PKI Deployment in Europe - PowerPoint PPT Presentation

1
PKI Deployment in Europe
  • Prof. Riccardo Genghini
  • ETSI ESI

2
Legislative environment 1
  • In the EU, Member States are obliged by the
    Treaty of Rome that created the EEC, to implement
    EU Directives with Laws into national legislation
  • Member States that do not comply with the Treaty
    are liable for the damage caused by the lack of
    compliance and furthermore can be forced to
    comply by the European Court of Justice

3
Legislative environment 2
  • For the EU wide deployment of Digital Signature,
    the Commission and the EU Parliament adopted the
    Directive 93/1999 on Electronic Signatures
  • The Directive had to be implemented into national
    legislation before July 18th 2001
  • Almost all Member States did implement the
    directive

4
EU's 3 Types of Electronic Signature
  • Electronic Signature (2.1/5.2)
  • Advanced Electronic Signature (2.2/5.2)
  • Qualified Electronic Signature (5.1)
  • QES: Advanced Electronic Signature (Art. 2.2)
    created with a SSCD and provided with a QC
  • Article 2.2: "Advanced Electronic Signature"
    means an electronic signature which meets the
    following requirements: (a) it is uniquely linked
    to the signatory; (b) it is capable of
    identifying the signatory; (c) it is created
    using means that the signatory can maintain under
    his sole control; and (d) it is linked to the
    data to which it relates in such a manner that
    any subsequent change of the data is detectable.

5
Principles of 93/1999 EC (1)
  • Principle of co-regulation
  • Legislator sets goals
  • Technical self-regulation defines ways in full
    respect of existing international standards
  • Principle of technical neutrality
  • Law should not stifle innovation
  • Law should not distort competition

6
Principles of 93/1999 EC (2)
  • Privacy Protection (art. 8)
  • Electronic signatures shall not make data mining
    easier!
  • Freedom of pseudonymity is a granted individual
    right
  • Consumer Protection (Art. 3, 6 and Annexes I, II
    and III)
  • Minimum liability (art. 6)
  • Make technology transparent to users (art. 3
    and 6)
  • secure signature creation device (Annex III)
  • qualified certificates (Annex I)
  • trustworthy systems (Annex II)

7
Principles of 93/1999 EC (3)
  • No discrimination (art. 3)
  • National legislator shall not discriminate
    electronic signatures coming from other member
    states
  • Independent and transparent supervision of TSPs
  • EU Mutual recognition (art. 5)
  • A common framework of technical standards has
    been set up and is further developed by Cen-ISSS
    and ETSI
  • 93/1999/EC refers to such standards
  • Multilateral co-operation between supervisors
    started

8
Principles of 93/1999 EC (4)
  • International recognition (art. 7)
  • of third countries' CSPs if
  • It fulfils the requirements of the directive and
    has been accredited under a voluntary
    accreditation scheme
  • The certificates are guaranteed by a CSP
    established within the EU
  • Is recognized under an international agreement
    with third countries or international
    organisations

9
Principles of 93/1999 EC (5)
  • No licensing (art.3)
  • Accreditation is voluntary
  • Supervision is mandatory for each member state
  • Legal relevance (art. 5)
  • Advanced signatures, created with a Secure
    Signature Creation Device for which a Qualified
    Certificate has been issued, are equal to
    handwritten signatures (5.1)
  • For other electronic signatures, legal relevance
    cannot be denied in principle

10
93/1999/EC implementation
  • Member States had to implement the directive
    before July 18th 2001, i.e.:
  • Legislation had to be in force
  • Supervisory schemes have to be in place
  • National Supervision bodies shall be notified to
    the Commission
  • Accredited Certification Service Providers also
    shall be notified to the Commission

11
Open Issues
  • European Interoperability
  • European co-ordination of Supervision
  • European Accreditation Schemes
  • European Root Authority
  • Sustainable Business Models
  • EESSI Standards have been a first important
    step towards the solution of Open Issues

12
EESSI SG
  • EESSI: European Electronic Signatures
    Standardization Process
  • Industry and business, assisted by European
    standard bodies
  • European Telecommunications Standards Institute.
    Chairpersons: György Enders, Riccardo Genghini
  • Comité Européen de Normalisation, Information
    Society Standardisation System.
    Chairpersons: Hans Nilsson (until
    Riccardo Genghini

13
Standards Produced by Cen-ISSS E-Sign
  • CWA 14167-1 Security Requirements for
    Trustworthy Systems Managing Certificates for
    Electronic Signatures -> referenced on the OJ
    EU!
  • CWA 14167-2 Security of cryptographic modules
    -> referenced on the OJ EU!
  • CWA 14167-3 Cryptographic Module for CSP Key
    Generation Services Protection Profile CMCKG-PP
  • CWA 14168 Security Requirements for Secure
    Signature Creation Devices EAL4
  • CWA 14169 Security Requirements for Secure
    Signature Creation Devices EAL4 ->
    referenced on the OJ EU!
  • CWA 14170 Security Requirements for Secure
    Signature Creation Systems
  • CWA 14171 Procedures for Electronic Signature
    Verification
  • CWA 14172-1 to 8 Conformity Assessment
    Guidances for Trustworthy Systems
  • CWA 14890-1/2 Application Interface for smart
    cards used as Secure Signature Creation Devices
  • CWA 14365-1/2 Guide on the Use of Electronic
    Signatures
  • CWA 14355 Guidelines for the implementation of
    Secure Signature Creation Devices
  • http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/cwa/electronicsignatures.asp

