devices
6.21 Validation and preservation of qualified electronic seals

6.22 Requirements for qualified electronic time stamps
6.23 Legal effects and acceptance of the electronic documents
6.24 Legal effect of an electronic delivery service
6.25 Requirements for qualified electronic delivery services
6.26 Requirements for QCs for website authentication
7. ECONOMIC, SOCIAL AND ENVIRONMENTAL IMPACT OF A EUROPEAN FRAMEWORK FOR ANCILLARY SERVICES
7.1 Introduction
7.1.1 Context and objectives of the study
7.1.2 Overview of ancillary services
7.2 Drawing up the conceptual framework for REA
7.2.1 REA-question
7.2.2 Search process
7.2.3 Research findings
7.3 Discussion
7.4 References
7.4.1 Studies included in the Rapid Evidence Assessment
7.4.2 Other references
8. DISCUSSION ON A PAN-EUROPEAN EID SYSTEM, CHALLENGES AND OPPORTUNITIES
8.1 Introduction
8.1.1 Why do we need IAS for the information society - trusted communication and transactions
8.1.2 Current European legal framework
8.1.3 Existing IAS systems
8.1.4 Preliminary conclusion
8.2 Requirements for a pan-European eAuthentication system
8.2.1 User friendliness
8.2.2 Technologically neutral, interoperable, cross-applicable
8.2.3 Secure and reliable
8.2.4 Legally predictable
8.2.5 Scalability
8.2.6 Trust
8.2.7 Obstacles
8.3 Lessons learnt from .eu TLD
8.3.1 Application to eID
8.3.2 The principles of a possible eID legal framework
8.4 Characteristics of a possible pan-European eAuthentication system
8.4.1 Inherent dilemma

8.4.2 Voluntary
8.4.3 User friendly
8.4.4 Secure
8.4.5 Privacy
8.4.6 Custom made
8.4.7 Portability
8.4.8 Drawbacks of the system
8.5 Conclusion
8.6 References
9. ANNEX A - RECOMMENDATIONS FOR AN IAS REGULATION
9.1 Building blocks for General Provisions
9.1.1 Possible provisions for scope
9.1.2 Possible provisions for definitions
9.2 Building blocks for Basic Principles
9.2.1 Possible provisions for market access
9.2.2 Possible provisions for Internal market principles
9.2.3 Possible provisions for non-discrimination principle
9.2.4 Possible provisions for generic quality requirements for trust service providers providing qualified trust services
9.2.5 Possible provisions for liability of qualified trust service providers
9.2.6 Possible provisions for data protection
9.2.7 Possible provisions for international aspects
9.2.8 Possible provisions for standardisation and presumption of conformity
9.3 Building blocks for the Supervision of qualified services
9.3.1 Possible provisions for Supervisory authorities
9.3.2 Possible provisions for independence and confidentiality
9.3.3 Possible provisions for duties
9.4 Building blocks for the establishment of a European Trust Services Committee / EU level governance framework
9.4.1 Possible provisions for European trust services committee
9.4.2 Possible provisions for independence
9.4.3 Recommendation on the possible tasks of the European trust services committee
9.4.4 Recommendation for international co-operation
9.4.5 Possible provisions for procedure
9.4.6 Possible provisions for reports
9.5 Building blocks for the regulation of Qualified trust services
9.5.1 Possible provisions for legal effects of electronic signatures
9.5.2 Possible provisions for legal effects of electronic seals

9.5.3 Possible provisions for quality requirements for qualified electronic signatures and qualified electronic seals
9.5.4 Possible provisions for legal effects of electronic identity attestations
9.5.5 Possible provisions for Quality requirements for qualified electronic identity attestations
9.5.6 Possible provisions for additional liability
9.5.7 Possible provisions for legal effects of electronic time stamps
9.5.8 Possible provisions for quality requirements for qualified electronic time stamps
9.5.9 Possible provisions for additional liability
9.6 Building blocks for the Regulation of Ancillary services
9.6.1 Possible provisions for legal effects of registered electronic mail
9.6.2 Possible provisions for quality requirements for qualified registered electronic mail
9.6.3 Possible provisions for requirements for qualified certificates
9.6.4 Possible provisions for secure signature verification
10. ANNEX B - ANNEXES TO CHAPTER ECONOMIC, SOCIAL AND ENVIRONMENTAL IMPACT OF A EUROPEAN FRAMEWORK FOR ANCILLARY SERVICES
10.1 Section A Methodology used for Systematic Review/REA
Introduction to Systematic Reviews
Background to Rapid Evidence Assessments
10.2 Section B: Sources with indirect bearing on impact of Ancillary Services
11. ANNEX C - RECOMMENDATIONS FOR A EUROPEAN SUPERVISION SCHEME: PROPOSAL FOR CONFORMITY ASSESSMENT GUIDANCE
11.1 Introduction
11.2 Principles of the Supervision Scheme
11.3 Terminology, definitions and abbreviations
11.3.1 Terminology and definitions
11.3.2 Abbreviations
11.4 References
11.5 Conformity assessment model
11.5.1 Context
11.5.2 Description of the Assessment model
11.6 Responsibilities of the parties
11.7 Supervision process
11.7.1 Supervision process flow at a glance
11.7.2 Preparation
11.7.3 Initiation

11.7.4 Supervision Review
11.8 Requirements on Conformity Assessments
11.8.1 Conformity Assessment types
11.8.2 Conformity Assessment process
11.8.3 Requirements on multisite sampling
11.9 Events triggering assessments (incl. notification of changes, termination, incidents, complaints, at supervisory body sole's discretion, EC request)
11.10 Conformity Assessment Bodies
11.10.1 Recognition of Conformity Assessment Bodies - Requirements on NABs
11.10.2 Requirements on Conformity Assessment Bodies
11.11 Cross-border Assessment and Mutual Assistance

1. Summary of the Study goals and scope

1.1 Background of the Study

The purpose of the present project, as described in the tender specifications, is to study the feasibility of a comprehensive EU legal framework that would apply to electronic assertions needed to secure electronic transactions as well as the ancillary services needed to use them: electronic identification, authentication, signature, seals, certified delivery. The perspective would be to facilitate the smooth working of electronic transactions in the internal market. In other words, it would be based on article 114 of the Treaty on the Functioning of EU (TFEU).

The Digital Agenda confirms that "Electronic identity (eID) technologies and authentication services are essential for transactions on the internet both in the private and public sectors. Today the most common way to authenticate is the use of passwords. For many applications this may be sufficient, but more secure solutions are increasingly needed. As there will be many solutions, industry, supported by policy actions - in particular eGovernment services - should ensure interoperability based on standards and open development platforms." The Commission, therefore, will "In 2011 propose a revision of the eSignature Directive with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems". This Study aims to provide inputs for this action.

1.2 Scope of the Study

The scope of this study is to determine if and how a comprehensive European IAS framework could be formed, including the legal, technical and trust components required for such a framework. The study should include recommendations on how a complete and functioning legal, technical and trust framework for IAS services could be constructed. This recommendation should build on consultations of selected experts through direct discussions and workshops, as well as the feedback received through the Commission's 2011 public consultation on electronic identification, authentication and signatures.

1.3 Role of this document in the Study

The present Study mainly consists of three tasks that correspond to a logical phase in the study. The phases and tasks can be graphically summarized as follows:

Figure 1: IAS study phases

The current document is Deliverable 3, v.2b - IAS in Europe: Proposal for a European IAS policy framework and corresponds to Phase 3 in the overview above. The goal of this report is to define specific building blocks for a comprehensive IAS approach, and to propose how those building blocks should be combined into a complete and functioning legal, technical and trust framework.

The first aspect of this task (defining building blocks) involves the identification and definition of all elements that a comprehensive IAS approach would need to address, including notably:

- An unambiguous understanding of IAS services and ancillary services, including definitions of these services and an overview of how they relate to each other (i.e. how electronic delivery services can depend on eID, eSignatures or time stamping).
- Input for the policy goals that an IAS approach should cover, including such aspects as the enabling of the internal market, technological neutrality and legal reliability.
- Input for the legal translation of these policy goals and requirements, such as draft recitals to be included in European legal texts, and draft proposals of legal provisions of a future regulatory framework.
- Input for the trust framework needed to support a comprehensive IAS approach, including any required supervisory/accreditation bodies at the European or national level, and including the potential role of private sector conformity assessment bodies.
- Input for the technical framework required to enable the comprehensive IAS approach, including an overview of standardisation needs and potential gaps.

In the second stage of this task (IAS policy proposal) the study team also provides its own proposal to the Commission on how those building blocks should be combined into an IAS house, based on its own analysis. This document therefore contains recommendations of the study team on the future legal, technical and trust framework for IAS services.

The various inputs of this document were drafted and developed in coordination with the European Commission, in the timeframe leading up to the publication of the Commission's Proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market [1]. For this reason, some of the inputs of this deliverable have been taken into account by the Commission, whereas others have been superseded by further policy developments since their production.

[1] See http://ec.europa.eu/information_society/policy/esignature/docs/regulation/com_2012_2038_en.pdf

2. Building blocks for a future IAS Policy framework

2.1 Building blocks for designing the future IAS Policy framework

The eSignature Directive 1999/93/EC has established a legal framework for the use of electronic signatures and certification services. Legal provisions were limited to an essential minimum in order to leave room for technical development potentialities. While all Member States have implemented the general principles of the Directive, an analysis of the practical usage of eSignatures reveals a quite significant number of issues that today limit their interoperability and cross-border use. They have resulted in a very low level of high-volume market implementations, and current implementations of eSignatures are mainly experienced in a small number of eGovernment and isolated eBusiness sectors, mainly due to the fact that in such islands legal and technical uncertainties can be relatively easily reduced by imposing common rules.

The legal and administrative, as well as the technical and trust related barriers to the interoperability and cross-border use of eSignatures have been thoroughly synthesised in the September 2011 published "Digital Internal Market" Study from the European Parliament [2]. It is not the purpose of the present document to restate all such barriers and their consequences; however the present section aims to list the various resulting actions that would be needed to overcome those barriers in terms of elements to be taken into account when designing the future IAS Policy framework.

[2] See "Digital Internal Market" paper from the European Parliament providing a good summary and overview of issues with regards to the internal market aspects and the interoperability and cross-border use of eSignatures as identified in CROBIES, EFVS, Study on Standardisation Aspects of eSignatures, and other relevant studies and papers. (Directorate General for Internal Policies, Policy Department Economic and Scientific Policy A: Digital Internal Market, IMCO, 2011, http://www.europarl.europa.eu/activities/committees/studies/download.do?language=en&file=41711#search=%20Digital%20Internal%20Market%20).

2.1.1 From a legal point of view

From a legal perspective, the following needs have been identified and described:

(1) Establish common and specific requirements, obligations and liabilities for other eSignature ancillary services [3] while reducing the level of interpretation of specific definitions or legal provisions for this very specific set of services.
(2) Reviewed set of consistent definitions (e.g. signatory being a natural or legal person, authentication versus eSignature, supervision versus voluntary accreditation, SSCD and related conformity assessment).
(3) Establish a clear mapping between the legal provisions towards the (future) European standardisation documents on eSignatures for all types of eSignatures components and related ancillary services.
(4) Analyse the legal effect of compliance to standards from a presumption of compliance with legal requirements up to a mandatory compliance.
(5) Reduce the legal uncertainty and pave the way towards a more conclusive trust framework for AdES and other ES which are not based on QC in order to increase their use in practice.
(6) Reduce the legal uncertainties relating to the conformity assessments for SSCDs and facilitate the identification of devices assessed as conforming to the requirements (e.g. through harmonised publicly available lists of SSCD benefitting from a determination of conformity) and EU coverage of such assessments.
(7) Reducing the current diversity of national eSignature legal systems by reducing the current wide scope of discretion in implementing the current legal provisions related to eSignatures (e.g. using a Regulation instead of a Directive as legislative tool).
(8) Establish common minimum requirements for supervision systems of Trust Service Providers [4] supporting or built on electronic signatures (e.g. TSPs issuing certificates whether qualified or not, TSPs providing time-stamping services, TSPs providing Signature Generation Services, TSPs providing Signature Validation Services, TSPs providing Registered Delivery Services, TSPs providing eSignature long term preservation services) and ensuring more efficient mutual recognition and trustworthiness of such services. In particular the provision of freely available online certificate validity services without prior authentication or signed requests as well as prompt notification of changes or compromises that could jeopardise the supervision/accreditation status of a TSP should be considered as requirements.
(9) Improve the mapping between legal provisions for reliable identification of signatory and to reliable identity management schemes through common minimum requirements ensuring interoperability, cross-border use and (personal) data privacy.

[3] Time-stamping services, (long term) preservation, signature validation services, signature generation services (also called signing servers).
[4] Trust Service Provider is used by preference against Certification Service Provider, see IAS Deliverable 1.1 for a full set of proposed definitions with regards to IAS concepts.

2.1.2 From a technical point of view

From a technical perspective, the following needs have been identified and described:

(1) Ensure the development of common, accepted and widely available true standards on eSignatures characterised by:
- as little as possible interpretation that may lead to divergent technical implementations jeopardising interoperability and cross-border use;
- as business oriented as possible rather than focusing on hypothetic and academic scenarios;
- the provision of sufficient guidelines and implementation support in particular for the creation and the validation of electronic signatures.
(2) The profiling of certificate fields and content should not allow divergent semantic interpretations of such fields and their content, in particular with regards to the signatory identity and the fact that it acts on its own behalf or on behalf of a legal or third entity, as well as to ensure specific minimum requirements with regards to their interoperability and validation.
(3) Complete the EU eSignature standardisation framework with regards to the provision by TSPs of other services than issuing certificates and in particular the Signature Creation Services and Signature Validation Services in a similar way to the considerable work done recently to standardise Registered Delivery Services of electronic document and messages.
(4) Eliminate barriers preventing specific sectors or domains of applications (e.g. eBanking) to make use of QES, in particular in connection with eID cards [5].

[5] These include the lack of cross-border PKI interoperability, the lack of control on the issuance of eID cards deployed to the citizens by public authorities and other liability issues and the co-existence of European ES standards and the Banking sector's standards that all need to be followed, see Study on Standardisation Aspects of eSignature, 2007, Final Report, p. 57ff., 60.

2.1.3 From a trust point of view

From a trust perspective, the following needs have been identified and described:

(1) Leveraging on the existing Trusted Lists model as per CD 2009/767/EC amended by CD 2010/425/EU, for providing a common and harmonised way of providing trust related information on supervised trust services from TSPs while not being limited to issuance of QC. This will result from the establishment of common legal provisions and technical requirements on the provision of such services and the standardisation of those trust services types and related outputs (tokens).

2.1.4 From a practical and commercial point of view

From a practical and commercial perspective, the following needs have been identified and described:

Focusing on the existence of interoperability barriers on the cross-border level, there are still actions to be implemented in order to increase a wider and more practical use of eSignatures, and this of course in parallel to the legal, technical and trust oriented actions listed previously.

(1) Reduce or eliminate the possibility to not accept the presentation of electronic documents signed with eSignatures. Making such an acceptance obligatory could drastically increase the effective usage of eSignatures, in particular of QES (and potentially AdES QC) in a cross-border context.
(2) Simplification to end-users and appropriate guidance for electronic signature implementation is required once legal, technical and trust frameworks will be made simpler and more consistent. In particular business driven guidance for use of electronic signatures should be made accessible to non-technical and business managers.
(3) Moreover, a real consistency and mapping between the legal, standardisation and trust framework, together with a significant effort in awareness, education and marketing activities for ES as well as promotion regarding their cross-border use, would be beneficial to the market and to the effective use of electronic signatures, and would lead to a safer digital society. In particular, users are also often not aware of the risks of unprotected electronic transactions and inadequate electronic evidence.
(4) Increase attractiveness of ES applications with clearly identifiable benefit in particular for private users of ES. The existence of eGovernment ES applications alone will not sufficiently leverage the use of ES, as individuals generally do not have to consult public authorities very often. Thus additional attractive ES applications are necessary.

3. Recommendations for building an IAS Regulation

3.1 Recommendations for an IAS Regulation

The Tender Specifications required the contractor to elaborate building blocks for a legal framework on electronic identification-related credentials (e-identification, e-authentication, e-signature and ancillary credentials and services) with a view to removing interoperability barriers and facilitating the usage of these credentials. More specifically, the contractor is expected to formulate proposals for policy options on electronic identification and authentication policy expanding appropriate existing provisions of the e-signature legal framework. The expansion of existing provisions may also include, where necessary, improving these provisions to create more legal certainty and to avoid cross-border interoperability barriers.

For a number of IAS services, no provisions currently exist (e.g. with respect to time stamping), or existing provisions need to be clarified (e.g. with respect to the possibility for attributing electronic signatures directly to legal entities). In such cases, the contractor should formulate proposals for new (original) provisions.

The text in Annex: "Annex A - Recommendations for an IAS Regulation" contains a set of recommendations for building blocks and possible provisions for an IAS related legal framework. As noted in the introduction above, some of the inputs of this deliverable have been taken into account by the Commission, whereas others have been superseded by further policy developments since their production.

3.2 Ad-hoc support provided to the Commission

Throughout the duration of the project, the Study Team supported the European Commission in its drafting of a proposal for a Regulation on Trust Services. The support essentially relates to the following topics:

- Validation of qualified electronic signatures,
- International aspects (Art.8),
- Article 14 - Supervision (13.1. and 15.5),
- Definitions in Regulation,
- Review of SME Panel questionnaire,
- Identification and authentication of organization and organization's websites,
- eSignature classification,
- Secure Signature Creation Device issues,
- Interpretation of article 20.1 of the proposed eIAS regulation.

4. Supervision issues

4.1 Introduction

4.1.1 Trust services as key enablers in boosting use of online environment

Building trust in the online environment is key to economic development. Lack of trust makes consumers, business and administrations hesitate to carry out transactions electronically and to adopt new services. Enabling secure and seamless electronic interactions between businesses, citizens and public authorities, thereby increasing the effectiveness of public and private online services, e-business and e-commerce in the EU will only be possible through the adequate and efficient combination of sound legal, technical and trust frameworks for products and trust services supporting electronic identification, authentication and signatures. Such products and trust services are not limited to the issuance and management of certificates, but also encompass any other ancillary services and products such as registration services, time-stamping services, directory services, electronic delivery services, computing services or consultancy services related to electronic signatures.

The proposal for a 'Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market' [6] adopted by the European Commission enhances Directive 1999/93/EC [7] and expands it to cover mutual recognition, acceptance at EU level and EU-cross border and cross-sector use of notified electronic identification and other essential related electronic trust services, focusing namely on "any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signatures and for electronic seals".
[8]

Having confidence in those outputs of trust services, one needs to have confidence in the related trust services and that their providers have properly established and adequately implemented procedures as well as quality, security and protective measures in order to minimize the operational and financial threats and risk associated to provision of such services and in order to meet the applicable legal requirements. It is only once having confidence in the soundness of the operational and technical implementation of such trust services, in their conformance to the legal requirements and in the fact that all this will lead to legal certainty that those trust services can be widely adopted to boost electronic transactions hence stimulating economic development.

[6] COM(2012) 238 of 04.06.2012.
[7] OJ L 13, 19.1.2000, p. 12.
[8] For definitions of such outputs of trust service, refer to COM(2012) 238.

To enhance people's trust in the internal market and to promote the use of trust services and products, the notions of qualified trust services and qualified trust service provider have been introduced in the Proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market (COM(2012) 238) [9], with a view to indicating requirements and obligations to ensure high-level security of whatever qualified trust services and products are used or provided. The Proposal provides the following definitions:

Article 3 Definitions

(12) trust service means any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals;

(13) qualified trust service means a trust service that meets the applicable requirements provided for in this Regulation;

(14) trust service provider means a natural or a legal person who provides one or more trust services;

(15) qualified trust service provider means a trust service provider who meets the requirements laid down in this Regulation;

Comment: the use of the wording "qualified trust service provider" may be interpreted in two ways when the adjective "qualified" applies to "trust service" or to "provider".
It is expected that to be considered as a qualified trust service provider a trust service provider needs to provide one or more trust services that are either expressly foreseen by Regulation as qualified, or that a Member State has deemed to be qualified (like it has already happened with electronic delivery, time stamps and long term preservation, that have been regulated by single Member States as qualified services, and subsequently subsumed as qualified trust services in the Regulation).

[9] See http://ec.europa.eu/information_society/policy/esignature/docs/regulation/com_2012_2038_en.pdf

The Regulation shall not stifle innovation and the creation of new (and possibly more sophisticated) qualified trust services, that eventually will arise following the needs of a specific national legislation. When such a (national) qualified service does not raise mutual recognition issues, because it is used within one or more isolated single markets, there will be no need for intervention at EU level. But if (like it happens today with registered emails and time stamps) there will be lack of mutual recognition of services that are used in several member states, then the Commission, using the delegated powers and issuing implementing acts, shall intervene and dissolve the internal market barriers, transforming a national qualified trusted service into an EU qualified trusted service. Semantically this is not ensured by the above definition. It is suggested to update the definition as follows:

(15) qualified trust service provider means a trust service provider who provides one or more qualified trust services (according to the supervision scheme of at least one Member State) and meets the requirements laid down in this Regulation;

It is not expected that a trust service provider can get a 'qualified' status and become a qualified trust service provider without providing any qualified trust service: there will be qualified trust services that are supervised only by one or more single member states (where issues of mutual recognition may arise), and qualified trust services that are expressly recognised by the Regulation or its delegated acts, where mutual recognition is mandatory for all member states. No identified set of requirements that could be considered for such purpose is defined in the proposal for Regulation COM(2012) 238 as all related requirements (in particular in Article 19) assume the provision of qualified trust services. However consideration (37) deals about "the qualified status of the service provider at the time of supervision", art.
16.4 states that a qualified trust service provider "shall lose its qualified status when it does not remedy to any failure to meet the Regulation requirements on them and on the qualified trust services they provide", and art.17.3. 2 states that "the supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification [...]".

Currently Trusted Lists as they are defined in CD 2009/767/EC amended by CD 2010/425/EU give information only on the supervision/accreditation status of trust services including trust services issuing qualified certificates. No status is given to the trust service provider itself. Subsequently the supervisory body that wants to supervise a new type of qualified trust service, shall provide a taxonomy of the service, to be included in the Trusted List as a national qualified trust service. Any different solution, that privileges simple and straight classification of qualified trust services, to be provided top down by the Commission, will transform qualified trust services in a closed number, which will totally stifle innovation in the creation of new services in the EU: in practice it will mean, that in the future of the evolution of the qualified trust services, inputs for new services will come only from abroad the EU internal market. Today new qualified trust services have been created by national legislation (as it has happened at least in Germany, Austria and Italy, with registered emails, time stamps and long term preservation).

In the current proposal for Regulation COM(2012) 238:

- A trust service provider cannot be considered as a qualified trust service provider unless it provides a qualified trust service (according at least to one national supervisory body) and meet the requirements of the Regulation on both the provided qualified trust service and on itself, namely Art.19.2 requirements.
- In the Trusted List, qualified status information will be given on a per qualified trust service basis and with regards to the trust service provider itself will either provide an explicit information on its qualified status or such information can be deterministically deduced from the status of its qualified trust services.
- A qualified trust service provider that fails to comply with requirements on Art.19.2 while providing one or more qualified trust services will lose the qualified status for itself and de facto for all its provided qualified trust services.

Impacts on the current Trusted Lists format and procedures resulting from the proposal for Regulation COM(2012) 238 will be further discussed in the present document.
The proposed Regulation gives to such qualified trust services and their specific outputs a specific legal effect enhancing their legal certainty and admissibility over the EU, e.g.

- Art.20.2, a qualified electronic signature shall have the equivalent legal effect of a handwritten signature and, Art.20.3, shall be recognised and accepted in all Member States;
- Art.28.2, a qualified electronic seal shall enjoy the legal presumption of ensuring the origin and integrity of the data to which it is linked and, Art.28.3, shall be recognised and accepted in all Member States;
- Art.32.2, a qualified electronic time stamp shall enjoy the legal presumption of ensuring the time it indicates and the integrity of the data to which the time is bound, and, Art.32.3, shall be recognised and accepted in all Member States;
- etc.

In general, it has to be clear, that a qualified trust service in order to be considered qualified, does not need to have any legal effect recognised: the added value of a qualified trust service is the creation of trust and confidence.

4.1.2 Supervision and Trusted Lists as essential building blocks

The concept of supervision of qualified trust services (e.g. issuing qualified certificates) is an essential building block of the current (Directive 1999/93/EC) and the future Regulation, or the future legal framework whatever shape it will take, as it allows implementation of a trust model of qualified trust services and of their outputs, e.g. those qualified electronic signatures benefiting of an automatic equivalence to hand written signatures. As further confirmed in Consideration (37) of COM(2012) 238, "trusted lists are essential elements to build trust among market operators as they indicate the qualified status of the service provider at the time of supervision" and the qualified status of the qualified trust service they provide. While Consideration (37) of COM(2012) 238 continues by stating that "on the other hand they are not a prerequisite for achieving the qualified status and providing qualified trust services which results from respecting the requirements of this Regulation", relying on Trusted Lists is the only practical way for any relying party to ascertain the qualified status of a trust service and of its related output. In the context of a qualified electronic signature, without any confirmation of the qualified status of the supporting qualified trust service (i.e.
CA/QC certification service issuing qualified certificate for which the private key resides or not in a qualified signature creation device, SSCD in the current Directive), as being supervised by the MS Supervisory Body in charge of its supervision, the relying party can only rely on the claim from the trust service provider having issued the signatory's certificate. Without such confirmation, a relying party cannot make any decision on the fact that the received electronic signature is indeed supported by a qualified certificate and/or by a qualified (secure) signature creation device. Not having such confirmation does not imply that the received signature is not a QES or not an AdES QC, as it may well be a QES or an AdES QC, but only that no informed decision can be made on the basis of available information, at least not without substantive and likely disproportionate efforts of the relying party. When a QES or an AdES QC is required (e.g. in the context of article 1.1 of CD 2009/767/EC amended by CD 2010/425/EU), in practice an electronic signature cannot be accepted unless such Trusted List based confirmation is available. Having a confirmation of the qualified or non-qualified status of the supporting trust service (e.g. "supervisionrevoked" or "supervisionceased" status for a qualified trust service in the Trusted List) would be the only practical way to determine whether or not the electronic signature is a QES or an AdES QC.

Issues with the current model

The concept of supervision of service providers issuing qualified certificates is an essential building block of the current Directive 1999/93/EC as it allows implementation of a trust model of those qualified electronic signatures benefiting of an automatic equivalence to hand written signatures. However the implementation in practice of such a concept has led to several issues:

- the co-existence and differences between the interpretation of an 'appropriate system that allows for supervision' (as introduced by Art 3.3 of the Directive) and of 'voluntary accreditation' (as defined in Art.2.13 of the Directive) are not always, if ever, understood clearly, even by those who are in charge of such systems;
- the terms and definitions used are often overlapping or conflicting with the terminology used in the audit and assessment world;
- the divergence of implementation in practice of the concept of "appropriate [...] supervision" by Member States has led to significant differences in the effective implementation of the controls underlying such a supervision ranging from very basic controls up to formal certification.

The recent DigiNotar case has, if nothing else, shown that there is a clear need for sufficiently effective supervision, since security risks can have a very serious impact on the trustworthiness of CAs and on their economic utility.

Given the importance of supervision as a tool for establishing and maintaining trust in trust service providers, it is our strong belief that one must strengthen significantly the supervision model related to qualified trust service providers and to the qualified trust services they provide.
This strengthening will aim to ensure the credibility and viability of the whole concept of qualified trust service provisioning aiming to enhance trust and confidence in electronic transactions and hence to ensure the security of the whole digital society. This strengthening requires defining a single supervision model common to all MS based on a more structured and specified system allowing effective, systematic, independent and documented supervision for obtaining evidence and evaluating such evidence objectively, in order to determine the extent to which the criteria a qualified trust service should meet are indeed fulfilled. Such a common supervision model based on a common set of rules including common conformity criteria and common conformity assessment process rules, established on a standardised basis (i.e. in the context of mandate M460 [10]), specified per type of qualified trust service and based on a standardised control process (i.e. based on well-established audit practices), together with the inclusion of conformity statements of qualified trust services in national Trusted Lists will ensure a more efficient and safer market than it is today.

4.1.3 Objectives for a sound Supervision system and Trusted Lists

The minimal objectives and policy goals for setting up a sound supervision system based on a set of minimum requirements applicable to all MS Supervisory Bodies in charge of supervision of qualified trust service providers are the following:

- Transparency: As the rules and provisions of the EU supervision scheme for IAS trust services/products are to be made publicly available, this will make the EU supervision scheme and its related processes transparent.
- Equality: As the main goal is to prove/ensure that the EU Regulation is abided by, the supervision scheme, including the (minimum) reference criteria and assessment process, has an identical basis (is identical) for every (qualified) trust service provider, regardless of the provider's goals and regardless of the assessor.
- Minimum level of security assurance: This is achieved through the introduction of minimal criteria that need to be met.
- Better preparation of qualified trust service providers: By making public the supervision scheme, including the (minimum) reference criteria and assessment process, (qualified) trust service providers have the opportunity to better understand the content and purpose of the supervision, and to prepare themselves in advance to make wise decisions and investments when designing their systems to meet the criteria and pass the supervision.
- Trust establishment: The supervision scheme is the basis to assure stakeholders and relying parties that a supervised qualified trust service provider complies with it and that its supervised services are trustworthy.
- Trust recognition: The above goals and principles will facilitate international recognition of the EU MS supervision of qualified trust services and qualified trust service providers.
- Qualified trust services supervision status information: The actual status of supervision of a supervised qualified trust service from a qualified trust service provider shall be disclosed in the Trusted List of the Member State which is competent for such a supervision.

[10] See http://ec.europa.eu/information_society/policy/esignature/eu_legislation/standardisation/index_en.htm

4.2 Supervision in the proposal for Regulation

4.2.1 Supervisory body

In its Section 2 on "Supervision", Article 13 obliges Member States to establish supervisory bodies, based on Article 3(3) of Directive 1999/93/EC, clarifying and enlarging their remit with regard to both trust service providers and qualified trust service providers.

Article 13 Supervisory body

1. Member States shall designate an appropriate body established in their territory or, upon mutual agreement, in another Member State under the responsibility of the designating Member State. Supervisory bodies shall be given all supervisory and investigatory powers that are necessary for the exercise of their tasks.

2. The supervisory body shall be responsible for the performance of the following tasks:
(a) monitoring trust service providers established in the territory of the designating Member State to ensure that they fulfil the requirements laid down in Article 15;
(b) undertaking supervision of qualified trust service providers established in the territory of the designating Member State and of the qualified trust services they provide in order to ensure that they and the qualified trust services provided by them meet the applicable requirements laid down in this Regulation;
(c) ensuring that relevant information and data referred to in point (g) of Article 19(2), and recorded by qualified trust service providers are preserved and kept accessible after the activities of a qualified trust service provider have ceased, for an appropriate time with a view to guaranteeing continuity of the service.

3. Each supervisory body shall submit a yearly report on the last calendar year's supervisory activities to the Commission and Member States by the end of the first quarter of the following year.
It shall include at least:
(a) information on its supervisory activities;
(b) a summary of breach notifications received from trust service providers in accordance with Article 15(2);
(c) statistics on the market and usage of qualified trust services, including information on qualified trust service providers themselves, the qualified trust services they provide, the products they use and the general description of their customers.

4. Member States shall notify to the Commission and other Member States the names and the addresses of their respective designated supervisory bodies.

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the definition of procedures applicable to the tasks referred to in paragraph 2.

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the report referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4.2.2 Mutual assistance

Article 14 introduces an explicit mechanism of mutual assistance between supervisory bodies in Member States to facilitate the cross-border supervision of trust service providers. It introduces rules on joint operations and supervisory authorities' right to participate in such operations.

Article 14 - Mutual assistance

1. Supervisory bodies shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Articles 15, 16 and 17.

2. A supervisory body to which a request for assistance is addressed may not refuse to comply with it unless:
(a) it is not competent to deal with the request; or
(b) compliance with the request would be incompatible with this Regulation.

3. Where appropriate, supervisory bodies may carry out joint investigations in which staff from other Member States' supervisory bodies is involved. The supervisory body of the Member State where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted supervisory body's staff. Such powers may be exercised only under the guidance and in the presence of staff from the host supervisory body. The assisted supervisory body's staff shall be subject to the host supervisory body's national law. The host supervisory body shall assume responsibility for the assisted supervisory body staff's actions.

4.
The Commission may, by means of implementing acts, specify the formats and procedures for the mutual assistance provided for in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4.2.3 Security requirements applicable to trust service providers

Article 15 introduces an obligation for both qualified and non-qualified trust service providers to implement appropriate technical and organisational measures for the security of their activities. Furthermore, the competent supervisory bodies and other relevant authorities must be informed of any security breaches. If appropriate, they will in turn inform other Member States' supervisory bodies and will, directly or via the trust service provider concerned, inform the public.

Article 15 Security requirements applicable to trust service providers

1. Trust service providers who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Without prejudice to Article 16(1), any trust service provider may submit the report of a security audit carried out by a recognised independent body to the supervisory body to confirm that appropriate security measures have been taken.

2. Trust service providers shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent supervisory body, the competent national body for information security and other relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the trust service provided and on the personal data maintained therein. Where appropriate, in particular if a breach of security or loss of integrity concerns two or more Member States, the supervisory body concerned shall inform supervisory bodies in other Member States and the European Network and Information Security Agency (ENISA). The supervisory body concerned may also inform the public or require the trust service provider to do so, where it determines that disclosure of the breach is in the public interest.

3. The supervisory body shall provide to ENISA and to the Commission once a year with a summary of breach notifications received from trust service providers.

4.
In order to implement paragraphs 1 and 2, the competent supervisory body shall have the power to issue binding instructions to trust service providers.

5. The Commission shall be empowered to adopt delegated acts, in accordance with Article 38, concerning the further specification of the measures referred to in paragraph 1.

6. The Commission may, by means of implementing acts, define the circumstances, formats and procedures, including deadlines, applicable for the purpose of paragraphs 1 to 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4.2.4 Supervision of qualified trust service providers

Article 16 sets out the conditions for the supervision of qualified trust service providers and qualified trust services provided by them. It obliges qualified trust service providers to be audited on a yearly basis by a recognised independent body to confirm to the supervisory body that they fulfil the obligations laid down in the Regulation. Moreover, Article 16(2) gives the supervisory body the right to carry out on-the-spot audits of the qualified trust service providers at any time. The supervisory body is also empowered to issue binding instructions to qualified trust service providers to remedy, in a proportionate manner, any failure to meet an obligation revealed by a security audit.

Article 16 Supervision of qualified trust service providers

1. Qualified trust service providers shall be audited by a recognised independent body once a year to confirm that they and the qualified trust services provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body.

2. Without prejudice to paragraph 1, the supervisory body may at any time audit the qualified trust service providers to confirm that they and the qualified trust services provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from the Commission. The supervisory body shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached.

3. The supervisory body shall have the power to issue binding instructions to qualified trust service providers to remedy any failure to fulfil the requirements indicated in the security audit report.

4.
With reference to paragraph 3, if the qualified trust service provider does not remedy any such failure within a time limit set by the supervisory body, it shall lose its qualified status and be informed by the supervisory body that its status will be changed accordingly in the trusted lists referred to in Article 18.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the specification of the conditions under which the independent body carrying out the audit referred to in paragraph 1 of this Article and in Article 15(1) and in Article 17(1) shall be recognised.

6. The Commission may, by means of implementing acts, define the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4.2.5 Initiation of a qualified trust service

Article 17 concerns the activity carried out by the supervisory body at the request of a trust service provider wishing to initiate a qualified trust service.

Article 17 Initiation of a qualified trust service

1. Qualified trust service providers shall notify the supervisory body of their intention to start providing a qualified trust service and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Article 16(1). Qualified trust service providers may start to provide the qualified trust service after they have submitted the notification and security audit report to the supervisory body.

2. Once the relevant documents are submitted to the supervisory body according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Article 18 indicating that the notification has been submitted.

3. The supervisory body shall verify the compliance of the qualified trust service provider and of the qualified trust services provided by it with the requirements of the Regulation. The supervisory body shall indicate the qualified status of the qualified service providers and the qualified trust services they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1. If the verification is not concluded within one month, the supervisory body shall inform the qualified trust service provider specifying the reasons of the delay and the period by which the verification shall be concluded.

4. A qualified trust service which has been subject to the notification referred to in paragraph 1 cannot be refused for the fulfilment of an administrative procedure or formality by the concerned public sector body for not being included in the lists referred to in paragraph 3.

5.
The Commission may, by means of implementing acts, define the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4.2.6 Trusted Lists

Article 18 provides for the establishment of trusted lists containing information on qualified trust service providers who are subject to supervision and to the qualified services they offer. This information must be made publicly available through a common template in order to facilitate its automated use and ensure an appropriate level of detail.

Article 18 Trusted lists

1. Each Member State shall establish, maintain and publish trusted lists with information related to the qualified trust service providers for which it is competent together with information related to the qualified trust services provided by them.

2. Member States shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing.

3. Member States shall notify to the Commission, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto.

4. The Commission shall make available to the public, through a secure channel, the information, referred to in paragraph 3 in electronically signed or sealed form suitable for automated processing.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 38 concerning the definition of the information referred to in paragraph 1.

6. The Commission may, by means of implementing acts, define the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).

4.2.7 Requirements for qualified trust service providers

Article 19 sets out the requirements the qualified trust service providers must meet in order to be recognised as such. It draws from Annex II of Directive 1999/93/EC.

Article 19 Requirements for qualified trust service providers

1.
When issuing a qualified certificate, a qualified trust service prvider shall verify, by apprpriate means and in accrdance with natinal law, the identity and, if applicable, any specific attributes f the natural r legal persn t whm a qualified certificate is issued. Such infrmatin shall be verified by the qualified service prvider r by an authrised third party acting under the respnsibility f the qualified service prvider: (a) by a physical appearance f the natural persn r f an authrised representative f the legal persn, r 31

Deliverable D3, Versin 2b (final) (b) remtely, using electrnic identificatin means under a ntified scheme issued in cmpliance with pint (a). 2. Qualified trust service prviders prviding qualified trust services shall: (a) emply staff wh pssess the necessary expertise, experience, and qualificatins and apply administrative and management prcedures which crrespnd t Eurpean r internatinal standards and have received apprpriate training regarding security and persnal data prtectin rules; (b) bear the risk f liability fr damages by maintaining sufficient financial resurces r by an apprpriate liability insurance scheme; (c) befre entering int a cntractual relatinship, infrm any persn seeking t use a qualified trust service f the precise terms and cnditins regarding the use f that service; (d) use trustwrthy systems and prducts which are prtected against mdificatin and guarantee the technical security and reliability f the prcess supprted by them; (e) use trustwrthy systems t stre data prvided t them, in a verifiable frm s that: they are publicly available fr retrieval nly where the cnsent f the persn t whm the data has been issued has been btained, nly authrised persns can make entries and changes, infrmatin can be checked fr authenticity; (f) take measures against frgery and theft f data; (g) recrd fr an apprpriate perid f time all relevant infrmatin cncerning data issued and received by the qualified trust service prvider, in particular fr the purpse f prviding evidence in legal prceedings. Such recrding may be dne electrnically; (h) have an up-t-date terminatin plan t ensure cntinuity f service in accrdance with arrangements issued by the supervisry bdy under pint (c) f Article 13(2); (i) ensure lawful prcessing f persnal data in accrdance with Article 11. 3. Qualified trust service prviders issuing qualified certificates shall register in their certificate database the revcatin f the certificate within ten minutes after such revcatin has taken effect. 4. 
With regard t paragraph 3, qualified trust service prviders issuing qualified certificates shall prvide t any relying party infrmatin n the validity r revcatin status f qualified certificates issued by them. This infrmatin shall be made available at any time at least n a certificate basis in an autmated manner which is reliable, free f charge and efficient. 5. The Cmmissin may, by means f implementing acts, establish reference numbers f standards fr trustwrthy systems and prducts. Cmpliance with the requirements laid dwn in Article 19 shall be presumed where trustwrthy systems 32

Deliverable D3, Versin 2b (final) and prducts meet thse standards. Thse implementing acts shall be adpted in accrdance with the examinatin prcedure referred t in Article 39(2). The Cmmissin shall publish thse acts in the Official Jurnal f the Eurpean Unin. 4.3 A mdel fr supervisin f qualified trust service prviders and qualified trust services they prvide 4.3.1 Intrductin The mnitring and supervisin as mdel prpsed in COM (2012) 238 aims t inspire trust. Taking a helicpter perspective, we see at least the fllwing alternative appraches t inspire such trust, which are: The ISO Cnfrmity Assessment apprach; The ISAE 3000 apprach; The ISAE 3402 apprach; The AICPA apprach; The ISRS 4400 apprach n Agreed upn prcedures. 4.3.2 The ISO Cnfrmity Assessment apprach Within ISO, the cnfrmity assessment plicy develpment cmmittee ISO/CASCO is bth respnsible fr develping and making recmmendatins n cnfrmity assessment plicy t the ISO/CASCO membership and fr develping cnfrmity assessment standards and guides. Particularly relevant ISO standards include: ISO 17021 Cnfrmity assessment: Requirements fr bdies prviding audit and certificatin f management systems (where the ISO 17000 series replaces EN 45000) ISO 27006 Requirements fr bdies prviding audit and certificatin f infrmatin security management systems. It shuld be nted there was histrically quite sme cnfusin with regards t the related terminlgy. 33

The term Accreditation:
- is used in conformity assessment regulations / standards to refer to checking capability of Conformity Assessment Body
- is used in Directive 1999/93 as a form of conformity assessment
- is not used in COM(2012) 238

The term Certification:
- is used in conformity assessment to mean certification of conformity.
- is used in Directive 1999/93 to relate to Certification Service Providers
- is used in COM(2012) 238 with regards to the certification of Qualified Electronic Signature/Seal Devices to determine their conformity with applicable security requirements.

We will align our terminology on ISO/IEC 17000 which defines conformity assessment as: "demonstration that specified requirements relating to a product, process, system, person, or body are fulfilled".

Certification of an entity (e.g. of a trust service provider) against a specific set of requirements or standard (e.g. ISO 27001) is performed by a certification body accredited for performing conformity assessments against such a specific set of requirements or standard (e.g. such as ISO 27001) by an Accreditation Body. Such an accreditation means that the accredited certification body has the authority, expertise and knowhow to go into organisations and assess them against the target requirements (e.g. of ISO27001). Only certification bodies can be accredited for a standard. It is a common misconception that organisations think that they can become e.g. ISO 27001 accredited. Accredited certification bodies undergo periodic assessments by their accreditation bodies, usually their National Accreditation Body.
Within Europe, the European cooperation for Accreditation (EA) [11] is the main institution that oversees the interactions and interoperability between the different European players, mainly the national accreditation bodies. This network is well established, in particular in the area of ISO 27001.

[11] EA members: AUSTRIA BMWFJ, BELGIUM BELAC, BULGARIA BAS, CROATIA HAA, CYPRUS CYS-CYSAB, CZECH REPUBLIC - CAI, DENMARK DANAK, ESTONIA EAK, FINLAND FINAS, FRANCE COFRAC, FYROM IARM, GERMANY DAkkS, GREECE - ESYD, HUNGARY - NAT, IRELAND - INAB, ITALY - ACCREDIA, LATVIA - LATAK, LITHUANIA - LA, LUXEMBURG OLAS, MALTA NAB-MALTA, NETHERLANDS - RvA, NORWAY - NA, POLAND - PCA, PORTUGAL IPAC, ROMANIA RENAR, SERBIA ATS, SLOVAKIA SNAS, SLOVENIA SA, SPAIN ENAC, SWEDEN SWEDAC, SWITZERLAND SAS, TURKEY TURKAK, UNITED KINGDOM - UKAS.

The application of the ISO/CASCO model through EA onto the TSP universe can be depicted as the following generic model:

Figure 2

We consider this model as particularly relevant and the preferred approach to support the conformity assessment model underlying our proposed EU Supervision Scheme for qualified trust service providers and the qualified trust services they provide building up on the ETSI TS 119 403 generic model as well aligned to such ISO/CASCO model.

With regards to the conformity assessments determining that "appropriate Art.15.1 security measures" have been implemented by trust service providers with regards to the trust services they provide, the exact same model can apply.

4.3.3 The ISAE 3000 approach

The International Federation of Accountants (IFAC) operates a standards board, the International Auditing and Assurance Standards Board (IAASB). This IAASB issued the International Standard on Assurance Engagements (ISAE) No. 3000, Assurance Reports on Controls at a Service Organization originally in June 2000. The current version is ISAE 3000 (Revised), Assurance Engagements Other Than Audits or Reviews of Historical Financial Information - Proposed International Standard on Assurance Engagements (ISAE), which is a 2011 exposure draft which will be finalised after all comments have been received and processed.

ISAE 3000's core part focuses on the requirements that allow a practitioner (i.e. an auditor) to express a degree of assurance over a subject matter. These requirements are structured as follows:
- Conduct of an Assurance Engagement in Accordance with ISAEs
- Ethical Requirements
- Acceptance and Continuance
- Quality Control
- Professional Skepticism and Professional Judgment
- Planning and Performing the Engagement
- Obtaining Evidence
- Considering Subsequent Events
- Other Information
- Description of Applicable Criteria
- Forming the Assurance Conclusion
- Preparing the Assurance Report
- Unmodified and Modified Conclusions
- Other Communication Responsibilities
- Documentation

Much attention is devoted to selecting the appropriate criteria to audit the subject matter (the topic of the audit), and to obtaining and evaluating evidence. ISAE 3000 offers the state-of-the-art framework in auditing, based on worldwide consensus.

For this reason we consider it relevant for our proposal.

4.3.4 The AICPA approach

Historically, the AICPA's "Statement on Auditing Standards No. 70: Service Organizations", commonly abbreviated as SAS 70, was a popular auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) with its content codified as AU 324. SAS 70 provided guidance to service auditors when assessing the internal control of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations.

Service organizations (also referred to as service providers) are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

SAS 70 distinguished two types of service auditor reports:
- A Type I ("A report on controls placed in operation") service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.
- A Type II ("A report on controls placed in operation and tests of operating effectiveness") service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.

The AICPA moved the guidance for Service Auditors to the "Statements on Standards for Attestation Engagements" (SSAE), naming the standard Reporting on Controls at a Service Organization. The "Statements on Standards for Attestation Engagements No. 16" (SSAE 16) was formally issued in June 2010 and became effective on 15 June 2011, taking over from SAS 70.

SAS 70 was replaced by two standards:
- ISAE 3402: International Standard on Assurance Engagements No. 3402, Assurance Reports on Controls at a Service Organization. ISAE 3402 is the international standard adopted by the International Auditing and Assurance Standards Board (IAASB).
- SSAE 16: Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization. SSAE 16 is the "local" standard adopted by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

To help CPAs (Certified Public Accountants) select the appropriate standard for a particular engagement, the AICPA has introduced the SOC (SERVICE ORGANIZATION CONTROL) reporting concept, and identified 3 different engagements (SOC 1, SOC 2 and SOC 3). Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing information that users need to assess and address the risks associated with an outsourced service.

The "SOC" dimension distinguishes between reports on controls at a service provider that are:
- SOC 1 relevant to user entities' internal control over financial reporting
- SOC 2 relevant to non-financial controls
- SOC 3 focussed on security, availability, processing integrity, confidentiality, or privacy. SOC 3 is based on the AICPA/CICA (Canadian Institute of Chartered Accountants) "Trust Services Principles" and Webtrust/Systrust.

Furthermore SSAE 16 carried over the distinction between Type I and Type II from the SAS 70 definitions.

If a Service Organisation performs outsourced services that affect the financial statements of another Company (the "User Organization"), it is commonly requested to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.

So with regard to the AICPA/SAS70/SSAE 16 approach, the most relevant contribution could come from the SSAE 16 SOC 3 components. However, as they are rather geared towards the existing WebTrust/Systrust schemes, there would be significant efforts required to either adapt existing audit and control objectives or create those in such a way they would reflect the requirements of COM (2012) 238. For this reason we consider it less relevant for our proposal.
4.3.5 The ISAE 3402 approach

The International Federation of Accountants (IFAC) operates a standards board, the International Auditing and Assurance Standards Board (IAASB). This IAASB issued in December 2009 the International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization.

ISAE 3402 was developed to provide an international assurance standard to allow public accountants to issue a report for use by user organizations and their auditors on the controls at a service provider that are likely to impact or be a part of the user organization's system of internal control over financial reporting.

As opposed to the AICPA's broader SSAE 16, its focus is on financial reporting. It lacks the SSAE 16's concepts of SOC 1, 2 and 3, which are the AICPA's extensions to accommodate technological aspects. For this reason we consider it less relevant for our proposal.

4.3.6 The IFAC/IAASB/ISRS 4400 approach on Agreed upon procedures

Finally, an approach can be based upon procedures agreed between the service provider and the auditor. Such an approach allows fine-tuning of scope and audit objectives to the largest extent possible. It is typically used to provide comfort to the service provider internally. It is less suitable to provide assurance towards external parties. For this reason we consider it less relevant for our proposal.

4.3.7 Our proposal for a European Supervision Scheme for qualified trust service providers and qualified trust services they provide

From the way the COM(2012) 238 proposal for Regulation is proposing to organise those delegated acts and implementing acts, it is possible to establish a common European Scheme for supervision of qualified trust service providers and the qualified trust services they provide.

The present section proposes a concrete model for such a common "European Scheme for supervision of qualified trust service providers and the qualified trust services they provide", in accordance with the relevant articles from COM(2012) 238 [12]. The same model may be used to cover monitoring of trust service providers and in particular the verification of the compliance of trust service providers with Art.15 requirements from COM(2012) 238.

[12] Those relevant articles are the following:
- COM(2012) 238, Art. 13.5 referring to delegated acts concerning the definition of procedures applicable to the supervisory tasks referred to in Art.15.2;
- COM(2012) 238, Art. 13.6 referring to implementing acts concerning the definition of the circumstances, formats and procedures for the report on the last calendar year's supervisory activities of each supervisory body, as referred to in Art.15.3;
- COM(2012) 238, Art. 14.4 referring to implementing acts concerning the specification of the formats and procedures for the mutual assistance provided in Art.14;
- COM(2012) 238, Art. 15.5 referring to delegated acts concerning the further specification of the appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide as referred to in Art.15.1;
- COM(2012) 238, Art. 15.6 referring to implementing acts concerning the definition of the circumstances, formats and procedures, including deadlines, applicable for the purpose of Art.15.1 to 3;
- COM(2012) 238, Art. 16.5 referring to delegated acts concerning the specification of the conditions under which the independent body carrying out the audit referred to in Art.15.1 and in Art.16.1, and in Art.17.1 shall be recognised;
- COM(2012) 238, Art. 16.6 referring to implementing acts concerning the definition of the circumstances, formats and procedures applicable for the purpose of Art.15.1, Art.15.2 and Art.15.4;
- COM(2012) 238, Art. 17.5 referring to implementing acts concerning the definition of the circumstances, formats and procedures applicable for the purpose of Art.15.1 to 3;
- COM(2012) 238, Art. 18.5 referring to delegated acts concerning the definition of the information referred to in Art.18.1;
- COM(2012) 238, Art. 18.6 referring to implementing acts concerning the definition of the technical specifications and formats for trusted lists applicable for the purpose of Art.18.1 to 4;
- COM(2012) 238, Art. 19.5 referring to implementing acts concerning the establishment of reference numbers of standards for trustworthy systems and products enabling presumption of compliance with requirements laid down in Art.19 where trustworthy systems and products meet those standards.

The proposed model builds upon work done in ETSI ESI with regards to general requirements and guidance for conformity assessment of trust service providers (ETSI TS 119 403), national supervision schemes, the COM(2012) 238 proposal for Regulation and the preferred ISO/CASCO approach described in Section 4.3.2.

The proposed complete scheme may be integrated as such in an appropriate delegated or implementing act, or be included in the ETSI standardisation framework as an instantiation of ETSI TS 119 403 [13].

[13] ETSI TS 119 403 provides a general framework for the establishment of trust service provider assessment scheme whatever type of trust service and trust service provider, qualified or not, and not limited to the one covered by COM(2012) 238 proposal for Regulation. The proposed "European scheme for the supervision of qualified trust service providers and the qualified trust services they provide" is (as) compliant (as possible) with ETSI TS 119 403.

It is believed that the establishment of such a common basis for supervision of qualified trust service providers and the qualified trust services they provide will not only serve to raise the level of confidence in these providers and services within the EU boundaries but will also serve as a benchmarking reference for the mutual recognition between EU services and those "qualified" trust services from 3rd countries or international organisations. Recognition of "qualified" trust services and trust service providers from 3rd country or international organisations that would be certified against the EU common supervision scheme or against an equivalent scheme by a conformity assessment body accredited by a national accreditation body participating to the European cooperation for Accreditation (and/or the International Accreditation Forum (IAF) [14]) to carry out such assessments would be facilitated.

[14] The IAF is the world association of National (Conformance Assessment) Accreditation Bodies and other bodies interested in conformance assessment in the fields of management systems, products, services, personnel and other similar programs of conformance assessment.

Figure 3 illustrates the model for the European Supervision Scheme for the conformity assessment of qualified trust service providers and the qualified trust service they provide against the provisions and requirements laid down in the Regulation [ref.1]. Figure 4 illustrates the same model for the European Supervision Scheme applied for the confirmation of compliance through conformity assessment of trust service providers and the trust service they provide against the provisions and requirements laid down in the Regulation [ref.1 - in particular Art.15.1].

Figure 3: Model for European Supervision Scheme and related assessments - QTS(P)s (diagram titled "EU Supervision Scheme for QTS(P)s - Supervision Process Flow")

Figure 4: Model for European Supervision Scheme and related assessments - TSPs (diagram titled "EU Monitoring Scheme for TSPs": ISO/IEC 27001 certification by CAB accredited by (national) accreditation body for ISO/IEC 27001 with SOA corresponding to the trust services provided by the trust service provider in accordance with REG; alternative appropriate confirmation of meeting requirements from the REG)

Within the above described context and within each EU Member State, the European Supervision Scheme relies on the following elements:

The National Accreditation Body (NAB): This is the sole body in a Member State that shall perform, with authority derived from the State, accreditation of conformity assessment bodies in the context of the Supervision Scheme. Such accreditation shall assess the competency of the accredited conformity assessment bodies to carry out assessments under the requirements identified in the Supervision Scheme. [15]

[15] The option has been made here to not allow, in the context of the present Supervision Scheme, Supervisory Bodies to play the equivalent role of the national accreditation body for evaluating the competence of a conformity assessment body to carry out a conformity assessment in line with the present European Supervision Scheme.

Conformity Assessment Bodies (CAB): A conformity assessment body is an independent body of assessors which carries out the assessment of a qualified trust service provider and of the qualified trust services it provides against the requirements established in the Supervision Scheme, in particular against its conformity criteria and in accordance with its conformity assessment guidance. The competence of a Conformity Assessment Body to carry out such an assessment is accredited by a National Accreditation Body. One or more Conformity Assessment Bodies may be accredited and hence recognised under the Supervision Scheme. The results of a conformity assessment executed by a conformity assessment body are notified to the Supervisory Body of the Member State in which the assessed qualified trust service provider is established. Conformity assessment bodies refer to recognised independent bodies as referred to in Art.15.1, Art.16.1 and Art.17.1 of the Regulation [ref.1].

The Supervisory Body: This is the body established in accordance with Art.13.1 of the Regulation and that is given all supervisory and investigatory powers that are necessary for the exercise of its task in accordance with the Regulation [ref.1]. With regards to qualified trust services and qualified trust service providers, the supervisory body shall be responsible for undertaking supervision of those qualified trust service providers established in their territory, and/or in the MS having designated this body to undertake supervision of qualified trust service providers established in the designating MS under the responsibility of the designating MS, and of the qualified trust services those qualified trust service providers provide. This supervision shall ensure that those qualified trust service providers and the qualified trust services they provide meet the applicable requirements laid down in the Regulation. All supervisory bodies from the EU shall abide by the Supervision Scheme for this purpose.

Trusted Lists: The supervisory body shall also be the body responsible for the notification of the qualified status of the qualified trust service providers and the qualified trust services they provide in their national Trusted List in accordance with the Regulation [ref.1 - Art.18] and the present document. Qualified status results from the verification by the supervisory body of the compliance of the qualified trust service providers and the qualified trust services they provide with the requirements of the Regulation, such a verification being based on, e.g., the results of a conformity assessment performed by an accredited conformity assessment body. Similarly to the Trusted Lists, so-called "Art.15.1 Compliance Lists" could be used for the notification of the compliance status of the trust service providers with the Regulation [ref.1 - Art.15].
The List of the Trusted Lists (LOTL) is an additional important element in the Supervision Scheme. In order to allow access to the trusted lists of all Member States in an easy manner, the European Commission publishes a central compiled list that includes the locations where the Trusted Lists are published and the certificate to be used to verify the authenticity and integrity of the MS trusted lists, as notified by Member States. This compiled List of the Trusted Lists (LOTL) is available publicly. The authenticity and integrity of the machine processable version of this compiled list is ensured through an electronic signature supported by a digital certificate. The certificate can be authenticated through one of the digests published on the Official Journal of the European Union. Similarly to the LOTL, a compiled List of the Member States Art.15.1 Compliance Lists could be published by the EC to allow access to the lists of all Member States in an easy manner and to enforce the trust model underlying the verification of the authenticity and integrity of the MS lists.

The Supervision Scheme assessment model relies on a common set of conformity criteria, a common assessment process based on a common conformity assessment guidance and on a common understanding of the responsibilities of the qualified trust service providers.

The Conformity Criteria (CRIT) for qualified trust service providers and the qualified trust services they provide refers to the criteria (incl. requirements) against which conformity assessment will be undertaken by EU MS supervisory bodies in the context of the Regulation. Those criteria take into account specificities of the type of trust service to be assessed. They can be organised under the form of a check-list aiming to facilitate the tasks of both the assessors and the qualified trust service provider to be assessed. They are made publicly available and based on standards. The conformity criteria applicable in the context of the Supervision Scheme are provided in a companion document of the present document.

The Conformity Assessment Guidance (CAG) for European Union Member States supervisory bodies refers to the way conformity assessment bodies carry out an assessment in the context of the Supervision Scheme, i.e. to the way compliance of qualified trust service providers and the qualified trust services they provide is assessed against the requirements laid down in the Regulation [ref.1]. This covers:
- The conformity assessment process and the specific characteristics with regards to the conformity assessment process, including the frequency and depth of the assessments, the associated fees, the complaint related procedures, etc;
- The requirements on the conformity assessment bodies and the rules to be observed by such bodies when conducting assessments;
- The specifications for cross-border assessment and related mutual assistance; and
- The responsibilities of the parties.

The document entitled "Recommendations for a European Supervision Scheme: Proposal for Conformity Assessment Guidance" (See Annex) focuses on the description of (i) the process flow for the supervision of qualified trust service providers and the qualified trust services they provide and (ii) on the Conformity Assessment Guidance (CAG) specifying how to assess compliance of those providers and their qualified trust services against the "Supervision Conformity Assessment Criteria".
These latter "Supervision Criteria", against which the conformity of the qualified trust service providers and the qualified trust services they provide will be assessed, are suggested to be developed on the basis of the mapping between the proposal for Regulation COM(2012) 238 related delegated and implementing acts and the technical requirements and/or standards as provided in Section 6.

4.4 Conclusions

The current proposal for a 'Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market' [16] paves the way to the establishment of a single supervision scheme common to all EU MS supervisory bodies. We recommend delegated acts and implementing acts to be adopted in the context of the supervision related articles of the future Regulation to effectively set up such a common basis for supervision of qualified trust service providers and the qualified trust services they provide. Section 4.3 and "Annex C - Recommendations for a European Supervision Scheme: Proposal for Conformity Assessment Guidance" of the present document propose a concrete basis for such a common supervision scheme.

[16] COM(2012) 238 of 04.06.2012.

It is believed that the establishment of such a common basis for supervision of qualified trust service providers and the qualified trust services they provide will not only serve to raise the level of confidence in these providers and services within the EU boundaries but will also serve as a benchmarking reference for the mutual recognition between EU services and those "qualified" trust services from 3rd countries or international organisations. Recognition of "Qualified" trust services and trust service providers from 3rd country or international organisations that would be certified against the EU common supervision scheme or against an equivalent scheme by a conformity assessment body accredited by an accreditation body participating to IAF to carry out such assessments would be facilitated.

The proposed initiation phase in the current proposal for a Regulation creates some legal uncertainties, inequality between relying parties and unnecessary complexity and should be simplified in a clear prior-authorisation model.

It is further recommended that Secondary EU wide legislation (e.g. delegated acts as per Art.13.5) should establish and maintain (incl. addition mechanism) an exhaustive list of EU wide, meaningful and precise categories of activities to be considered as trust services. Not having such a mechanism will not allow clear determination whether a service provider is to be considered as a trust service provider or not and may lead to discrimination between trust service providers.

5. IAS in the Cloud

5.1 IAS in the Cloud, opportunities and challenges.

Electronic Identification, Authentication and Signatures (IAS) is the expression that refers to the new legal framework proposed by the European Commission as successor to the eSignature directive (1999/93/EC). The Digital Agenda for Europe includes Key Action 3 to propose a revision of the eSignature Directive in 2011 with a view to provide a legal framework for cross-border recognition and interoperability of secure eAuthentication systems. While the original Directive established a legal framework for electronic signatures and Certification Service Providers, the new version aims both at improving the signature aspects and at broadening the scope of the framework to include aspects of identification and authentication as well.

On the other hand we witness the arrival of Cloud computing, which is and will likely remain an evolving paradigm, going forward and gaining footprint. It can be informally defined as: "A 'Cloud' implementation is an elastic execution environment of resources involving multiple stakeholders and providing a metered service at multiple granularities for a specified level of quality (of service)." [17] Its attractiveness stems from its characteristics to allow a consumer to unilaterally provision computing capabilities ("on demand self-service"), whilst allowing location independent resource pooling. This leads to rapid elasticity of services to align demand and supply, while supplied services are monitored and measured, so billing can be highly transparent. However, security and data privacy concerns are typically seen as the two critical barriers to adopting it.

The objective of this Position Paper is to briefly outline the potential for mutual positive enforcement between the IAS framework and Cloud computing. We argue that the Cloud's eminent need to achieve trust is greatly facilitated and supported by IAS.
Furthermre, we equally argue that the Clud s ptential fr delivering largescale elastic and cst-effective services is a deplyment mdel that is required by IAS t deliver what its users are expecting. This can lead t an IASaaS mdel 17 Eurpean Cmmissin, The future f clud cmputing. Opprtunities fr Eurpean clud cmputing beynd 2010, Expert Grup Reprt, Public Versin 1.0, 2010, page 8. See: http://crdis.eurpa.eu/fp7/ict/ssai/dcs/clud-reprt-final.pdf. 46

Deliverable D3, Versin 2b (final) (Identificatin, Authenticatin and Signature as a Service). IAS in the Clud may invke legal challenges relating t applicable law, data prtectin and current e- Signature laws. A future legal framewrk n IAS shuld take int accunt the specificities f new mdels like IASaaS, ensuring that clud based IAS services wuld be recgnized as legally valid and cmpliant acrss the EU. 5.2 The Clud s need fr security is supprted by IAS 5.2.1 Clud service mdels Clud is embraced as a way t build mre cst effective infrastructures. We briefly recall the Clud Service Mdels that include SaaS, PaaS and IaaS. In the case f Sftware as a Service (SaaS) the cnsumer uses the prvider s applicatins running n a clud infrastructure. In the case f Platfrm as a Service (PaaS), the prvided capability is t deply nt the clud infrastructure cnsumer-created r acquired applicatins. Prgramming languages, libraries, services, and tls are supprted by the prvider. Finally, in the case f Infrastructure as a Service (IaaS), prcessing, strage, netwrks, and ther fundamental cmputing resurces are prvisined where the cnsumer is able t deply and run arbitrary sftware, which can include perating systems and applicatins. In each f thse cases, the cnsumer des nt manage r cntrl the underlying clud infrastructure but may have limited cntrl ver selected aspects. We recall that the mst cmmn deplyment mdels include Private Clud, Cmmunity Clud, Public Clud and Hybrid Clud. In the case f Private clud, the infrastructure is prvisined fr exclusive use by a single rganizatin cmprising multiple cnsumers (e.g., business units). In the case f a Cmmunity clud, the infrastructure is prvisined fr exclusive use by a specific cmmunity f cnsumers frm rganizatins that have shared cncerns (e.g., missin, security requirements, plicy, and cmpliance cnsideratins). In the case f Public clud, prvisining is fr pen use by the general public. 
Finally, in the case of a Hybrid cloud, there is typically a mixture involved of public and private actors.

Cloud allows resource sharing to be optimized in novel ways not found in a traditional datacentre. It is recognised in the Digital Agenda which states: Europe should also build its innovative advantage in key areas through reinforced eInfrastructures and through the targeted development of innovation clusters in key fields. It should develop an EU-wide strategy on "cloud computing" notably for government and science. 18 However, security and data privacy concerns are typically seen as the two critical barriers to adopting it. This is clearly expressed in messages such as those given last year by the Industry Working Group 19 to Vice President Kroes. Key aspects that need to be addressed include trust, multi-tenancy, encryption, and compliance. Different stakeholders emphasize different aspects though. When considering the barriers from a user perspective, the concepts of security, reliability, data privacy and legal concerns are commonly raised. When considering from a vendor perspective, mainly the different national regulatory frameworks are mentioned. The IAS regulation holds great potential to lower those barriers for those two stakeholders and for many others alike. To benefit from Cloud-based solutions, one is quickly forced to make choices with regard to many technical aspects.

5.2.2 End user perspective

Let us first consider the end user perspective. Imagine an organisation that decides to deploy its Human Resources ICT as SaaS (Software as a Service). This means the different HR modules (organisation planning, hiring, evaluation, retention, timesheets, payments, training, pension etc) will be available in the cloud. Managing the Identity, Authentication and Signature (IAS) aspects of internal employees, contractors, service providers, candidates etc is fundamental to achieving the required trust, but it is also a complex challenge. The most common approach is to call upon an Identity and Access Management (IAM) solution. Such an application supports the lifecycle of Identities (users and managers), which may include the management of attributes (that can be relevant for authentication purposes), as well as the accesses of these Identities once authenticated.
In a Cloud context, userid/password authentication is mostly replaced by some form of strong authentication 20. To pass authentication across organisational borders, Identity federation 21 concepts allow organisations to trust one another's identity assertions, e.g. using SSO (Single Sign-On). Entitlement management 22 then supports the lifecycle of the accesses of the managed identities. What consumers of cloud services can actually do is usually governed via a group based access policy. For such access control to function, Identification and Authentication are prerequisites.

In many Use Cases (e.g. the creation of a new employee within the organisation), the identities of the various actors as well as their activities need to be authenticated. The most reliable way to do this is through electronic identification, authentication and signatures. In practice this is achieved through various Internet-style protocols 23. Furthermore, for the purpose of confidentiality and data protection, Cloud solutions have a need to support data encryption (data-at-rest, data-in-flight) and corresponding key management 24.

18 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, COM(2010) 245, 23.
19 Industry recommendations to Vice President Neelie Kroes on the orientation of a European cloud computing strategy, November 2011. See http://ec.europa.eu/information_society/activities/cloudcomputing/docs/industryrecommendationsccstrategy-nov2011.pdf.
20 Strong authentication standards include e.g. OATH Event-based (HOTP), Time-based (TOTP) and Challenge-Response (OCRA) Software Tokens.
21 A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. For example using technologies such as SAML, WS-Federation, Liberty ID-FF.
22 For example XACML.
23 As Cloud solutions are typically based on SOAP or Web Services, such activities are modelled in protocols that are encoded in XML.
24 Leading to approaches such as the OASIS Enterprise Key Management Infrastructure EKMI.

5.2.3 Management perspective

Let us now consider a management perspective. Cloud Computing resources are handled through control interfaces. It is through these interfaces that the new machine images can be added, existing ones can be modified, and instances can be started or ceased. A successful attack on a Cloud control interface grants the attacker power over the victim's account, with all the stored data included. As a consequence, the protection of these control interfaces is paramount to the security of the Cloud resources. The business model of Cloud service providers includes a significant amount of self-service, also for various management aspects. As the contractor/self-service manager of the Cloud service will by definition have to connect remotely, available and trusted IAS-components and services will contribute to his security 25.

25 Technically, the cloud control interfaces are typically realized either as a SOAP-based Web Service, or as a Web application. If the interface is SOAP-based, then WS-Security can be applied. Security tokens such as X.509 certificates and XML Signature are commonly used. If the control interface is a Web application, security relies on SSL/TLS combined with some client authentication mechanisms. It is well known that username/password based client authentication is highly vulnerable to attacks such as XSS (Cross-Site Scripting), thus other methods should take preference (e.g. TLS client certificates). In either case, IAS will facilitate improved protection of the cloud management interfaces.

5.3 Cloud as an effective IAS services deployment model

5.3.1 Need for trust

As Cloud computing is highly dependent on the trust a consumer has in his provider, IAS has a clear contribution to make to Cloud computing. Customers must trust their cloud providers with respect to the confidentiality and integrity of their data, as well as computation correctness. However, the other way around equally holds. For applications providing IAS functionality, the advantages of running in the Cloud can be significant. Let us first consider a Certification Service Provider. While some aspects of his service such as his trustworthy core systems (e.g. those that manage his root key) cannot easily be ported into the cloud, directory services and services providing status information (OCSP/CRL) can.

Let us now re-imagine the organisation that decides to deploy its HR ICT as SaaS. Managing the IAS aspects of internal employees, contractors, service providers, candidates etc is fundamental to achieving the required trust, but it is also a complex challenge with regard to performance. A Cloud model can significantly contribute to the cost effective deployment of IAS services, potentially leading to an IASaaS model (Identification, Authentication and Signature as a Service).

5.3.2 Potential of an IASaaS model

If one considers what goes on behind the scenes when a user accesses a protected application, it is obvious to identify the potential of an IASaaS model.

Assuming an unidentified/unauthenticated user presents himself at the application, the application invites the user to select his Identity Provider (IdP), by returning a list of acceptable IdP's. The user selects his IdP of choice, is redirected there, authenticates there and will then return to the target application with a token, typically a signed XML data structure e.g. in the format of a SAML-token. The selected IdP is solicited by many users, and as applications support a continuously broader range of users e.g. across borders, the importance of peaks such as on Monday mornings, or prior to a submission deadline will only increase. For such purpose, the IdP needs to be scalable and robust.

This extends beyond the initial authentication exchange, since applications may later challenge the user on supplying particular attributes. The user will turn again to his IdP, or to separate Attribute Providers (AP's). These will equally be returned to the target application in the form of a token such as a signed XML data structure. So there is a clear need for scalable and cost-effective performance of authentication and attribute service provisions, which can be seen as Cloud candidates.

After the creation of such a signed XML data structure, it needs to be validated by its consumer. For example an authentication token will be consumed by the application (or the security component protecting that application). This will include the validation of the electronic signature over the data structure (which may include sub-elements with their own signatures), and the logical evaluation whether the content provided convinces the security component to let the user perform his action on the application. The same peaks (e.g. Monday morning, prior to a submission deadline) are applicable here, but they are even more concentrated. Users may decide to rely upon different IdP's, but the application will most likely rely upon a single security component for processing the IAS tokens. This component has to handle those aggregated peaks.
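The consumer-side validation described above, as an added example that is not part of the study: a security component checks the issuer against its list of acceptable IdPs, verifies the signature over the token, and only then evaluates validity window, audience and a group attribute. The token layout, element names, URLs, key and group name are constructed for illustration, and HMAC-SHA256 over the canonicalised XML stands in for the XML Signature a real SAML token carries.

```python
import base64
import binascii
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed demo values (assumptions for this example, not from the study).
ACCEPTED_IDPS = {"https://idp.example.org": b"constructed-demo-key"}
SP_AUDIENCE = "https://hr.example.com"
REQUIRED_GROUP = "hr-managers"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _signed_bytes(token):
    """Canonical (C14N) bytes of the token with its Signature child removed."""
    body = copy.deepcopy(token)
    for sig in body.findall("Signature"):
        body.remove(sig)
    return ET.canonicalize(ET.tostring(body, encoding="unicode")).encode("utf-8")


def issue_token(issuer, key, subject, groups, now, lifetime=timedelta(minutes=5)):
    """IdP side: build the token and sign it (HMAC stands in for XML Signature)."""
    token = ET.Element("Assertion")
    ET.SubElement(token, "Issuer").text = issuer
    ET.SubElement(token, "Subject").text = subject
    ET.SubElement(token, "Conditions", {
        "NotBefore": now.strftime(TIME_FMT),
        "NotOnOrAfter": (now + lifetime).strftime(TIME_FMT),
        "Audience": SP_AUDIENCE,
    })
    for group in groups:
        ET.SubElement(token, "Attribute", {"Name": "group"}).text = group
    mac = hmac.new(key, _signed_bytes(token), hashlib.sha256).digest()
    ET.SubElement(token, "Signature").text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(token, encoding="unicode")


def validate_token(xml_text, now):
    """Relying-party side: return (allowed, reason) for one presented token."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return False, "DTD not allowed"
    try:
        token = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed token"

    # 1. Only tokens from an IdP on the application's acceptance list count.
    key = ACCEPTED_IDPS.get(token.findtext("Issuer", default=""))
    if key is None:
        return False, "issuer not accepted"

    # 2. Signature check over everything except the Signature element itself.
    sigs = token.findall("Signature")
    if len(sigs) != 1:
        return False, "signature missing or duplicated"
    try:
        presented = base64.b64decode(sigs[0].text or "", validate=True)
    except (binascii.Error, ValueError):
        return False, "signature not decodable"
    expected = hmac.new(key, _signed_bytes(token), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return False, "signature invalid"

    # 3. Logical evaluation, done only on content the signature covers.
    cond = token.find("Conditions")
    if cond is None:
        return False, "conditions missing"
    try:
        start = datetime.strptime(cond.get("NotBefore", ""), TIME_FMT)
        end = datetime.strptime(cond.get("NotOnOrAfter", ""), TIME_FMT)
    except ValueError:
        return False, "validity window unreadable"
    start = start.replace(tzinfo=timezone.utc)
    end = end.replace(tzinfo=timezone.utc)
    if not (start <= now < end):
        return False, "outside validity window"
    if cond.get("Audience") != SP_AUDIENCE:
        return False, "wrong audience"
    groups = {a.text for a in token.findall("Attribute") if a.get("Name") == "group"}
    if REQUIRED_GROUP not in groups:
        return False, "required group missing"
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    idp = "https://idp.example.org"
    tok = issue_token(idp, ACCEPTED_IDPS[idp], "alice", ["hr-managers"], t0)
    print(validate_token(tok, t0))
    print(validate_token(tok.replace("alice", "mallory"), t0))
```

The order matters: nothing in the token is trusted for an access decision until the issuer is on the acceptance list and the signature has verified.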
Again, a Cloud model has great potential here. Obviously, given the sensitivity of the services provided, a private cloud seems a more logical model than a public cloud for the provision of such services.

5.4 Moving IAS into the cloud: legal issues

The legal issues linked to the deployment of cloud services have been studied in previous initiatives 26, and the primary challenges are well understood. Principally, they relate to ensuring compliance with data protection rules, obtaining acceptable guarantees with respect to security, availability, performance, transparency and contingency planning, as well as data portability (including exit modalities). When IAS services are applied through a cloud model, all of these challenges need to be appropriately addressed, and a number of additional complexities can present themselves as a result of the very specific nature and goals of IAS services. However, if these barriers can be overcome, the immediate consequence is that a fully compliant IAS service can be offered on a potentially very large scale. Clearly, the general benefits of cloud services also apply to IAS services.

26 See e.g. The Cloud: Understanding the Security, Privacy and Trust Challenges, N. Robinson, L. Valeri, J. Cave, T. Starkey, H. Graux, S. and P. Hopkins, ENISA, 2010; http://cordis.europa.eu/fp7/ict/security/docs/the-cloud-understanding-security-privacy-trustchallenges-2010_en.pdf, p.53 and following

5.4.1 Data protection

Arguably the most significant legal concern with respect to cloud computing is data protection, for service providers and customers alike. When IAS services are offered via a cloud model, this concern is further amplified, as legally protected personal data will almost inevitably 27 be entrusted to a cloud provider. This complicates legal compliance, as an IAS cloud provider offering its services in the EU will have to comply with all applicable data protection laws, even if they are established outside of the EU, in accordance with Article 4 of the Data Protection Directive. This places a significant burden on cloud service providers, who will need to comply with multiple national laws: as service providers to their customers, it will inevitably be the national data protection laws of their customers that govern their contracts, rather than the data protection laws of the countries in which the provider is established.

Each national data protection law may impose specific requirements or restrictions on cloud computing services, either directly via national legislation, or more likely through opinions issued by national data protection authorities, or even by opinions from Worker's Council or other organised labour representatives. Such requirements may relate to the location where data centres may be established, the contractual relationship that the cloud provider may have with its subcontractors, auditing rights, security guarantees and the possibility for data subjects to exercise their rights. The export of personal data to a destination outside of the European Economic Area, which is almost inevitable in a cloud computing model, given the necessity of operating multiple data centres in geographically spread out regions to ensure stability and scalability, is additionally subjected to strict legal requirements, and will often require the conclusion of very specific contracts that comply with EU data protection principles.

27 With the exception of purely pseudonymous IAS services and IAS services that exclude natural persons from their scope, such as e.g. company seals in the cloud.

In short, there is a significant compliance burden for cloud providers as a result of the current European regulatory approach to data protection. However, it is worth noting that these compliance challenges are not unique to IAS services or even to cloud computing, and that some solutions have been developed over the past years. Notable examples include the Safe Harbour arrangements, which allow US based data processors to self-certify their compliance with European data protection principles 28, and the use of Standard Contractual Clauses which have the European Commission's formal approval 29. By integrating these Clauses into cloud service contracts, international exchanges of personal data can be legitimized with a reasonable degree of assurance.

Perhaps most importantly, the ongoing review of the Data Protection Directive points to a significant awareness with policy makers of certain impracticalities within the current legislation (such as the cumulative applicability of multiple national laws), and to a willingness to remedy these. Thus, improvements can be expected on this point in the future.

28 See http://export.gov/safeharbor/
29 See http://ec.europa.eu/justice/data-protection/document/international-transfers/index_en.htm

5.4.2 Applicable laws

As a second challenge, it is clear that IAS cloud services as a whole will not necessarily be subject to European laws. Under the current eSignatures Directive (as with the eCommerce Directive), CSPs are largely subject to the national laws of the countries in which they are established. This means that an IAS provider established in the EU will have to comply with the eSignatures/eCommerce legislation in its own country, next to the data protection laws of all of its customers. Providers established outside of the EU will typically apply their own national laws (again, next to potentially all European data protection laws), leading to a regulatory landscape which is fragmented. This reality further emphasizes the need for more strongly harmonised legislation, as e.g. proposed by the draft IAS Regulation and the draft Data Protection Regulation. In that respect, cloud computing (including cloud based IAS services) may prove to be a potent stimulus to these harmonization efforts, as the need for universally valid services will become ever clearer.

5.4.3 eSignature laws compliance

Finally, it is worth noting that IAS cloud providers are likely to have some difficulty in ensuring compliance with the current eSignatures Directive on a number of points, especially if they aspire to offering qualified service levels. Typical challenges will include the assurance of sole control over signing solutions, which is traditionally judged more harshly with respect to remotely controlled facilities than for locally kept devices, and obtaining an affirmative compliance decision of the secure-signature-creation device in countries that require this. Such issues will likely be alleviated by the upcoming update of the legal framework, and the accompanying revision of the standardisation framework and supervisory model. Clarifications on these aspects will ensure that cloud based IAS services would be recognized as legally valid and compliant across the EU.

6. Overview of delegating and implementing acts within the Regulation

The table below provides an overview of the provisions of the Proposal calling for delegated acts or implementing acts. It also contains recommendations of the IAS study team for the content of such acts, should the Commission consider moving forward in their preparation. For each envisaged act, the table briefly describes its scope and content, and references any standards related to it. The table can be used as a first input for the drafting of the acts and for integrating the required links to standardisation efforts. The following topics have been identified:

Table columns: Article; Text within the Article and general context; Scope / Content / Standard to be included in the delegated / implementing act; Act number.

6.1 Notification

Article: Notification 7 (4)
Act number: 1. Priority: H. Ease: M. Scheduling: ASAP. Iteration: 1.

Text within the Article and general context: Implementing act(s) defining the circumstances, formats and procedures of the notification referred to in art. 7.1 [ ].
7.1: MS which notify an electronic identification scheme shall forward to EC the following information and without undue delay, any subsequent changes thereof:
- a description of the notified electronic identification scheme;
- the authorities responsible for the notified electronic identification scheme;
- information on by whom the registration of the unambiguous person identifiers is managed;
- a description of the authentication possibility;
- arrangements for suspension or revocation of either the notified identification scheme or authentication possibility or the compromised parts concerned.

Scope: Notification of eID schemes
Content:
Definition of a form (including template for art 7.1.a and 7.1.b), specifying:
- Details on the notifying MS (administration, contact details);
- Description on the scheme: nature, eID means currently covered, requirements and processes for the issuance and management of the eIDs under the scheme, governance (including management and maintenance) of the scheme itself;
- Identification of any relevant entities in the scheme, including their role, competences, responsibilities and nature (governmental vs non-governmental, not for profit or for profit);
- Description of the current scope of the project in terms of user base (eID means holders) and use cases, along with plans and prognoses for future developments and changes;
- Explanation/justification of how the scheme and means meet the requirements of the Regulation, including its link to the MS (issued by, on behalf of or under the responsibility of the MS).
Definition of a procedure:
- Letter from PermRep to CONNECT Director-General
- Review for completeness, including right to request additional information
- Terms and timescales for responses
- Updates and revisions measures, including an obligation for the notifying entity to keep the notified information accurate and up to date at all times.
Standard: Need for standard: N. Standards will be required to make notified data available in a useful format to the public (ex. via a Trust List), but this is a separate issue dealt with below.

6.2 Coordination

Article: Coordination 8 (2)
Act number: 2. Priority: M. Ease: E. Scheduling: <12. Iteration: >1.

Text within the Article and general context: act(s) establishing the necessary modalities to facilitate the cooperation between the MS referred to in 8.1 with a view to fostering a high level of trust and security appropriate to the degree of risk. Those implementing acts shall concern, in particular, the exchange of information, experiences and good practice on electronic identification schemes, the peer review of notified electronic identification schemes and the examination of relevant developments arising in the electronic identification sector by the competent authorities of the MS.
8.1: MS shall cooperate in order to ensure the interoperability of electronic identification means falling under a notified scheme and to enhance their security.

Scope: MS coordination on eID
Content:
- Set-up of a formal expert group on eID (level: Directors-General of competent national administrations)
- Mission of the group: exchange of information, experiences and good practice on e-identification schemes, the peer review of notified e-identification schemes and the examination of relevant developments arising in the e-identification
Standard: need for standard: N

Article: Coordination 8 (3)
Act number: 3. Priority: L. Ease: M. Scheduling: >12 / av. STD. Iteration: 2 (1: spec., 2: standard).

Text within the Article and general context: act(s) concerning the facilitation of cross border interoperability of electronic identification means by setting of minimum technical requirements.

Scope: Specification of min technical requirements for notified eID schemes cross-border interoperability
Content:
- (Set of) specifications
- Interoperability requirements should also address security, either through a single minimum security threshold, or through a multilevel quality policy (such as the QAA in STORK)
- Introducing the specification in formal standardisation process (via a standardisation mandate to ESOs).
- Interoperability will require the Commission to communicate the notified schemes to the public. A Trusted List may be advisable; in this case, the basic approach and standards used with respect to eSignatures and (in the future) other Trust Services can be used. However, specific profiles of the applicable standards would be needed:
  - EN 19 602 Trust Service Status Lists Format
  - EN 19 612 Trusted List Format

Standard: Need for standard: Y (low). Standard available: N, when: TBD. Standard ref: ESO Technical Report (TR). Standard content: same as specification(s).

6.3 Supervisory body

Article: Supervisory body 13 (5)
Act number: 4. Related: 13.6. Priority: H. Ease: M. Scheduling: ASAP. Iteration: 2 (1: spec, 2: STD).

Text within the Article and general context: act(s) concerning the definition of procedures applicable to the tasks referred to in art. 13.2.
13.2: The SB shall be responsible for the performance of the following tasks:
- monitoring TSPs established in the territory of the designating MS to ensure that they fulfil the requirements laid down in Art. 15;
- undertaking supervision of QTSPs established in the territory of the designating MS and of the QTSs they provide in order to ensure that they and the QTSs provided by them meet the applicable requirements laid down in this Regulation;
- ensuring that relevant information and data referred to in 19.2.g, and recorded by QTSPs are preserved and kept accessible after the activities of a QTSP have ceased, for an appropriate time with a view to guaranteeing continuity of the service.
15: Security requirements applicable to TSPs
19.2.g: QTSPs providing QTSs shall record for an appropriate period of time all relevant information concerning data issued and received by the QTSP, in particular for the purpose of providing evidence in legal proceedings. Such recording may be done electronically.

Scope: Common supervision procedures
Content:
- Compilation of the requirements related to or relevant for supervision and monitoring as established in the Regulation.
- Supervision procedure
- Specification on data preservation (13.2.c)
- Definition of appropriate time in 13.2.c
Standard: Need for standard: Y (the supervision procedure should be standardised). Standard available: Y:
- EN 19 403 General requirements and guidance for Conformity Assessment of TSPs Supporting Electronic Signatures
- EN 19 413 Conformity Assessment for TSPs Issuing Certificates
- EN 19 423 Conformity Assessment for TSPs providing Time-Stamping Services
- EN 19 433 Conformity Assessment for TSPs providing Signature Generation Services
- EN 19 513 Conformity Assessment of Registered Electronic Mail Service Providers
- EN 19 523 Conformity Assessment of Data Preservation Service Providers
- EN 19 613 Conformity Assessment of Trusted List Providers
Standard content: - STD should build on TS 101456, Crobies Deliverable 1, IAS study deliverable D3.

Article: Supervisory body 13 (6)
Act number: 4. Related to: 13.5. Scheduling: ASAP. Iteration: 2 (1: ENISA recommendation, 2: Implementing act).

Text within the Article and general context: act(s) defining the circumstances, formats and procedures for the report referred to in 13.3.
13.3: Each SB shall submit a yearly report on the last calendar year's supervisory activities to EC and MSs by the end of the first quarter of the following year. It shall include at least:
- information on its supervisory activities;
- a summary of breach notifications received from TSPs in accordance with Art. 15(2);
- statistics on the market and usage of QTSs, including information on QTSPs themselves, the QTSs they provide, the products they use and the general description of their customers.
15.2: TSPs shall [ ] notify the competent SB [ ] of any breach of security or loss of integrity that has a significant impact on the TS provided and on the personal data maintained therein. [ ]

Scope: Common supervision procedure (cont'd): yearly report
Content:
- Template of the report to be submitted to EC under art 13.3 with all the relevant informational features the report should contain
- Report content: (a) information on its supervisory activities; (b) a summary of breach notifications; (c) statistics on the market and usage
- Submission procedure (delivery date, to who, how, format)
Standard: Need for standard: N. Standard available: N, when: TBD; Standard ref: TBD.
Standard content: Preparatory work is currently underway under an ENISA public tender (ref. ENISA P/09/12/TCD). The resulting study will provide recommendations on breach notification formats, procedures, and reporting obligations, including specific templates. These should be the basis for legislative work in this area.

6.4 Mutual assistance

Article: Mutual assistance 14 (4)
Act number: 2. Priority: M. Ease: M. Scheduling: <12. Iteration: 1.

Text within the Article and general context: act(s) specifying the formats and procedures for the mutual assistance provided for in Art. 14.
14.1: SBs shall cooperate with a view to exchange good practice and provide each other, within the shortest possible time, with relevant information and mutual assistance so that activities can be carried out in a consistent manner. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out inspections related to the security audits as referred to in Art. 15, 16 and 17.
14.2: A SB to which a request for assistance is addressed may not refuse to comply with it unless: it is not competent to deal with the request; or compliance with the request would be incompatible with this Regulation.
14.3: Where appropriate, SBs may carry out joint investigations in which staff from other MS SBs is involved. The SB of the MS where the investigation is to take place, in compliance with its own national law, may devolve investigative tasks to the assisted SB's staff. Such powers may be exercised only under the guidance and in the presence of staff from the host SB. The assisted SB's staff shall be subject to the host SB's national law. The host SB shall assume responsibility for the assisted SB staff's actions.
15.1: Without prejudice to Art. 16(1), any TSP may submit the report of a security audit carried out by a recognised independent body to the SB to confirm that appropriate security measures have been taken.

Scope: Procedure defining SB mutual assistance
Content:
- Set-up of a formal expert group on trusted services, consisting of SB representatives from all MS;
- Establishing coordination mechanisms, including periodic meetings and governance of the expert group;
- Elaborating communication and response mechanisms, including assistance obligations through definition of incidents or issues where assistance is mandatory. Response conditions (response times and availability) should be defined.
- Joint investigative procedures should be defined, including processes for the identification of a lead investigator, which should be based on the country of establishment of the investigated target, or of the largest/economically most significant target in case of targets in multiple countries;
- Investigative powers must be further defined in case of emergencies, including auditing requirements and procedures (prior notice, duration, seizure, copying of equipment, including through collaboration with law enforcement authorities where necessary).
Standard: need for standard: N

Related articles:

16.1: QTSPs shall be audited by a recognised independent body once a year to confirm that they and the QTSs provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body.
17 (1): QTSPs shall notify the supervisory body of their intention to start providing a QTS and shall submit to the supervisory body a security audit report carried out by a recognised independent body, as provided for in Art. 16(1). QTSPs may start to provide the QTS after they have submitted the notification and security audit report to the supervisory body.

6.5 Security requirements applicable to trust service providers

Article: Security requirements applicable to trust service providers 15 (5)
Act number: 5. Related: 13.5 (supervision criteria). Priority: optional. Ease: M. Scheduling: optional. Iteration: 2 (1: spec., 2: standard).

Text within the Article and general context: act(s) concerning the further specification of the measures referred to in articles 15.1.
15.1: TSPs who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the TSs they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Without prejudice to Art. 16.1, any TS provider may submit the report of a security audit carried out by a recognised independent body to the SB to confirm that appropriate security measures have been taken.
Related articles:
16.1: QTSPs shall be audited by a recognised independent body once a year to confirm that they and the QTSs provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the SB.

Scope: Defining appropriate security requirements for TSPs. Note that any delegated act should take into account that 15(5) applies to trust services in general (including non-qualified ones). Thus, if the Commission adopts a delegated act, then this distinction should be made.
Content: Policy and security requirements can be based on the existing Directive for qualified service providers, as well as on existing standards.
Standard: Need for standard: Y. Standard available: Y, when:
Standard ref:
- EN 19 401 General Policy Requirements for TSPs Supporting Electronic Signatures
- EN 19 431 Policy & Security Requirements for TSPs providing Signature Generation Services
- EN 19 511 Policy & Security Requirements for Registered Electronic Mail (REM) Service Providers
- EN 19 521 Policy & Security Requirements for Data Preservation Service Providers (DPSPs)

Article: Security requirements applicable to TS providers 15 (6)

Text within the Article and general context: act(s) defining the circumstances, formats and procedures, including deadlines, applicable for the purpose of articles 15.1 to 15.3.
15 (1): TSPs who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the TSs they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Without prejudice to Art. 16(1), any TS provider may submit the report of a security audit carried out by a recognised independent body to the SB to confirm that appropriate security measures have been taken.
15 (2) TSPs shall, without undue delay and where feasible not later than 24 hours after having become aware of it, notify the competent SB, the competent national body for information security and other Template of the summary of the breach notifications received to be submitted to the ENISA [template for submitting the information to EC is done under 13 (6) with reference to 13 (3) (b)] with all the relevant informational features the summary should contain Content: Template of the report to be submitted to SB under art 15.2 with all the relevant informational features the report should contain Report content: (a) identification of the service provider; (b) description of the nature of the breach; (c) description of the expected impact of the breach (potential victims, severity, potential costs); (d) potential measures that can be taken by the supervisory body, SB, other third parties and potential victims to mitigate the potential damage Submission procedure (delivery timing requirements, template, communications channels) Template of the reports to be used by SB in their 4 Related to: 15.5 and 13.3 Scheduling: <12 Iteration: 2 (1: ENISA recommendation, 2: Implementing act)

relevant third parties such as data protection authorities of any breach of security or loss of integrity that has a significant impact on the TS provided and on the personal data maintained therein. Where appropriate, in particular if a breach of security or loss of integrity concerns two or more MS, the SB concerned shall inform SBs in other MS and the European Network and Information Security Agency (ENISA). The SB concerned may also inform the public or require the TS provider to do so, where it determines that disclosure of the breach is in the public interest. reporting to ENISA and EC cf art 15.3 (to be integrated under the art.13.3 implementation efforts) Standard: Need for standard: N: Standard available: N, when: TBD; Standard ref: TBD Standard content: Preparatory work is currently underway under an ENISA public tender (ref. ENISA P/09/12/TCD). The resulting study will provide recommendations on breach notification formats, procedures, and reporting obligations, including specific templates. These should be the basis for legislative work in this area. 15 (3) The SB shall provide to ENISA and to EC once a year with a summary of breach notifications received from TS providers. 16 (1) QTSPs shall be audited by a recognised independent body once a year to confirm that they and the QTSs provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the supervisory body.

6.6 Supervision of QTSPs

Supervision of QTSPs 16 (5) act(s) concerning the specification of the conditions under which the independent body carrying out the audit referred to in Art. 16(1) and in Art. 15(1) and Scope: definition of recognition requirements and procedures for recognised independent bodies 4 related:

17(1) shall be recognised. Content: Required competences and assurances for independent bodies; Requirements and procedures for the recognition of independent bodies; To be aligned with IAF (International Accreditation Forum) membership requirements, to facilitate international cross border interoperability. 13.5 16 (1) QTSPs shall be audited by a recognised independent body once a year to confirm that they and the QTSs provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the SB. 15 (1) TSPs who are established in the territory of the Union shall take appropriate technical and organisational measures to manage the risks posed to the security of the TSs they provide. Having regard to state of the art, these measures shall ensure that the level of security is appropriate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of adverse effects of any incidents. Without prejudice to Art. 16(1), any TSP may submit the report of a security audit carried out by a recognised independent body to the SB to confirm that appropriate security measures have been taken. Standard: Need for standard: N Priority: H Ease: M Scheduling: ASAP Iteration: 1 Supervision of QTSPs 16 (6) 17 (1) QTSPs shall notify the SB of their intention to start providing a QTS and shall submit to the SB a security audit report carried out by a recognised independent body, as provided for in Art. 16(1). QTSPs may start to provide the QTS after they have submitted the notification and security audit report to the SB. act(s) defining the circumstances, procedures and formats applicable for the purpose of paragraphs 1, 2 and 4.
16 (1) QTSPs shall be audited by a recognised independent body once a year to confirm that they and the QTSs provided by them fulfil the Scope: Circumstances, procedures and formats for auditing QTSPs, including trusted list impacts Content: Definition of processes for annual audits via 4 related: 13.5 Priority: H Ease: M

requirements set out in this Regulation, and shall submit the resulting security audit report to the SB. 16 (2) Without prejudice to paragraph 1, the SB may at any time audit the QTSPs to confirm that they and the QTSs provided by them still meet the conditions set out in this Regulation, either on its own initiative or in response to a request from EC. The SB shall inform the data protection authorities of the results of its audits, in case personal data protection rules appear to have been breached. 16 (4) With reference to paragraph 3, if the QTSP does not remedy any such failure within a time limit set by the SB, it shall lose its qualified status and be informed by the SB that its status will be changed accordingly in the trusted lists referred to in Art. 18. 16 (3) The SB shall have the power to issue binding instructions to QTSPs to remedy any failure to fulfil the requirements indicated in the security audit report. 18 Trusted lists references to standards; Definition of reporting requirements including retention of reports; Definition of conditions under which SBs may initiate or conduct audits, and circumstances under which data protection authorities must be informed, and to what extent; Definition of impacts of all of the above on the publication status of the QTSP in the trusted list Standard: Need for standard: Y Standard available: Y: Standard ref: EN 19 403 General requirements and guidance for Conformity Assessment of TSPs Supporting Electronic Signatures EN 19 413 Conformity Assessment for TSPs Issuing Certificates EN 19 423 Conformity Assessment for TSPs providing Time-Stamping Services EN 19 433 Conformity Assessment for TSPs providing Signature Generation Services EN 19 513 Conformity Assessment of Registered Electronic Mail Service Providers EN 19 523 Conformity Assessment of Data Preservation Service Providers EN 19 613 Conformity Assessment of Trusted List Providers Scheduling: ASAP Iteration: 1

6.7 Initiation of a QTS

Initiation of a QTS 17 (5) act(s) defining the circumstances, formats and procedures for the purpose of paragraphs 1, 2 and 3. 17 (1) QTSPs shall notify the SB of their intention to start providing a QTS and shall submit to the SB a security audit report carried out by a recognised independent body, as provided for in Art. 16(1). QTSPs may start to provide the QTS after they have submitted the notification and security audit report to the SB. 17 (2) Once the relevant documents are submitted to the SB according to paragraph 1, the qualified service providers shall be included in the trusted lists referred to in Art. 18 indicating that the notification has been submitted. 17 (3) The SB shall verify the compliance of the QTSP and of the QTSs provided by it with the requirements of the Regulation. The SB shall indicate the qualified status of the qualified service providers and the QTSs they provide in the trusted lists after the positive conclusion of the verification, not later than one month after the notification has been done in accordance with paragraph 1. Scope: Circumstances, procedures and formats for initiating QTSP services Content: Definition of a template with information to be notified to SB, including identification, contact details, scope of services, requested inclusion in trusted list, chosen independent body, and full report of the independent body along with the date of the assessment (report may not be older than 1 month); Definition of processes to be followed by SBs for the verification of the notification prior to the inclusion in the trusted lists, including specifically further investigation and auditing rights prior to inclusion, and the right to obtain further information from the recognised independent body; Consequences of delays should be clearly specified.
Standard: Need for standard: N 4 related: 13.5 Priority: H Ease: M Scheduling: ASAP Iteration: 1 16 (1) QTSPs shall be audited by a recognised independent body once a year to confirm that they and the QTSs provided by them fulfil the requirements set out in this Regulation, and shall submit the resulting security audit report to the SB. 18 Trusted lists

6.8 Trusted lists

Trusted lists 18 (5) act(s) concerning the definition of the information referred to in paragraph 1. 18 (1) Each MS shall establish, maintain and publish trusted lists with information related to the QTSPs for which it is competent together with information related to the QTSs provided by them. Scope: Definition of the content of trusted lists, based on the existing work of Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC Content: As per Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC (although generalised to cover other types of TSPs; minor changes can be expected); 4 related: 13.5 Priority: H Ease: E Scheduling: ASAP Iteration: 1 Standard: See below Scope: Definition of the technical specs, formats and maintenance obligations of national trusted lists, based on the existing work of Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC Trusted lists 18 (6) act(s) defining the technical specifications and formats for trusted lists applicable for the purposes of paragraphs 1 to 4. 18 (1) Each MS shall establish, maintain and publish trusted lists with information related to the QTSPs for which it is competent together with information related to the QTSs provided by them. 18 (2) MS shall establish, maintain and publish, in a secure manner, electronically signed or sealed trusted lists provided for in paragraph 1 in a form suitable for automated processing. Content: As per Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC (although generalised to cover other types of TSPs; minor changes can be expected). 4 related: 13.5 Priority: H Ease: E Scheduling: ASAP Iteration: 1 18 (3) MS shall notify to EC, without undue delay, information on the body responsible for establishing, maintaining and publishing national trusted lists, and Standard: Need for standard: Y

details of where such lists are published, the certificate used to sign or seal the trusted lists and any changes thereto. 18 (4) The Commission shall make available to the public, through a secure channel, the information, referred to in paragraph 3 in electronically signed or sealed form suitable for automated processing. Standard available: Y, when: Standard ref: EN 19 602 Trust Service Status Lists Format EN 19 612 Trusted List Format For historical reference: ETSI TS 102 231, implemented as through the Decisions above (deprecated by the new ENs)

6.9 Requirements for QTSPs

Requirements for QTSPs 19 (5) act(s) establishing reference numbers of standards for trustworthy systems and products (compliance with Art. 19). 19 (2) QTSPs providing QTSs shall: use trustworthy systems and products which are protected against modification and guarantee the technical security and reliability of the process supported by them; use trustworthy systems to store data provided to them, in a verifiable form so that: they are publicly available for retrieval only where the consent of the person to whom the data has been issued has been obtained, only authorised persons can make entries and changes, information can be checked for authenticity; Scope: References to applicable standards, as per the approach under the esignatures Directive Content: As per 2003/511/EC of 14 July 2003 (although generalised to cover other types of TSPs; minor changes can be expected). Standards: EN 19 401 General Policy Requirements for TSPs Supporting Electronic Signatures EN 19 411 Policy & Security Requirements for TSPs Issuing Certificates 5 Related articles: related: 13.5 (supervision criteria) Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.10 Legal effects and acceptance of electronic signatures

Legal effects and acceptance of electronic signatures 20 (6) act(s) concerning the definition of the different security levels of electronic signature referred to in paragraph 4. 20 (4) If an electronic signature with a security assurance level below QeS is required, in particular by a MS for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted. Scope: Definition of security levels Content: Definition of security levels, in general terms of criteria; Should be linked back to trusted lists, to ensure that security levels can be validated by relying parties. Standards: See below 6 Related articles: related: - Priority: L Ease: E Scheduling: optional Iteration: 2 (1: spec., 2: standard) Legal effects and acceptance of electronic signatures 20 (7) act(s) establishing reference numbers of standards for the security levels of electronic signature (compliance with paragraph 6). 20 (6) The Commission shall be empowered to adopt delegated acts in accordance with Art. 38 concerning the definition of the different security levels of electronic signature referred to in paragraph 4. 20 (4) If an electronic signature with a security assurance level below QeS is required, in particular by a MS for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic signatures matching at least the same security assurance level shall be recognised and accepted. Scope: References to applicable standard specifying security levels Content: Definition of security levels; Should be linked back to trusted lists, to ensure that security levels can be validated by relying parties.
Standards: Not available yet; should be developed under the M460 6 Related articles: related: - Priority: L Ease: E Scheduling: optional Iteration: 2 (1: spec., 2: standard)

6.11 QCs for electronic signature

QCs for electronic signature 21 (4) act(s) concerning the further specification of the requirements laid down in Annex I. Annex I QCs for electronic signatures shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic signature; a set of data unambiguously representing the QTSP issuing the QCs including at least, the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: the person's name; a set of data unambiguously representing the signatory to whom the certificate is issued including at least the name of the signatory or a pseudonym, which shall be identified as such; electronic signature validation data which correspond to the electronic signature creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire about the validity status of the QC; where the electronic signature creation data related to the electronic signature validation data are located in a QSCD, an appropriate indication of Scope: Definition of requirements through references to standards updated through M460 Content: Definition of requirements, in general terms of criteria; cf Decision 2003/511/EC. Standards: See below 6 Related articles: related: - Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

QCs for electronic signature 21 (5) this, at least in a form suitable for automated processing. act(s) establishing reference numbers of standards for QCs for electronic signature (compliance with Annex I). Annex I QCs for electronic signatures shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic signature; a set of data unambiguously representing the QTSP issuing the QCs including at least, the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: the person's name; a set of data unambiguously representing the signatory to whom the certificate is issued including at least the name of the signatory or a pseudonym, which shall be identified as such; electronic signature validation data which correspond to the electronic signature creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire about the validity status of the QC; where the electronic signature creation data related to the electronic signature validation data are located in a QSCD, an appropriate indication of Scope: Reference numbers for QCs Content: Following the template of Decision 2003/511/EC. Standard: Need for standard: Y Standard available: Y, when: Standard ref: EN 19 411 Policy & Security Requirements for TSPs Issuing Certificates EN 19 412 Profiles for TSPs issuing Certificates EN 19 432 Profiles for TSPs providing Signature Generation Services 6 Related articles: related: - Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

this, at least in a form suitable for automated processing.

6.12 Requirements for QSCDs

Requirements for QSCDs 22 (2) act(s) establishing reference numbers of standards for QSCDs (compliance with Annex II). Annex II (1) QeS creation devices shall ensure, by appropriate technical and procedural means, that at least: the secrecy of the electronic signature creation data used for electronic signature generation is assured; the electronic signature creation data used for electronic signature generation can occur only once; the electronic signature creation data used for electronic signature generation cannot, with reasonable assurance, be derived and the electronic signature is protected against forgery using currently available technology; the electronic signature creation data used for electronic signature generation can be reliably protected by the legitimate signatory against use by others. Scope: Reference numbers for QCs Content: Following the template of Decision 2003/511/EC. Standard: Need for standard: Y Standard available: Y, when: Standard ref: EN 19 211 Protection Profiles for Secure Signature Creation Devices EN 19 212 Application Interfaces for Secure Signature Creation Devices EN 19 221 Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures EN 19 241: Security requirements for trustworthy systems supporting Server Signing (Signature Generation services) 6 Related articles: related: - Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard) Annex II (2) QeS creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing. Annex II (3) Generating or managing electronic signature creation data on behalf of the signatory shall be done by a QTSP.

Annex II (4) QTSPs managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data for back-up purposes provided the following requirements are met: the security of the duplicated datasets must be at the same level as for the original datasets; the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.

6.13 Certification of QSCDs

Certification of QSCDs 23 (1) QeS creation devices may be certified by appropriate public or private bodies designated by MS provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by EC by means of implementing acts. Scope: identification of standards for security evaluation of QSCDs Content: Following the template of Decision 2003/511/EC. Standard: See below 6 Related articles: related: - Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard) Certification of QSCDs 23 (3) act(s) concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1. 23 (1) QeS creation devices may be certified by appropriate public or private bodies designated by MS provided that they have been submitted to a Scope: references to standards for security evaluation of QSCDs Content: Following the template of Decision 2003/511/EC. 6 Related articles: related: -

security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by EC by means of implementing acts. Standard: Need for standard: Y Standard available: Y, when: Standard ref: EN 19 203: Conformity Assessment of Secure Devices and Trustworthy systems Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.14 Publication of a list of certified QSCDs

Publication of a list of certified QSCDs 24 (3) act(s) defining circumstances, formats and procedures applicable for the purpose of paragraph 1. 24 (1) MS shall notify to EC without undue delay, information on QSCDs which have been certified by the bodies referred to in Art. 23. They shall also notify to EC, without undue delay, information on electronic signature creation devices that would no longer be certified. Scope: circumstances, formats and procedures for the publication of lists of certified QSCDs. Content: As per Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC, modified to be applied to QSCDs, rather than TSPs; 4 related: 13.5 Priority: H Ease: E Scheduling: ASAP Iteration: 1 23 (1) QeS creation devices may be certified by appropriate public or private bodies designated by MS provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by EC by means of implementing acts. Standard: Need for standard: Y, if machine processable lists are desired (as recommended by CROBIES) Standard available: N. The basic trusted list standard can be used, but a specific profile for QSCDs would need to be developed under M460. CROBIES inputs can be used as a starting point for this work, building on: EN 19 602 Trust Service Status Lists Format EN 19 612 Trusted List Format For historical reference: ETSI TS 102 231,

implemented as through the Decisions above

6.15 Requirements for the validation of QeSs

Requirements for the validation of QeSs 25 (2) act(s) concerning the further specification of the requirements laid down in paragraph 1. 25 (1) A QeS shall be considered as valid provided that it can be established with a high level of certainty, that at the time of signing: the certificate, that supports the signature, is a QeS certificate complying with the provisions laid down in Annex I; the QC required is authentic and valid; the signature validation data correspond to the data provided to the relying party; the set of data unambiguously representing the signatory is correctly provided to the relying party; the use of any pseudonym is clearly indicated to the relying party if a pseudonym is used; the electronic signature was created by a QSCD; the integrity of the signed data has not been compromised; the requirements provided for in Art. 3 point 7 are met; the system used for validating the signature provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues. Scope: Definition of validation requirements, including references to applicable standards. Content: Primarily reference to eligible standards. Standard: See below 6 Related articles: related: - Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard) Annex I QCs for electronic signatures shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic signature;

a set of data unambiguously representing the QTSP issuing the QCs including at least, the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: the person's name; a set of data unambiguously representing the signatory to whom the certificate is issued including at least the name of the signatory or a pseudonym, which shall be identified as such; electronic signature validation data which correspond to the electronic signature creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire about the validity status of the QC; where the electronic signature creation data related to the electronic signature validation data are located in a QSCD, an appropriate indication of this, at least in a form suitable for automated processing. 3 (7) AeS means an electronic signature which meets the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole

Requirements for the validation of QeSs 25 (3) control; and (d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; act(s) establishing reference numbers of standards for the validation of QeSs (compliance with paragraph 1). 25 (1) A QeS shall be considered as valid provided that it can be established with a high level of certainty, that at the time of signing: the certificate, that supports the signature, is a QeS certificate complying with the provisions laid down in Annex I; the QC required is authentic and valid; the signature validation data correspond to the data provided to the relying party; the set of data unambiguously representing the signatory is correctly provided to the relying party; the use of any pseudonym is clearly indicated to the relying party if a pseudonym is used; the electronic signature was created by a QSCD; the integrity of the signed data has not been compromised; the requirements provided for in Art. 3 point 7 are met; the system used for validating the signature provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues. Scope: Reference to applicable standards Content: Reference to eligible standards. Standard: EN 19 101: Policy and Security Requirements for Electronic Signature Creation and Validation EN 19 102: Procedures for Signature Creation and Validation EN 19 111: Protection Profiles for Signature Creation & Validation Applications 6 Related articles: related: - Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard) Annex I QCs for electronic signatures shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic signature; a set of data unambiguously representing the QTSP issuing the QCs including at least, the MS in which that provider is established and

for a legal person: the name and registration number as stated in the official records, for a natural person: the person's name; a set of data unambiguously representing the signatory to whom the certificate is issued including at least the name of the signatory or a pseudonym, which shall be identified as such; electronic signature validation data which correspond to the electronic signature creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire about the validity status of the QC; where the electronic signature creation data related to the electronic signature validation data are located in a QSCD, an appropriate indication of this, at least in a form suitable for automated processing. 3 (7) AeS means an electronic signature which meets the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using electronic signature creation data that the signatory can, with high level of confidence, use under his sole control; and (d) it is linked to the data to which it relates in such a way that any subsequent change in

the data is detectable;

6.16 Qualified validation service for QeSs

Qualified validation service for QeSs 26 (2) act(s) establishing reference numbers of standards for qualified validation service referred to in paragraph 1 (compliance with point (b) of paragraph 1). 26 (1) (b) A qualified validation service for QeSs shall be provided by a QTSP who: allows relying parties to receive the result of the validation process in an automated manner which is reliable, efficient and bearing the AeS or advanced electronic seal of the provider of the qualified validation service. Scope: Reference to applicable standards Content: Reference to eligible standards. Standard: EN 19 441 Policy & Security Requirements for TSPs providing Signature Validation Services EN 19 442 Profiles for TSPs providing Signature Validation Services EN 19 111: Protection Profiles for Signature Creation & Validation Applications 6 Related articles: related: - Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.17 Preservation of QeSs

Preservation of QeSs 27 (2) act(s) concerning the further specification of the requirements laid down in paragraph 1. 27 (1) A QeS preservation service shall be provided by a QTSP who uses procedures and technologies capable of extending the trustworthiness of the QeS validation data beyond the technological validity period. Scope: Definition of preservation requirements, including references to applicable standards. Content: Primarily reference to eligible standards. Standard: 6 Related articles: related: - Priority: M Ease: M Scheduling:

See below <12 Iteration: 2 (1: spec., 2: standard) Preservation of QeSs 27 (3) act(s) establishing reference numbers of standards for the preservation of QeSs (compliance with paragraph 1). 27 (1) A QeS preservation service shall be provided by a QTSP who uses procedures and technologies capable of extending the trustworthiness of the QeS validation data beyond the technological validity period. Scope: Reference to applicable standards Content: Reference to eligible standards. Standard: SR 19 522 Data Preservation Services through signing 6 Related articles: related: - Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.18 Legal effects of electronic seals

Legal effects of electronic seals 28 (6) act(s) concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4. 28 (4) If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a MS for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a Scope: Definition of security levels Content: Definition of security levels, in general terms of criteria; Should be linked back to trusted lists, to ensure that security levels can be validated by relying parties. 6 Related articles: related: - Priority: L Ease: E Scheduling:

minimum the same security assurance level shall be accepted. Standards: See below optional Iteration: 2 (1: spec., 2: standard)

Legal effects of electronic seal 28 (7) act(s) establishing reference numbers of standards for the security assurance levels of electronic seals (compliance with paragraph 6). 28 (6) The Commission shall be empowered to adopt delegated acts in accordance with Art. 38 concerning the definition of different security assurance levels of electronic seals referred to in paragraph 4. 28 (4) If an electronic seal security assurance level below the qualified electronic seal is required, in particular by a MS for accessing a service online offered by a public sector body on the basis of an appropriate assessment of the risks involved in such a service, all electronic seals matching at a minimum the same security assurance level shall be accepted. Scope: References to applicable standard specifying security levels Content: Definition of security levels; Should be linked back to trusted lists, to ensure that security levels can be validated by relying parties. Standards: Not available yet; should be developed under the M460 6 Related articles: related: - Priority: L Ease: E Scheduling: optional Iteration: 2 (1: spec., 2: standard)

6.19 Requirements for QCs for electronic seal

Requirements for QCs for electronic seal 29 (4) act(s) concerning the further specification of the requirements laid down in Annex III. Annex III QCs for electronic seals shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic seal; a set of data unambiguously representing the Scope: Definition of requirements through references to standards updated through M460 Content: Definition of requirements, in general terms of criteria; cf Decision 2003/511/EC. 6 Related articles: related: 21.4 Priority: H

Requirements for QCs for electronic seal 29 (5) QTSP issuing the QCs including at least the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: person's name; a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records; electronic seal validation data which correspond to the electronic seal creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire the validity status of the QC; where the electronic seal creation data related to the electronic seal validation data are located in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automated processing. act(s) establishing reference numbers of standards for QCs for electronic seal (compliance with Annex III). Annex III QCs for electronic seals shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic seal; a set of data unambiguously representing the QTSP issuing the QCs including at least the MS in Standards: See below Scope: Reference numbers for QCs for electronic seal Content: Following the template of Decision 2003/511/EC. Standard: Need for standard: Y Standard available: N, when: Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard) 6 Related articles: related: 21.4. Priority: H Ease: M Scheduling:

which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: person's name; a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records; electronic seal validation data which correspond to the electronic seal creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire the validity status of the QC; where the electronic seal creation data related to the electronic seal validation data are located in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automated processing. Standard ref: EN 19 411 Policy & Security Requirements for TSPs Issuing Certificates; a profile for seals is needed EN 19 412 Profiles for TSPs issuing Certificates; a profile for seals is needed <12 Iteration: 2 (1: spec., 2: standard)

6.20 Qualified electronic seal creation devices

Qualified electronic seal creation devices 30 (1) act(s) establishing reference numbers of standards for qualified electronic seal creation devices (compliance with Annex II). Annex II (1) QeS creation devices shall ensure, by Scope: Reference numbers for QCs Content: Following the template of Decision 2003/511/EC. 6 Related articles: related: -

- mutatis mutandis 22 (2) appropriate technical and procedural means, that at least: the secrecy of the electronic signature creation data used for electronic signature generation is assured; the electronic signature creation data used for electronic signature generation can occur only once; the electronic signature creation data used for electronic signature generation cannot, with reasonable assurance, be derived and the electronic signature is protected against forgery using currently available technology; the electronic signature creation data used for electronic signature generation can be reliably protected by the legitimate signatory against use by others. Standard: Need for standard: Y Standard available: Y; QSCD standards have been drafted to also cover QSealCD; however, a specific profile will be needed. Standard ref: EN 19 211 Protection Profiles for Secure Signature Creation Devices EN 19 221 Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures EN 19 212 Application Interfaces for Secure Signature Creation Devices Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard) Annex II (2) QeS creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing. Annex II (3) Generating or managing electronic signature creation data on behalf of the signatory shall be done by a QTSP. Qualified electronic seal Annex II (4) QTSPs managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data for back-up purposes provided the following requirements are met: the security of the duplicated datasets must be at the same level as for the original datasets; the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service. Qualified electronic seal creation devices may be certified by appropriate public or private bodies Scope: identification of standards for security evaluation of QSealCDs 6

creation devices 30 (2) - mutatis mutandis 23 (1) designated by MS provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by EC by means of implementing acts. Content: Following the template of Decision 2003/511/EC. Standard: See below Related articles: related: - Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

Qualified electronic seal creation devices 30 (2) - mutatis mutandis 23 (3) act(s) concerning the establishment of specific criteria to be met by the designated bodies referred to in paragraph 1. 23 (1) QeS creation devices may be certified by appropriate public or private bodies designated by MS provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by EC by means of implementing acts. Scope: references to standards for security evaluation of QSealCDs Content: Following the template of Decision 2003/511/EC. Standard: Need for standard: Y Standard available: Y. QSCD standards have been drafted to also cover QSealCD: Standard ref: EN 19 203: Conformity Assessment of Secure Devices and Trustworthy systems 6 Related articles: related: - Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

Qualified electronic seal creation devices 30 (3) - mutatis mutandis 24 (3) act(s) defining circumstances, formats and procedures applicable for the purpose of paragraph 1. 24 (1) MS shall notify to EC without undue delay, information on QSCDs which have been certified by the bodies referred to in Art. 23. They shall also notify to EC, without undue delay, information on electronic signature creation devices that would no Scope: circumstances, formats and procedures for the publication of lists of certified QSealCDs.
Content: As per Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC, modified to be applied to QSealCDs, rather than 4 related: 13.5 Priority: H Ease: E Scheduling:

longer be certified. 23 (1) QSCDs may be certified by appropriate public or private bodies designated by MS provided that they have been submitted to a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in a list that shall be established by EC by means of implementing acts. TSPs; Standard: Need for standard: Y, if machine processable lists are desired (as recommended by CROBIES) Standard available: N. The basic trusted list standard can be used, but a specific profile for QSealCDs would need to be developed under M460. CROBIES inputs can be used as a starting point for this work, building on: EN 19 602 Trust Service Status Lists Format EN 19 612 Trusted List Format For historical reference: ETSI TS 102 231, implemented as through the Decisions above ASAP Iteration: 1

6.21 Validation and preservation of qualified electronic seals

Validation and preservation of qualified electronic seals 31 - mutatis mutandis 25 (2) act(s) concerning the further specification of the requirements laid down in paragraph 1. 25 (1) A QeS shall be considered as valid provided that it can be established with a high level of certainty, that at the time of signing: the certificate, that supports the signature, is a QeS certificate complying with the provisions laid down in Annex III; the QC required is authentic and valid; the signature validation data correspond to the data provided to the relying party; the set of data unambiguously representing the signatory is correctly provided to the relying party; the use of any pseudonym is clearly indicated to Scope: Definition of validation requirements, including references to applicable standards. Content: Primarily reference to eligible standards. Standard: See below 6 Related articles: related: 25.2 Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

the relying party if a pseudonym is used; the electronic signature was created by a QSCD; the integrity of the signed data has not been compromised; the requirements provided for in Art. 3 point 21 are met; the system used for validating the signature provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues. Annex III QCs for electronic seals shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic seal; a set of data unambiguously representing the QTSP issuing the QCs including at least the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: person's name; a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records; electronic seal validation data which correspond to the electronic seal creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire the validity status of

the QC; where the electronic seal creation data related to the electronic seal validation data are located in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automated processing.

Validation and preservation of qualified electronic seals 31 - mutatis mutandis 25 (3) 3 (21) advanced electronic seal means an electronic seal which meets the following requirements: (a) it is uniquely linked to the creator of the seal; (b) it is capable of identifying the creator of the seal; (c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and (d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; act(s) establishing reference numbers of standards for the validation of qualified electronic seals (compliance with paragraph 1). 25 (1) A QeS shall be considered as valid provided that it can be established with a high level of certainty, that at the time of signing: the certificate, that supports the signature, is a QeS certificate complying with the provisions laid down in Annex III; the QC required is authentic and valid; the signature validation data correspond to the data provided to the relying party; the set of data unambiguously representing the signatory is correctly provided to the relying party; the use of any pseudonym is clearly indicated to the relying party if a pseudonym is used; the electronic signature was created by a QSCD; Scope: Reference to applicable standards Content: Reference to eligible standards.
Standard: QS standards have been drafted to also cover QSeals: EN 19 101: Policy and Security Requirements for Electronic Signature Creation and Validation EN 19 102: Procedures for Signature Creation and Validation EN 19 111: Protection Profiles for Signature Creation & Validation Applications 6 Related articles: related: 25.3 Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

the integrity of the signed data has not been compromised; the requirements provided for in Art. 3 point 21 are met; the system used for validating the signature provides to the relying party the correct result of the validation process and allows the relying party to detect any security relevant issues. Annex III QCs for electronic seals shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for electronic seal; a set of data unambiguously representing the QTSP issuing the QCs including at least the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: person's name; a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records; electronic seal validation data which correspond to the electronic seal creation data; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (g) is available free of charge; the location of the certificate validity status services that can be used to enquire the validity status of the QC; where the electronic seal creation data related to

the electronic seal validation data are located in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automated processing.

Validation and preservation of qualified electronic seals 31 - mutatis mutandis 26 (2) 3 (21) advanced electronic seal means an electronic seal which meets the following requirements: (a) it is uniquely linked to the creator of the seal; (b) it is capable of identifying the creator of the seal; (c) it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and (d) it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable; act(s) establishing reference numbers of standards for qualified validation service referred to in paragraph 1 (compliance with point (b) of paragraph 1). 26 (1) (b) A qualified validation service for qualified electronic seals shall be provided by a QTSP who: allows relying parties to receive the result of the validation process in an automated manner which is reliable, efficient and bearing the AeS or advanced electronic seal of the provider of the qualified validation service. Scope: Reference to applicable standards Content: Reference to eligible standards. Standard: QS standards have been drafted to also cover QSeals: EN 19 441 Policy & Security Requirements for TSPs providing Signature Validation Services EN 19 442 Profiles for TSPs providing Signature Validation Services EN 19 111: Protection Profiles for Signature Creation & Validation Applications 6 Related articles: related: 26.2 Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

Validation and preservation of qualified electronic seals 31 - mutatis mutandis 27 (2) act(s) concerning the further specification of the requirements laid down in paragraph 1. 27 (1) A qualified electronic seal preservation service shall be provided by a QTSP who uses procedures and technologies capable of extending the trustworthiness of the qualified electronic seal validation data beyond the technological validity period. Scope: Definition of preservation requirements, including references to applicable standards. Content: Primarily reference to eligible standards. Standard: See above 6 Related articles: related: 27.2 Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

Validation and preservation of qualified electronic seals 31 - mutatis mutandis 27 (3) act(s) establishing reference numbers of standards for the preservation of qualified electronic seals (compliance with paragraph 1). 27 (1) A QeS preservation service shall be provided by a QTSP who uses procedures and technologies capable of extending the trustworthiness of the QeS validation data beyond the technological validity period. Scope: Reference to applicable standards Content: Reference to eligible standards. Standard: SR 19 522 Data Preservation Services through signing 6 Related articles: related: 27.3 Priority: M Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.22 Requirements for qualified electronic time stamps

Requirements for qualified electronic time stamps 33 (2) act(s) establishing reference numbers of standards for the accurate linkage of time to data and an accurate time source (compliance with paragraph 1). 33 (1) A qualified electronic time stamp shall meet the following requirements: it is accurately linked to Coordinated Universal Time (UTC) in such a manner as to preclude any possibility of the data being changed undetectably; it is based on an accurate time source; it is issued by a QTSP; it is signed using an AeS or an advanced electronic seal of the QTSP, or by some equivalent method. Scope: Reference numbers for qualified time stamps Content: Following the template of Decision 2003/511/EC. Standard: Need for standard: Y Standard available: Y, when: Standard ref: EN 19 231 Security requirements for trustworthy systems supporting time-stamping EN 19 421 Policy & Security Requirements for TSPs providing Time-Stamping Services EN 19 422 Profiles for TSPs providing Time-Stamping Services 6 Related articles: related: 22.2 Priority: H Ease: M Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.23 Legal effects and acceptance of the electronic documents

Legal effects and acceptance of the electronic documents 34 (4) act(s) defining formats of electronic signatures and seals that shall be accepted whenever a signed or sealed document is requested by a MS for the provision of a service online offered by a public sector body referred to in paragraph 2. 34 (2) A document bearing a QeS or a qualified electronic seal of the person who is competent to issue the relevant document, shall enjoy legal Scope: Definition of signature formats and seals that should mandatorily be accepted by public services, comparable to the Decision of 25 February 2011 2011/130/EU establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities 6 Related articles: related: - Priority: H

presumption of its authenticity and integrity provided the document does not contain any dynamic features capable of automatically changing the document. Content: Can be largely reprised from Decision 2011/130/EU, i.e. mainly a reference to the acceptable formats Standard: Need for standard: Y Standard available: Y Standard ref: EN 19 132: XML Advanced Electronic Signatures (XAdES) EN 19 122: CMS Advanced Electronic Signatures (CAdES) EN 19 142: PDF Advanced Electronic Signatures (PAdES) EN 19 152: Advanced Electronic Signatures in Mobile Environments EN 19 162: Associated Signature Containers (ASiC) Ease: E Scheduling: <12 Iteration: 2 (1: spec., 2: standard)

6.24 Legal effect of an electronic delivery service

Legal effect of an electronic delivery service 35 (3) act(s) concerning the specification of mechanisms for sending or receiving data using electronic delivery services, which shall be used with a view to fostering interoperability between electronic delivery services. Scope: Definition of mechanisms applicable to electronic delivery services (EDS). Note that this paragraph refers to all EDS, not only to QEDS Content: 7 Related articles: related: - Can be based on art. 36 (which relates to QEDS), Priority: optional

but should be technology neutral; Procedural requirements with respect to the confirmation of the identity of the sender and recipient; Procedural requirements with respect to the confirmation of the time of sending and receipt of the payload; Logging/retention obligations in relation to the communication stream; Data protection compliance (data minimization, privacy by design, no logging of payload); High level requirements; Responsibilities/liabilities of EDS; Legal effect/value, likely in terms of validity as proof of sending/receipt Ease: D Scheduling: optional Iteration: 2 (1: act, 2: standard, if any) Standard: Need for standard: N, unless the delegated act wants to create interoperability between a specific implementation of EDSes in accordance with a specific standard/format choice (e.g. certain signatures, timestamps, communication protocols, etc.); in this case, references to applicable standards may be inevitable.

6.25 Requirements for qualified electronic delivery services

Requirements for qualified electronic delivery act(s) establishing reference numbers of standards for processes for sending and receiving data (compliance with paragraph 1). Scope: Reference numbers for QEDS Content: 7 Related articles:

services 36 (2) 36 (1) Qualified electronic delivery services shall meet the following requirements: they must be provided by one or more QTSP(s); they must allow the unambiguous identification of the sender and if appropriate, the addressee; the process of sending or receiving of data must be secured by an AeS or an advanced electronic seal of QTSP in such a manner as to preclude the possibility of the data being changed undetectably; any change of the data needed for the purpose of sending or receiving the data must be clearly indicated to the sender and addressee of the data; the date of sending, receipt and any change of data must be indicated by a qualified electronic time stamp; in the event of the data being transferred between two or more QTSPs, the requirements in points (a) to (e) shall apply to all the QTSPs. Reference to applicable standards. Standard: Need for standard: Y Standard available: Y. Further study is currently on-going via SR 19 530 Study on standardisation requirements for e-delivery services applying e-Signatures Standard ref: EN 19 511 Policy & Security Requirements for Registered Electronic Mail (REM) Service Providers related: 35 Priority: optional Ease: D Scheduling: optional Iteration: 2 (1: spec., 2: standard)

6.26 Requirements for QCs for website authentication

Requirements for QCs for website authentication 37 (3) act(s) concerning the further specification of the requirements laid down in Annex IV.
Annex IV QCs for website authentication shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for website authentication; a set of data unambiguously representing the QTSP issuing the QCs including at least the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, Scope: Further details of QC for website authentication Content: If adopted, the primary clarifications relate to the contents of the QC, notably specifying more explicitly which data should be used to unambiguously represent the QTSP and the holder of the QC (name and registration number, address info, etc). Standard: 7 Related articles: related: Priority: optional Ease: M Scheduling: optional Iteration: 2

Requirements for QCs for website authentication 37 (4) for a natural person: person's name; a set of data unambiguously representing the legal person to whom the certificate is issued, including at least name and registration number as stated in the official records; elements of the address, including at least city and MS, of the legal person to whom the certificate is issued as stated in the official records; the domain name(s) operated by the legal person to whom the certificate is issued; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (h) is available free of charge; the location of the certificate validity status services that can be used to enquire the validity status of the QC. act(s) establishing reference numbers of standards for QCs for website authentication (compliance with Annex IV). Annex IV QCs for website authentication shall contain: an indication, at least in a form suitable for automated processing, that the certificate has been issued as a QC for website authentication; a set of data unambiguously representing the QTSP issuing the QCs including at least the MS in which that provider is established and for a legal person: the name and registration number as stated in the official records, for a natural person: person's name; a set of data unambiguously representing the legal Need for standard: see below Scope: Reference numbers for QC for website authentication Content: Reference to applicable standards. Standard: Need for standard: Y Standard available: Y, although further work might be required; cf. below. Standard ref: EN 19 411 Policy & Security Requirements for TSPs Issuing Certificates (1: spec., 2: standard) 7 Related articles: related: 37.3 Priority: optional Ease: D Scheduling: optional Iteration: 2 (1: spec., 2: standard)

person to whom the certificate is issued, including at least name and registration number as stated in the official records; elements of the address, including at least city and MS, of the legal person to whom the certificate is issued as stated in the official records; the domain name(s) operated by the legal person to whom the certificate is issued; details of the beginning and end of the certificate's period of validity; the certificate identity code which must be unique for the QTSP; the AeS or advanced electronic seal of the issuing QTSP; the location where the certificate supporting the AeS or advanced electronic seal referred to in point (h) is available free of charge; the location of the certificate validity status services that can be used to enquire the validity status of the QC. EN 19 412 Profiles for TSPs issuing Certificates; however, a specific profile for website authentication under this standard would need to be developed

Acronyms:
AeS: Advanced electronic Signature
EC: European Commission
MS: Member State
QC: Qualified Certificate
QeS: Qualified electronic Signature
QSCD: Qualified electronic Signature Creation Device
QTS: Qualified Electronic Trust Service
QTSP: Qualified Electronic Trust Service Provider
SB: Supervisory Body
SCD: Electronic Signature Creation Device
STD: Standard
TS: Electronic Trust Service
TSP: Electronic Trust Service Provider

7. Economic, social and environmental impact of a European framework for ancillary services

7.1 Introduction

7.1.1 Context and objectives of the study

Electronic communication and electronic services, such as e-commerce and e-delivery, necessitate ancillary trust services allowing data authentication and information security. Network and information security should be understood as one of the crucial elements of the information society enabling smooth development and deployment of new systems, applications and electronic services. However, security problems persist. The increasing use of the Internet and electronic services is linked with fraud issues and cybercrime. At the moment, esignatures are recognised through the EU Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures, which aims to harmonise the internal market for esignature services. The identification, authentication and signature (IAS) components related to identity and the ancillary services (time stamping, long term preservation of signatures, e-seal, admissibility of e-documents, registered e-delivery, legal persons website authentication and the "I accept" button) as such, have not received the same treatment at the European Union level. Divergent rules with respect to legal recognition of the ancillary services and the accreditation of certification service providers in the EU Member States may create a significant barrier to the use of electronic communication and other electronic services. A clear European framework regarding the conditions applying to these ancillary services could strengthen confidence in, and general acceptance of, new technologies. Promotion of interoperability is seen as an essential requirement for acceptance within the market.
Against this background, the European Commission has asked the IAS Study Team in a meeting on Thursday 23 February 2012 to assess the potential impact of the inclusion of the seven ancillary services in EU Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures (hereafter "the Directive"). This assignment is part of the IAS study work. This document presents the results of our work.

7.1.2 Overview of ancillary services

We present a short overview of the seven ancillary services that are in scope of this study.

a. Time stamping

An "electronic time stamp" is data in electronic form which indicate the time when such data was created. A "qualified electronic time stamp" is an electronic time stamp, signed using an advanced electronic signature or other equivalent methods of authentication, linked to e.g. the Greenwich time in such a manner as to preclude the possibility of changing the data undetectably.

b. Long term preservation of signatures

Long term preservation of signatures is the transformation of the signature and if required the signed document in such a way that it can be validated after expiration of original signature algorithms or certificates. This is required because electronic signatures are often used to sign documents such as contracts that have an expiry date after the expiry date of the key with which the document is signed. Without long term preservation of signatures, any attempt to validate the signatures after the expiry date of the key would not be guaranteed.

c. E-seals

An "electronic seal" is data in electronic form which are attached to or logically associated with other electronic data and which ensure the integrity of a document and link the legal person to which the seal is issued to the document. A "qualified electronic seal" is an electronic seal which is based on a qualified certificate which is solely dedicated to the support of electronic seal.

d. Admissibility of native e-documents / admissibility of e-documents resulting from the scanning of paper documents

There should be no discrimination in the admissibility of native e-documents or e-documents resulting from the scanning of documents that were originally paper-based. In order to permit such admissibility, it should be possible to guarantee that the original document is functionally and semantically identical to the document submitted.

e. Certified electronic delivery

A "certified electronic delivery" is a service that enables to transmit data by electronic means and provides evidence relating to the handling of the data including proof of submission and delivery and protects transferred data against the risk of loss, theft, damage or any alterations.

f. Legal persons website authentication

A legal person's website authentication, or "web authentication certificate" implies a certificate which allows a website user to instantly ascertain that such website is secure and linked to a certain legal person.

We position ancillary services in the value chain of eSignatures on the Supply Side, as illustrated in the figure below.

Figure 1 - Supply and Demand Side of eSignatures (source: EC DG INFSO)

In the following sections of this document, we first present the methodology and protocols that have guided our research. Next, we present the results of our research.

7.2 Drawing up the conceptual framework for REA

7.2.1 REA-question

We used the so-called PICO acronym to confirm the research question that guides the REA.

1. Population
- Businesses
- Public authorities
- Citizens

2. Intervention
- The inclusion of each of the seven ancillary services (time stamping, long term preservation of signatures, e-seal, admissibility of e-documents, registered e-delivery and legal persons website authentication) in EU Directive 19999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures.

3. Comparison
- As-is situation: no inclusion of ancillary services in EU Directive 19999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures.

4. Outcome
- Economic impact, e.g. compliance cost and simplification potential, fraud prevention, economic growth (including the fostering of innovation and R&D)
- Social impact, e.g. safety and security
- Environmental impact, e.g. raw materials (paper)

Based on the PICO acronym and the original briefing we received from the European Commission, the following REA question was established: What is the economic, social and environmental impact of an increased use of ancillary services on businesses, public authorities and citizens, as a consequence of the inclusion of such ancillary services in the successor regulation of the EU Directive 19999/93/EC of the European Parliament and of the Council of 13 December 1999 on a community framework for electronic signatures?

7.2.2 Search process

a. Criteria for excluding and including studies
- Geographic scope: All developed countries (OECD countries with focus on European Member States (27), the United States and Australia)

- Date of publication: Published after 2006
- Language of publication: Focus on English documentation which is publicly available
- Research methods: All methods with equal attention to empirical (academic) studies and policy evaluation / impact studies

b. Terms for searching for relevant literature
A list of search terms was developed in order to search the relevant databases in an efficient manner:
- Ancillary services: time stamping, long term preservation of signatures, e-seal, admissibility of e-documents, registered e-delivery and legal persons website authentication; and different variants for each of the 7 services
- Digital signature(s)
- Security software
- ICT security
- Internet fraud
- Cybercrime
- Dematerialization
- Digital economy
- Economic/social/environmental impact, effectiveness, efficiency, evaluation

c. Sources that will be searched
We included a number of important electronic databases and other sources:
- Large scale pilot projects: These projects are largely run with and/or by EU Member States. The pilot projects typically develop practical solutions for cross-border government services, which are tested in real government service cases across Europe.
- European Commission Impact Assessments.
- Publications of Agoria (the technology federation of Belgium).
- Academic library and electronic databases (through University of Ghent)
- LibHub, the search interface to most e-articles available at Ghent University. It contains articles of the most important scholarly journal publishers (Elsevier, Wiley, Taylor&Francis,...), aggregators (Highwire, Jstor, Project Muse,...) and several open access repositories (arxiv, Citeseer, UGent biblio,...).

Electronic databases:
- IEEE Xplore: Database of technical literature in engineering and technology
- Elsevier: Provider of science and health information
- Citeseer: Scientific literature digital library
- Springer: International publisher of science, technology and medicine
- Sociological Abstracts: Database with international literature in sociology and related disciplines in the social and behavioural sciences
- EconLit: Source of references to economic literature
- Web of Science Web of Knowledge: Research platform for information in the sciences, social sciences, arts and humanities
- OECD: Database with information in the environment, human health and safety
- World bank documentation and reports: Database with operational documents (project documents, analytical and advisory work, and evaluations), formal and informal research papers and most World Bank publications.
- Social Science Research Network (SSRN): Devoted to the rapid worldwide dissemination of social science research and is composed of a number of specialized research networks in each of the social sciences.
- PwC knowledge exchange: Internal, global PwC knowledge database for information requests.

d. Terms for sorting/describing literature
The findings will be described and sorted, using the following structure:
- Title / Author / Date / Publication;
- Population (businesses, public authorities, citizens);
- Purpose of the study;
- Main findings;
- Critical role of ancillary services.

7.2.3 Research findings

a. Large Scale Pilots (LSPs)

LSP: Peppol (Pan European Public Procurement Online)

Consortium: The PEPPOL consortium is comprised of seventeen partners (mostly leading public eProcurement agencies) within 11 countries: Austria, Denmark, Finland, France, Germany, Greece, Italy, Norway, Portugal, Sweden and the United Kingdom.

Date: 2008 - currently running

Source: PEPPOL website [30] and additional documents such as technical specifications about WebNotarius and factsheets for economic operators, contracting authorities and ICT-industry

Purpose of study: Initiated in 2008, the Pan-European Public Procurement Online (PEPPOL) project has been developing and implementing the technology standards to align business processes for electronic procurement across all governments within Europe, aiming to expand market connectivity and interoperability between eProcurement communities.

Main findings:

Benefits for contracting authorities
- Improved market access, particularly for SMEs (small and medium enterprises), increases competition and lowers costs
- Greater transparency increases public accountability and reduces potential for corruption
- Automated procurement speeds up administrative activities and reduces costs
- Streamlined processes facilitate faster transition to green, sustainable purchasing
- Enhanced exports by national businesses increase the tax base

Benefits for economic operators
By breaking down barriers to allow seamless electronic communication across borders and communities, PEPPOL offers significant benefits to suppliers wishing to trade with the public sector:
- Improved access to tenders across borders increases business potential
- Greater transparency increases public accountability
- Automated procurement speeds up administrative activities and reduces costs
- Electronic communication results in immediate processing of invoices and improved cash flow
- Once connected to PEPPOL's network, suppliers can communicate easily to everyone within the PEPPOL community thereby enhancing efficiency and business prospects

Benefits for IT industry
As the sector most likely to use eProcurement for public tenders today, ICT solutions and service providers (and other industry sectors in future) will realise further efficiency gains and cost savings as more contracting authorities move to eProcurement. Those firms working with PEPPOL will also be presented with a number of business opportunities:
- Widespread PEPPOL adoption will create significant additional demand for more advanced IT services and more service transactions.
- First movers will gain valuable experience with PEPPOL standards and will have an advantage in securing early implementation contracts.
- Expertise in PEPPOL standards will add capabilities to their portfolio of offerings.

The PEPPOL eSignature Validation Infrastructure provides contracting authorities with the ability to validate digital signature certificates cross border. Electronic signatures based on electronic certificates are in common use already. They allow the secure identification of the sender of a document and ensure that a document has not been modified. PEPPOL aims to create interoperability between the different national schemes, so that in practice a public sector entity can validate certificates issued in other member states, allowing for electronic submission of tenders cross borders.

Government purchases in the European Union account for an estimated 19% of GDP, or 2.2B annually. Currently, less than 5% of total procurement budgets are awarded electronically, and only 1.6% of contracts are supplied by an entity in another Member State. It is estimated that if eProcurement is adopted by all European contracting authorities, annual savings could exceed 50B.

Critical role of ancillary services:
The PEPPOL components support the eProcurement process from eSourcing to ePayment.

Figure 2 - PEPPOL components

eSignature is a core component in the scheme. eSignatures identify companies or single persons, allowing the receiver of a document to confirm the identification of the sender (authenticity) and provide assurance that the document has not been modified in transit (integrity). PEPPOL's vision is to create interoperability between the different national schemes, so that a contracting authority can validate certificates issued in other EU member states, enabling electronic submission of tenders across borders. This means that an economic operator (supplier) can use the eSignature of its choice when submitting an offer to any public sector awarding entity.

PEPPOL addresses specific problems relating to the creation, verification and acceptance of eSignatures accompanying eProcurement documents, to enable cross border signature validation. The PEPPOL validation infrastructure consists of a network of federated validation services, able to validate qualified signature certificates from trusted certification authorities according to the national Trusted Services List (TSL) and also non-qualified certificates as long as they are accepted in certain procurement domains.

Use of the eSignature validation software is not mandatory for organisations piloting PEPPOL components. However, it is a valuable add-on service and has application beyond PEPPOL to any trust model that comprises various certification authorities. The eSignature verification service is also independent of the PEPPOL transport infrastructure.

To realise this vision, the PEPPOL project deliverables include a.o. XKMS and OASIS DSS interface specifications, architecture and trust models, and a trans-national verification system (prototype). For validation, PEPPOL makes a.o. use of WebNotarius for an electronically signed and time stamped confirmation. WebNotarius supports all popular signature standards (PKCS 7, CMS, Sig, S/MIME, XML dsig, CAdES, XAdES, PAdES), and uses the de facto standards for validation (TSL, OCSP, CRL, deltaCRL, ARL, DVCS, LDAP, SCVP, XKMS).

The following information is provided during the eSignature verification process:
- verification result,
- the date and time of verification,
- name of the document under which the signature was verified,
- signatures related to the particular electronic document,
- certificate or certificates verifying given electronic signature,
- reason, in case of incorrect verification and reason for signature/signatures verified as negative.

As such it is obvious that ancillary services (time stamping, long time preservation) play a critical role in the delivery of PEPPOL services and scenarios.

[30] http://www.peppol.eu/

LSP: e-Codex (e-Justice Communication via Online Data Exchange)

Consortium: Austria, Belgium, Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Malta, The Netherlands, Portugal, Romania, Spain, Turkey, CCBE and CNUE

Date: December 2010 - December 2013

Source: E-CODEX website [31] and additional documents such as deliverable 4.1 and e-Codex newsletter [32]

Purpose of study: Improving the cross-border access of citizens and businesses to legal means in Europe as well as improving the interoperability between legal authorities within the EU

Main findings:

Benefits for citizens
The project will result in a smoother cross-border operation of several judicial services.

Benefits for legal community
A strong future collaboration between the legal community and the e-CODEX project will empower the legal community in relation to both judicial authorities as well as EU citizens. By implementing the e-CODEX project, the legal community will facilitate the spread and usage of the instruments adopted in the European judicial area for all of Europe's citizens. This way the judicial services will not be limited to a national level, but instead be able to operate all over Europe. This will reinforce the administrative and judicial cooperation in the field of Justice and Internal Affairs.

Increasing claims by e-justice
Nowadays citizens and companies do not very often take small cross-border claims to court, because of the complexity and the inaccessibility. By digitalizing the legal cross-border process, the way to file a claim will be simplified.

Benefits for IT industry
The IT industry is an important reference group to consult for e-CODEX in this Large Scale Project. The IT industry is invited to support e-CODEX. This support can range from business advice to helping to improve processes or providing technical support in delivering technology.

Benefits for standard bodies
There will be opportunities for both parties to become engaged in sharing experiences and developing different categories of services - including, but not necessarily limited to, potential e-justice services. More than that, the contribution of the Standard Bodies will be seen as valuable since they will add legitimacy in setting up policies in a specific field of activity.

Critical role of ancillary services:
The broader vision of the project is that any citizen and/or legal professional in the EU can communicate electronically with any legal authority, including communication of legal authorities with each other. Services which will need to be developed are the ones which allow data exchange in the area of eJustice between the Member States. Time stamping is clearly indicated as a requirement, as specified in the e-CODEX deliverable D 4.1 e-identity: Inventory and requirements.

As specified on the e-CODEX website, Security and privacy are of serious concern for the project. To ensure these aspects and to prevent identity theft, e-CODEX does not only rely on and follow the developments within the currently known security- and transportation standards but involves studies commissioned by the European Commission and the experience of approved large scale projects like STORK, SPOCS and PEPPOL. The observed standards could for example be ebXML in case of transportation and WS-* and SAML in case of different security aspects.

As such it is evident that ancillary services (particularly time stamping, long term preservation and e-seals) are important for e-CODEX.

[31] www.e-codex.eu/
[32] http://www.e-codex.eu/index.php/component/acymailing/archive/view/mailid-12/key-62868e9b0ad4fae911bc6bc640716d87/subid-3-47a0d68e35df6545004013ae54cedd52/tmpl-component#e-Signature

LSP: SPOCS (Simple Procedures for Online Cross-Border Services)

Consortium: Austria, France, Germany, Greece, Italy, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Sweden, United Kingdom

Date: 2009-2012

Source: SPOCS website [33] and additional documents such as factsheets

Purpose of study: Businesses seeking to expand into other countries often struggle to comply with all the regulations they need to follow. Applying for licences, permits and completing other administrative procedures in another country can be complicated. SPOCS is a project that aims to overcome those obstacles.

Main findings:

Added value for citizens
SPOCS will contribute to:
- Fostering competitiveness
- Achieving greater interoperability
- Streamlining electronic procedures
- Gaining efficiency in administrative simplification and modernisation
- Improving usability and attractiveness of PSCs
- Increasing transparency and user-friendliness of procedures for service providers and service recipients
- Increasing cross-border activities
- Stimulating cross-border cooperation between Member States
- Reducing misuse / fraud

Added value for public administrations
- Administrative simplification and modernisation will enable you to save money and use your resources more efficiently
- Improve efficiency of cross border cooperation between Member States
- Increase cross border activities
- Increase user friendliness of public administration and improve administrative processes
- Improve usability and attractiveness of PSC in your country
- Promote growth and competitiveness of EU services and industry
- Achieve interoperability

Added value for IT
- Creates demand for IT products and services by public authorities and opportunities for businesses.
- Provides jointly developed, tested, scalable and quality assured software that can be re-used by everyone free of license costs.
- Allows new software products to be created, or value to be added to existing ones, by re-using SPOCS modules without license fees.
- Is stimulating the demand for next generation PSC solutions in a potentially large market of 16 countries that participate in SPOCS.
- Will motivate public authorities to invite private businesses to support them. This may range from business advice like improving processes and organisations to technical support e.g. delivering technology.
- Will encourage member states to improve the e-government capabilities of Points of Single Contact and competent authorities thus increasing the demand for IT products and services.
- Supports product development as it produces specifications and software components that private companies can turn into commercial products, add value to and offer customers in the public sector. All results of SPOCS are open and available under EU Public License without license fees.
- Gives you access to the latest information about building blocks for interoperable e-government services.
- Has set up a number of groups that bring potential buyers and suppliers of ICT products and services together.
- Can create spill-over effects that create additional demand for products and services beyond SPOCS.

Added value for business representatives
SPOCS will provide solutions that, among others, will allow:
- Information to be provided to the service provider that will combine information gathered from different Member States i.e. processes in one Member State related with documents from another.
- Submission of electronic documents from different Member States that can be easily checked for their validity and their suitability.
- Automatic retrieval of documents from a source of authentic documents in another Member State.
- Provision of a secure communication channel from the Point of Single Contact of one Member State to the service provider of another Member State with all the acknowledgment receipts required by law.
- Availability of e-services from your own country's online portal through the destination country's portal.

Critical role of ancillary services:
The building blocks of SPOCS are syndication, eDocumentation, eDelivery, eSafe and eService. For each of these building blocks, identification, authentication and signature will be important. Ancillary services, such as time stamping, will contribute to this.

Project deliverables such as Specifications for interoperable access to eDelivery and eSafe systems - Appendix 1: Security Architecture Development Process clearly indicate that timestamps are required for making it obvious when the document was signed, as well as for indicating the timing of events in audit logs. Audit records should also have reliable timestamps to make chronological reconstruction reliable. This is further supported by Specifications for interoperable access to e-Delivery and e-safe systems Appendix 2 Trust Service Status List Profiling ("SPOCS-TSL"), as well as Appendix 6 Security Model. Furthermore, eDelivery is explicitly specified as a building block.

As such it is obvious that ancillary services (particularly time stamping, certified electronic delivery) are required for continuing the successful deployment of SPOCS.

[33] www.eu-spocs.eu/

LSP: STORK

Consortium: The project includes 18 countries, with a total of 35 consortium partners. The consortium is a mix of public and private sector organisations.

Date: Currently running

Source: STORK website [34]

Purpose of study: The aim of the STORK project is to establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID. Cross-border user authentication for such e-relations will be applied and tested by the project by means of five pilot projects that will use existing government services in EU Member States. In time however, additional service providers will also become connected to the platform thereby increasing the number of cross-border services available to European users.

Main findings:
STORK has tested cross-border services in six areas such as Cross-border Electronic Services, SaferChat, Student Mobility, Electronic Delivery (secure online delivery of documents), Change of Address and European Commission Authentication Service (ECAS).

Benefits for citizens
The STORK project makes it easier for citizens to access online public services across borders by implementing Europe-wide interoperable cross border platforms for the mutual recognition of national electronic identity (eID) between participating countries.

Benefits for e-government
- People will be able to authenticate themselves securely and easily to access online Government services across Europe, using their national eID system.
- The secure access to administrative formalities will make it easier to move, live and work in different EU countries.
- People will be able to use cross-border services over the Internet without the need to visit the country in advance.
- The security of on-line transactions will be strengthened through increased use of eID services to authenticate users.
- Secure interoperable eID authentication will encourage the growth of online services.
- Common specifications at EU level will reduce the costs of implementing eID services.
- Interoperable eID authentication is a key enabler for the EU Services Directive and Digital Agenda, helping Member States to set up single points of contact for access to Government services.

Critical role of ancillary services:
Today, the European Commission provides various A2A services with restricted access rights. Currently, these are often handled by a rather insecure system using e-mails, usernames and PIN/passwords. With the Service Directive in particular, Europe is facing a major eID challenge. A2A services of common interest that could benefit from an improved IAS solution include:
- Internal Market Information System (IMI)
- Communication and information resource centre for administrations Business and Citizens (CIRCABC)
- Electronic exchange of social security information (EESSI)
- DG SANCO Reference Database System (SANREF)
- Consumer Protection Cooperation System (CPCS)
- LISFLOOD-Alert
- European Competition Network Electronic Transmission (ECN-ET)
- European Database for Medical Devices (EUDAMED)
- Secure Exchange and Storage of Agricultural Data (SESAD)

This list of services does of course not pretend to be exhaustive. It is obvious that having an EU-wide STORK or STORK-like deployed solution would help address the European eID challenge, particularly with regard to Identification and Authentication.

For the implementation, at the protocol level, communication will make use of protocols such as the SAML (Security Assertions Mark-up Language) protocol. SAML requests and responses may be signed and encrypted. As per the SAML protocol specifications, time stamping is a required service (e.g. to help fight attacks such as replay). Furthermore, reliable identification of a company website and e-seals are also contributors to STORK's services.

[34] www.eid-stork.eu
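How the timestamps carried in a SAML assertion help a receiving service reject replayed messages can be shown with a short sketch. It is an added illustration, not code from the study or from STORK: the sample assertion is constructed, the 60-second clock tolerance and the `ReplayGuard` name are assumptions, and signature verification is assumed to have succeeded before this check runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance between sender and receiver clocks

# Constructed sample: a minimal assertion with an ID and a five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-0001" IssueInstant="2012-02-23T10:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2012-02-23T10:00:00Z" NotOnOrAfter="2012-02-23T10:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a UTC xs:dateTime of the form 2012-02-23T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayGuard:
    """Accept each assertion ID at most once, and only inside its validity window."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter of the accepted assertion

    def check(self, assertion_xml, now):
        # For untrusted input a hardened XML parser (e.g. defusedxml) is preferable.
        try:
            root = ET.fromstring(assertion_xml)
            if root.tag != ASSERTION_TAG:
                return "reject: not a SAML assertion"
            assertion_id = root.get("ID")
            conditions = root.find("saml:Conditions", NS)
            not_before = parse_instant(conditions.get("NotBefore"))
            not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))
        except (ET.ParseError, AttributeError, TypeError, ValueError):
            return "reject: malformed or missing timestamps"
        if not assertion_id:
            return "reject: missing ID"

        # Time window: without it, a captured assertion would stay usable forever
        # and the replay cache below could never be emptied.
        if now + CLOCK_SKEW < not_before:
            return "reject: not yet valid"
        if now - CLOCK_SKEW >= not_on_or_after:
            return "reject: expired"

        # Forget IDs whose window (plus tolerance) has passed: they are already
        # rejected as expired, so the cache stays bounded.
        self._seen = {k: v for k, v in self._seen.items() if v + CLOCK_SKEW > now}

        if assertion_id in self._seen:
            return "reject: replayed"
        self._seen[assertion_id] = not_on_or_after
        return "accept"


if __name__ == "__main__":
    guard = ReplayGuard()
    t = datetime(2012, 2, 23, 10, 1, tzinfo=timezone.utc)
    print(guard.check(SAMPLE_ASSERTION, t))                         # first presentation
    print(guard.check(SAMPLE_ASSERTION, t + timedelta(seconds=5)))  # same message again
    print(guard.check(SAMPLE_ASSERTION, t + timedelta(minutes=30))) # long after the window
```

The validity window bounds how long the receiver has to remember an ID, which is why the timestamp and the one-time-use cache are used together.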

LSP: epSOS (European patients smart open services)

Consortium: The project team consists of 47 beneficiaries from 20 European Union (EU) member states and 3 non-EU member states

Date: 2008-2013

Source: epSOS website [35]

Purpose of study: epSOS aims to design, build and evaluate a service infrastructure that demonstrates cross-border interoperability between electronic health record systems in Europe

Main findings:

Benefits for patients
The goal of the epSOS large scale pilot project is to develop and test ("pilot") services that:
- Enable you as a patient to receive medication (ePrescriptions) when you are in another participating epSOS pilot country (the medication must initially be electronically prescribed in your home country).
- Provide health professionals access to the relevant, translated clinical information stored in your home country ("Patient Summary"). This data can only be accessed by the health professional where you are seeking care and only after you have provided your explicit consent.

Benefits for health professionals
As a health professional, epSOS helps you to provide better healthcare to foreign patients by giving you access to the necessary electronic patient data.
- Access to a Patient Summary and the patient's currently active prescriptions to improve the decision making process in diagnosis, based on the relevant clinical data from the patient's home country.
- Ability to identify the patient in the country of origin and consult the essential healthcare data using tools integrated in your existing work station or via the internet at the epSOS portal. All this is subject to strict security rules.
- Assistance in obtaining patient consent for healthcare services.
- Access to a leading service supported by the European Commission, while using your familiar technical environment or the epSOS portal.
- Access to patient data and eHealth information in your own language with an original copy.
- Better patient care through cross-border healthcare data exchange.
- Improved use of resources when providing healthcare to foreign patients.
- Increase of security by using a paperless electronic patient data system.

Critical role of ancillary services:
For EPSOS, identification, authentication and signatures are important requirements to guarantee the security of the healthcare data processing. Ancillary services are required to achieve this environment of trust. EPSOS uses a trust architecture that combines elements from PKI and IdP models. It can be illustrated as:

Figure 3 - EPSOS Trust Model Architecture - business view (source: Smart Open Services for European Patients - Open eHealth initiative for a European large scale pilot of patient summary and electronic prescription - Deliverable: Work Package Document WP3.7 D.3.7.2. Final Security Services Specification Definition - Section II - Security Services)

EPSOS specifies access control security, data integrity, data confidentiality, data exchange, auditing and accounting security, non-repudiation, and PKI security as domains. It is obvious that time stamping, long term preservation, e-seals, and certified e-delivery could contribute significantly to the efficiency and effectiveness of the electronic services proposed in EPSOS.

[35] www.epsos.eu

b. European Commission Impact Assessments

Title: Proposal for a regulation of the EU parliament and of the council - Amending Council Regulation No 3821/85 on recording equipment in road transport and amending Regulation No 561/2006 of the European Parliament and the Council

Author: Commission Staff Working Paper

Date: 2011

Publication: European Commission - 2011 impact assessment (IA) reports

Purpose of study: Impact Assessment of measures enhancing the effectiveness and efficiency of the tachograph system that accompanies the forthcoming revision of Council Regulation No 3821/85

Methodology of study and analysis performed: Executed in accordance with EU Impact assessment guidelines. Cost/benefit analysis but not complete. Data collection from stakeholders, Member States and literature.

Main findings: Regulation will make fraud more difficult and reduce the administrative burden, which is expected to save companies 515 million per year. By ensuring better compliance with rules on driving times and rest periods, drivers will be better protected, road safety will increase and fair competition will be assured.

Critical role of ancillary services:
The digital tachograph is a device (referred to as VU - vehicle unit or OBU - onboard unit) that is built into the vehicle by an accredited workshop using a workshop card. A cable connects it with a motion-sensor that captures the movements of the vehicle. The motion-sensor and the digital tachograph are cryptographically authenticated. To lawfully operate the vehicle, a driver needs to use his driver card.

The digital tachograph card is a smartcard, replacing the older paper-based cards. There are four card types: driver (logging all important driver and vehicle events), controller (to allow compliance checks), transport company (information retrieval), and workplace (calibration of the tachograph device in the vehicle in an accredited workshop).

In every Member State, an MSA (Member State Authority) has been created for its deployment. The MSA takes responsibility for the three core components in the Member State:
- CIA or Card Issuing Authority, the formal body issuing the cards;
- CP or Card Personaliser, the producer and personaliser of the cards;
- CA or Certification Authority, the producer of cryptographic certificates.

The system is typically linked to a Member State driving license register, to a national identity register, and to the EU-wide Tachonet. Tachonet has been created as the European network for interconnecting the MSAs. XML messages are used for information exchange between the CIAs. Connectivity is via TESTA. Security is achieved via a Public Key Infrastructure. A European PKI has been set up with the ERCA (European Root Certification Authority) as its root-CA.

In the case of the Digital Tachograph, the benefits come from the combination of dematerialisation and trust. This would not be possible without eSignatures. While the system which is currently in production does not rely on trusted timestamps or similar ancillary services, the announcements that have been made for the next generation make it clear that ancillary services will be required. To facilitate secure communications between the stakeholders and actors that are involved in the transportation landscape, time stamping and certified delivery in particular (e.g. for automatic batch reporting of the actual driving times from transport companies to the controllers) are the most likely candidates.

Title: Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience

Author: European staff working document

Date: 2009

Publication: European Commission - 2009 impact assessment (IA) reports

Purpose of study: Impact assessment of EU legislation to enhance the level of preparedness and response across Europe against cyber attacks

Methodology of study and analysis performed: Executed in accordance with EU Impact assessment guidelines. In summary, the methodology used throughout the Study is based on proven approaches for similar highly consequential advisory undertakings regarding critical infrastructures. The framework, range of experience and expertise, personal interaction and recommendation process enabled the Study team to delve deeply into the issues facing Europe's future networks, draw upon the knowledge of those most familiar with it, and establish a model for future interaction and sharing. Qualitative analysis of policy options based on impact indicators magnitude and likelihood.

Main findings:
The vulnerability of CII exposes society to high economic cost once incidents occur. For example, the World Economic Forum estimated in 2008 that there is a 10 to 20% probability of a major CII (Critical Information Infrastructure) breakdown in the next 10 years, with a potential global economic cost of approximately $250 billion. Research conducted for Business Roundtable by Keybridge Associates suggests that the economic costs of a month-long Internet disruption to the United States alone could be more than $200 billion.

A UK payment association estimated that the direct losses caused by malware to its member organisations grew from 12.2 million in 2004 to 33.5 million in 2006. According to the UK information security breaches survey, the worst security incidents caused disruption of service to small businesses for 1-2 days at an average cost of 8,000-15,000 each, whereas large businesses suffered average interruptions of 1-2 days at an average cost of 80,000-130,000 each. The average total cost of the worst incident (including direct financial cost and reputation damage) for large business is 90,000-170,000 and for very large business is 1-2 million.

Rationale for EU action: National approach to tackle the problems may not be sufficient; EU-wide approach can complement and bring added value to national programs.

Critical role of ancillary services:
In order to withstand cyber-attacks, various Ancillary Services have a potential for significant contribution. Most cyber-attacks are based on the creation and subsequent use of a botnet against a victim or victims. Such attacks start by seducing innocent Internet users to install some form of malware, turning them into an instrument of attack. Installing this malware will force them to share their identity or computer platform with the Command and Control server of the attacker.

As the seduction of the innocent users is often based on or includes some form of phishing, e-seals, certified electronic delivery and web authentication certificates all contribute to providing the end user trust mechanisms that will allow him to judge whether the information or transaction presented to him is genuine or not. E-seals can be used to ensure the authenticity of the origin of communications or documents. Certified electronic delivery (assuming the sender needs to be registered) can equally be used to ensure the authenticity of the origin of communications or documents. And a legal person's website authentication (a "web authentication certificate") will allow a website user to instantly ascertain that such website is secure and linked to a certain legal person.

c. Other documentation

Title: E-invoicing: Final step of an efficient invoicing process
Author: Heike Mai, Thomas Meyer
Date: 2010
Publication: Deutsche Bank Research
Purpose of study: Report about the current state of e-invoicing
Methodology of study and analysis performed: No information about the methodology used.

Main findings: E-invoicing is creating great expectations. Only integrated processes can yield cost savings however. The legal situation and the lack of interoperability are holding back the rollout.

Critical role of ancillary services: Confidence in e-invoicing can be increased by eSignatures. The confidence in such eSignatures can be increased by using Ancillary Services such as time stamping (terms of payment usually contain a reference to the moment the invoice was sent) and certified e-delivery (so a supplier can be sure his customer did receive the invoice).

Title: Young People and Emerging Digital Services - An Exploratory Survey on Motivations, Perceptions and Acceptance of Risks
Author: Wainer Lusoli, Caroline Miltgen
Date: 2009
Publication: Institute for Prospective Technological Studies
Purpose of study: The study aims to remedy the almost complete lack of EU evidence on eID services perceptions.
Methodology of study and analysis performed: The study comprises desk research, focus groups in four countries, an expert workshop, a survey pre-test and an online survey in four countries (France, UK, Germany and Spain)

Main findings: Most young people are sceptical of the Internet as an environment for the exchange of personal data. Major doubts exist in relation to the protection of personal data, whereas views are more balanced on infrastructure safety. Young Europeans are significantly concerned about a range of possible privacy consequences of the spreading of personal data. They are mostly concerned about stealth use, improper sharing and financial misuse of their personal information. Only 27% of young people feel that their personal information on the Internet is kept private (compared with 52% when asked to adults). Several elements would encourage the use of eID systems, such as assurance of respect of laws on data protection and information on the use of data. The overall message is that young people want some degree of assurance that their online transactions are technically safe and preserve their personal data privacy.

Critical role of ancillary services: In order to provide a degree of assurance that online transactions are technically safe and preserve personal data privacy, Ancillary Services could contribute. E-seals can be used to ensure the authenticity of the origin of communications or documents. Certified electronic delivery (assuming the sender needs to be registered) can equally be used to ensure the authenticity of the origin of communications or documents. A legal person's website authentication, or a "web authentication certificate", will allow a website user to instantly ascertain that such website is secure and linked to a certain legal person.

Title: Long-term verifiability of the electronic healthcare records' authenticity
Author: Dimitris Lekkas, Dimitris Gritzalis
Date: 2007
Publication: International journal of medical informatics 76 (2007) 441-448
Purpose of study: To investigate whether the long-term preservation of the authenticity of electronic healthcare records (EHR) is possible
Methodology of study and analysis performed: Analysis of requirements and restrictions for long-term digital signatures and development and analysis of solution framework (assumptions, requirements and implementation).

Main findings: Data authenticity is defined as the preservation of the integrity of the data (i.e. data is not modified during storage or transmission) plus the possibility of origin verification (i.e. the secure identification of the creator or the owner of the data). Both properties are assured by means of digitally signing. Authenticity of EHR is crucial for the trustworthiness of a HIS, especially in distributed environments where data is transmitted over insecure channels and stakeholders have never physically met.

Summary points:

What was known before the study:
Digital signatures have short lifespan.
Time-stamping and single notarization partially solve the problem.
The longevity of healthcare records is crucial.

What the study has added to the body of knowledge:
Trust can be successively transited to new entities, data and technologies.
The initial signature of the EHR is not required to remain valid in the future.
Cumulative notarization adds important security strengths and longevity to a signed EHR.
The proposed open, practical, XML-based framework gives an efficient solution to the problem of long-term verifiability of healthcare records authenticity.

Critical role of ancillary services: In the case of preservation of the authenticity of electronic healthcare records, Ancillary Services such as Time Stamping and long term preservation are explicitly mentioned as contributing factors.

Title: The web identity prevention: factors to consider in the anti-phishing design
Author: Vijay Chaudhari, Mohd. Ilyas Khan, Bhupendra Verma
Date: 2010
Publication: International Journal of Engineering Science and Technology Vol. 2(7), 2010, 2807-2812
Purpose of study: A few factors that can be used to the web identity theft prevention are discussed, such as evaluation of user psychology & educational efforts; source identification, URLs, certification authority, Mutual Authentication, Client & Server Side Security, recognition of phishing messages etc.
Methodology of study and analysis performed: The study is based on existing literature.

Main findings: Some particulars of the Phishing Attack:
Number of unique phishing email reports received by APWG from consumers in the year 2009: October - 33254, November - 30490 and December - 28897.
Number of unique phishing web site detected in the year 2009: October - 46522, November - 44907 and December - 46190.
Number of brand hijacked by phishing campaigns in year 2009: October - 356, November - 306 and December - 249.
In the United Kingdom losses from web banking fraud mostly from phishing almost doubled to 23.2m in 2005, from 12.2m in 2004.
United States businesses lose an estimated US$2 billion per year as their clients become victims.
In 2007 phishing attacks escalated. 3.6 million Citizens lost US $ 3.2 billion in the 12 months ending in August 2007.

Some approaches that are supposed to be practical to moderate phishing attacks are discussed:
1. Public-key infrastructure
2. Digital Signature
3. Authentications
4. HTTPS
5. Education & Training to Client

Critical role of ancillary services: In the context of fighting off phishing attacks, Ancillary Services can play a role. E-seals can be used to ensure the authenticity of the origin of communications or documents. Certified electronic delivery (assuming the sender needs to be registered) can equally be used to ensure the authenticity of the origin of communications or documents. A legal person's website authentication, or a "web authentication certificate", will allow a website user to instantly ascertain that such website is secure and linked to a certain legal person.

Title: Phishing Secrets: History, Effects, and Countermeasures
Author: Antonio San Martino, Xavier Perramon
Date: 2010
Publication: International Journal of Network Security, Vol.11, No.3, PP.163-171, Nov. 2010
Purpose of study: This paper presents the results of a study performed over phishing threats and vulnerabilities present in nowadays authentication environments. The main goal of this paper is to present our solution, the anti-phishing model which can be applied to any web environment, and not just to e-banking or the financial sector, without limitations nor additional requirements.
Methodology of study and analysis performed: Assessment of phishing history and proposition and assessment of new authentication method resistant to phishing attacks.

Main findings: From data reported for years 2006, 2007 and 2008 we can estimate an average of 15000 submissions reported to PhishTank and around 10000 valid phishing attempts. If the cost for each phishing incident is around 900$, as reported by Gartner, we can calculate a direct monetary loss of 90 million dollars per month just considering only those reported to PhishTank. By addressing phishing threats it is possible to save a loss of money and in addition new businesses will be made thanks to the increment in the customer trust and confidence and a consequent increment in the service demand. As presented in the previous paragraph, a huge number of phishing attempts exist, this implies a social and economical impact. The social impact is reported by Bajaj: Phishing has already taken its toll. Consumer confidence in email is at an all time low.
Sixty-seven percent, or 150 million, U.S. consumers don't use banking online today. And, over 88 million online banking customers would switch bank, or reduce online banking usage. In addition to the indirect losses produced by the low demand and usage of the e-banking services, there are direct losses. The Computer Crime Research Centre (CCRC) is a non-profit, non-governmental and scientific research organization. CCRC reported in 2004 an article entitled: The financial losses of Russian businesses caused by carder reached $20,000,000. Carders are illegal organizations specialized in counterfeiting plastic cards and in using the Internet for receiving information on card holders and card numbers. Gartner reports that the average dollar loss per incident in 2007 was $886 and the cost of phishing attacks is calculated at 3.2 billion dollars for 2007 in US only.

Virus Bulletin, in 2007, reports that Malware and Phishing cost more than 7 billion dollars in two years. In order to show an example of personal losses we report the case between the Bank of Ireland and a group of customers that fell victim to a phishing scam that drained 160,000 Euros ($202,000) from their accounts.

Critical role of ancillary services: In the context of fighting off phishing attacks, Ancillary Services can play a role. E-seals can be used to ensure the authenticity of the origin of communications or documents. Certified electronic delivery (assuming the sender needs to be registered) can equally be used to ensure the authenticity of the origin of communications or documents. A legal person's website authentication, or a "web authentication certificate", will allow a website user to instantly ascertain that such website is secure and linked to a certain legal person.

Title: Information security and cybercrime
Author: Ian Brown, Lilian Edwards, Chris Marsden
Date: 2009
Publication: Social Science Research Network (SSRN)
Purpose of study: This paper gives an overview of some tools for crime such as malware and botnets. It also gives a summary of national legislation and European law implementing Network Information Security (NIS). Some specific legal problem areas are discussed (e.g. phishing, buying zero day exploits)
Methodology of study and analysis performed: This study is more a literature overview.

Main findings: Legislation, policy, government spending and corporate response in the field of information security have been examined by for instance the Organisation for Economic Cooperation and Development (OECD) and the European Commission, which has identified three key risks for Internet security:
1. Attackers are increasingly motivated by profit rather than the technical interest that drove earlier hackers, with growing interest from organised crime and a sophisticated underground economy in stolen information and hacking tools
2. Mobile devices and networks present a significant new threat landscape, where security is so far less developed than on the personal computer
3. Ubiquitous computing will move computation and networking into the fabric of buildings and everyday things (e.g. through RFID and sensor networks), presenting new vulnerabilities.

Security incentives of organisations, ISPs and users should be better aligned. End users rarely have the time or technical background to shoulder the responsibility pushed onto them by the government for securing their own online activities. Financial services institutions, ISPs and software vendors in particular are in a better position to manage some security risks. The best way to encourage them to do this would be to carefully reallocate to them some of the liability for fraudulent payments, traffic from infected machines and insecure software.

Critical role of ancillary services: In the context of fighting cybercrime, Ancillary Services can play a role. E-seals can be used to ensure the authenticity of the origin of communications or documents. Certified electronic delivery (assuming the sender needs to be registered) can equally be used to ensure the authenticity of the origin of communications or documents. A legal person's website authentication, or a "web authentication certificate", will allow a website user to instantly ascertain that such website is secure and linked to a certain legal person.

7.3 Discussion

This REA has been undertaken in order to collect evidence on the relevance to include (some of) the ancillary services in scope of this study, in the new European IAS regulation. Qualitative evidence on potential impacts of particular ancillary services is available, but robust quantitative evidence has not been found and probably does not exist at this time. Against this background, it presents a considerable challenge to assess in a precise manner the potential contribution / impact of ancillary services. However, the qualitative evidence we retrieved suggests there are good arguments (in the absence of hard data) why some of the ancillary services should be considered for inclusion in the European regulation.

We want to mention that Identification and Authentication are prerequisites for the implementation of the Large Scale Pilot Projects. These are not further elaborated since they are not Ancillary Services.
We summarize the relationship between selected research findings and ancillary services as per the table below:

Table columns: Time stamping | Long term preservation of eSignature | e-Seals | Admissibility of native e-docs | Certified electronic delivery | Legal person's website authentication

PEPPOL Y Y
e-CODEX Y Y Y
SPOCS Y Y
STORK Y Y Y
epSOS Y Y Y Y
EC impact assessment 2011 Digitach Y Y
EC impact assessment large scale cyberattacks Y Y Y
e-invoicing Y Y
Young people Y Y Y
LTV of EHR Y Y
Web identity prevention Y Y
Phishing secrets Y Y Y
Information security and cybercrime Y Y Y

Table 1 - The relationship between selected research findings and ancillary services

Ancillary Services can be positive contributors to achieve wider deployment of electronic IAS services. As such, inclusion of these Ancillary Services in the European regulation may therefore help buttress the legal value and interoperability of the LSP's outcomes, and of other Use Cases of technology. This will result in benefits for citizens, public authorities and businesses.

A first set of Ancillary Services that appears to have a potential to contribute to the value of eSignatures includes: time stamping, and long-term preservation of signatures. We observe these two services are both close to the typical services involved when using eSignatures in a basic way.

A second set of Ancillary Services clusters around their added value in the context of fighting Cybercrime. Cybercrime and fraud are economically important issues. An EU-wide approach is needed to tackle these problems. The number of phishing attacks is high and growing. United States businesses have lost an estimated US$2 billion per year over time. There is no reason to think the situation would be different in Europe. E-seals can be used to ensure the authenticity of the origin of communications or documents. Certified electronic delivery (assuming the sender needs to be registered) can equally be used to ensure the authenticity of the origin of communications or documents. A legal person's website authentication (or a web authentication certificate) will allow a website user to instantly ascertain that a website is linked to a certain legal person.

7.4 References

7.4.1 Studies included in the Rapid Evidence Assessment

European Commission (2011) Proposal for a regulation of the EU parliament and of the council - Amending Council Regulation No 3821/85 on recording equipment in road transport and amending Regulation No 561/2006 of the European Parliament and the Council
European Commission (2010) Impact assessment - Regulation of the European parliament and the council concerning the European Network and Information Security Agency
European Commission (2006) Impact assessment - A strategy for a Secure Information Society - "Dialogue, partnership and empowerment"
European Commission (2009) Protecting Europe from large scale cyber attacks and disruptions: enhancing preparedness, security and resilience
Joseph J. Cordes, Anthony Yezer, Garry Young, Mary Catherine Foreman, Charlotte Kirschner (2006) Estimating economic impacts of homeland security measures
Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder (2011) Botnets: Detection, Measurement, Disinfection and Defence
Heike Mai, Thomas Meyer (2011) E-invoicing: Final step of an efficient invoicing process
Wainer Lusoli, Caroline Miltgen (2009) Young People and Emerging Digital Services - An Exploratory Survey on Motivations, Perceptions and Acceptance of Risks
Ralf Cimander, Meiko Hansen, Prof. Dr. Herbert Kubicek (2009) Electronic Signatures as Obstacle for Cross-Border E-Procurement in Europe
Committee for information, computer and communications policy (2009) The role of digital identity management in the internet economy: a primer for policymakers
Dimitris Lekkas, Dimitris Gritzalis (2007) Long-term verifiability of the electronic healthcare records' authenticity
Tamas Szadeczky (2010) Problems of digital sustainability
Vijay Chaudhari, Mohd. Ilyas Khan, Bhupendra Verma (2010) The web identity prevention: factors to consider in the anti-phishing design
Antonio San Martino, Xavier Perramon (2010) Phishing Secrets: History, Effects, and Countermeasures
Aashish Srivastava (2011) Resistance to change: six reasons why businesses don't use eSignatures
I-Chiu Chang, Hsin-Ginn Hwang, Ming-Chien Hung, Ming-Hui Lin, David C. Yen (2007) Factors affecting the adoption of electronic signature: Executives' perspective of hospital information department
Ian Brown, Lilian Edwards, Chris Marsden (2009) Information security and cybercrime
Robert D. Atkinson and Andrew S. McKay (2007) Understanding the Economic Benefit of the Information Technology Revolution
Toby Stevens, John Elliott, Anssi Hoikkanen, Ioannis Maghiros, Wainer Lusoli (2011) The State of the Electronic Identity Market: Technologies, Infrastructure, Services and Policies
WebNotarius Service Communications technical specification ver. 2.0.

7.4.2 Other references

Davies P. (2003) The Magenta Book. Guidance Notes for Policy Evaluation and Analysis. Chapter 2: What Do We Already Know? London: Cabinet Office
Butler G., Hodgkinson J., Holmes E. and Marshall S. (2004) Evidence Based Approaches to Reducing Gang Violence, A Rapid Evidence Assessment for Aston and Handsworth Operational Group

8. Discussion on a pan-European eID system, challenges and opportunities

8.1 Introduction

The purposes of this chapter are twofold: first, it tries to briefly assess the current state of the European legal framework relating to electronic Identification, Authentication and Signatures (hereinafter IAS) mechanisms in an online environment. We will identify the main rationale behind the need for these mechanisms in electronic transactions and communication. We will also examine the main European legislation in place and we will try to identify the main requirements a successful IAS system should include.

Second, the chapter outlines a possible solution for a functional pan-European electronic identification (eID) model, drawing inspiration from existing legal frameworks. We will argue that it could be possible to set up a pan-European eID system, without a direct need to engage in wide-scale harmonization and without a comprehensive legal framework in place. We will examine an existing pan-European system and we will try to apply the same principles to a European eID system. Lastly, we will identify some basic features the proposed system should offer, in order to offer additional benefits compared to existing solutions, as well as possible risks and obstacles associated with such system.

8.1.1 Why do we need IAS for the information society - trusted communication and transactions

Internet has always been built on trust and self-regulation. But as is the case in an offline world, with growing number of entities in the community the level of trust starts to dissolve quickly. Today the internet is no longer an online village, where you knew 'everyone', with only 16 million users in 1995, nor a small town with 500 million 'inhabitants' in 2001. Today the internet is a vast system of 2 billion users (nearly a third of world population), growing with several millions of users each month. [36] It comes as no surprise that in such enormous community, the level of trust is considerably lower than it used to be.

At the same time, the growing size of the World Wide Web and 'Internet of things' provides growing possibilities for stakeholders and brings an increasing demand for reliable verification of information origin and identification of the entity 'on the other side'. More and more sensitive transactions are being concluded online. "The development of ubiquitous networks of electronic communications, and the general trends of globalization and increasing human mobility give rise to the need to ascertain 'who is who' on the internet, in the street, in the usage of services and in commercial transactions." [37]

Without sufficient trust in electronic communication, consumers will be reluctant to conclude transactions over the internet and enterprises will be reluctant to move services online. Digital confidence was identified as one of the main obstacles for further expansion of electronic services. Among the top reasons why people do not order goods and services online are concerns about payment security, privacy and trust. "Consumers will not shop online if they do not feel their rights are clear and protected." [38] Thus, the lack of trust in the online environment is seriously hampering Europe's economic development.

The problem is that the internet's original infrastructure by design lacks reliable means of identification. The communication originator and its recipient can be identified (in the internet's default infrastructure) only through an IP address, the information designated to a device through which the transaction is concluded, rather than to any entity behind the transaction. In many, if not most, of the internet 'transactions' this will not present any problem, since there is no need for stronger means of identification. In fact, anonymity is still one of the most prominent beneficial features of the internet as a place of free speech and free expression, which is extremely hard to control and can even support a change of political regime, as witnessed in the recent events often referred to as the 'Arab spring'.

On the other hand, the lack of an identification infrastructure also implies that it is not possible to reliably identify an entity behind a transaction even in cases where all the parties would wish to do so. Paradoxically, this often leads to a situation where individuals are 'forced' to provide more information than would be inherently necessary to successfully conclude a given transaction. A typical example would be an online shop, where customers are usually requested to provide an extensive set of personal details before concluding a simple sale of goods contract, whereas the same contract happens in an anonymous fashion in real-world situations. Service providers often use a 'take it or leave it' approach to push potential customers to provide all the information they want. [39] Thus, not only 'insufficient-identification', but also 'over-identification' are associated with the lack of appropriate IAS infrastructure. A proper eID system should seek to address both issues - reliability in terms of identification and privacy. [40]

[36] Statistics at: http://www.internetworldstats.com
[37] Andrade, N. N. G. d., Towards a European eID regulatory framework. The Legal Gaps, Barriers and Challenges of constructing a legal framework for the protection and management of electronic identities, (2012 - forthcoming) European Commission, Joint Research Center, p.4.
[38] Ibid., p.12.
[39] See: Rooy, D.v., Bus, J., Trust and privacy in the future internet - a research perspective, Identity in the Information Society (2010) Vol. 3, No.2, p.398. (available at: Springerlink.com)
[40] Andrade, op.cit., p.8.

With a growing number of online service providers and 'official' communication transferred online, a reliable identification is a prerequisite for concluding contracts at a distance with electronic means of communication. As the Commission recognized in its Digital Agenda for Europe: "Electronic identity (eID) technologies and authentication services are essential for transactions on the internet both in the private and public sectors. Today the most common way to authenticate is the use of passwords. For many applications this may be sufficient, but more secure solutions are increasingly needed." [41]

Reliable eID systems will help to provide necessary trust value for online communication, transactions and electronic documents. These systems could even improve standards we are used to rely on in an offline world. A digital signature which is linked to a specific eID will be far more reliable than a traditional hand written signature - the method of authentication which is trusted more for the reasons of long customary practice than its actual reliability. Moreover, a reliable eID system would open possibilities for certain (traditionally offline) services to be offered online (e.g., government services, legal proceedings, healthcare services, etc.) and therefore easily accessible, on demand and with 24/7 availability. Furthermore, a functional eID system could provide new opportunities for new types of services (e.g., 'safe-chat' for minors, or reliable dating services - in a sense of personal identification, not the desired outcome).

Today, "when a large scale EU or global enterprise wants to manage the IAS aspects of employees, contractors and partners, it faces a highly diversified landscape in both legal and technical terms. This is highly inefficient and costly." [42] Consequently, the system would cut expenses, while preserving and even enhancing productivity - the objective that enterprises, governments and individuals are desperately trying to achieve in times of economic stagnation.

After all, trustworthy eID systems already exist, as will be discussed further in this chapter. However, these are usually not based as much on legal foundations, but more often on technological ones. The legal framework is outdated and generally cannot keep up with the rapid technological developments. As a result, stakeholders are trying to fill the legal gap with more or less improvised solutions, building rather on practical measures than on legal policies. With an emergence of new authentication systems, such as various social network sites, and their extensive implementation with other services, the need to 'set up new standards' and corresponding legal framework is even more pressing, since these systems may soon become a de-facto standard in an online community. In order to realize the goals set up in the Digital Agenda for Europe - "a flourishing digital economy by 2020" - Europe will certainly need a predictable and reliable legal framework for information society.

[41] European Commission, A Digital Agenda for Europe, COM(2010) 245 final/2 (Digital Agenda).
[42] Quoted from: IAS Deliverable D1, page 30.

8.1.2 Current European legal framework

There are three key legal texts on European level regarding identity management: the e-Signature Directive, [43] the Privacy Directive [44] and the Services Directive. [45] The current framework is therefore based on a combination of different directives, implementing laws at national level and technological standards. It is not the purpose of this chapter, nor in its scope, to examine these instruments in much detail, [46] but it is necessary to briefly mention their role in an IAS framework.

The Privacy Directive established rules concerning processing and handling of personal data within the Union and possible transfer of these data outside the Union. The Directive was successfully implemented in all Member States and today the basic principles are the same throughout the Union. In the process of implementation, some important issues for interoperability were left in the competence of the Member States. In this regard, it is worth mentioning that the Privacy Directive expressly states that the "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed". [47] Consequently, although the Directive harmonized conditions that have to be met when handling personal data within the Union, it also left some interoperability issues for IAS systems unresolved.

The Service Directive sought to remove barriers within the internal market and, strictly speaking, is not directly relevant for the IAS framework. Nevertheless, it provides an important obligation for Member States to make all procedures and formalities, relating to access to a service activity, available through electronic means. [48] This implies a de-facto obligation for a functional cross-border authentication system.

[43] Directive 1999/93/EC on a community framework for electronic signatures; OJ L 13 (2000), p.12.
[44] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281 (1995), p.31.
[45] Directive 2006/123/EC on services in the internal market; OJ L 376 (2006), p.36.
[46] For a more comprehensive overview of European as well as national legal frameworks in place, see e.g.: Leenes et al., Stork - Towards Pan-European Recognition of Electronic IDs (eIDs) - D2.2 - Report on Legal Interoperability, (2010) STORK, available at: https://www.eid-stork.eu/; or Graux, H., Majava, J., and Meyvis, E., Study on eID Interoperability for PEGS - Update of Country Profiles - Analysis & Assessment Report, (2009) IDABC programme (available at: http://ec.europa.eu/idabc/servlets/Docb482.pdf?id=32522, accessed on 26 September 2011).
[47] Article 8.7 of the Privacy Directive.
[48] Art.8.1 of the Service Directive provides: "Member States shall ensure that all procedures and formalities relating to access to a service activity and to the exercise thereof may be easily completed, at a distance and by electronic means, through the relevant point of single contact and with the relevant competent authorities."

Deliverable D3, Version 2b (final)

The e-signature Directive is the main source of rules concerning electronic certificates and certification services. The Directive seems to address only one aspect of the IAS, but as Public Key Infrastructure (PKI) systems are becoming a standard for identity management systems in general, the Directive provides an important basis also for remaining IAS aspects. The exact scope of the e-signature Directive is a subject of constant debate. It is either seen as providing a legal basis only for electronic signatures to be used in the same manner and with the same legal value as hand written signatures; or more broadly as providing a general set of rules for using electronic signatures as a technology in general, covering any possible use of such technology and thus also entity identification and authentication.[49] The first position is supported by the fact that the e-signature Directive does not provide a material legal framework for the use of e-signatures in different situations than as an alternative to a hand written signature. The latter position builds on the wording of the Directive, where the electronic signature is defined as "a method of authentication"; and where a "certification-service-provider" is broadly characterized as "an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures" [emphasis added].[50]

Moreover, important issues for a functional IAS framework remain unresolved in the Directive. The e-signature Directive took as one of its building blocks the concept of identification. It described certificate as "an electronic attestation which links signature-verification data to a person and confirms the identity of that person".[51] It also imposed on CSPs the obligation to "verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which a qualified certificate is issued".[52] But without a necessary policy framework for identification and authentication procedures on EU level, Member States and CSPs were left to choose appropriate measures according to their local traditions and business/policy preferences. Rules and procedures for establishing an identity are thus subject to national legislation and differ throughout the Union. While this may seem reasonable, taking into account the sensitive nature of Member States' competence in this area, it creates further obstacles for cross-border recognition and implementation of a common European IAS framework.

Overall, e-signatures have been in the centre of legislative attention for several years. They were supposed to provide electronic documents with the same legal value as the paper versions enjoy in an offline world. The e-signature Directive partially achieved the said goal, but e-signatures are still not a common tool for an average user in day-to-day electronic communications and transactions. Though the e-signature Directive provided an important kick-start for the Union's policy in the area of IAS, its ambitious goals ("facilitate the use of electronic signatures and contribute to their legal recognition"[53]), seem today somehow incomplete and insufficient. The Commission is aware of this and proposed a revision of the e-signature Directive in its Digital Agenda for Europe. It is interesting to note here the phrasing chosen by the Commission in its proposal: the revision of the Directive should result in a legal framework for secure eAuthentication systems.[54] This might suggest that the interest of Union's legislator is finally shifting from just 'signature' aspect to the whole picture of IAS framework. Issues of Identification, Authentication and Signatures are interconnected and cannot fully operate without addressing all of them. As noted by the Commission: "Electronic Identity Management is a key element for the delivery of any e-services."[55]

[49] Graux, Majava, and Meyvis, op.cit., pp.107-110.
[50] Art. 2.1 and 2.11 of the e-signature Directive. See: Graux, H., Rethinking the e-signatures Directive: Moving towards a comprehensive legal framework for eID, (2011) IPTS workshop - Electronic identity for Europe, pp.3-6.
[51] Article 2.9 of the e-signature Directive.
[52] Annex II, Ibid.

8.1.3 Existing IAS systems

There are of course a number of electronic IAS systems already in place and we all use at least some of these on a regular basis (e.g., email, mobile phones using a SIM card, ebanking, etc.). For an easier explanation, we will divide these models into four main categories: Governmentally controlled, Open private, Closed Private and Hybrid private model. We will examine each model's strengths, weaknesses and suitable applications. Finally we will conclude, that there is a place for a different system that would accommodate some of the features missing in existing models.

a. Governmentally Controlled Model (national eID)

Various eID authentication systems have been built and deployed across the Member States and more are under way. Today, all Member States either already have some kind of governmentally controlled IAS system (or at least part of it) in place, or are currently preparing to introduce one in the near future.[56] These systems enjoy the highest trust value from the security and legal certainty point of view (within the given Member State), and they are usually built on a local implementation of the e-signature Directive. Government authorities generally act as trust issuers and systems thus enjoy a high trust value.

[53] Art.1 of the e-signature Directive.
[54] Key action 3 of the Digital Agenda, p.11.
[55] Commission, Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market, COM (2008) 798 final, p.10.
[56] See e.g.: Graux, H., Majava, J., and Meyvis, E., op.cit.

The identification process is based on two-factor or three-factor authentication, ensuring a high level of security. Systems are typically designed primarily for communication directly with the trust issuer (government) and are based on a centralised identity model.[57] Although they might be opened also for other relying parties, they usually act as closed systems. Typically, PKI certificates are issued on a smart card (as a part of a national ID card or on a separate card) and an additional device (a card reader) is usually required in order to use the system. Systems enjoy full legal recognition within their (local) legal framework. The use of the system is often however very limited, since governments are being cautious about wider deployment. Systems are also geographically limited and designed for domestic use only.

Depending on the point of view, the geographic limitations of a governmentally controlled model can be considered its main strength or weakness. From a Member States' perspective, the limited scope of the system ensures its full legal recognition within the local jurisdiction, since it fully complies with relevant local legislation (registration, eligibility, privacy policy, identity requirements, etc.). Furthermore, since these systems may offer an equivalent to traditional identification documents (paper-based ID cards, passports, drivers licence, etc.), governments are not eager to 'share' these systems with the private sector, and even less with any kind of 'foreign' entity in cross-border situations. Governments want to be in full control over the system, since they include sensitive personal data about their citizens and 'sharing' such information with other states could hinder the states' traditional sovereignty in this field.

From the users' point of view, the system will be sufficient as far as they only deal with domestic services (be it in the public or private sector).
This might very well be the case for the majority of individual users, but it will most likely prove insufficient when it comes to middle-sized businesses and large enterprises, which are active in cross-border trade in the internal market. For these entities (as well as for an increasing number of individuals who benefit from the free movement within the Union for purposes of work, study or simply travel), the strict geographic scope of these systems will constitute the greatest disadvantage, since they will only be able to use the system, after they fulfil local criteria and undergo a (more or less) burdensome process of registration; or worse, they might not be eligible to use the system at all.

An evident solution would be to make these existing local systems interoperable. A number of initiatives were launched in this respect,[58] which have identified a number of obstacles and are trying to find ways to overcome them.[59] But this process may prove to be too difficult, taking into account the fact that these systems are established through national legislation and their interoperability often requires a complicated process of legislative changes and amendments.

[57] For comparison of different identity management models, see e.g.: OECD, The Role of Digital Identity Management in the Internet Economy: A Primer for Policy Makers, DSTI/ICCP/REG(2008) 10/FINAL, Annex 1, p.16 (available at: http://www.oecd.org/dataoecd/23/38/43195291.pdf, accessed on 26.September 2011).
[58] To name but a few: STORK, PRIME, CROBIES, SPOCS; for a more complete list of research initiatives and projects devoted to eID and interoperability see: Andrade, op.cit., p.7; see also a list of currently running projects funded by ICT Policy Support Programme in the area of e-government, available at: http://ec.europa.eu/information_society/

b. Open Private Model (CertiPost, OpenID, Entrust, DigiNotar)

In the Open Private Model, trusted credentials are issued by a private organization - a professional identity provider. Usually, the identity provider does not act itself as a relying party. The employed technology mostly applies high security standards, and the identification process involves two-factor or three-factor identification. Typically, the identity provider has to be accredited as the Certification Authority (CA) according to its domestic legislation and will have a (higher or lower) level of liability towards its clients. The interoperability of identity management systems in this model is based on a 'federated identity model'[60] (linking various and even previously created accounts together), or on a 'centralised' identity system. Services are usually provided in exchange for remuneration.

Contrary to the governmentally controlled systems, identity providers in the Open Private Model are competing with other providers in a free market. Therefore, identity providers will be trying to connect as many services and relying parties to their system as possible. Users are free to choose an identity provider and can decide between a variety of services, trust levels, security levels, etc. There are no geographic limitations, and the scope will depend on provider's business model and ability to engage relying parties in its system. Thus, the use of the system is limited to the provider's network of relying parties and will be mainly used for transactions in the private sector, although the public sector may also take part in the system.

An Open Private Model may offer legal recognition and liability assurance, but these will depend on local legislation and any contractual limitations imposed by the service provider, and may not be sufficiently clear for an average user. However, the systems are often suitable only for enterprises, or individual users with above average technical skills and knowledge. The lack of a legal framework requires identity providers to compensate legal certainty with contractual terms, which might not be sufficiently clear and relevant for an average user.

[59] See e.g.: Hartmann, D., Körting, S., Security issues in cross-border electronic authentication, (2010) The European Network and Information Security Agency; or Leenes et al., op.cit.
[60] See e.g.: Smedinghoff, T.J., Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate, (2009) available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1471599 (accessed on 23.September 2011).

Systems might be too cumbersome to be deployed in more common transactions and will therefore have only a limited scope of use.

c. Closed Private Model (e-banking, mobile operators, e-shop account, AppleID, email)

The closed private model is by far the most commonly used identification system online. Every internet user owns at least one account within some kind of a closed private network. These range from e-mail accounts or e-banking services, through mobile operators, to simple e-shop accounts and various online profiles (e.g., AppleID, NikeID), but include also small-scale solutions such as corporate ID systems. In this model, identity providers are private organizations but, unlike in the open private model, they do not act as professional identity service providers. Instead, they use authentication system for one purpose only - communication between provider and user. The identity provider thus also acts as the only relying party of the system. The closed private model is designed to operate independently, with no formal connections to other systems. Therefore, the term 'silo model' is often used, since each such system represents a closed silo of identities that can be used only inside the silo.[61]

From a security point of view, these systems range from very elaborated and strong ones with two or three-factor authentication (e-banking), to systems with relatively low security standards and one-factor identification (e-mail, e-shop account). As already noted, it is not possible to interconnect 'siloed' systems and link one profile to different services. Hence, users have to create a new account with each service provider. Soon, users will end up with multiple accounts with many different providers. This could theoretically bring a security benefit for the user in case of security breach. While one system may be compromised and user's data stolen, the compromised system will have no inherent links with other systems (silos), and consequently, user's profiles stored in other systems will remain unaffected.
On the other hand, with multiple accounts, users have to manage multiple accounts, login names and passwords. Typically, this will not lead to a higher level of security: as users are confronted with too much information to remember, they usually decide to use the same login details (name and password) for most, if not all, their accounts. Combined with lower authentication standards in most of these systems (one-factor authentication), after acquiring user's password for one system, potential cybercriminals will most likely gain access to several remaining accounts.

The legal predictability of these systems is diverse. While some systems (like e-banking) may offer similar legal effects as traditional face-to-face transactions; most of these systems will be governed by contractual terms and conditions and might therefore offer different levels of legal certainty and liability limitations. Taking into account the known fact that users hardly ever read through these terms, their awareness about possible risks will be moderate at best.

[61] See: OECD, op.cit., Annex 1, p.16.

d. Hybrid Private Model (social connect - Facebook, Google, Twitter)

Recently, this new type of authentication model is gaining popularity on the web. With the rapid growth and success of social networking sites (namely Facebook, Twitter and the recently publicly launched Google+), users are creating more and more detailed electronic identities and fill their social network profiles with more and more personal information. Users may not be aware of the fact that their social networking site can, over time, acquire a much more detailed profile of their identity, than they intended to share. The information individuals would not be willing to share even with trusted parties in the real world (such as their location, relationship status, health concerns, etc.) are being uploaded to their electronic identities and made (more or less) publicly available on a daily basis. All this with a 'voluntary' consent of the data subject. Not only individuals, but also businesses and organizations are increasingly making use of social networking profiles. With more than 800 million active users,[62] Facebook is by far the largest publicly accessible eID database in the world. Hence, social networking sites soon recognized an opportunity to act as quasi-professional identity providers.

The system lies between closed and open private models and could therefore be called a 'Hybrid Private Model'. The eID is issued by a private organization, which is not a professional identity provider. The identity provider is then also a primary relying party of the system (unlike in the open private model), but makes it also possible for other relying parties to use its authentication system and link users' profiles with other service providers (unlike the closed private model). The system thus basically works as a federated identity model.[63] For users, this is a convenient way of setting up an account with different service providers.
Time management certainly plays a part in the popularity of this authentication model. The user simply logs in to her social network profile and confirms that a third party can access information stored in that profile. To comply with data protection regulations, the information accessed by a third party is indicated to users, who must give their prior consent. The system has practically no geographical boundaries and can be used across a variety of websites and services, as long as all parties are comfortable with such use.

The legal aspects of this authentication method are however very limited. Since the 'original' identity provider (social network) does not require any kind of reliable identity authentication prior to setting up users' profile, the factual identity of a user cannot be determined.[64] A Hybrid Private Model may therefore only be suitable for transactions and communication with a relatively low-trust value. The legal recognition and certainty of such eID is practically non-existent. It will be governed by the contractual terms agreed upon between user, identity provider and third parties. Applicable law is also selected in the agreement.[65]

[62] http://www.facebook.com/press/info.php?statistics
[63] See: Smedinghoff, T.J., op.cit.

While this kind of identity management system is convenient for many users and may be the best solution in certain situations, it is important to acknowledge that this method will not be perceived as a standard by individual users. In case a dispute will arise between two parties relying on such system, the legal means available will soon prove insufficient, because the system does not provide for any guarantees. Moreover, individuals may not be fully aware of possible trade-offs with their privacy when using such system.

The privacy concerns are a frequent source of criticism when it comes to social networking sites. Privacy setting possibilities may be constantly developing, but an average user usually relies on the default values set by the identity provider. Users' 'informed consent'[66] that is needed in order to transfer information to a third party can theoretically be legally valid, but actual 'informed' value of such consent is normally disputable. In practice, the information that users are about to make available is described in vague and general terms, rather than simply displaying all the information to be shared with the third party. In addition, it is not only a third party which acquires information about the user. The identity provider (social network) also gains additional information about user's behaviour vis-à-vis third party services. Consequently, users may end up with more personal information stored with an identity provider than they intended to.

8.1.4 Preliminary conclusion

All the above mentioned systems are successfully deployed in an online environment.
They are more suitable in certain situations and less in others. More importantly, users know how to use them and are used to relying on these methods in their electronic communication and transactions. It should therefore not be our aim to supplant or replace these systems with some kind of new state-of-the-art authentication system. The existing systems all have their ideal way of use and they will provide the best solution in certain situations, therefore they all certainly have a place in an IAS framework. As in the real world situations, "[t]he need to identify someone differs and has different aims, when it is done by the immigration control, by the highway patrol, by the bartender, by the bank clerk etc."[67] The same is valid for an online world. Various means of identification should therefore be preserved.

[64] It should be noted, that Terms and Conditions of a service usually require users to provide only real, accurate, correct and up to date information necessary for registration (although this is not always the case, e.g., Twitter). See e.g.: http://www.facebook.com/terms.php; or http://www.google.com/accounts/tos. However, this cannot be considered a reliable identity authentication method.
[65] Most likely, the agreement will provide for the laws of the State of California.
[66] Article 2(h) of the Privacy Directive.

However, the existing framework leaves many gaps open. The evolving technology tries to answer the demand for some kind of a solution and is naturally trying to fill in these gaps. "As a result, technology seems to be providing the values of certainty and predictability in the regulation of relationships that law should provide."[68] This might be practical and effective, but will not bring a solution in the long term. Thus, there is clearly a space, and moreover a need, for a better alternative to existing systems. The necessary preconditions for this alternative will be discussed in the next section.

8.2 Requirements for a pan-European eAuthentication system

In the section below, we will briefly examine the high level requirements that would need to be met by a pan-European eAuthentication system, irrespective of technical implementation choices.

8.2.1 User friendliness

If we want to create a system that will be accepted by an average user, it must be above all user-friendly, easy-to-use and understandable. Users should embrace the system, rather than be required to use the system. It should be recognized as an advantageous solution compared to traditional systems. However, it is necessary to strike a right balance between user friendliness and security requirements. On the one hand, identification based on a single-factor authentication will certainly provide a higher level of 'friendliness', but will be much more vulnerable to security attacks. On the other hand, a system with a perfect security infrastructure and three-factor authentication will by definition require a number of steps to complete the process and will clearly be more inconvenient. Hence, it would seem reasonable to provide multi-level authentication within the same system.
While a 'basic' single-factor authentication could be used in ordinary transactions and communication, a second more complex 'advanced' authentication could be employed whenever there would be a need for a higher trust value, even within the transaction that started with a 'basic' authentication. The idea is not new and the method of two-stage identification is often being used with e-banking services, where account information can be accessed with a 'basic' two-factor authentication (e.g., certificate and password), whereas payment has to be completed with an 'advanced' three-factor authentication (e.g., certificate, password and code received via mobile phone).

[67] Myhr, T., Regulating a European eID: A preliminary study on a regulatory framework for entity authentication and a pan European Electronic ID, (2005) The Porvoo e-ID Group, p. 8.
[68] Andrade, op.cit., p.15.

While the final solution and technical implementation of the system might be considered premature in the stage of merely drafting a legal framework, it should also be borne in mind, that these are the factors which may influence end-users' decisions the most. The system's interface as well as the practical solutions regarding the authentication tokens (smart card, certificate on USB memory stick, mobile phone implementation, etc.) will have a major impact on the system's utilisation. Without these criteria in mind already in the stage of preparing a legal framework, the system may very well turn out as yet another solution suitable only for specific user groups (e.g., lawyers, healthcare practitioners or accountants, who are by the nature of their profession required to interact frequently with the public sector and other parties in a formal way) or large enterprises with specialized IT departments.[69] Notwithstanding results and progress achieved in these sectors, "the usability of authentication solutions in private sector applications is considered to be of key importance".[70]

8.2.2 Technologically neutral, interoperable, cross-applicable

In an ever developing field of technology, it is extremely difficult to create a system that would be able to keep up with innovation requirements and a user's needs. The legal framework must not pose further obstacles. Basic rules must therefore be technology-neutral. That is not to say that technical standards should not be addressed at all. On the contrary, legal rules should ensure that a technical infrastructure will not hamper interoperability and cross-application of the system. Minimal technical standards should be regulated on a central level by the means of functional criteria for all stakeholders.
These standards have to be easily 'upgradable' to match with the current state of technology and, therefore, should not depend directly on the legal framework. The system should be suitable for a wide scale utilisation and cross-applicable over broad range of services. Relying parties should be able to implement the system easily with their services. Likewise, the system must be able to communicate with multiple end-user platforms and devices.

[69] Today, already more than 50% of enterprises in the Union are making use of e-government services by sending filled forms electronically, whereas for individuals the number is only 13%. (Eurostat - http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/e-government_statistics)
[70] Graux, Majava, and Meyvis, op.cit., p.121.

8.2.3 Secure and reliable

An increasing number of online possibilities brings about an equivalent increase in potential misuse and cybercrime. "Europeans will not engage in ever more sophisticated online activities, unless they feel that they, or their children, can fully rely upon their networks."[71] A reliable eID system has to prevent possible security threats and take appropriate steps to prevent any kind of misuse. A system has to be able to function 24/7, so that users and relying parties know that the system will be available whenever they will need it. Reliable communication between different parts of the system has to be secured. Inaccurate information or loss of data could have severe consequences and must be prevented. A system should provide a technical support centre to help resolve difficulties of any party using the system.

8.2.4 Legally predictable

Mutual recognition and legal acceptance throughout the Member States should be considered as the main benefit of the system compared to existing systems. Users could finally rely on one system throughout the Union, with clear and predictable legal consequences in all Member States. This central feature is also the major obstacle for setting up such a system, since EU is lacking the necessary harmonization in this field. Nevertheless, it is not necessary in order for a system to work to be entrusted with the same legal value in every Member State. As a start, it would be sufficient to assign at least certain minimal legal value to the system and provide users with a clear guidance over applicability and possible use in each Member State. Notwithstanding these assumptions, the final objective of the system should be full legal recognition as a valid means of identification throughout all Member States.

The legal predictability could attract a number of stakeholders to take part in the system. Without this feature, the system will not be much different from already existing solutions.
Legal acceptance and mutual recognition would bring a necessary trust level, and would enable utilisation of the system in wide areas, since parties relying on such system would have a similar legal certainty in their transactions as if dealing face-to-face.

8.2.5 Scalability

The system must be able to accommodate the growing demand and its own growth. It should be 'simple' enough to enable swift communication and functioning throughout its infrastructure, yet it must be secure enough to prevent misuse and avert security threats. This is a rather technical issue which can be solved with the system's implementation, but the important constraints should be borne in mind when drafting necessary framework. The system's additional services, other than identification, should also be taken into account. Identity authentication is only one feature of functional IAS system. Other services like e-signing, time stamping or e-archiving could also be included in the same system.

[71] Digital Agenda, op.cit., p.5.

8.2.6 Trust

All of the aforementioned requirements should contribute to the most important prerequisite of the system - trust. As already mentioned above, insufficient trust has been identified as one of the main rationales for individuals not to get involved in electronic transactions. "In a transformation to digital functions, it is vital to understand how the mechanisms of trust and identification can be maintained. Trust effectively facilitates human transactions and economic activities by reducing risks."[72] It is therefore essential to overcome this obstacle. A stakeholders' engagement in the process of drafting and implementing necessary legal framework could help to address main issues and facilitate a successful start of the system. It should be remembered, that the system will be offered on voluntary basis and that it should not replace on-going initiatives and existing solutions, but rather offer a better alternative or possibility to make these systems interoperable. Therefore, sufficient trust in the system will be crucial for stakeholders to take part in the system.

The level of trust will be directly connected with the identity providers. The more strict criteria will be set up for the identity authentication of an entity before issuance of its eID, the higher trust will be enjoyed within the system. On the other hand, criteria set up too strictly could hamper stakeholders' ability to participate in the system.
Conversely, an open system without trusted mechanisms for establishing eIDs would not be useful either, since parties would not have a sufficient trust in issued identity credentials. A proper balance has to be achieved between these principles. Users must have sufficient trust in the ability of identity providers to keep their personal data safe and not reveal more than necessary. Similarly, relying parties must have sufficient trust in issued eIDs, processes employed to establish these eIDs, as well as an assurance of liability in case 'things go wrong'. An important role of supervising mechanisms should be observed in this respect. Impartial authorities at local, as well as Union's level should be entrusted with supervising powers over relevant parts of the system. Compliance with applicable legislation and policy in the fields of privacy and data protection should be under close scrutiny by existing Member States' authorities.[73]

[72] Van Rooy, D., Bus, J., Trust and privacy in the future internet - a research perspective, Identity in the Information Society (2010) Vol. 3, No.2, p.398. (available at: Springerlink.com)

8.2.7 Obstacles

The creation of a pan-European IAS system with characteristics outlined above will be faced with many challenges and obstacles. The main issues are briefly identified in this section.

a. No offline legal framework for IAS

The complexity of the current European legal framework and the absence of clear rules concerning entity authentication at the European level were already discussed in the chapter above. In addition, there is the lack of any legal framework at the domestic level. A study carried out within the "eID Interoperability for PEGS"[74] showed, that in 25 Member States there is no "legal definition of the concept of an identity, and more importantly, how an identity can be established in an electronic environment".[75] Only two Member States (namely Austria and Finland) have the concept of identification legally defined. Having said that, it is only natural that the common taxonomy is also absent at European level. This might be quite striking, but considering the traditional way of entity authentication in real world situations (physical appearance and demonstration of official documents), and the fact that "in a historic perspective up until not very long ago a person had no need for an identity card";[76] the conclusion is not that surprising. Consequently, it might be even harder to set up an appropriate legal framework for IAS in electronic environment, when there is no express legal basis in an offline environment either, and procedures used in a real world derive mainly from customary practice.

Furthermore, this 'customary practice' differs throughout the Member States and the attributes necessary for establishing one's identity are diverse. Whereas the majority of Member States issues their citizens with some kind of physical ID document (such as paper-based ID card) and associated identity number, there are some exceptions to this rule.[77] Besides, attributes contained in these documents differ greatly, which can be demonstrated with the information contained within various eID cards issued by Member States. These range from a single identifier to an exhaustive list of identity attributes.[78] Finally, in some Member States legal persons can be issued with their own eID, whereas in other Member States only natural persons can obtain an eID and a legal person has to act through its 'natural' representatives. Taking all of this into account, one can easily conclude that some kind of common standard has to be found in order to set up an interoperable and cross-border applicable IAS system.

[73] According to Article 3.3 of the e-signatures directive, Member States already have an obligation to set up an "appropriate system that allows for supervision of certification-service-providers which are established on its territory (...)"
[74] Graux, Majava, and Meyvis, op.cit.
[75] Ibid., p.118.
[76] Myhr, op.cit., p.7.
[77] United Kingdom and Ireland do not issue any generally applicable ID cards nor general identity numbers. The introduction of identity cards in UK was reversed by the Identity Documents Act 2010 (c. 40).

b. Political issues and sensitive nature of national and European competence

Managing citizens' identity and corresponding databases is a field of traditionally national competence which touches sensitive issues of state sovereignty. Issuance of unique identifiers usually has to deal with constitutional restrictions and privacy policy regulations at national level. In some countries (notably Germany and Hungary), the constitutional courts already declared issuance of generalised unique identifiers to be in contradiction with their respective constitutions, and multiple 'sectoral' identifiers had to be used instead.[79] National governments may be reluctant to submit information about their citizens outside their (national) control and jurisdiction. Important privacy issues will be at stake, since the concept of privacy and accompanying standards will differ for each Member State, and the level of protection can be set up higher or lower. Authentication requirements are defined at national level and hold little relevance in cross-border situations.[80]

Furthermore, with an introduction of a European-wide eID system a number of 'big-brother' conspiracy theories will certainly emerge. The security and reliability of the system will thus be ever more crucial. This will be hard to control, given that the system will be spread throughout the Member States with different infrastructure and security standards.

Finally, the Union's competence in the given field is somehow unclear.
Since the ptential use f eid ranges acrss different fields, frm 'internal market' (shared cmpetence) t 78 As nted in the STORK reprt: "The eid's in the varius Member States differ in the amunt and nature f the attributes they cntain. On the ne extreme we have the Dutch DigiD, which nly cntains the identifier BSN. On the ther extreme we have eids, such as the Prtuguese Cartã de Cidadã which cntains name, date and place f birth, date and place f issuance f the card, validity perid f the card, parents, marital status, title and number f the card, picture and handwritten signature, residence, and Natinal register number, the hlder s address and tw digital certificates, ne fr identificatin and authenticatin and ne fr a qualified electrnic signature." (Leenes et al., p.cit. p.41) 79 Graux, Majava, and Meyvis, p.cit., pp.122-123. 80 Althugh it shuld be nted, that the e-signature Directive created an exceptin fr CSPs issuing PKI based certificates, since even freign entities can be accredited after meeting requirements, which are the same fr natinal and freign prviders. 147

administrative cooperation (supporting action) it will be difficult to choose (and sustain) the most suitable area of Union's action. In this regard, the already mentioned paragraph 7 of article 8 of the Privacy Directive should be borne in mind. 81 With the Lisbon Treaty, through Article 77 (3) TFEU, 82 the Union was granted new competence in the field of identity cards, but the heading of this article - border checks and immigration policies - suggests that it would not provide an appropriate legal basis for a fully functional eID.

Having said that, one might wonder, whether we should even try to establish a pan-European eID system, before we first resolve all the mentioned issues at the national level? The answer is quite optimistic: yes we should, because we have done it before! Earlier examples show that pan-European initiatives may prove to be successful alternatives living side by side with local initiatives. In the next section we will explore one of these initiatives a bit further in detail, the .eu TLD system, and make an analogy with a possible introduction of a .eu ID system.

8.3 Lessons learnt from .eu TLD

In this section, we will explain the basic characteristics of the .eu domain name system and outline the way it works. We will further try to apply principles identified within this system to outline a similar way for establishing a pan-European eID system. We will only consider features which might be relevant for such an eID system and we will therefore not go into much detail on other features.

The .eu Top Level Domain (TLD) was established as a voluntary domain name system (DNS), with the aim to promote the use of and access to the Internet networks and virtual markets, and consequently increase choice and competition. 83 On the basis of Art.171 TFEU two regulations were adopted. First, Regulation 733/2002 on the implementation of the .eu Top Level Domain, and second, Regulation 874/2004 84 which laid down more specific public

81 Article 8.7 of the Privacy Directive: "Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed"
82 Article 77 (3) TFEU: If action by the Union should prove necessary to facilitate the exercise of the right referred to in Article 20(2)(a), and if the Treaties have not provided the necessary powers, the Council, acting in accordance with a special legislative procedure, may adopt provisions concerning passports, identity cards, residence permits or any other such document. The Council shall act unanimously after consulting the European Parliament.
83 Recital (4) of the Regulation (EC) No 733/2002 of the European Parliament and of the Council of 22 April 2002 on the implementation of the .eu Top Level Domain, OJ L 113, 30.4.2002, p.1 (Regulation 733/2002).
84 Commission Regulation (EC) No 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration, OJ L 162, 30.4.2004, p.40 (Regulation 874/2004).

policy rules and principles governing registration. The registration was opened to the public in April 2006 and since then the .eu TLD grew quickly to the present number of nearly 3.5 million registered domains. 85

[Figure 1: .eu TLD system (diagram labels: Registry EURid, .eu TLD, WHOIS, Registrar, Registrant)]

The whole system is organized in a rather simple way (see figure 1). On the basis of Regulation 733/2002 a central Registry was selected through public procurement. The Registry had to be "a non-profit organization, formed in accordance with the law of a Member State and having its registered office, central administration and principal place of business within the Community" 86. The 'call for expressions of interest' was published in the Official Journal and subsequently the Commission entered into contract with the selected organization - EURid. The contract specifies the conditions of administration and management of the .eu TLD by the Registry, and provides the Commission with supervising powers. 87

The Registry is responsible for the accreditation of registrars and is not itself involved in registering domain names with the registrants, instead it merely approves or rejects registration requests submitted by registrars. This is an important feature of the system, since it resolves any potential language requirements and local identification issues. The process of accreditation "should be objective, transparent, and non-discriminatory", and

85 http://www.eurid.eu/ (accessed on 23 September 2011).
86 Art. 3.2, Regulation 733/2002.
87 Ibid., Art.3.1(c).

"only parties who meet certain basic technical requirements to be determined by the Registry should be eligible for accreditation". 88

A Registrar is "a person or entity that, via contract with the Registry, provides domain name registration services to registrants" 89. It is important to point out, that the term 'entity' means any entity and not only European based natural or legal persons. Hence, the system is open to free competition of registrars that comply with relevant domestic legislation and additional minimum requirements. These requirements are stipulated in the model agreement 90 that the Registry concludes with registrars and include mainly minimum technical requirements 91 and privacy policy concerns 92. The agreement is concluded for a period of one year and is automatically renewable, but the Registry can terminate the agreement in case the registrar breaches its obligations. In addition, registrars may voluntarily choose to subscribe to the Code of Conduct, 93 in order to distinguish themselves from other competitors and to gain a possible market advantage. The Code of Conduct is a voluntary instrument of self-regulation, which promotes accountability within the registrar community and regulates issues that would be difficult to address through a legal framework. It provides for a complaint procedure to deal with customers' complaints and thus creates an additional layer of supervision.

A Registrant eligible for .eu TLD is an entity (undertaking, organisation or natural person) 94 residing within the Union. Registrants are free to choose (and change) registrars which they enter into contract with. At the same time, registrants have to agree to general Terms and Conditions 95 issued by the Registry, and provide the registrar with certain necessary information. 96 The registration of domain names is governed by the first-come, first-served principle.

88 Recital 3, Regulation 874/2004.
89 Art.2(b), Regulation 733/2002.
90 Available at: http://www.eurid.eu/en/become-registrar (accessed on 23 September 2011).
91 As also required under recital 3 of the Regulation 874/2004, and in more concrete terms in Article 2.5 of the EURid Agreement.
92 These are expressed in Art.9 of the EURid Agreement and basically refer to relevant European rules (especially directive 95/46/EC - Data Protection Directive, Commission Decision 2002/16/EC and Safe Harbour Privacy Principles).
93 Available at: http://www.cc.eu/ (accessed on 23 September 2011).
94 Art.4.2(b), Regulation 733/2002.
95 Available at: http://www.eurid.eu/en/eu-domain-names (accessed on 23 September 2011)
96 Art.3, Regulation 874/2004.

The .eu TLD system provides also for a central WHOIS database 97 and an Alternative Dispute Resolution (ADR) mechanism, conducted by an independent body selected by the Registry. 98

8.3.1 Application to eID

Applying the .eu TLD system outlined above to the European eID context, one should in the first place stress the importance of the chosen regulatory instrument. The successful establishment and swift implementation of .eu TLD system was (partly) caused by the decision to employ a Regulation as a basis for its legal framework. It allowed the creation of a system that relies in its operation on local legislation (through registrars); nevertheless its main infrastructure is independent from Member States' diverse legal environments. There was no need for extensive harmonization, since the system only imposed some minimum standards for interoperability and left all the practical issues with Member States. The same approach will be crucial for setting up a European eID system with a similar simplicity.

Drawing inspiration from .eu TLD system, it is possible to imagine the whole system as a kind of federated identity management system, 99 where the eID (IP address of the website) is stored in a central database (Domain Name Server) and provided upon request to a competent party.

A European eID framework could be based on the same TFEU articles as .eu TLD regulations (Art.170-172), since the scope of these articles provides the necessary legal basis, as already suggested in their Title - 'Trans-European networks'. Art.170 provides:

"To help achieve the objectives referred to in Articles 26 [internal market] and 174 [economic, social and territorial cohesion] and to enable citizens of the Union, economic operators and regional and local communities to derive full benefit from the setting-up of an area without internal frontiers, the Union shall contribute to the establishment and development of trans-European networks in the areas of transport, telecommunications and energy infrastructures." [emphasis added]

Art.171 further provides that in achieving these objectives, the Union:

97 WHOIS database features information about the registered domain names owners (registrants) and about managing registrars. This information is submitted by the registrars and the obligation to provide necessary data is provided for in the contract with the Registry. Anyone can access the WHOIS database through EURid website and check the status, the owner and the registrant of any .eu domain. See also: Art.16, Regulation 874/2004.
98 Art.22, Ibid.; ADRs are currently handled only by the Czech Arbitration Court (http://eu.adr.eu/).
99 See: Smedinghoff, op.cit.

"(...) shall implement any measures that may prove necessary to ensure the interoperability of the networks, in particular in the field of technical standardisation, (...)"

8.3.2 The principles of a possible eID legal framework

The eID Registry would be selected through public procurement after publishing a 'call for expressions of interest' in the Official Journal. The Registry would have to be a non-profit organisation, formed in accordance with the law of a Member State, and have its registered office, central administration and principal place of business within the Union. In this way, an impartial and most suitable choice could be made, and entities from all Member States could take part in the tender.

After the Registry is established, it would authorise all registrars (identity providers or certification service providers [CSP]) through the conclusion of a model agreement and act as a supervising authority. Therefore, it could not itself act as an identity provider or a certification authority. The Registry would further establish the central database of the system, manage the information submitted by registrars and ensure the interoperability of the system, through designating necessary standards with a regular review according to evolving technological standards.

The Registrars would act as identity providers or Certification Service Providers (hereinafter referred to as identity providers). They would have to comply with domestic legal rules, and, if outside the Union, with relevant European legislation (Data Protection, etc.). Identity providers would apply local registration requirements. This would be an important feature of the system, since it solves the conflict between different national frameworks. In addition, there would be no need to address language requirements in the regulation, since all procedures regarding end-users' registration would be conducted at domestic levels, according to domestic rules and through identity providers registered with competent domestic authorities. On the other hand, identity providers would have to adhere to common rules and comply with minimum standards set up by the Registry. This would solve the problem of interoperability and diverse technical standards. Finally, identity providers would have a possibility to accede to voluntary self-regulation instruments (e.g. Code of Conduct), demonstrating their commitment to provide services of a higher standard.

The key feature of the above outlined system is, that in order to work it does not require a comprehensive IAS European framework to be put in place. First, the process of identification and establishment of eID is left with local identity providers, who must ensure compliance with local legislation. In this way, sensitive issues of national identification policy are left with the Member States. The Registry thus acts as a mere recipient of standardised eID credentials, after the identity provider carried out a process of identification at local level and according to local rules. Second, by delegating identification process to local identity providers, the language requirements and local identification issues will be solved on the domestic level and will not create cumbersome barriers for the whole system. This is

certainly not to say, that there is no need for an elaborated IAS framework at European level, but the proposed system could provide an important kick-start for further development, as well as fill in the gap in the current framework.

Moreover, the system would ensure supervision on multiple levels. First on domestic level, competent authorities would carry out supervision over identity providers operating within their jurisdiction, the same identity provider would further be under supervision of the Registry, which would ensure that common standards are complied with in all Member States. Finally, the Registry itself would be under scrutiny of competent European authorities (the Commission), which are also already monitoring Member States' authorities. To close the circle, European authorities are reviewed by European citizens through European Parliament and by Member States through the Council.

The system would operate as a 'user-centric' identity management model. In user-centric systems users have greater control over their personal information. As noted above, users will be free to choose their identity provider, independently from service providers (relying party) in order to receive their services. Users thus do not communicate their personal details directly with the relying party, instead identity providers act as trusted third parties that authenticate and store user's information. The relying party then simply accepts identity assertion provided by identity providers. "In this model, users choose what information to disclose when dealing with service providers in particular transactions although service providers may still require certain information for the transaction to take place." 100

Identity providers in user-centric model are separated from relying parties and should therefore operate in the interest of users (their customers) rather than relying parties. This should gain consumers a greater 'bargaining' power in determining what information is necessary to disclose in each type of transaction. Moreover, users may choose several identity providers so that the information is not stored all in one place. 101

Since the system will operate with a number of identity providers acting as trusted third parties, it must be based on the Circle of Trust principle. This means that each participating identity provider is trusted to accurately document the processes used to identify an entity, the type of authentication system used, and any policies associated with the resulting authentication credentials. 102 The 'model agreement' with the Registry could serve as a necessary prerequisite for the principle, since the agreement would be the same for all

100 OECD, op.cit., p. 17.
101 Ibid.
102 For more detailed explanation of Circle of Trust concept, see e.g.: The Liberty Alliance Project, Liberty Alliance Contractual Framework Outline for Circles of Trust, available at: http://projectliberty.org/liberty/files/whitepapers/liberty_alliance_contractual_framework_outline_for_circles_of_trust

identity providers. The rights and responsibilities relating to identification requirements could be defined as a separate set of standards maintained by the Registry and easily modifiable in case of technological progress or any other need.

Instead of a central WHOIS database featured in the .eu TLD system, 103 the eID system would provide a central database with a list of trusted certificates. In this way, relying parties would be able to simply (and even automatically) check the validity of a certificate provided by a third party. The database would operate on the basis of established Online Certificate Status Protocol (OCSP), 104 and would therefore enable simple, fast and for the end-user fully automatic verification of the certificate employed.

To complete the comparison with the .eu TLD system the need for Alternative Dispute Resolution (ADR) mechanism in the presented eID system is not evident. The ADR could prove useful in disputes between the Registry, registrars (identity providers) and relying parties, since these would otherwise be governed by different local jurisdictions. The ADR could therefore facilitate a uniform procedure for all identity providers involved in the system, creating an additional layer of trust in relying party vis-à-vis identity provider situations. As for the disputes between identity providers and users (their customers), the ADR would probably not be a suitable solution, since possible disputes would have to deal with local legislation concerning registration, privacy policy and data protection rules.

To conclude, drawing inspiration from the .eu TLD system, a possible legal framework for eID would be based on three main regulating instruments: (i) EU regulation, (ii) contractual agreements, and (iii) self-regulating instruments.

(i) The regulation would set up the basic legal framework, the system's central infrastructure, harmonize definitions and provide a clear level-playing field for stakeholders.

(ii) Contractual agreements would provide more detailed rules for day-to-day operation and would harmonize requirements for stakeholders to take part in the system, consequently creating a circle of trusted parties. A contractual basis would also allow for further, relatively easy, changes to the system. Technical as well as policy amendments could be made easily, without a need for a lengthy and cumbersome legislative process.

(iii) Lastly, (voluntary) self-regulating instruments such as Codes of Conduct (together with appropriate rules and procedures for their enforcement), could positively influence competition on the market, help end-users to make an informed decision and overall raise the level of services offered.

103 See N.62 supra.
104 For a basic explanation, see e.g.: Wikipedia, or SearchSecurity.

8.4 Characteristics of a possible pan-European eAuthentication system

8.4.1 Inherent dilemma

The system, as outlined in the section above, holds an inherent dilemma: the more legal consequences will be linked to the model, the more difficult it will be to have it accepted by the Member States. This is quite important to realize, since we are trying to establish a functional IAS model on the basis of only very limited European legal foundations in this area. We should keep in mind, that while some Member States are in favour of such systems and will probably support its wide utilisation and legal acceptance, others might be much more cautious and restricted in their approach.

We will therefore set aside a discussion about precise legal effects and services to be offered within the system. Instead, we will only examine the general requirements the proposed model should have, in order to distinguish itself from already existing systems and thus offer new benefits for its users. The list is in no way fully comprehensive nor exhaustive. It is recalled, that it will be firstly the Member States who will determine the final outcome of the system outlined in this chapter. Their willingness to embrace the system and their ability to implement it within the national rules will be crucial for its success, or failure.

8.4.2 Voluntary

The proposed system should be an alternative to already existing systems. It should be able to attract 'customers' by providing an added value, which other services cannot offer (mutual recognition, legal acceptance in cross-border situations, easy and secure way to identify oneself and others, etc.). As already stressed above, existing systems will be without doubt more suitable for many online activities and the proposed system will not therefore aim to replace these. Clearly, some users will not even make use of the system and they should therefore not be forced to embrace it. Existing systems and initiatives could cooperate with the system and provide additional services.

Hence, the main rationale for a European eID system is offering a missing service that could facilitate new opportunities for internal market and make free movement of goods, services, capital as well as persons within the Union even more possible. Once necessary rules and infrastructure will be in place, businesses, governments, service providers and individuals will be encouraged to implement the system on a voluntary basis. They should perceive the system as a reliable way to conclude transactions and deal with communication they were used to carry out only in an offline fashion, due to the high trust-value requirements and need for authentication of the claims.

Identity providers could participate in the system after fulfilling some minimal requirements and after acceding to the agreement with the Registry. Users will benefit from the free competition on the market, since they will be able to choose the provider that will be most suitable for their profile. New as well as existing organizations can participate in the system as identity providers - many entities already provide similar services and this could be additional 'product' in their portfolio (e.g. banks, eSignature CAs, governments, 'regional' administrations, etc.). Moreover, the competing environment should encourage new research and development, to provide potential customers with the best solution. In this way, stakeholders engaged in the system would be encouraged to keep up with the current technological development in the area, which is a very desirable feature in constantly developing area of technology.

8.4.3 User friendly

For an average end-user, the easy-to-use interface and convenience will be crucial factors for her decision to participate in the system. The existing possibilities should be explored and existing end-user devices used as much as possible. In first instance, the system should work with already widely employed PKI certification systems. This would enable identity providers to 'install' necessary tokens for users' eIDs on devices they already possess (e.g. smart card, USB, mobile phone, etc.). Accordingly, users would have a possibility to choose solutions they prefer the most. An additional benefit of this approach would be that users could apply procedures they are already familiar with.

8.4.4 Secure

Security should be another crucial aspect of the system. Apart from technological requirements and the need to keep up with the latest development in the field, further obligations would be imposed on participating parties. A strict compliance with relevant rules and especially data protection and privacy policy must be observed at all levels. The competent national authorities should carry out a rigorous supervision over identity providers under their jurisdiction. Likewise, competent European authorities would review the operation of the Registry and make sure that uniform rules apply to all identity providers. Users would also have a certain level of responsibility. They would be required to employ reasonable precautionary measures to prevent misuse of their eID, the same obligation which they already have with regard to their bank cards.

Through agreement with the Registry, the identity providers would be authorised to use the system and users could be sure that these entities have to comply with relevant EU and

national legislation. The system would therefore enhance the level of trust in online services connected to the system, because users would know that the entity behind the website was reviewed and authorized by competent authorities.

8.4.5 Privacy

Often an eID includes more information than will usually be necessary for most transactions, therefore, the system should treat each authentication request on a case-by-case basis, or rather create categories of requests necessary for a given transaction type. In this way, users would gain additional privacy benefits when using the system. The users would no longer be pushed to 'over-identify' themselves in order to gain access to a certain service. Only specific attributes related to the transaction should be corroborated (e.g., to the question: "Is the user older than 18?" the system would provide only "yes/no" answer, and not the user's whole birth date).

Relying parties could not argue that users have to provide them with extensive personal information, so they can be sure they will be able to identify the user in case there is a legal need. Instead, the system would provide them with only limited information necessary for the given transaction and more complete information would be revealed only in case there is a legitimate need (e.g., in case of legal dispute). Attribute authentication would therefore be a key feature in bringing more privacy to users, who could be sure that they only provide information which is necessary.

8.4.6 Custom made

The system could also provide for certain adjustments to accommodate individual needs. There could be a possibility to enable only certain services (e.g., eGovernment services and document signing) and to disable others (e.g., eBanking, online shopping). The issued eIDs could therefore offer a wide variety of authentication 'levels' and functions. For example: minors could be issued with an eID that could be used only to authenticate themselves for 'safe-chat' services; whereas their parents could use their eID for the whole range of services.
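The yes/no attribute answer of 8.4.5 combined with the per-eID service restrictions of 8.4.6, as an added Python example that is not part of the study: the identity provider answers one predicate for one relying party and never releases the birth date. The record layout, the predicate name, the `rp.example` audience, the validity period and the shared HMAC key (standing in for the identity provider's PKI signature) are all assumptions.

```python
import hashlib
import hmac
import json
import time
from datetime import date, datetime, timezone

# Constructed sample records, held only by the identity provider (IdP).
IDP_RECORDS = {
    "user-001": {"birth_date": date(1990, 5, 17),
                 "enabled_services": {"egovernment", "signing"}},
    "user-002": {"birth_date": date(2012, 3, 2),
                 "enabled_services": {"safe-chat"}},
}

ASSERTION_TTL = 120  # seconds an assertion stays valid (assumed value)


def _age(birth: date, today: date) -> int:
    """Full years elapsed between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


# Yes/no predicates the IdP is willing to answer; each yields a bool only.
PREDICATES = {
    "age_over_18": lambda rec, today: _age(rec["birth_date"], today) >= 18,
}


def _mac(claims: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON (assumed stand-in for a PKI signature)."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_assertion(user_id, predicate, service, audience, nonce, key, now=None):
    """IdP side: answer one predicate for one relying party and one service."""
    now = time.time() if now is None else now
    record = IDP_RECORDS[user_id]
    if service not in record["enabled_services"]:
        raise PermissionError(f"service {service!r} is not enabled for this eID")
    if predicate not in PREDICATES:
        raise ValueError(f"unsupported predicate {predicate!r}")
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    claims = {
        "predicate": predicate,
        "result": PREDICATES[predicate](record, today),  # the only user data released
        "service": service,
        "aud": audience,  # binds the answer to one relying party
        "nonce": nonce,   # binds it to one request, so it cannot be replayed
        "exp": int(now) + ASSERTION_TTL,
    }
    return {"claims": claims, "mac": _mac(claims, key)}


def verify_assertion(assertion, expected_audience, expected_nonce, key, now=None):
    """Relying-party side: return the yes/no answer or raise ValueError."""
    now = time.time() if now is None else now
    claims = assertion["claims"]
    if not hmac.compare_digest(_mac(claims, key), assertion["mac"]):
        raise ValueError("integrity check failed")
    if claims["aud"] != expected_audience:
        raise ValueError("assertion issued for a different relying party")
    if claims["nonce"] != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if now > claims["exp"]:
        raise ValueError("assertion expired")
    return claims["result"]


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)
    nonce = secrets.token_hex(16)
    token = issue_assertion("user-001", "age_over_18", "egovernment",
                            "https://rp.example", nonce, key)
    print(json.dumps(token, indent=2))
    print("over 18:", verify_assertion(token, "https://rp.example", nonce, key))
```

The assertion carries neither a user identifier nor the birth date, so the relying party learns only the answer to its question.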
This is certainly not a new concept (since even bank cards offer a variety of options and associated services), but having the possibility to enable/disable a wide range of services using a simple system would bring more convenience for users, open new possibilities for service providers and businesses, as well as provide solution for some unresolved issues like safe-chat and safe online activities for children.

8.4.7 Portability

It has become a growing trend to base trust in some online situations mainly on reputation acquired over the time in a certain online community. A typical example would be the user's

profile on a discussion forum, where she, over time, builds up a certain reputation as a natural consequence of her activities. Thus, members of the forum will soon be divided in different categories associated with different experience and trust levels. When a new user joins the forum, she will be able to immediately recognize 'experienced commentators' and ascribe a higher trust value to their posts. Accordingly, even users with high level of experience or trust from an offline world will have to firstly build up their reputation within the given community, before their comments will be taken seriously. 105

Increasingly, other online services are starting to apply the same model. The prominent example is online auction sites (such as eBay), where the necessary trust-level in individual-to-individual transactions is based on the individual's reputation, built up on reviews provided by other users of the system. Online reputation is thus becoming an increasingly important factor even in the course of trade and commercial transactions. It is however difficult, if not impossible, to transfer one's reputation across different websites and services, and users are required to start from scratch each time they change a service provider.

The proposed system could provide a solution for this problem. The service provider, with whom the user had already established his reputation, would simply issue the user with a credential that could be attached to the user's eID and could then be used with other service providers. Moreover, as suggested in the PRIME white paper, 106 the whole process could still be conducted in an anonymous fashion, so users would be able to use their pseudonyms and their real identity would remain hidden. The credential's validity could be checked with the issuing service provider, without disclosing a link between user's pseudonym and identity; unless there would be a legitimate reason for disclosing it, e.g., in case a user would breach her contractual obligations. 107 In such case, under strict conditions, the user's identity could be revealed by linking the given credential with a specific pseudonym and the user's real identity.

8.4.8 Drawbacks of the proposed system

Even though the proposed system would be relatively simple and based on an existing example (.eu TLD), the possible drawbacks and weaknesses should also be noted.

105 This will not always be the case, but the example provides a clear explanation of the issue. For a practical example, see e.g.: Leenes, R., Schallaböck, J., and Hansen, M., Prime (Privacy and Identity Management for Europe) White Paper, (2008) Prime White paper, pp.10.
106 Ibid.
107 Ibid., pp.10-11.

The main disadvantage of the eID system based on the example of .eu TLD is, that it would not provide a comprehensive IAS framework. The issues identified in the above sections, such as the lack of common taxonomy and identification standards, would remain mostly unresolved. The system would be a simple way to interconnect national legal frameworks and make them more or less interoperable, but taking DNS as an inspiration for an IAS system may prove an inadequate choice, as the DNS system is far less complex. Further actions on European level would certainly be required to set up a fully operational IAS system for the future.

Furthermore, as already noted, the final result would be heavily dependent on the Member States' willingness to associate the use with specific legal consequences and provide for a mutual recognition in cross-border situations. This will not be an easy process, since the legal position of similar systems at national level is also quite complicated. Some minimum legal effects could be prescribed by the regulation introducing the proposed system, however, these will have to be rather low requirements in order to gain sufficient support for the legislative process. At the same time, without at least minimum legal requirements, the system would not provide many additional benefits compared to already existing mechanisms and could therefore turn out useless.

Besides, once the necessary legislation would be agreed upon, more 'practical' risks associated with the system should not be underestimated. As the proposed model would possibly include a considerable amount of personal information, the consequences in case of security breach might be quite severe. Therefore, a high technical reliability and security standards would have to be employed inside the system. This might not be a great challenge at the beginning, but with a growing size and utilisation of the system the possibility of security attacks would also be growing. A vast amount of personal data in the system would be an invitation for hackers to 'test their skills' and would represent an attractive target.

Moreover, the independent and impartial supervision must ensure that the system would not be abused by any stakeholder, be it in the private or public sector. Since the proposed model could be used as a powerful source of information by both enterprises and governments, users have to be sure that their data would only be accessible when there is a legitimate need and under strict conditions. The control mechanisms would have to be arranged in a way that would be most beneficial for users and would limit access to the information not only for private parties, but also for public bodies.

Lastly, it is not guaranteed that end-users would spontaneously embrace the new model, once it would be available. It should be remembered, that an average internet user might not be aware of risks (and benefits) associated with the different types of IAS systems they use. For an average user, the main concern is simply whether the system they are currently using works easily or not. Issues of privacy and legal certainty might not come to their

Deliverable D3, Versin 2b (final) attentin. Fr advanced users, n the ther hand, existing systems might prvide sufficient means t cnclude transactins they need t. Thus, befre the intrductin f the system prpsed in this chapter, it might first be necessary t persuade users that these are qualities that actually matter. In this respect it is essential t raise users' awareness abut imprtant issues f privacy, legal certainty and accuntability in currently emplyed IAS systems. As with any ther prduct ffered n a vluntary basis, the prducer shuld first make sure, that there wuld be a sufficient demand fr its prduct. This chapter tried t make clear, that there is a need fr a mre reliable and legally predictable IAS mdel. Whether there is als a sufficient demand fr this new mdel, might be a different questin. 8.5 Cnclusin It was nt the purpse f this chapter t design a definitive and detailed slutin fr a cmplete and fully functinal pan-eurpean eauthenticatin system. Instead, it merely tries t pinpint a pssible directin n ur way t establishing a cmprehensive IAS legal framewrk. Like many thers, this chapter calls fr further harmnizatin and cmprehensive legal instruments n the Eurpean level. Hwever, it als tried t argue that there might be an easier and faster way t set up a functinal pan-eurpean eauthenticatin and even eias system. We tried t shw that Eurpe has already succeeded befre in establishing a similar system, in an area with different natinal plicies, definitins and legal framewrks. Drawing inspiratin frm the.eutld, we tried t demnstrate, that it is nt always necessary t emply wide-ranging and cmprehensive legal instruments t set up a pan-eurpean system. Instead, the same aim might be realized with relatively simple regulatins, intercnnecting, rather than adapting, existing natinal framewrks. 
Notwithstanding the fact that a functional pan-European eAuthentication system, as proposed in this chapter, encompasses many more difficulties than the relatively simple .eu TLD domain name system, we could still draw an important inspiration from its organization and arrangement. This could enable a swift and (compared to a more comprehensive approach through harmonization and directives) rather easy establishment of a European eAuthentication system. In this regard, it should be pointed out that Europe indeed has to act without much delay. With emerging quasi-identification systems, such as Facebook, Twitter or Google, the need to act quickly in this field is ever more pressing, since these services may soon gain a status of de facto standards in the information society, and it will become difficult to subsequently replace them with a meaningful solution based on a clearer and more reliable legal foundation.

The main responsibility will thus lie with the Member States, who must decide how fast they want to act (whether they want to act at all) and how far they want to go. The solution outlined in this chapter will not be complete, nor permanent, but it could provide an important kick-start for further discussion in the IAS field and serve as a first patch to address some gaps in the current legal framework. At any rate, Europe cannot afford to wait for long if it wants to keep up with the constant development in the information society.

8.6 References

a. Publications

- Andrade, N. N. G. d., Towards a European eID regulatory framework. The Legal Gaps, Barriers and Challenges of constructing a legal framework for the protection and management of electronic identities, (2012 - forthcoming) European Commission, Joint Research Center.
- Graux, H., Rethinking the e-signatures Directive: Moving towards a comprehensive legal framework for eID, (2011) IPTS workshop - Electronic identity for Europe.
- Graux, H., Majava, J., and Meyvis, E., Study on eID Interoperability for PEGS - Update of Country Profiles - Analysis & Assessment Report, (2009) IDABC programme (available at: http://ec.europa.eu/idabc/servlets/Docb482.pdf?id=32522, accessed on 26.September 2011).
- Hartmann, D., Körting, S., Security issues in cross-border electronic authentication, (2010) The European Network and Information Security Agency.
- Leenes et al., Stork - Towards Pan-European Recognition of Electronic IDs (eIDs) - D2.2 - Report on Legal Interoperability, (2010) STORK, available at: https://www.eid-stork.eu/.
- Leenes, R., Schallaböck, J., and Hansen, M., Prime (Privacy and Identity Management for Europe) White Paper, (2008) Prime White paper.
- Myhr, T., Regulating a European eID: A preliminary study on a regulatory framework for entity authentication and a pan European Electronic ID, (2005) The Porvoo e-ID Group.
- OECD, The Role of Digital Identity Management in the Internet Economy: A Primer for Policy Makers, DSTI/ICCP/REG(2008) 10/FINAL. (available at: http://www.oecd.org/dataoecd/23/38/43195291.pdf, accessed on 26.September 2011).
- Rooy, D.v., Bus, J., Trust and privacy in the future internet a research perspective, Identity in the Information Society (2010) Vol. 3, No.2, (available at: Springerlink.com).
- Smedinghoff, T.J., Federated Identity Management: Balancing Privacy Rights, Liability Risks, and the Duty to Authenticate, (2009) available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1471599 (accessed on 23.September 2011).
- Commission, European, A Digital Agenda for Europe, COM(2010) 245 final/2.
- Commission, European, Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market, COM (2008) 798 final.
- Commission, European, A Roadmap for a pan-European eIDM Framework by 2010, Information Society and Media Directorate-General, eGovernment unit, v1.0.
- Commission, European, Towards interoperability for European public services, COM(2010) 744 final.
- The Liberty Alliance Project, Liberty Alliance Contractual Framework Outline for Circles of Trust, available at: http://projectliberty.org/liberty/files/whitepapers/liberty_alliance_contractual_framework_outline_for_circles_of_trust (accessed on 23.September 2011).
- Van Rooy, D., Bus, J., Trust and privacy in the future internet a research perspective, Identity in the Information Society (2010) Vol. 3, No.2, (available at: Springerlink.com).

b. Legislation

- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; OJ L 281 (1995).
- Directive 1999/93/EC on a community framework for electronic signatures; OJ L 13 (2000).
- Directive 2006/123/EC on services in the internal market; OJ L 376 (2006).
- Regulation (EC) No 733/2002 of the European Parliament and of the Council of 22 April 2002 on the implementation of the .eu Top Level Domain, OJ L 113, 30.4.2002.
- Commission Regulation (EC) No 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration, OJ L 162, 30.4.2004.

c. Other sources:

- http://www.facebook.com/press/info.php?statistics
- http://www.facebook.com/terms.php
- http://www.google.com/accounts/tos
- http://twitter.com/tos
- http://epp.eurostat.ec.europa.eu/
- http://www.eurid.eu/

9. Annex A - Recommendations for an IAS Regulation

This Annex details a series of inputs, including definitions, basic principles, obligations for service providers and a supervision mechanism, which were offered by the study team as an input to the European Commission's legislative work on the IAS Regulation. Some of the inputs of this deliverable have been taken into account by the Commission, whereas others have been superseded by further policy developments since their production.

9.1 Building blocks for General Provisions

9.1.1 Possible provisions for scope

1. This Regulation applies to the following trust data:
- electronic signatures
- electronic seals
- electronic time stamps
- electronic identity attestations, and
- electronic attribute attestations
within the meaning of this Regulation

2. This Regulation applies to trust services supporting the creation, validation and preservation of trust data [108], and the following ancillary services:
- electronic document delivery services
- electronic archiving services
- digitalization services
within the meaning of this Regulation

3. This Regulation does not cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form prescribed by national or Community law nor does it affect rules and limits, contained in national or Community law, governing the use of documents.

4. This Regulation does not impose any obligations nor restrictions on the Member States in relation to the issuance of identity documents, travel documents or any other identifying documents issued to their citizens by public administrations or under their authority.

5. No part of this Regulation shall affect the rights of citizens, business or public administrations to conclude contractual arrangements governing the issuance, validation and legal effect of electronic transactions.

[108] Examples of supporting services: Certification Authority, Signature Validation Authority, Time Stamping Authorities, Registration Authority, Identity Providers (official/non-official), Identity Attestation Service Providers

9.1.2 Possible provisions for definitions

"trust data" means data in electronic form which are attached to or logically associated with other electronic data and which corroborates [confirms] the origin and the integrity of the associated data [109]

"qualified trust data" means trust data meeting the applicable quality requirements as laid down in this Regulation.

"trust services" means services supporting the creation, validation and preservation of trust data, as well as ancillary services, specifically designed to enable the use of trust data. [110]

"qualified trust services" means trust services meeting the applicable quality requirements as laid down in this Regulation.

"trust service provider" means the natural or legal person, public authority, agency or any other body which provides one or more electronic trust services.

"electronic signature" means trust data added by a signatory to the associated data with the intent to sign on his own behalf, on behalf of a legal person or a public sector body. [111]

"electronic seal" means trust data added by an entity to the associated data on behalf of a legal person or a public sector body with the intent to seal or stamp.

[109] Such trust data could be created by an individual (eg signature) or by TTP (time stamp). The main objective of this definition is to create an equivalent to the concept of 'authentication', which is not stricter than the current definition of an electronic signature in the eSignatures Directive
[110] Generic telecommunication and ISP services are excluded from this scope
[111] Note that this does not exclude simple "I agree" buttons, (PIN) codes, scanned signatures, etc.

"electronic time stamp" means trust data establishing that associated data existed at a particular time.

"electronic identity attestation" means trust data establishing that associated data is a collection of an entity's identity attributes uniquely representing that entity.

"entity" means any natural or legal person or any information system.

"signatory" means any natural person creating an electronic signature

"identity attribute" means a distinct, measurable, physical or abstract named property belonging to an entity.

"electronic identity attribute attestation" means trust data establishing that associated data is a collection of an entity's identity attributes.

"qualified electronic certificate" means a qualified electronic identity attestation linking an entity to unique data, such as codes or private cryptographic keys. [112]

"trust data product" means hardware or software, or relevant components thereof, which are intended to be used for the creation, validation or preservation of trust data or are intended to be used by a trust service provider for the provision of trust services.

"qualified trust data product" means a trust data product meeting the applicable quality requirements as laid down in this Regulation.

"conformity assessment body" means a body that performs conformity assessment activities within the meaning of article 2.13 of Regulation 765/2008.

"registered electronic mail service" means any service provided by a trust service provider regarding the transfer of data whereby the sender upon his request, receives an acknowledgement of the submission and/or of the delivery to the addressee.

[112] The definition relates to both non-repudiation (signature) certificates and authentication certificates. The difference between identity attestation and certificate is that certificate is linked to key (PKI based).

9.2 Building blocks for Basic Principles

9.2.1 Possible provisions for market access

1. Member States shall not make the provision of trust services and trust data products subject to prior authorisation. Member States shall not limit the number of trust service providers or trust data products.

2. Each Member State shall ensure the establishment of an appropriate system for the supervision of qualified trust services provided by trust service providers which are established on its territory and qualified trust data products that have undergone a conformity assessment by an entity established on their territory.

3. The conformity of qualified trust data products shall be assessed against the requirements laid down in this Regulation by conformity assessment bodies.

4. Without prejudice to the provisions of paragraph 1, 2 and 3, Member States may extend the scope of their supervision system to non-qualified trust services provided by trust service providers established on its territory. All supervision criteria related to such systems must be objective, transparent, proportionate and non-discriminatory.

9.2.2 Possible provisions for Internal market principles

1. Member States may not restrict the provision of trust services originating in another Member State in the fields covered by this Regulation.

2. Member States shall ensure that trust data products which comply with this Regulation are permitted to circulate freely in the internal market.

9.2.3 Possible provisions for non-discrimination principle

Member States shall ensure that trust data is not denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or it is not qualified trust data.
9.2.4 Possible provisions for generic quality requirements for trust service providers providing qualified trust services

Trust service providers providing qualified trust services must demonstrate the reliability necessary for providing trust services, by at least
- employing personnel who possess the expert knowledge, experience, and qualifications necessary for the services provided, in particular competence at managerial level, expertise in relevant technology and familiarity with proper security procedures; they must also apply administrative and management procedures which are adequate and correspond to recognised standards;
- maintaining sufficient financial resources to operate in conformity with the requirements laid down in the Regulation, in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance;
- before entering into a contractual relationship with a person seeking to use a trust service informing that person by a durable means of communication of the precise terms and conditions regarding the use of the trust service, including any limitations on its use, the existence of a supervision system and procedures for complaints and dispute settlement. Such information, which may be transmitted electronically, must be in writing and in readily understandable language. Relevant parts of this information must also be made available on request to third-parties relying on the trust service;
- using trustworthy systems and trust products which are protected against modification and ensure the technical and cryptographic security of the process supported by them;
- taking measures against forgery of trust data provided by the trust service provider
- record all relevant information concerning trust data issued by the trust service provider for an appropriate period of time, in particular for the purpose of providing evidence for the purposes of legal proceedings. Such recording may be done electronically;
- use trustworthy systems to store trust data provided by the trust service provider in a verifiable form so that:
  - they are publicly available for retrieval in only those cases for which the consent of the person to whom the trust data has been issued, has been obtained,
  - only authorised persons can make entries and changes,
  - information can be checked for authenticity, and
  - any technical changes compromising these security requirements are apparent to the trust service provider.

9.2.5 Possible provisions for liability of qualified trust service providers

1. As a minimum, by issuing qualified trust data or by guaranteeing such data a trust service provider is liable for damage caused to any entity or legal or natural person who reasonably relies on that trust data as regards the accuracy at the time of issuance of all information contained in the trust data, and as regards the fact that the trust data contains all the details prescribed for being qualified trust data unless the trust service provider proves that he has not acted negligently.

2. A trust service provider may indicate in qualified trust data it issues limitations on the use of that trust data provided that the limitations are recognisable to third parties. The trust service provider shall not be liable for damage arising from use of that trust data which exceeds the limitations placed on it.

3. The provisions of paragraphs 1 to 2 shall be without prejudice to Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts.

9.2.6 Possible provisions for data protection

1. Trust service providers and national bodies responsible for supervision shall comply with the requirements laid down in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

2. A trust service provider which issues trust data may collect personal data only directly from the data subject, or after the explicit consent of the data subject, and only insofar as it is necessary for the purposes of issuing and maintaining the trust data. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.
9.2.7 Possible provisions for international aspects

Trust data which are issued as qualified trust data by a trust service provider established in a third country shall be recognised as legally equivalent to trust data issued by a trust service provider established within the Community
a) if the trust service provider is supervised, or
b) if the trust service provider is recognised as providing qualified trust services under a bilateral or multilateral agreement between the Community and third countries or international organisations.

9.2.8 Possible provisions for standardisation and presumption of conformity

The Commission may, after consultation of the European trust services committee or on its recommendation, establish and publish reference numbers of standards or similar normative documents for qualified trust data products in the Official Journal of the European Communities. Compliance with the requirements laid down in this Regulation shall be presumed for trust data products meeting those standards.

9.3 Building blocks for the Supervision of qualified services

9.3.1 Possible provisions for Supervisory authorities

1. Each Member State shall provide that one public authority is responsible for the supervision of qualified trust services as laid down in article [113]. Member States may provide that the supervision of one or more categories of qualified trust services is delegated to the European supervisory authority.

2. A European supervisory authority shall be designated by the European Commission through delegated acts. The European supervisory authority shall be responsible for
- supervising trust service providers established in a third country providing qualified trust services towards natural or legal persons residing or established in the European Union;
- supervising trust service providers established in a third country providing qualified trust services, at their request;
- supervising trust service providers established in the European Union for which a Member State delegated the supervision.

3. A supervisory authority shall adopt its own rules of procedure and organise its own operational arrangements, including to provide for the continuation of exercising duties when a member's term of office expires or a member resigns, the establishment of subgroups for specific issues or sectors and the appointment of a chair and secretariat.

[113] This should reference the internal market article, and be aligned with it.

9.3.2 Possible provisions for independence and confidentiality

1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it.

2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.

3. Members of the supervisory authority shall refrain from any action incompatible with the duties of the office and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.

5. Each supervisory authority shall be provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and active participation in the European trust services committee.

6. Each supervisory authority shall be provided with its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.

7. The supervisory authority shall not be subject to financial control which might affect its independence. The supervisory authority shall have separate annual budgets. The budgets shall be made public.

8. The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties.

9.3.3 Possible provisions for duties

1. The supervisory authority shall: [114]
- appropriately supervise the provision of qualified trust services
- ensure the appropriateness of conformity assessments of qualified trust data products
- publish the outcome of the supervision activities in a harmonised way

2. The Commission shall be empowered to adopt delegated acts in accordance with Article... for the purpose of further specifying the procedures, requirements and formalities for performing these duties.

[114] Details on the exact competences should be addressed by delegated acts, including notably the power to manage/establish list of qualified service providers, dealing with market complaints, sanctions, etc.

9.4 Building blocks for the establishment of a European Trust Services Committee / EU level governance framework

9.4.1 Possible provisions for European trust services committee

1. A European trust services committee is hereby set up.

2. The European trust services committee shall be composed of the head of the supervisory authority of each Member State and the head of the European supervisory authority.

3. The Commission shall have the right to participate in the activities and meetings of the European trust services committee and shall designate a representative. The chair of the European trust services committee shall, without delay, inform the Commission on all activities of the European trust services committee.

9.4.2 Possible provisions for independence

1. The European trust services committee shall act independently when exercising its tasks within the meaning of this Regulation.

2. Without prejudice to requests by the Commission referred to in Articles [the commission's right to ask for standards, recommendations, etc].., the European trust services committee shall, in the performance of its tasks, neither seek nor take instructions from anybody.

9.4.3 Recommendation on the possible tasks of the European trust services committee

1. The European trust services committee shall ensure the consistent application of this Regulation. To this effect, the European trust services committee shall, on its own initiative or at the request of the Commission, in particular:

(a) advise the Commission on any issue related to the provision of trust services in the Union, including on any contemplated amendment of this Regulation, or on the adoption of delegated acts and implementing acts within the framework of this Regulation and the conclusion of agreements with third countries, or with respect to standards and similar normative documents, or policies with respect to levels of assurance of trust services and trust data products [115];
(b) examine, on request of the Commission or on its own initiative or of one of its members, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
(c) review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these;
(d) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities;
(e) promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;
(f) promote the exchange of knowledge and documentation on trust services legislation and practices worldwide;

2. The European trust services committee shall forward its opinions, guidelines, recommendations, and best practices to the Commission and make them public.

3. The Commission shall inform the European trust services committee of the action it has taken following the opinions, guidelines, recommendations and best practices issued by the European trust services committee.

[115] This relates to multilevel quality and assurance levels, such as the STORK QAA policy levels

9.4.4 Recommendation for international co-operation

1. In order to facilitate cross-border trust services with third countries and legal recognition of trust data originating in third countries, the European trust services committee shall engage in discussions in view of facilitating the conclusion of bilateral and multilateral agreements with third countries and international organisations.

2. Whenever the European trust services committee is informed of any difficulties encountered by Community undertakings with respect to market access in third countries, it may, if necessary, submit proposals to the Commission for an appropriate mandate for the negotiation of comparable rights for Community undertakings in these third countries.

9.4.5 Possible provisions for procedure

1. The European trust services committee shall take decisions by a simple majority of its members.

2. The European trust services committee shall adopt its own rules of procedure and organise its own operational arrangements, including to provide for the continuation of exercising duties when a member's term of office expires or a member resigns, the establishment of subgroups for specific issues or sectors and the appointment of a chair and secretariat.

9.4.6 Possible provisions for reports

1. The European trust services committee shall regularly and timely inform the Commission about the outcome of its activities. It shall draw up an annual report on the situation regarding the provision of trust services and trust products in the Union and in third countries. The report shall include the review of the practical application of the guidelines, recommendations and best practices referred to in point (c) of Article.

2. The report shall be made public and transmitted to the European Parliament, the Council and the Commission.

9.5 Building blocks for the regulation of Qualified trust services

9.5.1 Possible provisions for legal effects of electronic signatures

1. Where the law requires a signature, that requirement is met in relation to associated data if an electronic signature is used which is as reliable as is appropriate for the purpose for which the associated data was generated or communicated, in the light of all the circumstances.

2. A qualified electronic signature shall satisfy the legal requirements of a signature in relation to associated data in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data and be admissible as evidence in legal proceedings.

3. Paragraph (2) does not limit the ability of any person:
(a) to establish in any other way, for the purpose of satisfying the requirement referred to in paragraph (1), the reliability of an electronic signature; or
(b) to adduce evidence of the non-reliability of an electronic signature.

9.5.2 Possible provisions for legal effects of electronic seals

1. Where the law requires a seal or stamp, that requirement is met in relation to associated data if an electronic seal is used which is as reliable as is appropriate for the purpose for which the associated data was generated or communicated, in the light of all the circumstances.

2. A qualified electronic seal shall satisfy the legal requirements of a seal or stamp in relation to associated data in the same manner as a seal or stamp satisfies those requirements in relation to paper-based data and be admissible as evidence in legal proceedings.

3. Paragraph (2) does not limit the ability of any person:
(a) to establish in any other way, for the purpose of satisfying the requirement referred to in paragraph (1), the reliability of an electronic seal; or
(b) to adduce evidence of the non-reliability of an electronic seal.

9.5.3 Possible provisions for quality requirements for qualified electronic signatures and qualified electronic seals

A qualified electronic signature is an electronic signature which meets the following requirements:

a) it is uniquely linked to the signatory; [116]
b) it is capable of identifying the signatory;
c) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;
d) it is created [117]
  a. using means [and/or processes] that the signatory can reasonably maintain under his sole control [118];
  b. using one or more qualified trust data products and/or services configured and used to implement unique data, such as codes or private cryptographic keys, which are used by the signatory to create an electronic signature [119], and meeting the requirements of
  c. ensuring, by appropriate technical and procedural means, that at the least:
    - the signature-creation-data used for signature generation can practically occur only once, and that their secrecy is reasonably assured;
    - the signature-creation-data used for signature generation cannot, with reasonable assurance, be derived and the signature is protected against forgery using currently available technology;
    - the signature-creation-data used for signature generation can be reliably protected by the legitimate signatory against the use of others.
  d. not altering the data to be signed or prevent such data from being presented to the signatory prior to the signature process.
e) it can be validated for a period of time that is required [applicable, appropriate] by the circumstances to which the electronic signature applies. [120]
f) it is supported by a qualified electronic certificate, which is compliant with article and which is solely dedicated to the support of qualified electronic signatures.

[116] a) and b) should still be included because they refer to the whole signature process and not only the identity attestation (cfr. these requirements are also default requirements for identity attestations)
[117] Standards mapping to be introduced through eg. delegated acts.
[118] [Recitals should clarify and emphasise that sole control is not limited to hardware devices like smart cards but can also be achieved by procedures, contracts, etc.]
[119] Alternatively, the proposal could also reintroduce the definition of "signature creation data", which would achieve the same result.
[120] This can be done by means of an appropriate combination of Trust Data and/or Trust Services and/or procedural means supporting the validation and preservation of electronic signatures (e.g. very short term (before revocation of QC) by AdES-ST form, short term (before expiration of QC) by AdES-T, long term AdES-LT, very long term AdES-LTA). Making use of trustworthy (qualified) Trust data or Trust services will increase assurance of meeting this requirement.

9.5.4 Possible provisions for legal effects of electronic identity attestations

1. Where the law requires the validation of the identity of an entity, that requirement is met in relation to associated data if an electronic identity attestation is used which is as reliable as is appropriate for the purpose for which the associated data was generated or communicated, in the light of all the circumstances.

2. A qualified electronic identity attestation shall satisfy the legal requirements of an entity's identity validation in the same manner as a physical identity document that would satisfy the legal requirements for the validation of the identity of the entity and be admissible as evidence in legal proceedings.

3. Paragraph (2) does not limit the ability of any person:
(a) to establish in any other way, for the purpose of satisfying the requirement referred to in paragraph (1), the reliability of an electronic identity attestation; or
(b) to adduce evidence of the non-reliability of an electronic identity attestation.

4. Without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent trust service providers from indicating in the trust data a pseudonym instead of the entity's name

9.5.5 Possible provisions for Quality requirements for qualified electronic identity attestations

A qualified electronic identity attestation is an electronic identity attestation which meets the following requirements:

1. The identity attestation relies on evidence stemming from trusted sources, such as:
- for identity related information issued by the [Member States'] public administrations or under their responsibility: identity documents, travel documents or any other identifying documents issued to the citizens by these public administrations or under their authority.

  - for any other identity attribute: information issued and guaranteed by or under the authority of the entitled entity [121].
2. The attestation has been trustworthy [122] verified by the trust service provider, for example by physical appearance of the entity and/or by validation of the information by/with the entitled entity. [123]
3. The trust service provider issuing the qualified identity attestation, must:
  - ensure the operation of a prompt and secure directory and a secure and immediate revocation service;
  - ensure that the date and time when the qualified electronic identity attestation is issued or revoked can be determined precisely;
  - in case of issuance of a qualified electronic certificate, ensure that the certificate meets the requirements laid down in [Annex I];
  - guarantee confidentiality of the unique data, such as codes or private cryptographic keys, during the process of generating such data;
  - not store or copy the unique data, such as codes or private cryptographic keys of the person to whom the trust service provider provided key management services.

[121] We should find good wording for ensuring that this covers professional organisations (e.g. Ordre des Medicins), private entities (e.g. supermarket for customers or company for employees).
[122] "trustworthy verification" to be further specified by the Committee.
[123] Alternative wording: verify, by appropriate means in accordance with national law, the identity and, if applicable, any specific attributes of the person to which the qualified electronic identity attestation is issued;

9.5.6 Possible provisions for additional liability

1. Trust service providers issuing qualified identity attestations are, as a minimum, liable for damage caused to any entity or legal or natural person who reasonably relies on that qualified electronic identity attestation for assurance that at the time of the issuance of the electronic identity attestation, the accuracy of the identity attributes has been appropriately verified;
2. Trust service providers issuing qualified electronic certificates are, as a minimum, liable for damage caused to any entity or legal or natural person who reasonably relies on that qualified electronic certificate

  (a) for assurance that at the time of the issuance of the qualified electronic certificate, the signatory identified in the qualified electronic certificate held the signature-creation data corresponding to the signature-verification data given or identified in the electronic certificate;
  (b) for assurance that the signature-creation data and the signature-verification data can be used in a complementary manner in cases where the trust services provider generates them both;
3. As a minimum, a trust service provider issuing qualified electronic identity attestations, is liable for damage caused to any entity or legal or natural person who reasonably relies on the qualified electronic identity attestation for failure to register revocation of the qualified electronic identity attestation unless the trust service provider proves that he has not acted negligently.

9.5.7 Possible provisions for legal effects of electronic time stamps

1. Where the law requires proof that data existed at a particular time, including the requirement for dating a document, that requirement is met in relation to associated data if an electronic time stamp is used which is as reliable as is appropriate for the purpose for which the associated data was generated or communicated, in the light of all the circumstances.
2. A qualified electronic time stamp shall satisfy the legal requirements of a time stamp in relation to associated data in the same manner as a time stamp satisfies those requirements in relation to paper-based data and be admissible as evidence in legal proceedings.
3. Paragraph (2) does not limit the ability of any person:
  (a) to establish in any other way, for the purpose of satisfying the requirement referred to in paragraph (1), the reliability of an electronic time stamp; or
  (b) to adduce evidence of the non-reliability of an electronic time stamp.

9.5.8 Possible provisions for quality requirements for qualified electronic time stamps

A qualified electronic time stamp is an electronic time stamp which meets the following requirements:

- the verification of the date and/or time attribute based on the coordinated universal time each time the date and/or time must be determined;

- the electronic time stamp is signed using a qualified electronic signature or qualified electronic seal [or any other business controls achieving the same level of trustworthiness [124]].

[124] Committee will decide (publish) on trustworthy business controls.

9.5.9 Possible provisions for additional liability

In addition to the generic liability provisions as laid down in article, trust service providers within the meaning of article, are, as a minimum, liable for damage caused to any entity or legal or natural person who reasonably relies on the accuracy of the time and date specified in the qualified time stamp. [125]

[125] No need to include second paragraph on minimum liability as time stamp is just a signature.

9.6 Building blocks for the Regulation of Ancillary services

9.6.1 Possible provisions for legal effects of registered electronic mail

1. The explicit or implicit requirement of a registered mail can be met provided that the sender used an electronic registered mail service [126].
2. Subject to the application of specific legal or regulatory requirements regarding registered mail, a qualified electronic registered mail is considered to meet the explicit or implicit requirement of a registered mail.
3. Paragraph (2) does not limit the ability of any person:
  (a) to establish in any other way, for the purpose of satisfying the requirement referred to in paragraph (1), the reliability of a registered electronic mail; or
  (b) to adduce evidence of the non-reliability of a registered electronic mail.

[126] Alternative (broader) wording: "electronic document delivery services"

9.6.2 Possible provisions for quality requirements for qualified registered electronic mail

A qualified registered electronic mail is a registered electronic mail which meets the following requirements:

The electronic registered mail service is being delivered by a trust service provider who must:

1. Demonstrate impartiality towards the recipients of their services.
2. At the time of deposit of the message, provide the properly identified sender with an acknowledgement of deposit,
  a. signed by the trust service provider with a qualified electronic signature or a qualified electronic seal,
  b. indicating the identification of the trust service provider, the name of the addressee as reported by the sender [127], and
  c. timestamped using a qualified time stamp.
3. Prior to the sending being delivered, with or without proof of sending, appropriately verify the identity of the addressee of the electronic registered mail, or where appropriate the identity of the proxy.
4. Upon request of the sender, deliver the acknowledgement of receipt or refusal of the message by the addressee, or the acknowledgment of non-delivery,
  a. signed by the trust service provider with a qualified electronic signature or a qualified electronic seal, [128]
  b. indicating the identification of the trust service provider, the name of the addressee as reported by the sender or the proxy [129], and
  c. timestamped using a qualified time stamp.
5. The acknowledgment of receipt, refusal or non-delivery must be provided after expiration of a term of [fifteen days], starting from the date of deposit of the message

[127] Include requirement for "identification number of the message"?
[128] To be discussed if signature also required from recipient.
[129] Include requirement for "identification number of the message"?

9.6.3 Possible provisions for requirements for qualified certificates

Qualified certificates must contain:

(a) an indication that the certificate is issued as a qualified certificate;
(b) the identification of the certification-service-provider and the State in which it is established;
(c) the name of the signatory or a pseudonym, which shall be identified as such;

(d) provision for a specific attribute of the signatory to be included if relevant, depending on the purpose for which the certificate is intended;
(e) signature-verification data which correspond to signature-creation data under the control of the signatory;
(f) an indication of the beginning and end of the period of validity of the certificate;
(g) the identity code of the certificate;
(h) the advanced electronic signature of the certification-service-provider issuing it;
(i) limitations on the scope of use of the certificate, if applicable; and
(j) limits on the value of transactions for which the certificate can be used, if applicable.

9.6.4 Possible provisions for secure signature verification

During the signature-verification process it should be ensured with reasonable certainty that:

(a) the data used for verifying the signature correspond to the data displayed to the verifier;
(b) the signature is reliably verified and the result of that verification is correctly displayed;
(c) the verifier can, as necessary, reliably establish the contents of the signed data;
(d) the authenticity and validity of the certificate required at the time of signature verification are reliably verified;
(e) the result of verification and the signatory's identity are correctly displayed;
(f) the use of a pseudonym is clearly indicated; and
(g) any security-relevant changes can be detected.

10. Annex B - Annexes to Chapter Economic, social and environmental impact of a European framework for ancillary services

10.1 Section A Methodology used for Systematic Review/REA

Introduction to Systematic Reviews

In order to establish effective practices in dealing with a specific problem, it is important to determine what is known about the issue in question from the full range of existing evidence. Traditionally, a narrative or literature review would be undertaken to search this evidence; however, there are limitations with this approach. Principally, they are susceptible to selection and/or publication biases as literature reviews are often opportunistic in that they review only literature and evidence that is readily available to the researcher.

Systematic reviews of existing literature are increasingly being used as a valid and reliable means of harnessing existing research evidence. They differ from literature reviews by (Davies, 2003:4):

- Being more systematic and rigorous in the ways in which they search and find existing evidence.
- Having explicit and transparent criteria for appraising the quality of existing research evidence, especially identifying and controlling for different types of bias in existing studies.
- Having explicit ways of establishing the comparability (or incomparability) of different studies and, thereby, of combining and establishing a cumulative effect of what the existing evidence is telling us.

Systematic reviews involve a systematic, rigorous and exhaustive search of all the relevant literature. Searches are conducted using electronic and print sources, hand searching and relevant grey literature (i.e. unpublished studies or work in progress) is identified. This approach helps to remove the problems of bias associated with traditional literature reviews. The search criteria used in undertaking a systematic review and the criteria by which the literature is appraised and interpreted are clearly defined. This leads to greater transparency and allows future studies to be added to the review, enabling an interactive and cumulative body of sound evidence to be developed on a subject area. (Butler, 2004)

Background to Rapid Evidence Assessments

Undertaking a systematic review takes time, typically around six months to a year. Users of research and evaluation evidence often need quicker access to what the existing evidence is telling them. To this end, Rapid Evidence Assessments (REAs) have been developed for use in public policy research and impact evaluation. REAs are based on the principles of a systematic review. The functions of a REA are to (Davies, 2003):

- Search the electronic and print literature as comprehensively as possible within the constraints of a policy or practice timetable.
- Collate descriptive outlines of the available evidence on a topic.
- Critically appraise the evidence (including an economic appraisal).
- Sift out studies of poor quality.
- Provide an overview of what the evidence is saying.

Like systematic reviews, they are based on comprehensive electronic searches of appropriate databases and some searching of print materials, but in order to complete them in a shorter time frame concessions are made. As a result, exhaustive database searching, hand searching of journals and textbooks, or searches of grey literature is not immediately undertaken. However, searching may be continued beyond the time available for a REA until a comprehensive search of the available research literature has been completed and a full-blown systematic review is achieved. In such cases, a REA would be better described as an interim evidence assessment. (Butler, 2004)

All REAs carry the caveat that their conclusions may be subject to revision once more systematic and comprehensive reviews of the evidence base have been completed. This is consistent with the important principle that systematic reviews are only as good as their most recent updating and revision allows (Davies, 2003).

10.2 Section B: Sources with indirect bearing on impact of Ancillary Services

This section lists a number of sources which were retrieved and considered relevant, but only have an indirect bearing upon the impact of ancillary services.

Title: The State of the Electronic Identity Market: Technologies, Infrastructure, Services and Policies
Author: Toby Stevens, John Elliott, Anssi Hoikkanen, Ioannis Maghiros, Wainer Lusoli
Date: 2010
Publication: JRC scientific and technical reports
Purpose of study: This study gathers knowledge about the strategies, product portfolios, financial information, dynamics between players and about other relevant factors of eID market stakeholders in Europe. This knowledge contributes to the overall analysis of the eID market and to a better understanding of the economic factors affecting the eID markets national level, the drivers and barriers that affect the uptake of electronic identities, the business models likely to prevail and the other factors that contribute to generating innovation in the market. The focus of the study includes privacy, security, and new business models enabled by development in eID. It is expected to reveal:
- the nature, structure, developments and dynamics for today's European eID markets
- the key trends in the markets
- who the key stakeholders in that market are
- the key differences between the European eID markets in terms of size, relative development and key drivers and barriers
- on what information companies base their eID-related business decisions
- what external data sources they have at their disposal
Methodology of study and analysis performed: The scope of work includes an accurate but not exhaustive analysis of the eID market, of the key stakeholders within that market, and the data sources that are available. A number of European countries were chosen in light of their eID infrastructure: Belgium, Finland, France, Germany, Spain and Turkey. The project methodology was light weight and exploratory but theoretically informed; it is sufficiently robust to provide the foundation for a possible larger future project. Specifically, it comprised:

- A review of past pan-European analyses in the public and private sectors
- An analysis of findings in view of modelling the eID landscape
- An assessment of market and innovation dynamics
Main findings: A number of general conclusions were drawn:
1. The portability of credentials, both amongst and between public and business players, and the development of a wide choice of channels for delivering eID would facilitate the embedding of eID into the existing infrastructure.
2. Further development of biometrics would enable 3-factor authentication, which in turn could a) ease the evolution from security-driven to citizen-centric eID and b) enhance trust so as to facilitate the transition to eID as a service.
3. As market stakeholders are in stand-by mode in relation to what infrastructure eID would be embedded in, much more should be done to try out federating processes and embedding eID into applications using open standards. More information on successful business cases should be circulated freely to enable the use of eID across contexts and public/private sectors.
4. While we cannot predict the future evolution towards an eID-enabled centrally overseen, public infrastructure and/or an affordable and trusted private sector eID-enabled, cloud infrastructure, the role of Government both as a legislator and as a promoter of open standards, (including its power as a first buyer of eID services), should be further explored.
5. Finally, in all circumstances, more needs to be done to promote the wider use of existing standards and to oversee the implementation of the embedding of eID in the infrastructure, as well as to offer a solution to the problem of user enrolment, currently a costly and safety dependent procedure.

Title: Impact assessment - Regulation of the European parliament and the council concerning the European Network and Information Security Agency.
Author: European staff working document
Date: 2010
Publication: European Commission - 2010 impact assessment (IA) reports
Purpose of study: Impact of different policy options for Network Information Security

Methodology of study and analysis performed:
- Executed in accordance with EU Impact assessment guidelines
- Qualitative analysis of policy options
- Cost effectiveness analysis
Main findings: The following problem drivers have been identified, amongst others, which make stakeholders vulnerable to Network Information Security (NIS) threats and NIS incidents. They all show that there is a need for a reliable structure at EU level to tackle the problem and to be up to speed, throughout Europe, with the constantly changing technology and market conditions around NIS.
- The diversity and fragmentation of national approaches. NIS problems are not constrained by national boundaries and therefore cannot be effectively addressed at national level only. At the same time, the problem is dealt with in many different ways by public authorities in different Member States. The multiple security requirements in different Member States impose a cost burden on businesses which operate EU-wide, leading to fragmentation and a lack of competitiveness in the European internal market.
- The need for more efficient action against cyber crime. NIS efforts have been predominantly organised under the former first pillar, i.e. matters discussed among the institutions. However, with the entry into force of the Lisbon Treaty, it is necessary to take into account a broader task package for an NIS agency, also covering second and third pillar areas, i.e. matters that were formerly decided by the council alone.

Title: Impact assessment - A strategy for a Secure Information Society - "Dialogue, partnership and empowerment"
Author: European staff working document
Date: 2006
Publication: European Commission - 2006 impact assessment (IA) reports
Purpose of study: Economic and social impact of different policy options for a Secure Information Society
Methodology of study and analysis performed:
- Executed in accordance with EU Impact assessment guidelines
- Qualitative impact assessment of policy options
Main findings: Economic and social impact of different policy options. Moreover the importance of ICT and e-communication services is assessed in quantitative terms. Information and Communications Technologies play a vital role in Europe's continuing modernisation. The e-communications services sector continues to represent the largest segment of the overall ICT sector, accounting for 44,4% of the total value, up from 43% last year. The sector was worth 640 billion in 2005, 273 billion of which derived from e-communication services. The production and use of ICT account for around 40% of productivity growth and one quarter of overall growth in Europe.

Title: Estimating economic impacts of homeland security measures
Author: Joseph J. Cordes, Anthony Yezer, Garry Young, Mary Catherine Foreman, Charlotte Kirschner
Date: 2006
Publication: George Washington Institute of Public Policy (GWIPP)
Purpose of study: Economic analysis of a homeland security measures
Methodology of study and analysis performed: Different models and measures of impacts are used to assess the impact of an increased level of homeland security: Calculation of gross and net costs of homeland security, Cost/benefit analysis, Regulatory Impact Analysis, Computer General equilibrium models, Game theory
Main findings: A city's decision to increase their Homeland Security Advisory System implies a direct weighing of costs and benefits. For the city, costs include the price of increasing a security presence in areas of critical locations, increased waiting time at airports and on highways, and other social costs such as private industry costs for securing their facilities, and any possible decrease in tourism. The primary benefit from a city's decision is the possibility of preventing a terrorist attack and reduction in crime as a result of the increased police presence.

Title: Botnets: Detection, Measurement, Disinfection & Defence
Author: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder
Date: 2011
Publication: ENISA
Purpose of study: Discussion on the threat of botnets and best practices.
Methodology of study and analysis performed: For this study, a distinction has been made between detection and measurement on the one hand and countermeasures on the other. However, accurate detection and measurement can be interpreted as a prerequisite to efficient application of countermeasures. Where possible, interdependencies of the techniques examined have been outlined.
Main findings: The total annual global economic loss attributed to malicious software activities is estimated at more than US$ 10 billion. The current legal frameworks of various EU Member States and their national diversity in the context of cybercrime are a key factor in the efficiency of the fight against botnets. The applicability of promising detection and mitigation approaches is also limited through certain conflicts between data protection laws and laws that ensure a secure operation of IT services. Finally, working processes increase the reaction time to the extent that they can be evaded with little effort by criminal individuals, capitalising on the ease with which botnets can be configured. The global botnet threat is best countered by close international cooperation between governments and technically-oriented and legislative institutions. For an efficient supranational mitigation strategy to work, cooperation between stakeholders must be intensified and strengthened by political will and support.

Title: Problems of Digital Sustainability
Author: Tamas Szadeczky
Date: 2010
Publication: Acta Polytechnica Hungarica
Purpose of study: The aim of this research is to investigate the difference between conventional and digital communication, especially as regards to the long-term storage and usage of electronic documents.
Methodology of study and analysis performed: The research question was analysed via observation, information gathering and empirical statements based on the personal professional practice of the author.
Main findings: Problems of digital sustainability
1. Excessive Velocity

2. Diversity of Formats
3. On-Line Data Security
4. Offline Data Security
5. Authenticity of an Electronic Signature
During storage and processing of electronic documents, an organization faces serious difficulties. The risk stemming from the outlined problems is diverging in different countries. The faster that digital communication develops, the harder it is to find time to solve problems. Therefore the chance of a later escalating of troubles increases. Digital preservation deals with the dangers stemming from the above-mentioned problems and with the protection against them.

Title: Resistance to change: Six reasons why businesses don't use esignatures
Author: Aashish Srivastava
Date: 2011
Publication: Springer Science+Business Media, LLC 2011
Purpose of study: This paper presents the findings of an empirical study that examined factors that have contributed to the low acceptance of electronic signatures, in particular the digital signature, by the business community for effecting contracts and commercial transactions between each other. The paper also makes some useful suggestions that may encourage businesses to use electronic signatures in order to facilitate the growth of e-commerce
Methodology of study and analysis performed: The research was confined only to Australian businesses that had access to the Internet. A sampling list of 400 companies was developed. A total of 27 face-to-face or telephonic interviews were conducted. A five-stage framework for analysis approach designed by Ritchie and Spencer was adopted for analysing the interview data (Familiarisation, identifying a thematic framework, indexing, charting, mapping and interpretation)
Main findings: Six main factors that have been identified
1. The prevailing culture and customs associated with manuscript signatures
2. Ignorance about the electronic signature technology
3. Legal concerns
4. Security issues

5. The cost of using the technology
6. The complexity associated with its setting up and usage.
Most importantly, there appears to be an overwhelming ignorance in the business community with regard to electronic signatures and the legislation governing the technology. It is important that the business community be adequately informed and educated about the technology and the relevant legislation. The business community has also expressed important legal concerns, including the absence of evidentiary rules and guidelines. Unless these issues are addressed in the legislation, businesses would be fearful of the legal implications of using electronic signatures. Businesses' reluctance to integrate electronic signatures into their business environment seems to be also driven by concerns regarding their perceived lack of security. If electronic signatures are properly secured, their misuse can be minimised. Electronic signatures stored on a PISD secured through biometric sensors are likely to be a secure option. Note that with recent advancements in the smart card technology it is now possible to have a fingerprint sensor on the smart card itself.

Title: Factors affecting the adoption of electronic signature: Executives' perspective of hospital information department
Author: I-Chiu Chang, Hsin-Ginn Hwang, Ming-Chien Hung, Ming-Hui Lin, David C. Yen
Date: 2007
Publication: Elsevier
Purpose of study: The healthcare industry is experiencing a major transformation towards e-healthcare, which delivers and enhances related information through the Internet among healthcare stakeholders and makes the electronic signature (esignature) more and more important. This paper identifies factors that affect hospitals in adopting esignature. Based on the research findings, implications and limitations are discussed.
Methodology of study and analysis performed: This paper uses a mature framework, Technology Organization Environment (TEO), in information system discipline to identify factors that affect hospitals in adopting esignature. A survey was conducted on regional hospitals and medical centres in Taiwan to verify the validity of the research framework. The results showed that TEO framework is useful in distinguishing hospitals as adopters and non-adopters of esignature. An expert panel helped to determine the appropriateness of the research framework, check the completeness and suitability of the questionnaire, and offered guidance for the research progress whenever there was a need. Discriminant analysis was conducted to distinguish between those hospitals that adopted esignature and those that did not. A literature review was performed.
Main findings: By the completion time of this research, 70% of the research hospitals in Taiwan are delaying their adoption of esignature, which further delays the development of computerized medical records as planned by the Taiwan government under its digital hospital project. The future functions of a digital hospital can be listed as long distance treatments, Internet virtual hospitals, and medical e-commerce. Without esignature, the above future function may not be easily achieved. The four significant factors in distinguishing signature adopters from non-adopters are hospital size, adequate resources, vendor support, and government policy. This study suggests the government take a stronger position to provide financial aid and educate the non-adopters. Reducing uncertainty of policies, not only regulations for esignature but also the reimbursement related to the promotion of esignature, is needed.
Quality appraisal:
- Findings: Findings are credible and have a coherent logic.
- Design: Research design is clearly explained. An expert panel was involved.
- Sample composition: Questionnaires were mailed out to the executives and directors of the information departments of 86 hospitals to collect the needed information.
- Analysis: Discriminant analysis was conducted to distinguish between those hospitals that adopted esignature and those that did not.
- Reporting: Clear reporting, clear summary of results

Title: Understanding the Economic Benefit of the Information Technology Revolution
Author: Robert D. Atkinson and Andrew S. McKay
Date: March 2007
Publication: The Information Technology & Innovation Foundation (ITIF)
Purpose of study: Notwithstanding the centrality of IT to economic growth, there have been surprisingly few attempts to catalogue what is known about IT's impacts on the economy. It is the aim of this study to do so.
Methodology of study and analysis performed: The objective of the study is reached by collecting, organizing, and surveying studies and examples of IT's impact in five key areas:
1. Productivity
2. Employment
3. More efficient markets
4. Higher quality goods and services
5. Innovation and new products services
Main findings: Five key principles policymakers around the globe should follow if their nations are to fully benefit from the digital revolution:
1. Give the Digital Economy Its Due: Economic policymakers need to view IT issues not just as narrow IT policy, but as the centerpiece of economic policy. This means putting issues of digital transformation at the front and center of economic policy.
2. Actively Encourage Digital Innovation and Transformation of Economic Sectors: The private sector will drive much of digital transformation, but government can play a supportive role. Government should support research in emerging IT areas. It should also use a wide array of policy levers, including tax, regulatory, and procurement policies, to spur greater IT innovation and transformation, particularly in key sectors like health care, education, transportation, and others influenced by public policy. Moreover, government should lead by example by leveraging their own IT efforts to achieve more effective and productive public sector management and administration.
3. Use the Tax Code to Spur IT Investment: Investment is how IT innovations are diffused throughout the economy. Because IT seems to have a much larger impact on productivity, tax policies should focus on spurring additional investment in newer generations of IT.
4. Encourage Universal Digital Literacy and Digital Technology Adoption: Ensuring that societies take full advantage of the IT revolution will require that the large majority of citizens participate in the digital economy. National governments need to work in partnership with the for-profit, non-profit, and state and local government sectors to help citizens use and access technology.
5. Do No Harm: Making digital transformation the centre of economic policy means not just supporting IT, just as importantly it means avoiding harming the digital engine of growth. All too often well-intentioned policymakers consider laws and regulations that would slow digital transformation.
Both benefits and downsides of IT are broadly discussed.
Benefits:

Deliverable D3, Versin 2b (final) It drives prductivity and grwth IT bsts grwth indirectly IT ensures that the ecnmy runs at full capacity IT enables gds and services t be allcated mre efficiently IT enables higher quality prducts and services IT drives innvatin Dwnsides: Ecnmic csts Risks t privacy and cmmunity IT-enable dislcatins Quality appraisal Findings: Findings are credible and have a cherent lgic Design: Literature verview Sample cmpsitin: Nt applicable, this is a literature verview Analysis: N real analysis. Overview f existing infrmatin Reprting: clear and structured reprting 195

11. Annex C - Recommendations for a European Supervision Scheme: Proposal for Conformity Assessment Guidance

The current proposal for a 'Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market' paves the way to the establishment of a single supervision scheme common to all EU MS supervisory bodies. We recommend delegated acts and implementing acts to be adopted in the context of the supervision related articles of the future Regulation to effectively set up such a common basis for supervision of qualified trust service providers and the qualified trust services they provide.

The present document proposes a concrete proposal for such a common "European Scheme for supervision of qualified trust service providers and the qualified trust services they provide", in accordance with the relevant articles from COM(2012) 238 [130]. From the way the COM(2012) 238 proposal for Regulation is proposing to organise those delegated acts and implementing acts, it is possible to establish a common European Scheme for supervision of qualified trust service providers and the qualified trust services they provide.

[130] Those relevant articles are the following:
- COM(2012) 238, Art. 13.5 referring to delegated acts concerning the definition of procedures applicable to the supervisory tasks referred to in Art.15.2;
- COM(2012) 238, Art. 13.6 referring to implementing acts concerning the definition of the circumstances, formats and procedures for the report on the last calendar year's supervisory activities of each supervisory body, as referred to in Art.15.3;
- COM(2012) 238, Art. 14.4 referring to implementing acts concerning the specification of the formats and procedures for the mutual assistance provided in Art.14;
- COM(2012) 238, Art. 15.5 referring to delegated acts concerning the further specification of the appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide as referred to in Art.15.1;
- COM(2012) 238, Art. 15.6 referring to implementing acts concerning the definition of the circumstances, formats and procedures, including deadlines, applicable for the purpose of Art.15.1 to 3;
- COM(2012) 238, Art. 16.5 referring to delegated acts concerning the specification of the conditions under which the independent body carrying out the audit referred to in Art.15.1 and in Art.16.1, and in Art.17.1 shall be recognised;
- COM(2012) 238, Art. 16.6 referring to implementing acts concerning the definition of the circumstances, formats and procedures applicable for the purpose of Art.15.1, Art.15.2 and Art.15.4;
- COM(2012) 238, Art. 17.5 referring to implementing acts concerning the definition of the circumstances, formats and procedures applicable for the purpose of Art.15.1 to 3;
- COM(2012) 238, Art. 18.5 referring to delegated acts concerning the definition of the information referred to in Art.18.1;
- COM(2012) 238, Art. 18.6 referring to implementing acts concerning the definition of the technical specifications and formats for trusted lists applicable for the purpose of Art.18.1 to 4;
- COM(2012) 238, Art. 19.5 referring to implementing acts concerning the establishment of reference numbers of standards for trustworthy systems and products enabling presumption of compliance with requirements laid down in Art.19 where trustworthy systems and products meet those standards.

The present document focuses on the description of (i) the process flow for the supervision of qualified trust service providers and the qualified trust services they provide and (ii) on the Conformity Assessment Guidance (CAG) specifying how to assess compliance of those providers and their qualified trust services against the "Supervision Conformity Assessment Criteria". These latter "Supervision Criteria", against which the conformity of the qualified trust service providers and the qualified trust services they provide will be assessed, will be the topic of a document that will be referenced by the present document.

The proposed complete scheme for such a common "European Scheme for supervision of qualified trust service providers and the qualified trust services they provide" builds upon work done in ETSI ESI with regards to general requirements and guidance for conformity assessment of trust service providers (ETSI TS 119 403), national supervision schemes, the COM(2012) 238 proposal for Regulation. The proposed complete scheme may be integrated as such in an appropriate delegated or implementing act, or be included in the ETSI standardisation framework as an instantiation of ETSI TS 119 403 [131].

It is believed that the establishment of such a common basis for supervision of qualified trust service providers and the qualified trust services they provide will not only serve to raise the level of confidence in these providers and services within the EU boundaries but will also serve as a benchmarking reference for the mutual recognition between EU services and those "qualified" trust services from 3rd countries or international organisations. Recognition of "qualified" trust services and trust service providers from 3rd country or international organisations that would be certified against the EU common supervision scheme or against an equivalent scheme by a conformity assessment body accredited by a national accreditation body participating to the European cooperation for Accreditation (and/or the International Accreditation Forum (IAF) [132]) to carry out such assessments would be facilitated.

[131] ETSI TS 119 403 provides a general framework for the establishment of trust service provider assessment scheme whatever type of trust service and trust service provider, qualified or not, and not limited to the one covered by COM(2012) 238 proposal for Regulation. The proposed "European scheme for the supervision of qualified trust service providers and the qualified trust services they provide" is (as) compliant (as possible) with ETSI TS 119 403.

[132] The IAF is the world association of National (Conformance Assessment) Accreditation Bodies and other bodies interested in conformance assessment in the fields of management systems, products, services, personnel and other similar programs of conformance assessment.

It should be highlighted that the proposed "initiation phase" in the current proposal for a Regulation creates some legal uncertainties, inequality between relying parties and unnecessary complexity and should be simplified in a clear prior-authorisation model. In this case, the supervision scheme flow can be simplified. Such simplifications are depicted in Annex 1.

It is further recommended that Secondary EU wide legislation (e.g. delegated acts as per Art.13.5) should establish and maintain (incl. addition mechanism) an exhaustive list of EU wide, meaningful and precise categories of activities to be considered as trust services. Not having such a mechanism will not allow clear determination whether a service provider is to be considered as a trust service provider or not and may lead to discrimination between trust service providers.

11.1 Introduction

The "European Scheme for supervision of qualified trust service providers and the qualified trust services they provide", hereafter referred to as the Supervision Scheme, provides:
- Common Conformity Assessment Guidance for European Union Member States supervisory bodies on how to assess compliance of qualified trust service providers and the qualified trust services they provide against the requirements laid down in the Regulation 2013/xxx/EU of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market [ref.1] hereafter referred to as the Regulation;
- Common Conformity Criteria for qualified trust service providers and the qualified trust services they provide, against which conformity assessment will be undertaken by EU MS supervisory bodies or their designated assessors in the context of the Regulation.

The present document is the Conformity Assessment Guidance document of the Supervision Scheme.

11.2 Principles of the Supervision Scheme

The following principles underlie the Supervision Scheme:
- Transparency: As the present document and the document on the conformity assessment criteria are made publicly available, this will make the EU Supervision Scheme and its related processes transparent.
- Equality: As the main goal is to prove/ensure that the EU Regulation is abided by, the Supervision Scheme, including the Conformity Criteria, the Conformity Assessment Guidance and assessment process, is identical to every qualified trust service provider, regardless of the goals of the trust service providers and regardless of the assessor.
- Minimum level of security assurance: This is reached through the introduction of minimal criteria that need to be met.
- Better preparation of qualified trust service providers: By making public the Supervision Scheme, including the (minimum) conformity criteria, assessment guidance and process, qualified trust service providers have the opportunity to better understand the content and purpose of the supervision, prepare themselves in advance to make wise decisions and investments when designing their systems to meet the criteria and pass the supervision.
- EU wide trust establishment: The European dimension of the Supervision Scheme is a sound basis to assure stakeholders and relying parties that supervised qualified trust service providers comply with it and that their supervised qualified trust services are trustworthy.
- Facilitate international recognition: The above goals and principles will facilitate international recognition of the EU Supervision Scheme and hence the recognition and acceptance of the qualified trust service providers and the qualified trust services they provide.
- Dissemination of qualified (supervision) status information of qualified trust service providers and their qualified trust services: The actual qualified status of any supervised qualified trust service provider and of the qualified trust services it provides shall be disclosed in the Trusted List of the Member State in which the qualified trust service provider is established or for which it is competent.

11.3 Terminology, definitions and abbreviations

11.3.1 Terminology and definitions

Term: Definition

assessor: Person who assesses conformity to requirements as specified in a given policy requirements document.

accreditation: An attestation by a national accreditation body that a conformity assessment body meets the requirements set by harmonised standards and, where applicable, any additional requirements including those set out in relevant sectoral schemes, to carry out a specific conformity assessment activity [ref.2].

competence: Ability to apply knowledge and skills to achieve intended results.

conformity assessment: The process demonstrating whether specified requirements relating to a product, process, service, system, person or body have been fulfilled [ref.2].

conformity assessment body: An independent body of assessors accredited by a National Accreditation Body as having the competence to carry out conformity assessment activities, including calibration, testing, certification and inspection, in line with the present European Supervision Scheme.

national accreditation body: The sole body in a Member State that performs accreditation with authority derived from the State [ref.2].

control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management, or legal in nature. [ref.5]

control objective: Statement describing what is to be achieved as a result of implementing controls. [ref.5]

information security management system: Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security. [ref.5]

guideline: Recommendation of what is expected to be done to achieve an objective. [ref.5]

policy: Overall intention and direction as formally expressed by management. [ref.5]

process: Set of interrelated or interacting activities which transforms inputs into outputs. [ref.5]

trust service policy: Set of rules that indicate the applicability of the output of a trust service to a particular community and/or class of application with common security requirements.

trust service full practice statement: The entire set of statements of the practices (together with the entire set of related documentation, public and non-public) that a trust service provider employs in providing one or more trust services.

technical expert: Person who provides specific knowledge or expertise to the assessor.

risk analysis: Systematic use of information to identify sources and to estimate risk (i.e. the combination of the probability of the occurrence of a particular set of circumstances and its consequence). [ref.5]

risk treatment: Process of selection and implementation of measures to modify risk. [ref.5]

statement of applicability: Documented statement describing the control objectives and controls that are relevant and applicable to the organization's information security management system. [ref.5]

trust service: Any electronic service consisting in the creation, verification, validation, handling and preservation of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication, and electronic certificates, including certificates for electronic signature and for electronic seals [ref.1 - Art.3.12].

trust service output: A physical or binary (logical) object generated or issued as a result of the use of a trust service. Examples of binary trust service outputs are certificates, electronic time-stamps [ref.1 - Art.3.25], CRLs, OCSP responses, electronic signatures, electronic seals, electronic documents, electronic delivery, etc.

qualified trust service: A trust service that meets the applicable requirements provided for in this Regulation [ref.1 - Art.3.13].

trust service provider: A natural or a legal person who provides one or more trust services [ref.1 - Art.3.14].

qualified trust service provider: A trust service provider who meets the requirements laid down in this Regulation [ref.1 - Art.13.15].

trusted list: Refers to a European Union Member State's "Supervision/Accreditation Status List of certification services from Certification Service Providers, which are supervised/accredited by the referenced Member State for compliance with the relevant provisions laid down in Directive 1999/93/EC". Updated: Refers to a European Union Member State's "supervision status list of qualified trust service providers and of the qualified trust services they provide which are supervised by the referenced Member State for compliance with the relevant provisions laid down in Regulation 201x/xxx/EU".

certificate: An electronic attestation which links electronic signature or seal validation data of a natural or a legal person respectively to the certificate and confirms those data of that person [ref.1 - Art.3.10].

qualified certificate for electronic signature: A certificate which is used to support electronic signatures, is issued by a qualified trust service provider and meets the requirements laid down in [ref.1 - Annex I].

qualified certificate for electronic seal: A certificate which is used to support an electronic seal, is issued by a qualified trust service provider and meets the requirements laid down in [ref.1 - Annex III].

qualified certificate for website authentication: A certificate which makes it possible to authenticate a website and links the website to the person to whom the certificate is issued, which is issued by a qualified trust service provider and meets the requirements laid down in [ref.1 - Annex IV].

All other definitions from the Regulation are included by reference [ref.1].

11.3.2 Abbreviations

CAB: Conformity Assessment Body
CAG: Conformity Assessment Guidance
CRIT: Conformity Assessment Criteria
EA: European cooperation for Accreditation
EC: European Commission
IAF: International Accreditation Forum
ISMS: Information Security Management System
LOTL: List Of the Trusted Lists
MLA: Multi Lateral recognition Agreement
MS: Member State
NAB: National Accreditation Body
PKI: Public Key Infrastructure
SOA: Statement Of Applicability
TL: Trusted List

11.4 References

[ref.1] COM(2012) 238 Proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
[ref.2] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93. OJ L 218, 13/08/2008 p.30-47.
[ref.3] IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling.
[ref.4] ISO/IEC 17021:2011: "Conformity assessment - Requirements for bodies providing audit and certification of management systems".
[ref.5] ISO/IEC 27000:2009: "Information technology - Security techniques - Information security management systems - Overview and vocabulary".
[ref.6] ISO/IEC 27005:2011: "Information technology - Security techniques - Information security risk management".
[ref.7] ISO/IEC 27006:2007: "Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems".
[ref.8] ISO/FDIS 19011:2011(E): "Guidelines for auditing management systems".

11.5 Conformity assessment model

11.5.1 Context

The conformity assessments of qualified trust service provider and of the qualified trust services they provide are to be carried out in the context of the Regulation [ref.1] conferring EU wide recognition and acceptance of the assessments and with the additional aim to provide a basis for international cross-recognition of the assessments. This lies within pan European regulations provided for the international framework for the accreditation of conformity assessment bodies through the European Cooperation for Accreditation (EA) and beyond through the International Accreditation Forum (IAF).

11.5.2 Description of the Assessment model

Figure 1 illustrates the model for the European Supervision Scheme for the conformity assessment of qualified trust service providers and the qualified trust service they provide against the provisions and requirements laid down in the Regulation [ref.1].

[Figure 1 diagram. Elements shown: European cooperation for Accreditation (EA), International Accreditation Forum (IAF), National Accreditation Body, accredited Conformity Assessment Body (CAB) with its assessors, Member State Supervisory Body, qualified trust service provider and qualified trust services, Trusted List and List of Trusted Lists, Supervision Conformity Assessment Guidance (CAG), Supervision Conformity Criteria (CRIT).]

Figure 1: Model for European Supervision Scheme and related assessments for QTS(P)s

Within the above described context and within each EU Member State, the European Supervision Scheme relies on the following elements:

- The National Accreditation Body (NAB): This is the sole body in a Member State that shall perform, with authority derived from the State, accreditation of conformity assessment bodies in the context of the Supervision Scheme. Such accreditation shall assess the competency of the accredited conformity assessment bodies to carry out assessments under the requirements identified in the Supervision Scheme. [133]

  [133] The option has been made here to not allow, in the context of the present Supervision Scheme, Supervisory Bodies to play the equivalent role of the national accreditation body for evaluating the competence of a conformity assessment body to carry out a conformity assessment in line with the present European Supervision Scheme.

- Conformity Assessment Bodies (CAB): A conformity assessment body is an independent body of assessors which carries out the assessment of a qualified trust service provider and of the qualified trust services it provides against the requirements established in the Supervision Scheme, in particular against its conformity criteria and in accordance with its conformity assessment guidance. The competence of a Conformity Assessment Body to carry out such an assessment is accredited by a National Accreditation Body. One or more Conformity Assessment Bodies may be accredited and hence recognised under the Supervision Scheme. The results of a conformity assessment executed by a conformity assessment body are notified to the Supervisory Body of the Member State in which the assessed qualified trust service provider is established. Conformity assessment bodies refer to recognised independent bodies as referred to in Art.15.1, Art.16.1 and Art.17.1 of the Regulation [ref.1].

- The Supervisory Body: This is the body established in accordance with Art.13.1 of the Regulation and that is given all supervisory and investigatory powers that are necessary for the exercise of its task in accordance with the Regulation [ref.1]. With regards to qualified trust services and qualified trust service providers, the supervisory body shall be responsible for undertaking supervision of those qualified trust service providers established in their territory, and/or in the MS having designated this body to undertake supervision of qualified trust service providers established in the designating MS under the responsibility of the designating MS, and of the qualified trust services those qualified trust service providers provide. This supervision shall ensure that those qualified trust service providers and the qualified trust services they provide meet the applicable requirements laid down in the Regulation. All supervisory bodies from the EU shall abide by the Supervision Scheme for this purpose.

- Trusted Lists: The supervisory body shall also be the body responsible for the notification of the qualified status of the qualified trust service providers and the qualified trust services they provide in their national Trusted List in accordance with the Regulation [ref.1 - Art.18] and the present document. Qualified status results from the verification by the supervisory body of the compliance of the qualified trust service providers and the qualified trust services they provide with the requirements of the Regulation, such a verification being based on, e.g., the results of a conformity assessment performed by an accredited conformity assessment body.

The List of the Trusted Lists (LOTL) is an additional important element in the Supervision Scheme. In order to allow access to the trusted lists of all Member States in an easy manner, the European Commission publishes a central compiled list that includes the locations where the Trusted Lists are published and the certificate to be used to verify the authenticity and integrity of the MS trusted lists, as notified by Member States. This compiled List of the Trusted Lists (LOTL) is available publicly.
The authenticity and integrity of the machine processable version of this compiled list is ensured through an electronic signature supported by a digital certificate. The certificate can be authenticated through one of the digests published on the Official Journal of the European Union.

The Supervision Scheme assessment model relies on a common set of conformity criteria, a common assessment process based on a common conformity assessment guidance and on a common understanding of the responsibilities of the qualified trust service providers.

The Conformity Criteria (CRIT) for qualified trust service providers and the qualified trust services they provide refers to the criteria (incl. requirements) against which conformity assessment will be undertaken by EU MS supervisory bodies in the context of the Regulation. Those criteria take into account specificities of the type of trust service to be assessed. They can be organised under the form of a check-list aiming to facilitate the tasks of both the assessors and the qualified trust service provider to be assessed. They are made publicly available and based on standards. The conformity criteria applicable in the context of the Supervision Scheme are provided in a companion document of the present document.

The Conformity Assessment Guidance (CAG) for European Union Member States supervisory bodies refers to the way conformity assessment bodies carry out an assessment in the context of the Supervision Scheme, i.e. to the way compliance of qualified trust service providers and the qualified trust services they provide is assessed against the requirements laid down in the Regulation [ref.1]. This covers:
- The conformity assessment process and the specific characteristics with regards to the conformity assessment process, including the frequency and depth of the assessments, the associated fees, the complaint related procedures, etc.
- The requirements on the conformity assessment bodies and the rules to be observed by such bodies when conducting assessments.
- The specifications for cross-border assessment and related mutual assistance.
- and the responsibilities of the parties.

11.6 Responsibilities of the parties

Member States, through the supervisory body they have designated in accordance with the Regulation [ref.1 - Art.13.1], shall ensure that conformity assessment bodies conducting assessments in the context of the Supervision Scheme are accredited by a national accreditation body for its competency to carry out assessments for the type of qualified trust services and qualified trust service provider being assessed, where verifying the compliance of such qualified trust services and qualified trust service provider with the provision laid down in the Regulation on the basis of assessment reports provided by conformity assessment bodies.

The national accreditation body shall ensure, through appropriate accreditation process, that the conformity assessment body is competent to carry out conformity assessment for the type of qualified trust services and qualified trust service provider being assessed.

The conformity assessment body shall carry out assessment of the qualified trust service provider and of the qualified trust services they provide using conformity criteria relevant to the type of qualified trust service(s) being assessed.

The qualified trust service provider shall ensure that the qualified trust service it provides is conformant to the relevant conformity criteria and assist the conformity assessment body in carrying out the assessment.

The supervisory body shall ensure that a trusted list is made available to interested parties which reflects the latest qualified status of the qualified trust service provider and of the qualified trust services they provide, based on the latest conformity assessment, within the scope of the assessment scheme. The supervisory body shall also ensure that authenticity and integrity of the trusted list is maintained.

11.7 Supervision process

11.7.1 Supervision process flow at a glance

The supervision process flow is depicted in Figure 2.

[Supervision process flow diagram. Phases shown: Preparation (TSP intends to provide Qualified Trust Services subject to mandatory supervision), Initiation (notification including Full Conformity Assessment report), Supervision review (compliance verification based on update of notification information including report of periodic or event driven Conformity Assessment). Compliance verification outcomes: Compliance OK, Compliance Not OK, Compliance Pending. Statuses shown in the Trusted List of supervised Trust Services: SupervisionNotified, Under Supervision, Supervision InCessation, SupervisionCeased, SupervisionRevoked. Triggers shown: termination request by TSP; event notification (by TSP, by 3rd party incl. EC; complaints, incidents, termination of service). Notes in the diagram: one-year supervision cycle based on a Full Conformity Assessment every year (incl. at notification) or at request of the EC, and a Surveillance Conformity Assessment at any time, at own initiative of the Supervisory Body, from event notification; the Statement of Conformity is materialised by publication of the supervision status in the competent MS Trusted List and is valid until the TL next update; supervision status is kept until next status assignment.]

Deliverable D3, Versin 2b (final) Figure 2: Supervisin prcess flw f the Eurpean Supervisin Scheme - QTS(P)s The supervisin prcess f the Eurpean Supervisin Scheme is based n a [ne-year] 134 (re)assessment cycle with a Full Cnfrmity Assessment (FCA) t be perfrmed at the initiatin f the prcess and t be renewed within ne year after the previus FCA. Additinal Surveillance Cnfrmity Assessments (SCA) may r are t be perfrmed n the basis f triggering events as specified in Sectin 11.9 f the present Annex C. State transitins are assciated t the publicatin r updates in trusted lists f the actual qualified status f the qualified trust service that materialises the cmpliance f the qualified trust service and f the qualified trust service prvider as based n the cmpliance resulting frm the latest cnfrmity assessment by the CAB and the cmpliance verificatin by the Supervisry Bdy. 135 The fllwing activities can trigger the state transitins: Preparatin: This is a set f activities during which the qualified trust service prvider prepares himself t prvide qualified trust services and t cmply with the applicable requirements f the Regulatin and in particular f the Supervisin Scheme. During initial preparatin, there is nt yet a state assigned. Initiatin: The supervisin is initiated by the qualified trust service prvider ntifying the cmpetent supervisry bdy f its intentin t start prviding ne r mre qualified trust services in accrdance with the Regulatin [ref.1 - Art.17.1]. This ntificatin includes a Full Cnfrmity Assessment reprt that is verified tgether with ther ntified infrmatin t verify the cmpliance f the qualified trust service prvider and the qualified trust services it prvides against the requirements f the Regulatin. This verificatin leads t ne f the "cmpliance k", cmpliance nt k" r cmpliance pending" cmpliance verificatin utcmes. 
Conformity Assessment: These activities can be performed respectively:
- During the initial assessment in the context of the initiation phase;
- During the yearly (re)assessment following the latest conformity assessment (starting with the one following the initial assessment);
- During the conformity assessments triggered by the notification of specific events as specified in Section 11.9.

Depending on the actual state of the supervised qualified trust service provider and of the qualified trust services it provides, the level of the conformity assessment may be identified as being either a full conformity assessment or a surveillance conformity assessment as specified in Section 11.7.1.a.

Supervision Review: The supervision review is initiated by the yearly expiration of the previous conformity assessment or upon notification of an event as specified in Section 11.9. This requires the notification by the qualified trust service provider of the update of the notification information, including the report of a Full or Surveillance Conformity Assessment (Full Conformity Assessment every year and depending on the nature of the event notification as per Section 11.9, a Surveillance Conformity Assessment may be requested at any time, at own initiative of the Supervisory Body or from event notification). This updated notified information is evaluated to verify the compliance of the qualified trust service provider and the qualified trust services it provides against the requirements of the Regulation. This verification leads to one of the "compliance ok", "compliance not ok" or "compliance pending" outcomes:

Compliance OK: This compliance verification outcome expresses successful passing of the verification of the supervision and of the compliance of the qualified trust service provider and of the qualified trust services it provides against the provisions laid down in the Regulation, including the successful passing of the conformity assessment. Following the verification of compliance of the qualified trust service provider and of the qualified trust services it provides, based on the result of the latest conformity assessment and associated report established by a conformity assessment body, and if no non-conformities are outstanding, the Supervisory Body has confirmed the conformity and decided that the qualified trust service provider and the qualified trust services it provides will gain the qualified status ("undersupervision") or keep their actual "qualified status" ("undersupervision" or "supervisionincessation") and can continue to provide those qualified services. This confirmation and the associated qualified status shall be reflected or respectively maintained in the applicable trusted list. This will be in principle valid for one year unless changed otherwise in accordance to surveillance or full conformity assessment triggered upon specific circumstances as specified in Section 11.9. A full conformity (re)assessment shall be planned for execution one calendar year after the last executed planned full conformity assessment. [fn.136] In case of a limited number of minor non-conformities, the supervisory body may confirm compliance with the provisions laid down in the Regulation and allow the qualified trust service provider to take corrective actions which shall be verified at the next (periodic) surveillance conformity assessment. The qualified trust service provider can still decide to notify its intention to cease or terminate one or more of its supervised qualified trust services or its activities as qualified trust service provider.

Compliance Pending: Following the verification of compliance of the qualified trust service provider and of the qualified trust services it provides, based on the result of the latest conformity assessment and associated report established by a conformity assessment body, the Supervisory Body has decided that the qualified trust service provider and the qualified trust services it provides will keep their actual "qualified status" and that the qualified trust service provider can continue to provide such qualified trust services but needs to address the findings, including minor / major [fn.137] non-conformities within a specified timeframe, as communicated by the supervisory body. Withdrawal of the qualified status (i.e. being moved to "supervisionrevoked" or "supervisionceased") and/or sanctions are possible as per the applicable law, in particular in case those non-conformities are not addressed satisfactorily or not addressed in due time. The supervisory body shall require an additional review to be executed in order to make sure the findings are adequately addressed in the applicable timeframe. The supervisory body shall inform the qualified trust service provider of the nature of the additional conformity assessment (being a full conformity assessment, a limited conformity assessment or a document evidence) that will be needed to verify effective correction and corrective actions.

[fn.134] COM(2012) 238 proposal for Regulation [ref.1] establishes a one-year based (re)assessment cycle. This is to be balanced against a cycle of a full (re)assessment every three years including a yearly surveillance assessment as being defined in ETSI TS 119 403, and to a benchmarking of other relevant (re)assessment cycles the European Supervision Scheme would be cross-evaluated against in the context of mutual recognition with 3rd countries or international organisations in accordance with the Regulation [ref.1 - Art.10].

[fn.135] The here proposed process flow is compliant with the proposal for Regulation [ref.1] and is compliant and backward compatible with the current Trusted Lists model as defined in CD 2009/767/EC as amended by CD 2010/425/EU. Note that the CD's description of the "undersupervision" status could be updated as referring not only to being "currently under supervision, for compliance with the provisions laid down in [the Regulation]" but to being "currently supervised as compliant with the provisions laid down in [the Regulation] and under supervision for such compliance".
Compliance Not OK: As a consequence of the qualified trust service provider and/or the qualified trust services it provides failing to comply with the provisions laid down in the Regulation, or failing to remedy non-conformities notified from a previous conformity assessment and supervision compliance verification, or based on major / critical non-conformities identified in the latest conformity assessment or the latest supervision compliance verification by the supervisory body, the qualified trust service provider and/or its concerned qualified trust services shall lose their qualified status (moving to "supervisionceased" or "supervisionrevoked"). The supervisory body shall notify and demand the qualified trust service provider:
- to immediately stop the provision of any new output of the concerned qualified trust services, and
- to terminate the concerned qualified trust services in accordance to a termination plan validated by the supervisory body,
- to stop any advertisement about the previous qualified status of the concerned qualified trust services, and if applicable of its own qualified status, and
- to communicate adequately towards its stakeholders with regards to the loss of the qualified status of the concerned qualified trust services and, when applicable, the loss of its own qualified status.

A non-conformity can be defined as a [fn.138]:
- minor non-conformity which is an imperfection or weakness in fulfilling a specified requirement or criteria;
- major non-conformity which can be defined as a non-fulfilment of a specified requirement or criteria;
- critical non-conformity which can be defined as a non-fulfilment of a specified requirement or criteria, such non-fulfilment implying by itself the need for the concerned qualified trust service provider to immediately stop such activities and/or for the concerned qualified trust services to be stopped immediately.

Notification of the assessment conclusions and qualified status notification: based on the results and recommendations in the latest conformity assessment report, and on its supervision compliance verification, the supervisory body will notify the qualified trust service provider of its decisions and update, when applicable, the qualified status of the qualified trust service provider and/or of the concerned qualified trust services it provides. Event notifications as specified in Section 11.9 may result in the conduct of a conformity assessment.

[fn.136] May be alternatively specified as "after the latest full conformity assessment".

[fn.137] Only major non-conformities for which a (significant) improvement or correction has been identified and associated to a reasonable implementation deadline may lead to a "compliance pending" outcome; other major non-conformities will lead to a "compliance not ok" outcome. A more strict approach would here consist in allowing only minor non-conformities in the context of "compliance pending".
Requests from qualified trust service providers may also result in the change of the "qualified status" of the qualified trust service provider and/or of the qualified trust services they provide.

The flow between the various supervision states is defined as illustrated in Figure 3 below. [fn.139]

[fn.138] Classification of non-conformities could also be defined/refined according to another model (e.g. nonconformance, deficiency, observation on a per requirement basis).

[fn.139] This updates the "supervision/accreditation status flow" defined in CD 2009/767/EC as amended by CD 2010/425/EU.

[Figure 3 diagram: Start, followed by the Trusted List of supervised Trust Services states SupervisionNotified, UnderSupervision, SupervisionInCessation, SupervisionCeased and SupervisionRevoked]

Figure 3: Qualified (supervision) status flow in the context of the European Supervision Scheme.

11.7.2 Preparation

This corresponds to the activities the qualified trust service provider undertakes to provide qualified trust services and to comply with the applicable requirements of the Regulation and in particular with the requirements of the Supervision Scheme. The activities and their results are to be documented and stored in an internal repository, managed by the qualified trust service provider. During a supervision review (compliance verification) or a conformity assessment, the qualified trust service provider will be required to make the contents of this internal repository available to the reviewers/assessors.

The following activities are required:
- Gain sufficient knowledge with regard to the applicable criteria (CRIT) to the qualified trust service provider and to the qualified trust services it provides.
- Formulate a qualified trust service policy and qualified trust service full practice statement as applicable with regards to the type of qualified trust service that is intended to be provided. These may cover both qualified and non-qualified trust services. It is mandatory to make a clear distinction between those two types of trust services for any matter addressed in the qualified trust service policy and qualified trust service practice statement or similar documents.
- Execute a high-level risk analysis and formulate a draft statement of applicability (SOA). The high-level risk analysis will identify the most important assets, threats and risks, as well as the required safeguards.
The SOA will identify the safeguards chosen for the qualified trust service provider environment and for any other environment used for the provision of the qualified trust services, and explain how and why they are appropriate. The SOA is derived from the output of the risk assessment/risk treatment plan. It is required that the SOA directly relates the selected safeguards to the original risks they are intended to mitigate. The SOA should make reference to the policies, procedures or other documentation or systems through which the selected control will actually manifest. It is also good practice to document the justification of why those controls not selected were excluded.
- Formulate detailed internal and external processes and procedures. This should focus particularly on all aspects of the lifecycle of the qualified trust services offered by the qualified trust service provider and of the related qualified trust service outputs.
- Draw up management system documentation for those processes and procedures.
- Implement those processes and procedures.
- Perform an internal audit. This should include processes and procedures as well as the organisational and technology (application, infrastructure) aspects. The qualified trust service provider is free to choose his audit criteria but these should at least include or be equivalent to those listed in the Supervision Scheme criteria (CRIT).
- Execute a detailed Risk Analysis. This should be based on a well-established approach such as defined in ISO 27005 [ref.6] or equivalent.
- Elaborate, implement and execute a Security Policy and a Risk Treatment Plan. The latter should implement the selected safeguards. Those risks not mitigated but rather accepted as residual risk should also be documented formally.
- Formulate the final Statement of Applicability. This final SOA should include all elements and aspects of the qualified trust service provider relevant to qualified trust service outputs and the delivery of the qualified trust services related to them. It will serve as guidance to determine the scope of the qualified trust services offered, as well as the scope of supervision reviews and/or conformity assessments.
- Execute a self-assessment against the Supervision Scheme criteria and document the outcomes.
- Implement both operational and risk monitoring of the safeguards. This should include both day-to-day monitoring and an annual internal review.
The annual internal review should evaluate whether there are any significant changes in the risk environment, whether such changes can be envisaged, as well as whether the selected and implemented safeguards operate satisfactorily.

The following activities are required as mandated for notification towards the competent supervisory body of the intention to provide qualified trust services:
- Undertake the execution, by an accredited conformity assessment body (independent of the qualified trust service provider), of a full conformity assessment against the Supervision Scheme (incl. criteria and conformity assessment guidance). The conformity assessment body shall be accredited by a national accreditation body member of the European cooperation for Accreditation (EA) to carry out assessment against the Supervision Scheme. The resulting assessment report shall be documented and result in a formal assessment report, explicitly listing any elements of non-conformity if applicable.

11.7.3 Initiation

This corresponds to the notification of the qualified trust service provider to the competent supervisory body of its intention to start providing a qualified trust service and to the submission to the competent supervisory body of the required information. The qualified trust service provider shall submit the following notification information to the competent supervisory body:
- The administrative and identification information related to the qualified trust service provider being either a public entity or a legal or natural person, when it is established in accordance with the national law. This includes but may not be limited to the name of the qualified trust service provider, company information as registered in accordance with national laws, organisation and company structure, capital, balance sheet and annual reports, contact information, etc.
- The identification and the type of qualified trust services to be assessed.

- A summary of the preparation documentation resulting from the expected and required preparation activities as described in section 11.7.1 (this information shall be documented and stored in an internal repository of the qualified trust service provider). Note: This is deemed to include the "security audit reports carried out by a recognised independent body" as per Art.15.1, 16.1 and 17.1 of the Regulation.
- Any other relevant information supporting the supervision compliance verification.

The above notification information must be submitted to the competent supervisory body at least one (1) month before the effective notification to the supervisory body of their intention to start the qualified trust service activities. [fn.140]

Upon notification of the above listed documents, the supervisory body shall include the qualified trust service provider and/or the applicable qualified trust services in the trusted list with a status indicating that the notification has been submitted [ref.. Art.17.2], i.e. with the "SupervisionNotified" status.

Upon notification of the qualified trust services the qualified trust service provider intends to start, the supervisory body shall verify the compliance of the qualified trust service provider and the qualified trust services it provides against the requirements of the Regulation [ref.1], on the basis of the notified information. The supervisory body is entitled to request additional information deemed to support the verification of such a compliance and will inform the qualified trust service provider promptly of the reasons for such a request and the delay for receiving such information.
This initial supervision compliance verification process may lead to one of the following outcomes:

Compliance Pending: In such a case the Supervisory Body has decided that the qualified trust service provider and the qualified trust services it provides will keep their actual "SupervisionNotified" status and that the qualified trust service provider can continue to provide such qualified trust services but needs to address the findings, including minor / major [fn.141] non-conformities, as communicated by the supervisory body within the specified timeframe. The supervisory body shall require an additional review to be executed in order to make sure the findings are adequately addressed in the applicable timeframe. The supervisory body shall inform the qualified trust service provider of the nature of the additional conformity assessment (being a full conformity assessment, a limited conformity assessment or a document evidence) that will be needed to verify effective correction and corrective actions. The "SupervisionNotified" status may be moved to "supervisionrevoked" and/or sanctions are possible as per the applicable law, in particular when those non-conformities are not addressed satisfactorily or not addressed in due time.

Compliance Not OK: As a consequence of the qualified trust service provider and/or the qualified trust services it provides failing to comply with the provisions laid down in the Regulation, or failing to remedy non-conformities notified from a previous conformity assessment and supervision compliance verification (resulting from a Conformity Pending outcome obtained after notification), or based on major / critical non-conformities identified in the latest conformity assessment or the latest supervision compliance verification by the supervisory body, the qualified trust service provider and/or its concerned qualified trust services shall see its "supervisionnotified" status moved to "supervisionrevoked". The supervisory body shall notify and demand the qualified trust service provider:
- to immediately stop the provision of any new output of the concerned qualified trust services, and
- to terminate the concerned qualified trust services in accordance to a termination plan validated by the supervisory body,
- to stop any advertisement about the previous qualified status of the concerned qualified trust services, and if applicable of its own qualified status, and
- to communicate adequately towards its stakeholders with regards to the loss of the qualified status of the concerned qualified trust services and, when applicable, the loss of its own qualified status.

Compliance OK: The Supervisory Body has confirmed the conformity and decided that the qualified trust service provider and the qualified trust services it provides will gain the qualified status "undersupervision" and that it can continue to provide those qualified services. This confirmation and this associated qualified status shall be reflected in the applicable trusted list. This will be in principle valid for one year unless changed otherwise in accordance to surveillance or full conformity assessment triggered upon specific circumstances as specified in Section 11.9. A full conformity (re)assessment shall be planned for execution one calendar year after the last executed planned full conformity assessment. In case of a limited number of minor non-conformities, the supervisory body may confirm compliance with the provisions laid down in the Regulation and allow the qualified trust service provider to take corrective actions which shall be verified at the next (periodic) surveillance conformity assessment or the next full conformity assessment.

[fn.140] It should be highlighted that the proposed "initiation phase" in the current proposal for a Regulation creates some legal uncertainties, un-equality between relying parties and un-necessary complexity and should be simplified in a clear prior-authorisation model. In this case, the supervision scheme flow described in Figures 2 & 3 of Section 11.7.1 can be simplified as depicted in Annex 1, this sentence may be removed, and the present document updated in consequence.

[fn.141] Only major non-conformities for which a (significant) improvement or correction has been identified and associated to a reasonable implementation deadline may lead to a "compliance pending" outcome; other major non-conformities will lead to a "compliance not ok" outcome. A more strict approach would here consist in allowing only minor non-conformities in the context of "compliance pending".
11.7.4 Supervision Review

Once under the "UnderSupervision" status, the qualified trust service provider and the qualified trust services it provides are under continuous supervision and will enter into a "supervision review" state as the result of an event notification as specified in Section 11.9 and on a yearly basis implying a full conformity assessment.

The qualified trust service provider shall review the outcome of the activities he was required to execute in "preparation" and, where it considers relevant, he should complement or refine its documentation. It shall consequently submit such updated notification information to the competent supervisory body.

The supervisory body shall verify the compliance of the qualified trust service provider and the qualified trust services it provides against the requirements of the Regulation [ref.1], on the basis of the notified updated information. The supervisory body is entitled to request additional information deemed to support the verification of such a compliance and will inform the qualified trust service provider promptly of the reasons for such a request and the delay for receiving such information.

This supervision compliance review process may lead to one of the following outcomes:

Compliance Pending: In such a case the Supervisory Body has decided that the qualified trust service provider and the qualified trust services it provides will keep their actual qualified status and that the qualified trust service provider can continue to provide such qualified trust services but needs to address the findings, including minor / major non-conformities, as communicated to them by the supervisory body within the specified timeframe. The supervisory body shall require an additional review to be executed in order to make sure the findings are adequately addressed in the applicable timeframe.
The supervisory body shall inform the qualified trust service provider of the nature of the additional conformity assessment (being a full conformity assessment, a limited conformity assessment or a document evidence) that will be needed to verify effective correction and corrective actions.

The actual qualified status may be moved to "supervisionrevoked" and/or sanctions are possible as per the applicable law, in particular when those non-conformities are not addressed satisfactorily or not in due time.

Compliance Not OK: As a consequence of the qualified trust service provider and/or the qualified trust services it provides failing to comply with the provisions laid down in the Regulation, or failing to remedy non-conformities notified from a previous conformity assessment and supervision compliance verification (resulting from a Conformity Pending state), or based on major / critical non-conformities identified in the latest conformity assessment or the latest supervision compliance verification by the supervisory body, the qualified trust service provider and/or its concerned qualified trust services shall see its actual qualified status moved to "supervisionrevoked". The supervisory body shall notify and demand the qualified trust service provider:
- to immediately stop the provision of any new output of the concerned qualified trust service, and
- to terminate the concerned qualified trust services in accordance to a termination plan validated by the supervisory body,
- to stop any advertisement about the previous qualified status of the concerned qualified trust services, and if applicable of its own qualified status, and
- to communicate adequately towards its stakeholders with regards to the loss of the qualified status of the concerned qualified trust services and, when applicable, the loss of its own qualified status.

Compliance OK: The Supervisory Body has confirmed the conformity and decided that the qualified trust service provider and the qualified trust services it provides will keep its actual qualified status and that it can continue to provide those qualified trust services. This confirmation and the associated qualified status shall be (kept) reflected in the applicable trusted list.
This will be in principle valid for one year unless changed otherwise in accordance to surveillance or full conformity assessment triggered upon specific circumstances as specified in Section 11.9. A full conformity (re)assessment shall be planned for execution one calendar year after the last executed planned full conformity assessment. In case of a limited number of minor non-conformities, the supervisory body may confirm compliance with the provisions laid down in the Regulation and allow the qualified trust service provider to take corrective actions which shall be verified at the next (periodic) surveillance conformity assessment.

11.8 Requirements on Conformity Assessments

11.8.1 Conformity Assessment types

We can distinguish between two types of conformity assessments: full conformity assessments and surveillance conformity assessments.

a. Full Conformity Assessment (incl. initial assessment and re-assessment)

A full conformity assessment is required on a yearly basis. A full conformity assessment may also be initiated as a result of the notification of a specific event as specified in Section 11.9. Depending on the criticality, the implications and nature of the notified event, the MS Supervisory Body shall initiate either a full conformity assessment or a surveillance assessment. A full conformity assessment shall occur whenever the notified event includes the following circumstances:
- whenever there is a major change of the scope;
- whenever there is a major change on the qualified trust services provided under the scope;

- whenever there is a new service included in the scope;
- when there is a major change of IT systems or business processes used by the qualified trust service provider to provide its qualified trust services; or
- when there has been a significant event, incident or complaint requiring such a full reassessment of a qualified trust service subject to supervision.

At each full conformity assessment (visit), the implementation of the whole of the qualified trust service provider's management system should be verified in each of the areas addressed by the Supervision Criteria. In addition, a representative sample of records relating to the operation of qualified trust service providers over the historical period since the previous assessment should be examined by the assessor. Conformity assessment reports should contain assessment information on clearing of non-conformities reported previously.

b. Surveillance Conformity Assessment

The supervisory body shall define a programme of periodic surveillance and reassessment at sufficiently close intervals to verify that qualified trust service providers and the qualified trust services they provide continue to comply with the requirements. There shall be a period of no greater than [six] months for periodic surveillance. Surveillance conformity assessment may also be initiated as a result of the notification of a specific event as specified in Section 11.9.

At each surveillance conformity assessment (visit), the implementation of a part of the qualified trust service provider's management system should be verified in each of the areas addressed in the Supervision Criteria (e.g. for qualified trust services issuing qualified certificates, the applicable standard(s) and/or requirements regarding Certification Practice Statement, key management life cycle, public key certificate management life cycle, CSP management and operation, insurance coverage and organisational requirements).
In addition, a sample of records relating to the operation of qualified trust service providers over the historical period since the previous assessment should be examined by the assessor. The reports arising from surveillance during the period between the initial assessment and the reassessment should build up to cover in totality that the qualified trust service provider and the qualified trust services it provides meet the requirements of the applicable conformity assessment criteria (CRIT). Surveillance conformity assessment reports should contain assessment information on clearing of non-conformities revealed previously.

11.8.2 Conformity Assessment process

Once having been designated and accepted by the qualified trust service provider, the assessors' team performs the conformity assessment in accordance to the qualified trust services to be assessed. The objective of the assessment is to confirm that the qualified trust service provider and the qualified trust services it provides conform to the applicable assessment criteria. This includes confirmation that the implemented qualified trust service provider system conforms to the requirements of the applicable legal provisions, technical standard(s) and is achieving the qualified trust service provider's policy objectives in compliance with the assessment criteria. This assessment must include visits to the site(s) the qualified trust service provider is making use of to provide its qualified trust services, in accordance with Section 11.8.3 on multi-site sampling. The conformity assessment body and the qualified trust service provider shall agree when and where the assessment process is conducted.

The supervised qualified trust service provider shall notify the competent supervisory body about the fact that a conformity assessment is to be conducted, its date and location, and on the identity of the conformity assessment body at least [15] calendar days in advance.

Assessors should review, prior to commencement of the assessment, that the qualified trust service provider's (assessed qualified services) system is documented, implemented, and operational and can be shown to be operational.

Assessors should perform their conformity assessment of the qualified trust service provider's system in at least two stages:

Assessment stage 1: This stage focuses on the review of the qualified trust service provider and its assessed qualified services system documentation as it has been documented through the assessment initiation notification and potentially augmented by a specific set of elements specifically required at this stage. On the basis of the observations made at the qualified trust service provider's site in this stage, assessors shall draft a preliminary assessment report and a plan for conducting stage 2 (on-site) assessment.

Assessment stage 2: This stage consists in an on-site assessment that aims to validate the preliminary assessment report findings and to complete the evaluation/audit assessment of the qualified trust service provider and its assessed qualified trust services against the assessment criteria.

Assessment stage 1

In this stage of the assessment, assessors should obtain and review the documentation including the self-assessment and risk analysis with regard to the qualified trust service provider and its assessed qualified trust services system as notified to the supervisory body (respectively during initiation phase or as an update of such information once under supervision) and potentially augmented with specific types of information as part of stage 1 initiation.
Assessors should make the qualified trust service provider aware of the further types of information and records that may be additionally required for verification during assessment stage 1.

The objectives of assessment stage 1 are to provide a focus for planning of assessment stage 2 by gaining an understanding of the structure and extent of the qualified trust service provider and its assessed qualified trust services system.

Assessment stage 1 includes but should not be restricted to document review, review of the self-assessment, and review of the risk analysis. Other elements that could be included in assessment stage 1 are verification of records regarding legal entity, arrangements to cover liability, contractual relationships between the qualified trust service provider and potential contractors operating or providing sub-component services, internal/external audits or certifications, management review, and further investigations with regards to the preliminary assessment of the self-declared partial conformance or non-conformance.

Assessors and the qualified trust service provider should agree when and where assessment stage 1 is conducted.

In order to provide a basis for the decision to confirm that the qualified trust service provider meets the requirements of the applicable conformity criteria (CRIT) for providing the assessed qualified trust services, assessors should require clear reports that provide sufficient information to make that decision.

Reports from the assessment team to the supervisory body are required at stage 1 in the assessment process. In combination with information held on file, these reports should at least contain:
a. A description of work performed, including scope and objectives, as well as the organisation of the assessor team and the timing.
b. A description of the organisational structure of the qualified trust service provider, including the use made and organisational structure of other parties (subcontractors) that provide parts of the assessed qualified trust services.
c. An account of the assessment including a summary of the document review, as well as the review of the self-assessment.
d. An account of the assessment of the qualified trust service provider's information security risk analysis.

Deliverable D3, Versin 2b (final) e. An accunt f the assessment f the qualified trust service prvider's rganisatinal reliability. f. Assessment time used and detailed specificatin f time spent n dcument review and assessment f the implementatin f the qualified trust service prvider's management system. g. A cnclusin with regards t cnfrmance/nn-cnfrmance, and a descriptin f nncnfrmities (if any), including a clarificatin f them. h. Assessment enquiries that have been fllwed, ratinale fr their selectin, and the methdlgy emplyed. i. Recmmendatin by the assessment team cncerning the cnfirmatin n whether the qualified trust service prvider meets the requirements f the applicable cnfrmity criteria (CRIT) fr prviding its qualified trust services. Qualified trust service prviders shuld review prir t the assessment what recrds are cnsidered as cnfidential r sensitive by them such that the assessment team culd nt examine these recrds during their assessment. The qualified trust service prviders shuld cnsult with the assessrs t judge and jintly cnclude whether the recrds that can be examined are sufficient t perfrm an effective assessment. If the assessrs cnclude that an effective assessment is nt pssible, they shuld infrm the qualified trust service prvider that the assessment culd take place nly when the qualified trust service prvider has accepted apprpriate access arrangements t cnfidential r sensitive infrmatin. In every case, the dcument review shuld be cmpleted prir t the cmmencement f assessment stage 2. The results f assessment stage 1 shuld be dcumented in a written reprt including the detailed plan and planning fr cnductin f assessment stage 2. This reprt is submitted by the cnfrmity assessment bdy t the cmpetent supervisry bdy fr review, validatin and decisin n prceeding with assessment stage 2 and fr selecting assessment team members with the necessary cmpetence based n a prpsal frm the cnfrmity assessment bdy. 
Once validated by the supervisry bdy, assessrs shuld make the qualified trust service prvider aware f assessment stage 2 plan and planning, as well as f the further types f infrmatin and recrds that may be required fr detailed verificatin during assessment stage 2. 142 Assessment stage 2 This stage always takes place at the site(s) f the qualified trust service prvider (including sites f ptential subcntractrs). On the basis f bservatins dcumented in the reprt n assessment stage 1, assessrs execute the validated plan and planning fr the cnductin f assessment stage 2. The bjectives f assessment stage 2 are: (a) T cnfirm that the qualified trust service prvider adheres t its wn plicies, bjectives and prcedures. (b) T cnfirm that the implemented qualified trust service prvider's management system cnfrms t the requirements f the applicable cnfrmity criteria (CRIT) and is achieving the qualified trust service prvider 's plicy bjectives. Assessment reprt t the supervisry bdy 142 With regards t the cnductin f a cnfrmity assessment prir t the ntificatin t the supervisry bdy, i.e. prir its invlvement, the prir validatin by the supervisry bdy f stage 2 f the assessment may nt be required but will ccur a psteriri when validating the ntified infrmatin and cmpliance f the qualified trust service prvider and the qualified trust services it aims t prvide. 216

After having offered the qualified trust service provider the possibility to include his comments (clearly marked as "management's comments"), the conformity assessment report produced by the assessors is passed to the supervisory body. The assessment conclusions can be of three natures:

- Passed: the assessed trust service is "certified conformant".
- Failed with severe non-conformities: the assessed trust service is not certified conformant.
- Passed with pending non-conformities: successful assessment status is conditioned to the implementation of corrective actions within a determined delay in function of the type and criticality of the correction(s).

The conformity assessment body that assesses whether the qualified trust service provider and the qualified trust services it provides meet the requirements of the applicable conformity assessment criteria (CRIT) should incorporate a level of knowledge and experience in all areas that is sufficient to evaluate the assessment processes and associated recommendations made by the assessment team.

Confirmation that the qualified trust service provider and the qualified trust services it provides meet the requirements should not be given in cases where unresolved non-conformities remain.

The conformity assessment body should have clear procedures laying down the circumstances and conditions in which the confirmation that the qualified trust service provider and the qualified trust services it provides meet the requirements will be maintained. If on surveillance or reassessment non-conformities are found to exist, the qualified trust service provider should effectively correct such non-conformities within a time agreed. If correction is not made within the time agreed, confirmation of compliance with the requirements should be reduced, suspended or withdrawn. The time allowed to implement corrective action should be consistent with the severity of the non-conformity and the risk to the assurance of products or services meeting specified requirements.

The documented statement confirming that the qualified trust service provider and the qualified trust services it provides meet the requirements should be confined to declared scopes, activities and locations and should provide a short description of the qualified trust service provider's organisation including identification of the legal entity and, if applicable, identification of the part of the legal entity that provides the qualified trust services. In addition, identification and locations should be provided and scope and activities should be described of other parties (subcontractors) that provide parts of the services.

Assessment conclusions and assessment status notification

Assessment conclusions and potential recommendations and/or requests for corrective actions are communicated by the conformity assessment body to the qualified trust service provider for implementation.

Assessed qualified trust service providers may be permitted to keep details of their internal processes and information security measures confidential when applicable.

11.8.3 Requirements on multisite sampling

The organisational structure of the qualified trust service provider, for the provision of its qualified trust services, could be such that the same activity is performed at a number of sites or that similar or different activities are performed at a number of sites operated by different legal entities. Assessors undertaking the conformity assessment may opt for assessing a sample of these sites. In this case, assessors should maintain procedures that include the full range of issues below in the building of their sampling programme.

The requirements from the IAF Mandatory Document for the Certification of Multiple Sites Based on Sampling [ref.3] shall apply.

Prior to undertaking their first assessment based on sampling, assessors should publish the sampling methodology that they employ.

The procedures of assessors should ensure that the initial review of the conformity assessment contract with or mission against the qualified trust service provider and the qualified trust services it provides, identifies, to the greatest extent possible, the difference between sites such that an adequate level of sampling is determined in accordance with the provisions below.

Where a qualified trust service provider has a number of similar sites that support the provision of the qualified trust services it provides, the following requirements should be fulfilled:

a) All sites of the qualified trust service provider are operating under the same or similar qualified trust service provider's management system that is centrally administered and audited and subject to central management review.
b) All sites have undergone internal auditing in accordance with the qualified trust service provider's internal auditing procedures.
c) A representative number of sites have been sampled by assessors, taking into account the requirements below:
   i) the results of internal audits of head office and the sites;
   ii) the results of management review;
   iii) variations in the size of the sites;
   iv) variations in the business purpose of the sites;
   v) complexity of the qualified trust service provider's management system;
   vi) complexity of the information systems at the different sites;
   vii) variations in working practices;
   viii) variations in activities undertaken;
   ix) potential interaction with critical information systems or information systems processing sensitive information;
   x) differing legal requirements.
d) The sample should be partly selective based on the above in point c) and partly non-selective and should result in a range of different sites being selected, without excluding the random element of site selection.
e) Every site of the qualified trust service provider that is subject to significant threats to assets, vulnerabilities or impacts should be included in the sampling programme.
f) The surveillance programme should be designed in the light of the above requirements and should, within a reasonable time, cover all sites of the qualified trust service provider.
g) In the case of a non-conformity being observed either at the head office or at a single site, the corrective action procedure should apply to the head office and all sites of the qualified trust service provider organisation.

The conformity assessment process must address the qualified trust service provider's head office activities to ensure that a single management system applies to all sites and delivers central management at the operational level. The conformity assessment must address all the issues outlined above.

11.9 Events triggering assessments (incl. notification of changes, termination, incidents, complaints, at supervisory body's sole discretion, EC request)

The notification of the following events shall lead to a supervision review requiring either a full conformity assessment or a surveillance conformity assessment depending on the criticality, the implications and the nature of the notified event:

- Notification of a security breach or any incident with regards to the qualified trust service provider and/or the qualified trust services it provides;
- Complaints by third parties;
- On request by the European Commission;
- On notification of a change in the policy(ies) and/or practices of the qualified trust service provider and/or the qualified trust services it provides;
- Notification of the qualified trust service provider of its intention to cease one or more of the qualified trust services it provides (note that such a notification will lead to the change of the actual qualified status into "supervisionincessation" in the trusted list of the competent supervisory body);
- Notification of the, expected or un-expected, termination of the qualified trust service provider and/or the qualified trust services it provides.

The supervisory body can initiate a supervision review at any time on its sole discretion.

11.10 Conformity Assessment Bodies

11.10.1 Recognition of Conformity Assessment Bodies - Requirements on NABs

Conformity assessment bodies shall be accredited, in the sense of Regulation 765/2008 [ref.2], by a National Accreditation Body (NAB) for carrying out assessments against the Supervision Scheme.

National Accreditation Body shall comply with ISO/IEC 17011 [ref.6] when assessing and accrediting conformity assessment bodies (CABs).

11.10.2 Requirements on Conformity Assessment Bodies

Principles regarding impartiality, competence, responsibility, openness, confidentiality and responsiveness to complaints as per ISO 17021:2011 [ref.4] apply.

Requirements from ISO 17021:2011 [ref.4], clauses 5 to 8 (included) apply with the following additions.

CABs shall comply with ISO/IEC 27006 [ref.7].

CABs shall comply with ISO/FDIS 19011 [ref.8].

a. Assessor's code of conduct

Assessors deployed for performing assessments in the context of the Supervision Scheme must observe a Code of Conduct fulfilling at least the following:

(a) To act in a trustworthy and unbiased manner in relation to both the body by which the assessor is employed, contracted or otherwise engaged and any other organisation involved in an assessment performed by him/her or by personnel directly under his/her control.
(b) To act independently and impartially; to disclose to the body deploying him/her any relationships he/she may have or may have had with the organisation to be assessed and to decline any assignment that could cause or could be perceived as causing conflict of interest.
(c) Not to accept any inducement, gift, commission, discount or any other profit from organisations assessed, from their representatives, or from any other interested person, nor knowingly allow personnel for whom he/she is responsible to do so.
(d) Not to disclose the observations, or any part of them, of the assessment team for which he/she is or was responsible or of which he/she is or was part, or any other information obtained in the course of an assessment, to any third party unless authorised in writing by both the assessed organisation and the body by which the assessor is or was deployed.
(e) Not to act in any way prejudicial to the reputation or interest of the body by which the assessor is or was deployed.
(f) To identify, evaluate the significance and take safeguards with regard to threats that can be attributed to one or more of the following categories: (i) Self-interest; (ii) Self-review; (iii) Advocacy; (iv) Familiarity; and (v) Intimidation;
(g) In the event of any alleged breach of the code of conduct, to co-operate fully in any formal enquiry procedure

b. Competence criteria and requirements for assessors

Each individual assessor deployed by an independent conformity assessment body for performing conformity assessment must be qualified based on the following criteria:

(a) Academic qualifications must have been gained by a programme of studies consisting of a range of interrelated topics in which understanding is achieved by a predefined progression or route. It should be expected that where the assessor has accrued extensive experience and supplementary professional education and training, the requirement for academic qualifications would be significantly outweighed by their practical experience in the field.
(b) Having at least four years full time practical workplace experience in information technology, of which at least two years have been in a role or function relating to Public Key Infrastructure and Information Security Management.
(c) Having demonstrated understanding of the applicable standards.
(d) Having demonstrated understanding of the concepts of management systems in general.
(e) Having demonstrated understanding of the issues related to various areas of qualified trust services related techniques and technologies, cryptology, Public Key Infrastructure, Information Security Management, and organisational reliability.
(f) Having demonstrated understanding of the principles and processes related to risk assessment and risk management.
(g) Having successfully followed a training course of at least five days on the subject of management system assessment and the management of assessment processes.
(h) Having the following personal attributes: objective, mature, discerning, analytical, persistent, and realistic. The candidate should be able to put complex operations in a broad perspective and should be able to understand the role of individual units in larger organisations.
(i) Having knowledge and attributes to manage the assessment process.
(j) Having the ability and processes to maintain own knowledge and skills of qualified trust services related techniques and technologies, cryptology, Public Key Infrastructure, Information Security Management, and management system assessment.
(k) Prior to assuming responsibility for performing as an assessor, the candidate must have gained experience in the entire process of qualified trust service providers and trust services assessment. This experience should have been gained by participation under supervision of qualified (lead) assessors in a minimum of four assessments for a total of at least 20 days, including documentation review, implementation assessment and assessment reporting.
(l) All relevant experience must be current.

An assessor performing as assessment team leader (Lead Assessor) must additionally fulfil the following requirements:

(m) Having acted as qualified assessor in at least three complete qualified trust service providers and qualified trust services assessments.
(n) Having demonstrated to possess adequate knowledge and attributes to manage the assessment process.
(o) Having demonstrated the capability to communicate effectively, both orally and in writing.

Satisfaction of these criteria must be demonstrated.

Assessors must maintain professional liability/errors and omissions insurance enough to cover liabilities.

c. Requirement on assessment teams

Assessment teams shall be competent for the duties assigned to them.

The following requirements apply to the assessment team as a whole. In each of the following areas at least one assessor in the team must satisfy assessors' criteria for taking responsibility within the assessment team:

1) managing the team (Lead Assessor);
2) demonstrated knowledge of the legislative and regulatory requirements and of legal compliance in the particular field of certification service and information security;
3) demonstrated knowledge of the current technical state-of-art regarding qualified trust services related techniques and technologies, cryptology and Public Key Infrastructure;
4) demonstrated knowledge in technologies applicable to the qualified trust services being assessed;
5) demonstrated knowledge of performing information security related risk assessments so as to identify assets, threats and the vulnerabilities of the qualified trust service provider and the qualified trust services it provides and understanding their impact and their mitigation and control;
6) demonstrated knowledge of organisational reliability issues.

The assessment team must be competent to trace indications of security incidents in the qualified trust service provider operations back to the appropriate elements of the qualified trust service provider management system.

An assessment team may consist of one person provided that the person meets all criteria set out above.

d. Guidance on the use of technical experts

In order to ensure that the assessment team has at its disposal all necessary expertise, assistance of Technical Experts with specific knowledge regarding the following subjects should be used:

(a) knowledge of the legislative and regulatory requirements and of legal compliance in the particular field of certification service and information security;
(b) knowledge of the current technical state-of-art regarding qualified trust services related techniques and technologies, cryptology and Public Key Infrastructure;
(c) knowledge in technologies applicable to the qualified trust service being assessed; and
(d) knowledge of performing information security related risk assessments so as to identify assets, threats and the vulnerabilities of the qualified trust service provider and its qualified trust services and understanding their impact and their mitigation and control.

Those not satisfying all qualification criteria for individual assessors, may be used to assist the assessment team. Such Technical Experts must at all times be responsible to the Lead Assessor and not function independently of Assessors in the team.

11.11 Cross-border Assessment and Mutual Assistance

Requirements from the Regulation shall apply [ref.1 - Art.14].

Annex 1 - Simplified Supervision Scheme based on prior authorisation

[Figure A.1: Supervision process flow of the European Supervision Scheme (simplified). Flowchart labels: Preparation (TSP intends to provide Qualified Trust Services subject to mandatory supervision); Initiation (notification including Full Conformity Assessment report); Conformity Assessment (Full or Surveillance Conformity Assessment: Determination + Review + Results mark); Compliance verification (Compliance OK / Compliance Not OK / Compliance Pending); Event notification (by TSP, by 3rd party incl. EC; complaints, incidents, changes, termination of service); Supervision review; Termination request by TSP; Trusted List statuses UnderSupervision, SupervisionInCessation, SupervisionCeased, SupervisionRevoked.]

Notes to Figure A.1:

One-year supervision cycle based on: Full Conformity Assessment every year (incl. at notif ) or at request of the EC. Surveillance Conformity Assessment at any time, at own initiative of the Supervisory Body, from event notification.

Statement of Conformity is materialised by publication of the supervision status in the competent MS Trusted List and is valid until the TL next update. Supervision status is kept until next status assignment.

[Figure A.2: Qualified (supervision) status flow in the context of the European Supervision Scheme (simplified). Flowchart labels: Start; Trusted List statuses UnderSupervision, SupervisionInCessation, SupervisionCeased, SupervisionRevoked.]

Deliverable D3, Version 2b (final)

European Commission
Feasibility study on an electronic identification, authentication and signature policy (IAS)
Final Report
Luxembourg, Publications Office of the European Union
2013
415 pages
ISBN 978-92-79-31151-2
DOI: 10.2759/25928

DOI: 10.2759/25928 ISBN 978-92-79-31151-2 KK-03-13-324-EN-N