Implementation of the EESSI work programme

1
Implementation of the EESSI work programme

• György Endersz, Telia Research, SwedenChairman
  ETSI ESI Working Group

Hans Nilsson, iD2 Technologies, Sweden Chairman
CEN/ISSS E-SIGN Workshop
2
EESSI standards overview
Certification Service Provider
Trustworthy system
Qualified Certificate policy
Time Stamp
Qualified certificate
Signature creation process and environment
Signature validation process and environment
Creationdevice
Signature formatand syntax
Relying party/verifier
User/signer
CEN E-SIGN
ETSI ESI
3
EESSI standards implementation

• CEN/ISSS E-SIGN Workshop
• 70 participants, 12 paid experts
• Result CEN Workshop Agreements during Q3 and Q4
• Chairman hans.nilsson_at_id2tech.com
• ETSI ESI Working Group
• 40-50 Participants, 8 paid experts
• Result ETSI Standards/Technical Specifications
  2-4Q2000
• Chariman gyorgy.g.endersz_at_telia.se
• For more information
• http//www.ict.etsi.org/eessi/EESSI-homepage.htm

4
EESSI not limited to 5.1 signatures Different
classes of electronic signatures
5
Security requirements for electronic signature
creation devices

• Technical issues to be covered
• Key generation
• When and where the signature creation data are
  composed
• What constraints signature creation data have
• Key management
• How the signature creation data are stored
  handled
• How signature creation date relate to signature
  verification data
• Initialisation/Personalisation
• If signature creation data are transferred in
  this phase
• How the secrecy of the signature creation data
  is assured
• Lifecycle
• How signature creation data are disposed
• Signature creation process
• How signature creation data are handled

6
Signature process and environment
Signature Policy
PKI
Cryptographic Profile
Certificates
Intent Pin-Pad Authentication Signature
Par Document Signature
Signature Environments Operating System
Signature Application Processes
User
Signature-Device
Private Key
Local Storage
Other (un-trusted) Processes
Other un-trusted inputs/outputs
Scope of standardization
7
Guidelines for Signature verification process
and environment

• Some of the issues to to covered
• Validation process
• Trust points
• Certificate paths
• Revocation rules
• Roles and attributes
• Time-stamping and timing
• Validation environment
• Validation by humans (supported by machines)
• Validation by machines only
• Validation by third parties

8
Policies for Certification Service Providers
(CSPs)

• Functional, quality and security requirements
  expressed in Certificate Policy and security
  controls
• Uniform requirements as a basis for
  implementation, audit and accreditation
• Current work responds to Directive requirements
  for CSPs issuing Qualified Certificates
• Requirements for other class(es) to meet market
  needs
• ETSI TS in 4Q2000

9
Qualified Certificate Policy
Baseline Qualified Certificate Policy
Subscriber Obligations
CSP/ CA Obligations
RA Obligations
Liability
RepositoryObligations
Financial
CSP Security Controls
Objectives
PolicyRequirements
10
Electronic Signature Formats

• Defines interoperable syntax and encoding for
  signature, validation data and signing
  policy.Builds upon existing standards
• Published as ETSI Standard (ES) 201 733 in 2Q2000
• Proposed to IETF in March 2000 as an
  Informational RFC, based on the ES
• Aim to harmonise development with XML sigantures

11
Profile for Qualified Certificate

• Standard for the use of X.509 public key
  certificates as qualified certificates
• European profile based on current IETF PKIX draft
  
• Draft to be approved by ETSI SEC in 4Q2000

12
Format and Protocol for Time Stamp

• Profile based on current IETF PKIX draft
• Time stamps used for signature validation, e.g.
  in ES 201 733
• Draft to be approved by ETSI SEC in 4Q2000

13
Conformity Assessment ofElectronic
SignatureProducts and Services
14
Conformity Assessment of Secure Signature
Creation Devices

• Conformity shall be determined by appropriate
  public or private bodies designated by Member
  States
• The Commission shall establish criteria for
  Member States to determine whether a body should
  be designated
• CEN Workshop Agreement Common Criteria
  Protection Profile
• gt CC evaluation by CLEF or other notified body

15
Conformity Assessment of Certification Service
Providers

• Prior authorisation not allowed, but...
• Mandatory supervision of CSPs issuing QCs to the
  public
• Registration/notification of CSPs
• Self-declaration for fulfilling QC Policy
• What documentation is required?
• Voluntary Accreditation
• Audit to be performed
• Based on QC Policy
• Assessment guidelines also required?
• National private or government schemes
• Need for mutual recognition of accreditation !!

16
Conformity Assessment of Trustworthy Systems

• The Commission may establish and publish
  reference numbers of generally recognised
  standards for electronic-signature products.
  Member States shall presume that there is
  compliance with the requirements laid down in
  Annex II, point (f), and Annex III when an
  electronic signature product meets those
  standards
• Only applicable for Voluntary Accreditation?
• Common Criteria Protection Profile
• Evaluation by CLEF or notified body or in other
  ways

17
What we expect from this meeting

• Increased knowledge about the EESSI work amongst
  industry, users and regulators
• Get feedback on the contents of the work
• Discuss harmonization of supervision
• Discuss mutual recognition of accreditation