14
Maintenance of Cen-ISSS E-Sign
  • The CWAs for which CEN/TC 224 will take
    maintenance responsibility are the following
  • CWA 14355 Guidelines for the implementation of
    Secure Signature Creation Devices
  • CWA 14167-1/4 Security Requirements for
    Trustworthy Systems Managing Certificates for
    Electronic Signatures
  • CWA 14169 Secure Signature-Creation Devices "EAL
    4"
  • CWA 14170 Security Requirements for Signature
    Creation Applications
  • CWA 14890-1/2 Application Interface for smart
    cards used as Secure Signature Creation Devices
  • CWAs under the care and maintenance of the
    CEN/ISSS sector Forum
  • CWA 14172 -1/8 EESSI Conformity Assessment
    Guidance
  • CWA 14365-1/2 Guide on the Use of Electronic
    Signatures
  • CWA under the care and maintenance of ETSI TC
    ESI
  • CWA 14171 General guidelines for electronic
    signature verification

15
Standards Produced by ETSI ESI
  • Phase 1 and 2 Publications
  • TS 101 861 v 1.1.1
  • September 2001 Time Stamping Profile
  • ES 201 733 v 1.1.3 May 2000 Electronic Signature
    Formats
  • Phase 3 Publications
  • TS 101 456 v1.3.1 May 2005 Policy requirements
    for certification authorities issuing qualified
    certificates
  • TS 102 042 v1.2.1 May 2005 Policy requirements
    for certification authorities issuing public key
    certificates
  • TR 102 040 v1.3.1 March 2005 International
    Harmonization of Policy Requirements for CAs
    issuing Certificates
  • TR 102 047 v1.2.1 March 2005 International
    Harmonization of Electronic Signature Formats
  • TR 102 317 v1.1.1 June 2004 Process and tool
    for maintenance of ETSI deliverables
  • TS 101 903 v1.2.2 April 2004 XML Advanced
    Electronic Signatures (XAdES)
  • TS 101 862 v1.3.1 March 2004 Qualified
    Certificate Profile
  • TS 102 280 March 2004 X.509 V.3 Certificate
    Profile for Certificates Issued to Natural
    Persons
  • TS 101 733 v1.5.1 December 2003 Electronic
    Signature Formats

16
Maintenance of Cen-ISSS E-Sign
  • TR 102 272 December 2003 ASN.1 format for
    signature policies
  • TS 102 231 October 2003 Harmonized TSP status
    information
  • TS 102 158 October 2003 Policy requirements
    for CSPs issuing attribute certificates
  • TR 102 045 March 2003 Signature policy for
    extended business model
  • SR 002 176 March 2003 Algorithms and
    Parameters for Secure Electronic Signatures
  • TR 102 153 February 2003 Pre study on
    Certificate Profiles
  • TR 102 046 February 2003 Maintenance of ETSI
    standards from EESSI phase 2 and 3
  • TS 102 023 v1.2.1 January 2003 Policy
    requirements for time-stamping authorities
  • TR 102 044 December 2002 Identification of
    requirements for attribute certification
  • TR 102 038 April 2002 XML format for signature
    policies
  • TS 102 023 April 2002 Policy requirements for
    time-stamping authorities
  • TR 102 030 April 2002 Provision of harmonized
    Trust Service Provider status information
  • TS 101 861 v1.2.1 March 2002 Time stamping
    profile
  • TR 102 041 February 2002 Signature Policies
    Report
  • http://portal.etsi.org/esi/el-sign.asp
  • MAINTENANCE DONE BY ETSI ESI

17
Italy's experience
  • In Italy more than 2.000.000 SSCDs
  • Utilisation within electronic e-government (not
    for signing contracts)
  • Access and modification of public registrars,
    digital tax declaration and NEW! Digital
    accounting, e-Invoicing, registered email
  • SSCDs are used only if mandatory or significantly
    cheaper than other options

18
Rest of Europe experience
  • In each State some thousands or ten-thousands of
    SSCDs issued
  • Missing successful business models
  • Great opportunity: e-Invoicing Directive

19
Conclusions
  • There is no WYSIWYS
  • Technology is clumsy
  • The social acceptance is low: use only if
    mandated
  • There are wrong expectations on what the QES can
    do
  • Only success story: data origin
    authentication!!!!!!!

20
Thank you !
  • Dr. Riccardo Genghini
  • riccardo.genghini_at_sng.it