EESSI
European Electronic Signature
Standardisation Initiative
Implementing Electronic Signature
EESSI Overview - 1
August 2002
EESSI Charter
The Electronic Signature Directive (1993/93/EC) provides a
common EU framework for electronic signatures
Industry, with the assistance of European
Standards Bodies, to provide an agreed framework
for an open, market-oriented implementation of the
Directive
EESSI put in place to co-ordinate this task
(ICT-SB Dec. 98)
EESSI Objectives
Analyse needs for standards in support of
minimum essential legal requirements as stated
by the Directive
Assess available standards and current initiatives
at national, European and international levels
Set up and implement a Programme of Work, built
on international co-operation
Directive highlights
Legal recognition of electronic signatures
Technology neutral
Free flow of Products and Services
Excludes prior authorisation or licensing scheme
for Certification Service Providers
Mandates supervision scheme for CSPs
Calls for monitoring of Voluntary Accreditation
Scheme
Annexes of the Directive
Annex I:
Requirements for qualified certificates
Annex II:
Requirements for certification-service-providers
issuing qualified certificates
Annex III:
Requirements for secure signature-creation
devices
Annex IV:
Recommendations for secure signature
verification
Proposed Classes of Electronic Signatures
Class of signature: General electronic signature as required in 5.2
Level of legal certainty: Can not be denied legal effect (art 5.2)
Explanation: Any electronic signature that is not a qualified electronic signature.
Class of signature: Qualified electronic signature - as specified in 5.1 (Annex I, II, III)
Level of legal certainty: Same legal effect as hand-written signature (art 5.1)
Explanation: Minimum technical level required for the signer so that his electronic signature can be considered as legally equivalent with a hand-written signature.
Class of signature: Enhanced electronic signature (applicable to both general and qualified electronic signatures)
Level of legal certainty: Enhancement of technical evidence
Explanation: Additional technical requirements for a verifier, such as time-stamping, but also for the signer, to enhance technical security and obtain protection against certain threats.
Framework for implementation
Security/Quality level
Signature Creation Device
Certificate Policy
Electronic Signature Syntax
Trustworthy System
Signature with long validity
Qualified Electronic Signature
Signature for limited value transactions
EESSI Organisation
Steering Committee
Standard Bodies and Consensus Bodies involved in
standardisation: CEN, ETSI, ISO, ECBS, EEMA, EURESCOM
Market Players: Bull, Globalsign, iD2, BT, ACE
Public Authorities and Consumers Rep’s: BSI (D), PRC (FIN),
AIPA (I), DSTI (F), ECP.NL (NL), ANEC
Commission as observer: DG Enterprise, DG Information
Society, DG Internal Market
Expertise activity as required
EESSI Structure
EESSI/SG
European Telecommunications
Standards Institute
Industry and business, assisted by European standard bodies
Base Line for Action
Capitalise on European & International activities
ETSI TC SEC, ISO/JTC1/SC27, IETF-PKIX, W3C, EURESCOM
EEMA/ECAF, ICC, ABA, ILPF
UNCITRAL Model of Law, AGB
European Projects: IST and ISIS programmes
National activities in Germany (BSI, INDI), Nordic Countries
(SEIS, SAT, FDS), Italy (AIPA), Austria, Spain (FESTE),
Netherlands (TTP.NL), UK (tScheme), ...
EESSI Programme Implementation
Standardization work programme
Phase 1 (work programme definition) completed 3Q1999
Phase 2 (essential requirements for the Directive) completed
2Q2002
Phase 3 (requirements for different classes of electronic
signature) to be completed by the end of 2002
Phase 4 (additional requirements) to be performed in
2002-2003
EESSI Programme Implementation
Use of the existing standardization technical groups
CEN/ISSS E-SIGN Workshop
– 30+ participants, funded Expert Teams
– Deliverables: CEN Workshop Agreements (CWA)
ETSI ESI Technical Committee
– 20+ Participants, funded Specialist Task Force
– Deliverables: ETSI Technical Specifications (ETSI TS)
and ETSI Technical Reports (ETSI TR)
Creation of the ALGO group
Expert group providing guidance on cryptographic
algorithms and parameters in EESSI standards
Roadmap of Phase 2 EESSI Standards
(Diagram; labels recovered from the slide)
Certification Service Provider
Trustworthy system - A.II.f
Requirements for CSPs - A.II
Time Stamp
Qualified certificate - A.I
Creation device - A.III
Signature creation process & environment (A.III)
Signature format and syntax (Advanced ES)
Signature validation process and environment - A.IV
User/signer
Relying party/verifier
CEN E-SIGN
ETSI ESI
Phase 2 Deliverables
Target: Directive Annexes I-IV requirements and
interoperability
Published in 4Q2000:
Policies for Certification Service Providers,
ETSI TS 101 456 (updated 2Q2002)
Profile for Qualified Certificates, ETSI TS 101 862,
(updated 2Q2001)
Electronic Signature Formats, ETSI TS 101 733,
(also published as 2 IETF RFC) (updated 1Q2002)
Deliverables (continued)
Published in 3Q2001:
Security Requirements for SSCDs (EAL4),
CWA 14168
Signature Creation Process and Environment,
CWA 14170
Signature Verification Process and Environment,
CWA 14171
Conformity Assessment Guidance,
CWA 14172 – Parts 1-2
Time Stamping Profile,
ETSI TS 101 861 (based on IETF RFC) (updated 1Q2002)
Deliverables (continued)
Published in 4Q2001:
Security Requirements for Trustworthy Systems,
CWA 14167-1
Conformity Assessment Guidance,
CWA 14172 – Parts 3-5
Published in 1Q2002:
Cryptographic Modules for CSP (MCSO-PP),
CWA 14167-2
Security Requirements for SSCDs (EAL4+),
CWA 14169
Roadmap of Phase 3 Activities (2001)
(Diagram; labels recovered from the slide. * = Phase 3)
Certification Service Provider
Alternative Requirements for CSPs *
Requirements for TSAs *
Trustworthy Systems *
Qualified certificate
Signature Creation device *
Time Stamping Authority
Signature creation process and environment
CA status and validation by RP *
Signature format and syntax in XML *
Time Stamping Format & Protocol
Signature validation process and environment
Relying Party/Verifier
User/Signer
Phase 3 Deliverables
Published in 1Q2002:
Guidelines for the implementation of SSCDs,
CWA 14355
XML Advanced Electronic Signatures,
ETSI TS 101 903
International harmonization of Policy Requirements for CAs
issuing Certificates, ETSI TR 102 040
Signature Policies Report,
ETSI TR 102 041
Deliverables (continued)
Published in 2Q2002:
Policy Requirements for Time Stamping Authorities,
ETSI TS 102 023
Provision of harmonized Trust Service Provider status
information, ETSI TR 102 030
XML Format for Signature Policies,
ETSI TR 102 038
Policy Requirements for Certification authorities issuing
Public Key Certificates, ETSI TS 102 042
Deliverables (continued)
Ongoing work:
Guide on the Use of Electronic Signatures,
draft CWA 14365
Cryptographic Module for CSP Key Generation Services,
(CMCKG-PP), draft CWA 14167-3
Application Interface for Smart cards used as SSCDs,
draft CWA
Signature Policy for Extended Business Model
draft ETSI TR 102 045
Maintenance of ETSI Standards from EESSI phase 2 and 3,
draft ETSI TR 102 046
International harmonization and globalization activities,
draft ETSI TR 102 047
Publication is foreseen in the second half of 2002
Phase 4 Activities
New activities are planned in 2002-2003 on the following subjects:
Maintenance of the published specifications
Harmonised provision of TSP status information
Internationalisation of Certificate Policies
Technical Standards for Signature Policies
Policy Requirements for CSPs issuing Attribute Certificates
Technical properties of Advanced Electronic Signatures
Interoperability requirements of smart Cards used as SSCDs
Conformity assessment of SSCDs supporting non Qualified
Electronic Signatures
Provision of Certificates status information to Relying Parties
European perspectives
The Commission has evaluated the EESSI phase 2 deliverables
as answering the requirements set by the Directive.
A draft Decision prepared by the Commission proposes the
recognition, as Generally Recognized Standards under the
Directive, of the EESSI phase 2 deliverables answering the
requirements set in the annexes. The proposal was discussed
in the meeting of the Directive Member States committee in
July 2002, and was generally supported.
The publication in the EU OJ of the references to the
deliverables produced by EESSI, as providing a proper
technical framework for the implementation of the Directive,
should follow. It will give a positive signal to the market
players for the development of products and services
complying with the EESSI specifications.
International Perspectives
Recognition of conformance to SSCD requirements: CC MRA
(Arrangement on the Mutual Recognition of CC Certificates in
the Field of IT Security). Similar ambition with Trustworthy
Systems.
Cross-recognition of “certification policy”: assessment of
policy mapping between US Federal PKI and ETSI-EESSI
requirements.
Harmonization of interoperability standards: use of existing
standards (ISO, IETF), liaisons under development (W3C, WAP
Forum, EDI/XML) and submissions to IETF.
EESSI on the Web
http://www.ictsb.org/EESSI_home.htm
More useful references:
ETSI:
http://www.etsi.org/esi/el-sign.htm
Sign up from Web-site to open El Sign mailing list
CEN:
http://www.cenorm.be/isss/workshop/e-sign